Authentication / ACL seems broken #182

Closed
fjavierc opened this issue Nov 11, 2015 · 10 comments
@fjavierc

I'm trying IVRE authentication without much success and I do not know if it's something I'm doing wrong. Let me explain:

I create a new configuration file to enable some IVRE options:

vi /usr/local/etc/ivre.conf

And I add the following content:

WEB_LIMIT = 15
WEB_INIT_QUERIES = {
     "Admin": 'full'
# 'Admin', 'none',
# "Admin": 'category: MIDOMINIO.ES'
# 'Admin-scanner-a' 'source: scanner-to'
}
WEB_DEFAULT_INIT_QUERY = 'noaccess'

Well, with this configuration, when I access IVRE, I do not get results.

Looking at /usr/local/lib/python2.7/dist-packages/ivre/webutils.py, I note that it uses the variable "REMOTE_USER":

def get_user():
    """Return the connected user.

    """
    return os.getenv('REMOTE_USER')

As I do not know if IVRE authentication uses Dokuwiki, I logged in to Dokuwiki and tested access, without result. You can see that I'm "admin" on Dokuwiki.

Well... I created a PHP file with phpinfo(); to see which user is being sent, but no REMOTE_USER variable appears :-(

Next, I configured Apache with authentication so that when I access IVRE, it asks me for a username/password:

# Set up Apache to permit overrides using .htaccess
$ sed -i 's/AllowOverride None/AllowOverride All/' /etc/apache2/apache2.conf

$ cd /var/www/html

$ vi .htaccess

## Content of .htaccess :::
<Directory /var/www/html>
AuthType Digest
AuthName Wiki
AuthUserFile /etc/passwd-apache
require valid-user
</Directory>
# ::: EOF .htaccess

# Create passwd-apache (user/pass for auth)
# htdigest arguments: passwdfile realm username
$ htdigest -c /etc/passwd-apache Wiki admin

# Enable auth_digest, just in case :-)
$ a2enmod auth_digest

# Restart apache
$ apache2ctl restart

Access to IVRE:

Now, I can see that Apache/PHP recognizes "REMOTE_USER".

But... again, no results :-(

If I set "WEB_DEFAULT_INIT_QUERY = none", I can see all hosts on IVRE, as it enables the default value (none = full).

What am I doing wrong??

Ahh... thanks for reading.

@p-l-
Member

p-l- commented Nov 12, 2015

Hi,

Usernames are case sensitive. Your ivre.conf contains "Admin": 'full' (be careful by the way, you will need a comma after if you uncomment the lines below), and Apache says REMOTE_USER: admin.

Can you change your configuration to read "admin": 'full' and tell us if it works?

@fjavierc
Author

Hi !

Yes, you are correct. I see this "errata", but I see that ivre.conf contains "admin". (It was an error from using Google Translate, jejeje.)

@p-l-
Member

p-l- commented Nov 12, 2015

OK so you confirm that it is still broken?

@fjavierc
Author

Hi Pierre;

Yes, I confirm I have this in ivre.conf:

# -- 2015.11.11 - FJCN -- Enabling ACLs
## Basic ACL example
#WEB_DEFAULT_INIT_QUERY = 'noaccess'
WEB_INIT_QUERIES = {
     "admin": 'full',
#      'admin': 'none',
#     'admin-site-a': 'category:MIDOMINIO.ES',
#     "admin": 'category:MIDOMINIO.ES',
#     'admin-scanner-a': 'source:scanner-a',
}
WEB_DEFAULT_INIT_QUERY = 'noaccess'

I tested again but got the same results :-(

Sorry again for the typo and the delay in responding to you.
Thanks Pierre and

@p-l-
Member

p-l- commented Nov 12, 2015

No worries! Let's find out what happens here.

Can you upgrade to the latest version from GitHub (with #184), add a line DEBUG = True to your configuration file, then browse the main page? You should get INFO messages. Can you post their content here? Thanks.

p-l- mentioned this issue Nov 12, 2015
p-l- changed the title from "Dude about Ivre Authentication / ACL" to "Authentication / ACL seems broken" Nov 12, 2015

@fjavierc
Author

I was testing some things but got the same results :-(

Also, I updated the code with the new files from #184, but same. It looks like a problem when reading "REMOTE_USER".

This is what I get when DEBUG=TRUE

If I force 'get_user()' to 'admin' in webutils.py, it works. If I force 'get_user()' to any string, it fails:
*** 'admin' forced (you can see that I have 317 hosts) ***

*** 'any string', 0 results ***

If I use a default value for "REMOTE_USER", it also works. The code in webutils.py:

def get_user():
    """Return the connected user.

    """
    return os.getenv('REMOTE_USER', "admin")

I'm starting to think that it is a problem with the Python/Apache environment or how I configured Apache auth.

@fjavierc
Author

Solved!!! (well... I think :-) )

After too many tests, errors and headaches, I think I found my error (a stupid error). I created an env.cgi file in /usr/lib/cgi-bin whose content is:

#!/usr/bin/perl -wT
use strict;
use CGI qw(:standard);
use CGI::Carp qw(warningsToBrowser fatalsToBrowser);

print header;
print start_html("Environment");

foreach my $key (sort(keys(%ENV))) {
    print "$key = $ENV{$key}<br>\n";
}
print end_html;

And when access to http:\192.168.0.23\cgi-bin\env.cgi, I get information whithin "REMOTE_USER" so the problem was here.

On Debian 8.2, edit /etc/apache2/conf-available/serve-cgi-bin.conf:

 ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
                <Directory "/usr/lib/cgi-bin">
                        AllowOverride none
                        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                        Require all granted
                </Directory>

You can see AllowOverride none, so the .htaccess settings are not applied. You need to change this line to AllowOverride Authconfig and restart Apache.

But, importantly, you also need the .htaccess file in /usr/lib/cgi-bin/. If there is no .htaccess in this directory, REMOTE_USER = none!!

I tested with the same .htaccess file in /var/www/html and /usr/lib/cgi-bin, and it works.

It also works if we have only .htaccess on /usr/lib/cgi-bin

Besides, I have successfully tested this using basic and digest authentication :-)

Thanks Pierre!

@p-l-
Member

p-l- commented Nov 14, 2015

All right! Glad you've found that issue. So to sum up, in case someone else faces the same issue: the most important thing is to authenticate the access to the CGI file. May I close this issue?
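
The check behind that summary, as an added example that is not part of the thread or of IVRE: it reads an Apache configuration fragment and reports whether the `<Directory>` block for the CGI directory lets `.htaccess` authentication directives apply. The function names and the regex-based parsing are assumptions made for this sketch; the sample text is the Debian block quoted above.

```python
import re

# Constructed sample: the serve-cgi-bin.conf block quoted in the thread.
SERVE_CGI_BIN = '''
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
    AllowOverride none
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Require all granted
</Directory>
'''

DIRECTORY_RE = re.compile(
    r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory\s*>',
    re.IGNORECASE | re.DOTALL)


def allow_override(conf_text, directory):
    """Return the lower-cased AllowOverride values set for `directory`.

    An empty list means the block or the directive is absent."""
    for path, body in DIRECTORY_RE.findall(conf_text):
        if path.rstrip("/") != directory.rstrip("/"):
            continue
        for line in body.splitlines():
            words = line.split("#", 1)[0].split()  # drop trailing comments
            if words and words[0].lower() == "allowoverride":
                return [w.lower() for w in words[1:]]
    return []


def htaccess_auth_applies(conf_text, directory):
    """True when AuthType/AuthUserFile/Require placed in .htaccess are
    honoured, i.e. AllowOverride is All or lists AuthConfig."""
    values = allow_override(conf_text, directory)
    return "all" in values or "authconfig" in values
```

The sketch looks at one block in one file, while Apache merges sections from the whole configuration, so treat a `False` as a prompt to inspect the effective settings. In a `.htaccess` file the `Auth*` and `Require` lines stand at top level; `<Directory>` sections are only valid in the server configuration.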

p-l- added the question label Nov 14, 2015

@fjavierc
Author

Yes, you can. Thanks Pierre

je suis paris

@p-l-
Member

p-l- commented Nov 14, 2015

Thanks.
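
The three outcomes seen in this thread (case mismatch, `REMOTE_USER` missing from the CGI environment, and the temporary default in `get_user()`), as an added example that is not IVRE's code. `WEB_INIT_QUERIES`, `WEB_DEFAULT_INIT_QUERY` and `get_user` are names from the thread; the lookup in `resolve_init_query`, and the helpers `get_user_with_fallback` and `diagnose`, are assumptions made for this sketch.

```python
import os

# Values from the thread's ivre.conf.
WEB_INIT_QUERIES = {"admin": "full"}
WEB_DEFAULT_INIT_QUERY = "noaccess"


def get_user(environ=None):
    """Return REMOTE_USER as set by the web server, or None."""
    environ = os.environ if environ is None else environ
    return environ.get("REMOTE_USER")


def get_user_with_fallback(environ):
    """The debugging edit from the thread: any request without
    REMOTE_USER is treated as 'admin'. Unsafe if left in place."""
    return environ.get("REMOTE_USER", "admin")


def resolve_init_query(user, init_queries=WEB_INIT_QUERIES,
                       default=WEB_DEFAULT_INIT_QUERY):
    """Assumed lookup: exact, case-sensitive match, else the default."""
    return init_queries.get(user, default)


def diagnose(environ, init_queries=WEB_INIT_QUERIES):
    """Explain why a request falls back to the default query."""
    user = get_user(environ)
    if user is None:
        return "REMOTE_USER unset: CGI location is not authenticated"
    if user in init_queries:
        return "ok"
    near = [k for k in init_queries if k.lower() == user.lower()]
    if near:
        return "case mismatch: configured %r, server sent %r" % (near[0], user)
    return "no WEB_INIT_QUERIES entry for %r" % user
```

With the fallback variant, a request that reaches the CGI without authenticating resolves to `'full'`, so that edit belongs only in a short debugging session.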
