git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [users@httpd] use cookie value as auth username


I'm still interested in any ideas to try to set REMOTE_USER from a
cookie value.


AuthBasicFake sounds like it would work, but when I use it authz_dbd
still complains:

   AH00027: No authentication done but request not allowed without
   authentication for /whatever/file.txt. Authentication not
   configured?

   Does that sound like a bug/deficiency in AuthBasicFake?  Ie. it appears
   it didn't 'fake' authentication enough for an authorization module to
   think that it had been configured.


   mod_auth_env looks like it would work, but isn't packaged for debian so
   doesn't work well for my needs (creating a tutorial for users to follow
   after they've installed apache & modules from debian packages).

   This patch looks like just the ticket, but isn't included upstream so
   of course the same source/packaging issue as with mod_auth_env:  
   https://github.com/jkbzh/apache2_mod_authz_dbd

If I can't find any other way I might have to just use mod_auth_env
(assuming it will work) and provide instructions for how to build and
install the .deb file, but I'd sure rather use stock modules.

Thanks!
Jesse


On Tue, 2018-09-25 at 14:54 -0600, Jesse Norell wrote:
> Hello,
> 
>   I'm trying to use an authz_dbd query to authorize based on the
> value
> of a cookie (ie. if PHPSESSID cookie is set, a db query can test if
> it
> should be authorized).  It seems the only parameter AUTHzDBDQuery
> will
> supply to the sql query is the username in place of %s; this could
> work
> if I could set what REMOTE_USER should be prior to the query running,
> but I haven't found a way to do so.  Eg. here the username for the
> query is from the auth provider (anon), the SetEnv doesn't the query:
> 
> <Directory "/whatever/">
>   AuthName "Name"
>   AuthType Basic
>   AuthBasicProvider anon
> 
>   Anonymous_NoUserID on
>   Anonymous_MustGiveEmail off
>   Anonymous anonymous "*"
> 
>   SetEnvIf Cookie "PHPSESSID=([^ ]+)" REMOTE_USER=$1
> 
>   Require dbd-group foo
> 
>   # this will work, for any username entered in the browser:
>   #AuthzDBDQuery "SELECT 'foo' FROM sys_session"
> 
>   # this does not work to obtain %s from PHPSESSID:
>   AuthzDBDQuery "SELECT 'foo' FROM sys_session WHERE session_id = %s"
> 
> </Directory>
> 
>   I'm pretty sure I must convince apache to set a new REMOTE_USER (or
> httpd_username?) internal variable, not an environment variable, but
> I
> don't see how.  If I don't specify any AuthType, or set it to None,
> the
> AuthzDBDQuery never runs and the error.log says it requires
> authentication but authentication is not set up.  Any ideas are
> appreciated - thanks!
> 
>   I'm running 2.4.25-3+deb9u5 from debian stretch.
> 
> Thanks,
> Jesse Norell 
> 
-- 
Jesse Norell
Kentec Communications, Inc.
970-522-8107  -  www.kci.net


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx