Thruk cookie authentication

[aesnau...@gmail.com]

Hi,

I want to use the Thruk cookie authentication with the version 1.70-2 of thruk. I applied the apache configuration below but at the end I'm always logged in Thruk with the default user "thrukadmin", whatever the login that I take. Can you help me?

Here, my apache configuration :

<VirtualHost *:80>
    DocumentRoot /usr/share/thruk/root
    CustomLog    /var/log/httpd/thruk_access.log combined
    ErrorLog     /var/log/httpd/thruk_error.log

    <Directory /usr/share/thruk/root>
        Options FollowSymLinks
        AllowOverride All
        order allow,deny
        allow from all
    </Directory>

    Alias /thruk/documentation.html /usr/share/thruk/root/thruk/documentation.html
    Alias /thruk/startup.html /usr/share/thruk/root/thruk/startup.html
    AliasMatch ^/thruk/(.*\.cgi|.*\.html)  /usr/share/thruk/fcgid_env.sh/thruk/$1
    AliasMatch ^/thruk/plugins/(.*?)/(.*)$  /etc/thruk/plugins/plugins-enabled/$1/root/$2
    Alias /thruk/themes/  /etc/thruk/themes/themes-enabled/
    Alias /thruk /usr/share/thruk/root/thruk

    <LocationMatch /thruk>
        Options ExecCGI
         AuthName "Thruk Demo" 
         AuthType Basic
         AuthUserFile /etc/thruk/htpasswd
         order allow,deny
         allow from all
         require valid-user
     </LocationMatch>

     RewriteMap  users prg:/usr/share/thruk/script/thruk_auth

     # make all cookies accessible by the url
     RewriteCond %{REQUEST_URI}           !^/thruk/cgi-bin/restricted.cgi
     RewriteCond %{HTTP_COOKIE}           (thruk_auth=[^;]+|$)  [NC]
     RewriteRule ^/(.*)$                  /%1/%{REMOTE_ADDR}/____/$1 [C,NS]
     RewriteRule ^(.*)$                   ${users:$1|/loginbad/}  [C,NS]
     RewriteRule ^/pass/(.*)$             /$1 [NS,E=!REMOTE_USER]
     RewriteRule ^/redirect/(.*)$         /$1 [NS,R=302]
     RewriteRule ^/loginok/([^/]+)/(.*)$  /$2 [NS,E=REMOTE_USER:$1]

     <LocationMatch ^/(?!thruk/cgi-bin/restricted.cgi)>
         Order allow,deny
         Allow from all
         Satisfy any
     </LocationMatch> 

    <IfModule mod_fcgid.c>
     # AddHandler fcgid-script .pl
      AddHandler fcgid-script .sh
      MaxRequestsPerProcess 100
    </IfModule>
</VirtualHost>

Arnaud

[Sven Nierlein]

On 27.05.2013 14:48, aesnau...@gmail.com wrote:
> I want to use the Thruk cookie authentication with the version 1.70-2 of thruk. I applied the apache configuration below but at the end I'm always logged in Thruk with the default user "thrukadmin", whatever the login that I take. Can you help me?

Do you have a default user set in your cgi.cfg maybe?

Sven

[aesnau...@gmail.com]

Hi Sven,

Yes I have a default user set in my cgi.cfg :

default_user_name=thrukadmin
use_authentication=1

Arnaud

[Sven Nierlein]

Then just remove that, it overwrites the apache user.

On 5/27/13 15:56, aesnau...@gmail.com wrote:
> Hi Sven,
>
> Yes I have a default user set in my cgi.cfg :
>
> default_user_name=thrukadmin
> use_authentication=1
>
> Arnaud
>
> Le lundi 27 mai 2013 15:50:53 UTC+2, Sven Nierlein a écrit :
>

> On 27.05.2013 14:48, aesnau...@gmail.com <javascript:> wrote:
> > I want to use the Thruk cookie authentication with the version 1.70-2 of thruk. I applied the apache configuration below but at the end I'm always logged in Thruk with the default user "thrukadmin", whatever the login that I take. Can you help me?
>
> Do you have a default user set in your cgi.cfg maybe?
>
> Sven
>

> --
> You received this message because you are subscribed to the Google Groups "Thruk" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to thruk+un...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>

[aesnau...@gmail.com]

Hi Sven,

I remove the parameters default_user_name and use_authentication in my cgi.cfg. Then I restarted my apache. But after the login page, I have the message "You are not authorized."

I make the same test with "use_authentication=0" with the same result.

Arnaud

[Sven Nierlein]

Only remove the default user, keep use_authentication=1

> > To unsubscribe from this group and stop receiving emails from it, send an email to thruk+un...@googlegroups.com <javascript:>.
> > For more options, visit https://groups.google.com/groups/opt_out <https://groups.google.com/groups/opt_out>.

