ZoneMinder / zmNinja

High performance, cross platform ionic app for Home/Commercial Security Surveillance using ZoneMinder
http://zmninja.zoneminder.com

HTTP Basic authentication #120

Closed sgarringer closed 8 years ago

sgarringer commented 8 years ago

I am running zoneminder through an HTTPS proxy with a cert which is trusted by my device.

Each time I start zmNinja it prompts me to authenticate. I provide the http basic username and password and the application functions normally.

There appears to be an option to configure this in the settings but this does not appear to be used to authenticate at all? Otherwise why would it ask me to authenticate each time I start the app.

I have a special hardened username and password I use for apps such as this, so there is no risk to me saving the password in the config where it could be compromised.

Can you add a function to allow the username and password to be really stored in the app?

pliablepixels commented 8 years ago

@sgarringer - I think this is a problem with Chrome - my app uses Chrome's web view. It seems Chrome does not send user:password in the URL (which basic auth uses) https://code.google.com/p/chromium/issues/detail?id=123150 which is why you have to do it each time as a challenge. zmNinja does save it -- but Chrome takes it out.

sgarringer commented 8 years ago

It looks like that bug was fixed last year though in Chrome, when I try accessing my zm URL https://user:pass@some.host.com/zm_mobile on Chrome app (Nexus 5 running 6.0.1) it authenticates me correctly (does not prompt for anything) and apache logs show the authenticated session:

2001:470:XXXX:X:9934:4046:f36:5f47 - XXXXXX [23/Dec/2015:09:21:53 -0600] "GET /zm_mobile/graphics/favicon.ico HTTP/1.1" 200 719 "https://XXXXXXX/zm_mobile/" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5 Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36"

(Edit removed PII)

pliablepixels commented 8 years ago

Are you using the iOS client or the Android one? For Android I use crosswalk's version of Chrome - not sure if their version resolves this. I faced the same problem when I enabled http auth - and I don't quite know how to fix it - I'll investigate

sgarringer commented 8 years ago

I am using the Android version. For now I have set up a hidden URL where there is no authentication and restricted the user agent to that specifically sent by your app "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5 Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Crosswalk/14.43.343.25 Mobile Safari/537.36" but I hope you can make some progress on this because it's a biggie. The other mobile apps that support ZM (IP Cam Viewer) on Android don't have this same issue...

pliablepixels commented 8 years ago

Could you do me a favor and try a desktop version? You can download a version from here: https://github.com/pliablepixels/zmNinja/releases and please let me know how HTTP basic auth behaves there.

sgarringer commented 8 years ago

I can't get the desktop version to work at all, it will never authenticate. The apache logs show it's never trying either, apache is sending a 401 but the app isn't retrying with authentication:

    2001:470:XXXX:8::ffff:fffe - - [23/Dec/2015:11:15:01 -0600] "GET /zm HTTP/1.1" 401 3856 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) zmNinjaDesktop/0.1.0 Chrome/45.0.2454.85 Electron/0.34.2 Safari/537.36"
    2001:470:XXXX:8::ffff:fffe - - [23/Dec/2015:11:15:01 -0600] "POST /zm/index.php HTTP/1.1" 401 3856 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) zmNinjaDesktop/0.1.0 Chrome/45.0.2454.85 Electron/0.34.2 Safari/537.36"

pliablepixels commented 8 years ago

okay, let me set up basic auth with an instance here and give it a go - I'll keep you updated

sgarringer commented 8 years ago

In case it's helpful for you, I have my instance behind apache through mod_proxy, here's my vhost config stanza that applies:

    <Location /zm >
            Order allow,deny
            Allow from 10.0.0.0/8
            Allow from 2001:470:XXXX::1/48
            ProxyPass http://security/zm
            ProxyPassReverse http://security/zm
            AuthType Basic
            AuthBasicProvider ldap
            AuthzLDAPAuthoritative on
            AuthName "XXXX"
            AuthLDAPURL "ldap://10.0.8.95/OU=Users,OU=Home,DC=XXXX,DC=XXXX,DC=net?sAMAccountName?sub?(objectClass=*)"
            AuthLDAPBindDN "svc_unixldap@XXXXX.XXXX.net"
            AuthLDAPBindPassword XXXXXXXX
            Require ldap-group CN=WebDavUsers,OU=Groups,OU=Home,DC=XXXX,DC=XXXX,DC=net
            Satisfy any
    </Location>

pliablepixels commented 8 years ago
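
As an added illustration (not code from zmNinja or from either commenter), here is a minimal Python model of what a client has to do with a user:pass@host URL behind a proxy like the stanza above: strip the userinfo before sending, and when the proxy answers 401 with a Basic challenge, retry once with an Authorization header instead of giving up as the desktop logs show. The fake_apache function is a constructed stand-in for the proxy, and the credentials x/secret are made up.

```python
import base64
from urllib.parse import urlsplit, urlunsplit


def split_userinfo(url):
    """Return (url_without_userinfo, username, password).

    A webview that drops the userinfo is effectively doing this step
    and then forgetting the credentials; the client must keep them.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return url, None, None
    # keep host:port exactly as written (including IPv6 brackets)
    hostport = parts.netloc.rsplit("@", 1)[-1]
    clean = urlunsplit((parts.scheme, hostport, parts.path, parts.query, parts.fragment))
    return clean, parts.username, parts.password or ""


def basic_auth_header(username, password):
    """Build the RFC 7617 Authorization header for Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def fetch_with_basic_auth(url, send):
    """Challenge/response flow: send(clean_url, headers) -> (status, headers, body).

    Returns (status, body). Credentials are only sent after a 401 whose
    WWW-Authenticate challenge is Basic, never blindly on the first request.
    """
    clean, user, pw = split_userinfo(url)
    status, hdrs, body = send(clean, {})
    if status == 401 and user is not None:
        challenge = hdrs.get("WWW-Authenticate", "")
        if challenge.lower().startswith("basic"):
            status, hdrs, body = send(clean, basic_auth_header(user, pw))
    return status, body


# Constructed fake proxy mirroring the AuthName "XXXX" realm above; x/secret are made up.
def fake_apache(url, headers):
    expected = basic_auth_header("x", "secret")["Authorization"]
    if headers.get("Authorization") == expected:
        return 200, {}, "ZoneMinder console"
    return 401, {"WWW-Authenticate": 'Basic realm="XXXX"'}, "Unauthorized"


if __name__ == "__main__":
    print(fetch_with_basic_auth("https://x:secret@zm.example/zm", fake_apache))
```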

@sgarringer I got the desktop version to work with http basic auth. Please do the following -- in the desktop settings page, make sure you enable auth - even if you are not using ZM auth and put a dummy login password (x/x) like so - let me know, and in the API and ZM url put in your basic auth credentials like before

screenshot: http://imgur.com/uewU8Zx

I'll see if I can fix the mobile version over the next few days

sgarringer commented 8 years ago

Confirmed, that does work.

sgarringer commented 8 years ago

Actually I added the u:p@host on the mobile version and it seems to work there too. Will continue to use this and see

pliablepixels commented 8 years ago

oh, it did? I thought you were already adding it and it did not work?

sgarringer commented 8 years ago

No, if the documentation says to define that somewhere I totally missed it. I assumed the authentication options in the app were setting the basic auth parameters.

pliablepixels commented 8 years ago

ah, okay. I'll clarify in the help somewhere - the auth parameters in the app are ZM auth parameters not http basic auth - glad it worked out for you at the end

sgarringer commented 8 years ago

Yeah, you really want to point that out clearly. From all the ZM research I have done online almost everyone uses http basic auth to protect zoneminder, and few if any people use the actual ZM auth and account system.

pliablepixels commented 8 years ago

actually it's just the opposite. No one I know of does http basic auth. I'll clarify anyway

sgarringer commented 8 years ago

Uh... ok. Search google for zoneminder ldap authentication, I see hundreds of threads about setting it up with Apache and basic auth, but none about using the zoneminder account system.

pliablepixels commented 8 years ago

You don't see threads of ZM's auth because there is not much to ask. It works as advertised. You see threads for Apache/LDAP with ZM because it's not automatically provided. You are correct, however, that folks who use LDAP with ZM do use basic auth. Most people who hang around in the ZM community that I know either don't expose ZM to the internet at all and don't use auth (via VPN only) or use ZM's own auth.