AdamLantos / redmine_http_auth

HTTP Authentication plugin for redmine
MIT License

Auto Registration with Lazy Authentication #10

Open mcbulba opened 12 years ago

mcbulba commented 12 years ago

Hi

First of all: thanks for this plugin.

But I have an issue with lazy authentication and auto registration. I want the redmine site be available without bothering "external" people (that can not authenticate via HTTP-auth). On the other hand, people who can do HTTP authentication should be asked for their credentials using mod_auth_basic when visiting /httpauth-login.

So I set up two location directives in apache2:

<Location />
  # No auth needed
</Location>
<Location /httpauth-*>
  # Basic authentication needed
</Location>

By doing so I can activate lazy authentication and after being redirected from /httpauth-login to /login people are still logged into redmine.

However, if someone does not have a redmine account yet, he will not be logged in but sent to /httpauth-selfregister which is still OK due to the wildcard in my Location directive. REMOTE_USER is still set at this point. But after clicking on "Submit" he will find himself on / with an error saying "Username is not provided".

Did I do something too complicated and is there another way to achieve the wanted behavior with apache and mod_auth_basic? Otherwise I would suggest to not redirect to / until the session really started and lazy authentication can be applied. Either by starting the session right after creating the new account and then redirecting to home_url like it is done now, or by inserting a redirect to httpauth-login after creating the account.

The latter way would as far as I understood things retry to login using HTTP authentication (REMOTE_USER is still set) and succeed because now the account exists.

AdamLantos commented 12 years ago

Hi,

yes, the registration form would submit the user back to the main page, where the remote_user is lost. You somehow need to trick apache to provide REMOTE_USER when the browser provides the username/password, but do not explicitly require them when browsing outside /httpauth-. If I remember well from my good old apache days, you can use the combination of Satisfy statements to achieve this behavior:

<Location />
  Order allow,deny
  Allow from all
  AuthType basic
  ...
  Satisfy Any
</Location>
<Location /httpauth-*>
  Satisfy All
</Location>
mcbulba commented 12 years ago

Hi,

thanks for your reply. You are right, basically apache can be tricked to provide REMOTE_USER at the right moment. Like this:

<Location />
    Order allow,deny
    Allow from all
    AuthType basic
    AuthName "MyRealm"
    AuthUserFile /tmp/foo
    Require valid-user

    Satisfy any
</Location>
<Location /httpauth-*>
    Satisfy all
</Location>

Then it works. But in my case I want to use another module to look up and authenticate users, like pam. That means, as there is no users file, that I also must use AuthBasicAuthoritative:

<Location />
    Order allow,deny
    Allow from all

    AuthType basic
    AuthName "MyRealm"
    AuthBasicAuthoritative off

    AuthPAM_Enabled on
    AuthPAM_FallThrough off
    Require valid-user

    Satisfy any
</Location>
<Location /httpauth-*>
    Satisfy all
</Location>

And that again seems to break things. As we are now in the world of apache modules I will have a look into this a bit more. Maybe there is another way to use PAM.

But apart from that I tried to redirect users after self-registering to httpauth-login replacing redirect_to home_url in app/controllers/registration_controller.rb:18 to redirect_to '/httpauth-login' and also to 'https://foobar.org/httpauth-login'. But it has no effect. That surely is because I am absolutely not familiar with ruby on rails. Would it be possible to give that strategy a try, or am I totally wrong with this idea?

AdamLantos commented 12 years ago

Hi,

this is getting really complex now. Also the current httpauth module logs out the user if the REMOTE_USER disappears from the environment. The reasoning behind that is that many single sign-on solutions use the REMOTE_USER to communicate the logged on user, and albeit it's not easy to "log out" from standard http authentication, it's relatively common to implement logout behavior in corporate sso environments.

Regarding the registration_controller change, it seems fine, but restarting apache might be necessary, based on the current rails environment you're using. But still I would strongly discourage to modify core redmine classes.

I can't comment on the PAM scenario, because I'm not that familiar with the inner workings of apache.

Adam

giner commented 12 years ago

Hello mcbulba,

Could you help please? Could you describe your environment, what you use? I'd like to know because lazy authentication doesn't work for me with the following configuration:

<Location />
    AuthType basic
    AuthName "MyRealm"
    AuthUserFile /tmp/foo
    Require valid-user
    Satisfy any
</Location>
<Location /httpauth-*>
    Satisfy all
</Location>

Regards, Stanislav