[aesnau...@gmail.com]

Hi Sven,

I keep use_authentication=1 and I remove the default user. I always the message "You are not authorized." after the login page.

Arnaud

[PvPer]

Hello,

I am also interested by the resolution of this issue.
Any further idea ?

[Sven Nierlein]

On 5/28/13 9:34, PvPer wrote:
> I am also interested by the resolution of this issue.
> Any further idea ?

I will try to find some time to write documentation on how to get this working
in non-omd setups.

Sven

[aesnau...@gmail.com]

Hi Sven,

Have you find some time to write documentation on how to configure cookie authentication in non-omd setups ?

Aranud

[PvPer]

Hello there,

I definately need this solution too, the logging without cookie authentification is a pain in the ass for our users :-)

Regards.

[Sven Nierlein]

Still had no time, but its quite easy and just a few lines of apache rewrite magic:

This is taken from demo.thruk.org where it works without OMD:

RewriteMap users prg:/home/thruk/Thruk/script/thruk_auth

RewriteCond %{REQUEST_URI} !^/thruk/cgi-bin/restricted.cgi
RewriteCond %{HTTP_COOKIE} (thruk_auth=[^;]+|$) [NC]
RewriteRule ^/(.*)$ /%1/%{REMOTE_ADDR}/____/$1 [C,NS]
RewriteRule ^(.*)$ ${users:$1|/loginbad/} [C,NS]
RewriteRule ^/pass/(.*)$ /$1 [NS,E=!REMOTE_USER]
RewriteRule ^/redirect/(.*)$ /$1 [NS,R=302]
RewriteRule ^/loginok/([^/]+)/(.*)$ /$2 [NS,E=REMOTE_USER:$1]
<LocationMatch ^/(?!thruk/cgi-bin/restricted.cgi)>
Order allow,deny
Allow from all
Satisfy any
</LocationMatch>

Maybe this helps already.
Sven

On 08.10.2013 13:59, PvPer wrote:
> Hello there,
>
> I definately need this solution too, the logging without cookie authentification is a pain in the ass for our users :-)
>
> Regards.
>

> Le jeudi 26 septembre 2013 15:33:19 UTC+2, aesnau...@gmail.com a �crit :

>
> Hi Sven,
>
> Have you find some time to write documentation on how to configure cookie authentication in non-omd setups ?
>
> Aranud
>

> Le mardi 28 mai 2013 10:40:16 UTC+2, Sven Nierlein a �crit :

>
> On 5/28/13 9:34, PvPer wrote:
> > I am also interested by the resolution of this issue.
> > Any further idea ?
>
> I will try to find some time to write documentation on how to get this working
> in non-omd setups.
>
> Sven
>

[PvPer]

Thanks for your reply.

We try this out.

Regards.

Le mardi 8 octobre 2013 14:06:30 UTC+2, Sven Nierlein a écrit :

Still had no time, but its quite easy and just a few lines of apache rewrite magic:

This is taken from demo.thruk.org where it works without OMD:

     RewriteMap  users prg:/home/thruk/Thruk/script/thruk_auth
     RewriteCond %{REQUEST_URI} !^/thruk/cgi-bin/restricted.cgi
     RewriteCond %{HTTP_COOKIE}           (thruk_auth=[^;]+|$) [NC]
     RewriteRule ^/(.*)$ /%1/%{REMOTE_ADDR}/____/$1 [C,NS]
     RewriteRule ^(.*)$                   ${users:$1|/loginbad/} [C,NS]
     RewriteRule ^/pass/(.*)$             /$1 [NS,E=!REMOTE_USER]
     RewriteRule ^/redirect/(.*)$         /$1 [NS,R=302]
     RewriteRule ^/loginok/([^/]+)/(.*)$  /$2 [NS,E=REMOTE_USER:$1]
     <LocationMatch ^/(?!thruk/cgi-bin/restricted.cgi)>
         Order allow,deny
         Allow from all
         Satisfy any
     </LocationMatch>

Maybe this helps already.
  Sven


On 08.10.2013 13:59, PvPer wrote:
> Hello there,
>
> I definately need this solution too, the logging without cookie authentification is a pain in the ass for our users :-)
>
> Regards.
>

> Le jeudi 26 septembre 2013 15:33:19 UTC+2, aesnau...@gmail.com a �crit :

>
>     Hi Sven,
>
>     Have you find some time to write documentation on how to configure cookie authentication in non-omd setups ?
>
>     Aranud
>

>     Le mardi 28 mai 2013 10:40:16 UTC+2, Sven Nierlein a �crit :