When using Web Basic Authentication, user is always mapped as guest. #4536
Comments
hendero1
added
bug
|
My guess is that you don't have a Template User specified. Can you check that? |
* After authenticating via Web Basic Authentication, user always mapped as guest. * This is a slight redesign to make provide a better flow. It will require rework to merge back to develop. * deprecated use of display_custom_error_message() * Add custom error message for basic authentication * Fix some display issues on the settings page related to new settings. * Make it clear in the cacti.log that LOGIN messages are failed or otherwise.
TheWitness
added
resolved
|
Okay, I've made some corrections including a setting that will allow you to display a custom error message if the template account is not created. Prior to this change, you would have never been given the opportunity to present that error message to the end user. As it was in your case, you settings had the guest account enabled, and the template account disabled, which forces users to the Guest account. But pull the latest 1.2.x branch, and test again. Let me know what you find. |
Under Configuration -> Settings -> Authentication -> Special Users -> "User Template" I had "guest". Still same issue (I did a git pull & a clearing of my cookies before re-trying). I did actually define a "template_user" as follows: On the permissions tab for template_user, all 8 boxes under "Normal User" are set to on (green). Enabled: Yes (green) I'm still getting mapped to guest. Let me know if I missed something. |
|
After doing all of this, I went to back to Configuration -> Settings -> Special Users -> User Template and it's set back to "No User". I'm missing something, although I might have found out what. If my template_user is set to "Web Basic" it doesn't become an option to use as the "Template User". If I set it back to "local" it does. I set it back to "local" and was able to re-select it as the Template User. In any case, I get logged in as guest. as mentioned above. If I remove both guest & template user I still get "ERR_TOO_MANY_REDIRECTS" as noted above, however if I map just the guest user & leave template as "No User" it maps me to the guest user. The oddest thing I don't understand is the template is for "New" Web basic users, but I already have a Web Basic user defined that matches the web basic auth so I'd think this wouldn't be used... |
|
The template account needs to be a local user. The login will switch it to basic once a user clears the auth hurdle. The process copies the template account to the username of the login. That basic user becomes the place to hold the login users settings. |
|
The redirect issue is solved in 1.2.20. |
|
Ok thanks. I had manually created the users so I'm going to delete those & let the template do it & see if my issue is resolved. |
|
I switched back to local auth & deleted my user. I then setup a template user as "template_user" and added this to group sae. When I login, it does recreate my user, but I still get mapped to guest (or at least it shows that in the upper right part of the screen): I did this as local "admin" but I want to show you the auth settings otherwise....before trying to login I set the config in mysql back to web basic ('2") Auth -> Settings (shows mapped guest/template user) Template user General/Permissions: And this is what I see when I login: |
|
Okay, open the browser, then open the Debug panel on the browser, goto the Network tab, and then when you get the login prompt, look for the headers that go to the Cacti server after the basic auth is done. You should find one of the following: Let me know which variable it is and what the value is. |
For clarity, this means an account selected for those options, not whether the selected account is enabled. Any template account is automatically marked as disabled to prevent a template account from logging in. When the account is copied, the new account should be automatically enabled. The disabling of template accounts was something introduced a long time ago to prevent misuse of the template account (back in 1.1.x days I'm sure). |
I assume by debug panel, it is ctrl-shift-i in chrome (windows). After selecting network, I'm not sure where to look to find those variables. Please see screenshot.
