Is it possible to use HTTP Basic Auth instead of Cacti login

[nick]

I have to implement cacti in a directory tree that is already protected by HTTP Basic Authentication under Apache. I don't want my users to have to log in twice, so I'd like to have cacti accept the auth credentials passed to it by Apache.

Is this possible?

[raX]

You can disable cacti's builtin authentication, and use HTTP authentication instead. You cannot however currently have cacti interface with HTTP security.

-Ian

[robsweet]

It would be pretty easy to make Cacti use the username from HTTP Basic Auth and have it pull the user info permissions just like if the user had logged in through the Cacti interface. Just a matter of checking to see if credentials are already being passed. If they are, you look up the user and carry on. If the user doesn't exist in Cacti, you check for guest access and presuming it's turned on, you set them up as a guest.

Ian - thoughts?

Rob.

[Fred]

[tirvin]

Hi:

[mwoliver]

Same here... want to integrate the existing Nagios http auth into Cacti to avoid the whole multiple-login process, as well as the out-of-sync password garbage.

Anyone with any tips on making this happen? I would be soooo nice....

[mwoliver]

well, I am not sure if this is right, but this worked for me... so far...

[flashbac]

Hello,

I'm a newbie to php, and i have a dumb question, how do i use/apply the file posted above?

Thanks

[mwoliver]

Here is a very short answer that skips a lot of details. The file is a "unified diff", and in those files, any lines that are preceeded with a single "+" are additions, and lines that are preceeded with a single "-" are deletions. Typically, there are three lines of context provided before and after the affected lines of code. Additionally, the lines that begin with "@@" tell you which line to start making changes.

So, what this diff tells you to do is go to line 35 (32 + 3 lines of context), and add the two lines that are preceeded with a single "+" (but not the "+" itself!).

If you are using a flavor of *nix (hopefully FreeBSD ), then you can use the `patch` utility to apply this patch to the auth.php file.

HOLY CRAP! I just noticed that there are two 'auth.php' files in the unpacked code! This diff is supposed to be against ./include/auth.php, NOT ./lib/auth.php

[muckl]

[rony]

Ok, well this has been bugging me for a while, so yesterday I wrote it into cacti. Normally I would supply a patch, but instead this time I have supplyed the whole files. Mostly because there is one addtional file.

Attached you will find a archive with 4 files in it:

./include/config_settings.php
./auth_login.php
./logout.php
./images/auth_logout.php

These files should be extracted into the cacti directory. Always remember to BACKUP YOU CURRENT CACTI, because you will be replacing these files.

These files are for Cacti version 0.8.5a. It has not been tested on earlier versions.

Note: Make sure you have added the users, with proper permissions, in cacti. The usernames must match and are case sensitive.
Note: Once Web Basic Auth is turned on, you will have to close your browsers, or goto http://server/cacti/logout.php to clear you current session. Then try loggin in.
Note: If the user does not exist and attempts to use graph_view.php, they will be considered a guest, and have right as such. Otherwise, they will not have console access to cacti.
Note: This is untested with LDAP, and turning both on may have interesting side effects.



Almost forgot....
Note: If you lock yourself out, run the following query on the cacti database. It will return cacti to internal authencation.
update settings set value = '' where name = 'web_basic_auth';

[monachus]

To get the auth.php diff working (the first one, not the second one), you need to leave Cacti's authentication turned on. The change to auth.php sets the user's session up based upon the username used in the Basic authentication, thereby bypassing some PHP code that would have sent the user to the login page.

What's missing is a piece of code that recognizes where the user _is_ supposed to be directed after logging in. If your users don't have permissions for the Console realm, they will see a big fat ACCESS DENIED after logging in. The only way around this is if they went to graph_view.php directly.

My users should be able to go to /cacti and end up where they need to be.

The attached diff provides some additional logic to make that happen.

Enjoy.


To use this, do the following:

* Save this patch to /var/tmp.
* copy ./include/auth.php to /var/tmp.
* Change to /var/tmp and run
<pre>patch < auth.php.patch.txt</pre>
* Once that is complete (no errors), you will have auth.php.orig (the original file) and auth.php (the patched file).
* Copy auth.php back into your cacti distribution's include directory

[rony]

When I originally wrote that patch, I didn't think about that, and at the time, I wasn't a developer either. Lame excuse, I know.

Version 0.8.7 alpha does include Web Basic auth and highly configurable LDAP support.

But it is alpha and changes daily. So I don't recommend using it unless you like pain.

[monachus]

[romp]

Is there a chance that this becomes maybe integrated in the "official" cacti source.
IMHO, additional alternative Auth would be great, especial if you use/support the combination
-> htaccess
-> LDAP
with the acl's from cacti.

regards
Christian