
Active Basic Authentication prevents login in owncloud #107

Closed
RandolfCarter opened this issue Oct 26, 2012 · 14 comments
Labels
bug

Comments


@RandolfCarter RandolfCarter commented Oct 26, 2012

If, in the server (apache in my case) configuration, basic authentication is enabled, then owncloud login doesn't work as expected: when given the right basic authentication username/password and entering the correct owncloud username/password, one is still not logged in but is redirected back to the login page.

I don't think this has anything to do with my server configuration, since with several other web apps the combination of basic authentication and the app's own login mechanism works without problems. Does owncloud somehow specially check for existing basic authentication? If so, to what end, and shouldn't that be disabled by default?


@RandolfCarter RandolfCarter commented Nov 14, 2012

In my opinion the install documentation needs to mention that Basic Authentication must not be configured in the server configuration!

For me at least it was not obvious from the start that owncloud uses basic auth somehow, but gets thrown off track by configuring a separate one via server settings...


@tanghus tanghus commented Nov 14, 2012

> Does owncloud somehow specially check for existing basic authentication?

ownCloud uses Basic Auth both for *DAV authentication and to allow for example scripted access. I also think it's used by LDAP somehow?

> In my opinion the install documentation needs to mention that Basic Authentication must not be configured in the server configuration!

Good point.


@blizzz blizzz commented Nov 14, 2012

The LDAP backend (as any other user backend) just gets the credentials from however the authentication takes place; they are not bound to any form.


@RandolfCarter RandolfCarter commented Jan 21, 2013

In any case, with the current way it's implemented, a basic auth configuration in e.g. apache will prevent any login to ownCloud. Is there anything one can do to make a double login possible (i.e. one login via basic auth as configured in the apache configuration, and one via ownCloud's authentication mechanism)?

Or is the only way to disable any "AuthType" directives on the ownCloud directory? In that case I'll add a big warning sign to the installation document....


@BernhardPosselt BernhardPosselt commented Feb 28, 2013

Can you create an update for the documentation where this is mentioned?


@karlitschek karlitschek commented Feb 28, 2013

As Thomas said, ownCloud is using Basic Auth for WebDAV, CalDAV and CardDAV. A client can only send one set of login/password with an HTTP request. So you can't authenticate against Apache and ownCloud at the same time if the accounts are different. So this is not fixable.


@cedric-dufour cedric-dufour commented Mar 12, 2013

Would Apache/HTTP authentication work if credentials are identical (e.g. taken from the same LDAP backend)? Do all clients support HTTP credentials?
(I'm currently evaluating OwnCloud which looks absolutely great; however, our policy is to always have the HTTP layer of authentication to prevent vulnerability scans of the application code from unknown sources)


@tanghus tanghus commented Mar 12, 2013

The realm would also have to be the same i.e. ownCloud. I doubt that it will work though, but you are free to try ;)


@IBBoard IBBoard commented Mar 16, 2013

I've just tried using Apache HTTP auth and it seems to work fine. ownCloud is in my root dir for the domain and I've got:

<Location />
    AuthType Basic
    AuthName "ownCloud"
    AuthUserFile /path/to/owncloud.htpasswd
    Require valid-user
</Location>

The only limitation will be that you can't manage users from within ownCloud at the moment, but as I'm just using the system for myself then that is fine (and is probably okay for some other people as well).


@tanghus tanghus commented Mar 16, 2013

It's been a long time since I messed with web server setup, but I seem to remember it was possible to use custom auth backends?


@IBBoard IBBoard commented Mar 16, 2013

You can change the Apache auth backend (the "AuthType"), but based on what I'd read I assumed it only worked with "Basic"; it does appear to work with "Digest" as well:

<Location />
    AuthType Digest
    AuthName "ownCloud"
    AuthDigestDomain /
    AuthUserFile /path/to/owncloud.htdigest
    Require valid-user
</Location>

and then create users with the htdigest command.

It'd be good if ownCloud could manage it as well (Trac can be configured to control user accounts in .htdigest files) but unless I'm missing something then I've not seen anything so far.

[Edit] Although not everything supports Digest. I tested with Chrome accessing the web side and it was fine, but 20 minutes later Thunderbird refreshed itself and Lightning or the SOGo connector prompted me for login details and wouldn't accept them until I changed the web server back to Basic auth (over SSL).


@tanghus tanghus commented Mar 16, 2013

I was more thinking about using auth_mysql and authenticate against the ownCloud db - but no idea if it would work, just a thought ;)


@renne renne commented May 28, 2013

In OC 5.0.6 I've found a workaround.

We have system-wide HTTPS basic authentication via Apache/PWAuth:

<Directory /var/www/>
    AuthType Basic
    AuthName Private
    AuthBasicProvider external
    AuthExternal pwauth
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
    require valid-user
</Directory>

AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe

If username and password in the OC database match username and password of a system user, he's logged in automagically. But if the password in the OC database doesn't match the basic-authenticated password, the login form is shown with the "Lost Password?" message.

Obviously OC checks $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], but instead of just using $_SERVER['PHP_AUTH_USER'] it tries to login internally with $_SERVER['PHP_AUTH_PW'].

As I haven't found the corresponding OC code yet, I tried to write a new authentication class (http://forum.owncloud.org/viewtopic.php?f=23&t=11472&p=29743&hilit=renne#p29743), but it failed to do anything. :(

As a workaround I installed the User_Unix app, which uses PWAuth too, to make sure OC uses the same passwords as Apache. It's dirty, but it works - for now.

It would be great if OC didn't check the password when a user is already authenticated via HTTP(S).
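As an added illustration of the behaviour described in this comment and in karlitschek's comment above (this is a constructed model, not ownCloud's or Apache's code): one `Authorization: Basic` header is validated first by the web server and then re-checked by the application against its own user store, so the login outcome depends only on whether that single user/password pair exists in both stores. The salted-hash stores and the alice/bob credentials are constructed sample data.

```python
import base64
import hashlib
import hmac
import os

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_store(creds: dict) -> dict:
    """Build a {user: (salt, hash)} store from constructed sample credentials."""
    store = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        store[user] = (salt, _pbkdf2(pw, salt))
    return store

def check(store: dict, user: str, password: str) -> bool:
    """Constant-time password check; hashes even for unknown users."""
    salt, digest = store.get(user, (b"\x00" * 16, b"\x00" * 32))
    ok = hmac.compare_digest(digest, _pbkdf2(password, salt))
    return ok and user in store

def basic_header(user: str, password: str) -> str:
    """Encode credentials the way a browser does for 'Authorization: Basic'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header: str):
    """Decode 'Basic base64(user:pass)' into (user, pass); None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, sep, pw = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return None
    return (user, pw) if sep else None

def request(apache_store: dict, oc_store: dict, authorization: str) -> str:
    """Model of the thread's report: Apache validates the header first; ownCloud
    then retries the same PHP_AUTH_USER/PHP_AUTH_PW pair against its own user
    database, so whatever is typed into the login form never matters."""
    creds = parse_basic(authorization)
    if creds is None or not check(apache_store, *creds):
        return "401 apache"        # request never reaches the application
    if check(oc_store, *creds):
        return "200 logged in"     # same user/password in both stores
    return "302 login form"        # header password != ownCloud password: bounced to login
```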


@tamaskan tamaskan commented Jul 18, 2013

The code you are looking for should be in ./lib/base.php