|
|
I've taken @netniV suggestion and added disabled both the Realm and Enabled for Template accounts, and force enabled the Admin account in a separate ticket. |
|
@hendero1, you need to capture the post to auth_login.php, then when you are on the network tab, you select the auth_login.php POST, and then you can goto the General tab pull the variable off the "Request Headers". You may have to "persist" the Network logging. There should be a checkbox, normally on the right hand side of the debug panel. You need to persist in order to not loose the "auth_login.php" POST information. Make sure you open the debug panel before getting your login prompt. So, in summary
|
|
My suspicion is one of two things:
We've seen 2) before. Just need to post what you find. |
|
So I set my (cacti) user to not redirect to graphs page. This will cause the ERR_TOO_MANY_REDIRECTS. I then attempted to load https://myserver/cacti/index.php. (with myserver/company name blacked out for privacy). At that point I get redirected to Azure SSO by mod_auth_mellon. I've snagged the details (see screenshots). I'm kind of wondering if mod_mellon is borking the data somehow before it gets to cacti. I've enclosed the postResponse (first post-azure entry in the log) as well as the index.php that redirects forever. Perhaps the clue is in the melllon cookie? I don't have enough web dev background to really troubleshoot this. PostResponse: Index.php: |
|
Would it be easier to do this on the server side where I can redirect to a basic/custom PHP page that prints the variables that are passed? Example: I try to load https://myhost.server.com/cacti/printvars.php which will redirect to me sso and then back to that page... |
|
You could edit auth_login.php and do a If you want too. It's your call. If you want it to goto the cacti log, you could do: cacti_log(implode(', ', array_keys($_SERVER)));
cacti_log(implode(', ', array_values($_SERVER)));Put that in the top of the file after global.php is included. |
|
Thanks, I did that on the graph page as I never seem to hit the auth_login.php page when redirecting from Azure: The "PHP_" variables are as follows: ["PHP_SELF"]=> Note: The actual letters of my login are capitalized (in the string from Azure). There is also the @mydomain.com that is in that variable as well. If I click the "login as regular user" my cacti name appears & my perms are now correct, and the PHP_AUTH_USER is the same. Does this shed any light on what may be happening? |
|
Also: the (26) next to string is the actual length of my username. |
|
So, I'm not sure the Template User and the Guest User can be the same. Try making them different. In Cacti 1.2.x (where is is some point version I don't remember), we strip off the |
|
auth_login.php will only be used if the auth_method is not 0 and there is no user id in the session. The numbers in brackets are always the length of string or object. |
I currently have "guest" assigned to guest account and "template_user" assigned for the User Template. |
Understood & thanks for the explanation. That is what I observed in the logs as well as I didn't see |
|
The first time you login, Cacti will notice that you do not have a User Account created, and copy the template user to the Azure user name, and then create a session with that user. It strips the @ sign too. Once you have logged in once, the Cacti Basic Integration will verify the Azure user name against the user that has already been created and then use the matching User Account for subsequent logins. |
|
So, my guess is that you are possibly not using the basic service correctly. You should direct your users to auth_login.php vs. graph_view.php. Sorry I can not give much more help. It's working great, though we use a different Basic Auth provider. BTW, if you are doing Basic Auth correctly, you should get an apache login, which is simply a popup that asked for Username and Password. If you are being Redirected to the Azure corporate site, another web page, and then being tossed back to Cacti, you should use the mod_auth_openid Basic Auth Module for Apache as it works with Azure and Cacti. I set it up for a customer a few years ago, but don't remember the exact steps. It's a tricky setup though, but it does work. |
|
I tried to go to https://mysite.fqdn.com/cacti/auth_login.php and I get a 500 error in my browser. Apache logs say the following:
If I go to https://myfqdn.com/cacti/ it works same as how I opened the ticket. |
|
If I recall correctly, auth_login in 1.2.x is an include (though located in the wrong place). So it would expect that all the global stuff to have been handled already. This won't be the case if you go directly to auth_login.php. I haven't reviewed the code to verify that, but I'm pretty sure its the case from when I adjusted the login flow in 1.3.x |
|
Okay, my bad, and looking at this, it's like auth_login.php should also be located somewhere else as it's not directly callable. I think that is a challenge for another date. |
|
It has been moved in 1.3 |
