authentication options
Brought to you by:
trilexcom
I'm currently working to try and work around the built in authentication schemes for local and ldap. We use radius in our environment, and the user has to authenticate before they are able to reach any resources on the webserver itself.
This means that in the instance of phpip they currently have to authenticate twice, and against different systems.
Is there an 'easy' way to just pick up the php env variable server remote_user and query for their existence in phpip?
Logged In: YES
user_id=386949
Originator: NO
Hi Tremaine,
Do you use some type of proxy to authenticate users?
Thanks,
Mearls
Logged In: YES
user_id=1275591
Originator: YES
When the user initially hits the webserver, they are prompted through apache modules to authenticate, and those credentials are passed to a server running Radius. This is all done over https.
Logged In: YES
user_id=386949
Originator: NO
How do you handle this with other applications? You could create local accounts without passwords then update login.php with the following if you can get apache/proxy to submit post data.
login.php?req=validate
post values = 'username'
post value = '$realUsername'
login.php
line 28: //if(!$_POST['username'] || !$_POST['password'] ) {
replace with: if(!$_POST['username'] ) {
Remove:
line 52: AND
line 53: `password` = md5('$password')");
I have not tried this out yet but this removes passwords from the validate user section and allows only post username data to pass.
Thanks,
mearls
Logged In: YES
user_id=1275591
Originator: YES
Oddly, this is the first app where it's been an issue. Everything else being used either doesn't require authentication (other than getting onto the corporate network itself) or is a commercial app that allows us to select radius as an option.
I'll give your suggestion a shot and let you know. Thanks for the help, much appreciated!
I'm actually going to be taking a poke at expanding on your app and seeing if I can tie in switchmap somehow to correlate the data in phpip against actual production values from cisco switches. Wish me luck *grin*
Logged In: YES
user_id=1275591
Originator: YES
I'm attaching two variants of the original login.php file.
login-remoteuser.php picks up the _SERVER['REMOTE_USER'] variable from Apache and uses a blank password to take into account a user that has already authenticated externally and is passing a credential forward.
I am also attaching login-static.php which is largely self explanatory. I ultimately used this second one because it avoids having to recreate descriptions. I'm not sure if descriptions are intended to be user specific, or if they are group specific, but the CIDR desc's were missing when I logged in using login-remoteuser.php where it used my account.
To keep the audit trail however, I have updated display.php (also attached) to take advantage of the remote_user variable and modified the history table in mysql :
externaluser varchar(16) latin1_swedish_ci No
File Added: login-remoteuser.php
login an externally authenticated user
static login - no manual auth from user at login page
Logged In: YES
user_id=1275591
Originator: YES
File Added: login-static.php
modified display.php
Logged In: YES
user_id=1275591
Originator: YES
File Added: display.php
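The REMOTE_USER approach discussed in this thread, as an added example (it is not phpip's login.php and not the attached login-remoteuser.php). It takes the identity only from the variable Apache sets after its own authentication succeeds, never from POST data or client headers, and looks the account up with a bound parameter. The `users` table, its `username` column, the function names and the in-memory SQLite database are assumptions for illustration; the 16-character limit mirrors the `externaluser varchar(16)` column mentioned above.

```php
<?php
// Added example, not phpip code. Table and column names, function names and
// the SQLite stand-in database are assumptions made for this illustration.
declare(strict_types=1);

/** Return the user name Apache authenticated, or null if there is none. */
function externalUser(array $server): ?string
{
    // REMOTE_USER is set by the web server once its auth module has succeeded.
    // Do not fall back to $_POST, $_GET or HTTP_* entries: the client controls those.
    $user = $server['REMOTE_USER'] ?? '';
    if (!is_string($user) || !preg_match('/^[A-Za-z0-9._-]{1,16}$/', $user)) {
        return null;
    }
    return $user;
}

/** Look up the local account; the name is bound, never interpolated into SQL. */
function findLocalAccount(PDO $db, string $user): ?array
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY)');
$db->exec("INSERT INTO users (username) VALUES ('alice')");

// Constructed request environments, shaped like $_SERVER.
$requests = [
    ['REMOTE_USER' => 'alice'],        // authenticated by Apache, account exists
    ['REMOTE_USER' => 'bob'],          // authenticated, but no local account
    ['HTTP_REMOTE_USER' => 'alice'],   // client-sent header only, not trusted
    ['REMOTE_USER' => "alice'x"],      // malformed value, rejected before the query
];

foreach ($requests as $server) {
    $user = externalUser($server);
    $account = $user === null ? null : findLocalAccount($db, $user);
    $result = $account !== null ? 'login as ' . $account['username'] : 'denied';
    echo json_encode($server) . ' => ' . $result . PHP_EOL;
}
```

Only the first request is logged in. This relies on every path to the script passing through Apache's authentication; if the script can be reached some other way, REMOTE_USER is simply absent and the request is denied.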