I think mod_auth_mellon redirects to azure first if/whatever login/cookie/etc is not set. I login there, and then get sent back to page of my choice that I give to the azure guy (currently https://myfqdn.com/cacti/). In the logs, as shown above, myfirstname.mylastname is showing up correctly in the cacti log with "AUTH LOGIN: User 'myfirstname.mylastname' authenticated, but the actual web page showing me as guest. Currently the workaround is just to hover over "guest" on the right side of the web page and then select myfirstname.mylastname & that fixes the issue. This obviously requires guest to have some permissions (which in my case is OK), and the default login page for a user to be set to something that guest has access to, or the user can't login at all. While I'd love to have the permissions correct when I first login, I realize the Cacti team has spent a large amount of time already (by looking at the follow-ups) on this issue, and I'm very appreciative of that. If you'd like to close this due to the issue being minor in my case, I'm ok with that. However if you'd like to resolve this, I'm happy to try the other auth module, but it's going to be at least a few weeks until I can get the time to try to set this up & test. Thanks for all your responses & work on this issue! |
|
So, the accounts are created? Make sure that Azure redirects back to https://myfqdn.com/cacti/index.php that may fix it. I'm going to close otherwise as I think there has been quite a few improvements and we did correct some important issues. Unless you wish to test directly with the 1.2.x branch, we can not be of more help. After you upgrade to that version, you can choose to open a new ticket. |
|
I am going to have my Azure guy try to change the URL again, and I'm already on (and have been for this whole ticket) running on 1.2.x from git. If it's not resolved, I'll open a new ticket, thanks! |
|
Oh, sorry about the 1.2.x comment. Maybe we can do an instrumented binary after your azure guy makes the change. |
netniV
changed the title
Describe the bug
Hello, I recently setup Cacti 1.2.20 with Web Basic authentication. I've created a user with the myfirstname.mylastname in cacti.
I also setup mod_auth_mellon to tie into Azure for SSO. This works fine, and after logging in via my company portal & clicking on the cacti link (made available by our Azure person), it takes me to my server with the cacti install, and cacti recognizes (seen in the cacti.log) fistname.lastname as authenticated -- but only if my user "login options" are set to "show the default graph screen, Settings -> Authentication -> Guest User is set to "guest.", and Settings -> Authentication -> User Template is set to "guest."
Once I am logged in, if I look on the right side of the screen, I can see "Logged in as guest.". If I mouseover "guest", I can click "Log in as regular user" and then it shows me as "logged in as firstname.lastname" and I can see everything as expected.
If Settings -> Authentication -> "Guest User" or "User Template" are set to "No User", my browser hits "ERR_TOO_MANY_REDIRECTS" The chrome developer tools, under network show "302 redirect" over & over again. The cacti logs, in this case, show:
" - AUTH LOGIN: USER 'firstname.lastname' Authenticated" over & over until my browser gives up. My latest test shows this happening 18 times in a row within a second.
To Reproduce
Steps to reproduce the behavior:
Setup & install cacti on Ubuntu 20.0.4.3
Enable web basic auth.
apt-get install libapache2-mod-auth-mellon
/etc/apache2/sites-enabled/default-ssl.conf (Mellon config)
4." <Location /cacti>
Require valid-user
AuthType "Mellon"
MellonEnable "auth"
MellonDecoder "none"
MellonVariable "cookie"
MellonSecureCookie On
MellonUser "Name"
"
/etc/apache2/conf-enabled/mellon.conf
Expected behavior
Since cacti recognizes my user fistname.lastname as authenticated, I expected that I'd actually be logged in as that user, and not mapped to guest.
Screenshots
Cacti auth logs when Settings -> Authentication -> "Guest User" or "User Template" are set to "No User",
2022-01-28 14:53:13 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:13 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:13 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:13 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:13 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:13 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:13 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:13 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:13 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:13 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:43 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:43 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:43 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:43 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:43 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:43 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:43 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:43 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:43 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:43 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:43 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:43 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:43 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:43 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:43 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:43 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:43 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
2022-01-28 14:53:43 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
Cati logs (DEVL LOG TURNED ON) when I login as myself but the right side of cacti shows me "Logged in as guest"
2022-01-28 15:08:30 - AUTH LOGIN: User 'myfirstname.mylastname' Authenticated
Desktop (please complete the following information)
OS: Windows 10
Browser: Chrome
Version: 97.0.4692.99
Additional context
Note: since I'm using my companies sso, I've replaced my first name.lastname login with 'myfirstname.mylastname' for privacy reasons.
The text was updated successfully, but these errors were encountered: