is a web application for booking meeting rooms or other resources (using PHP and MySQL/pgsql).
| AUTHENTICATION (mrbs-1.9.4) | : | AUTHENTICATION (mrbs-1.10.0) |
|---|
| | |
| skipping to change at line 203 | | skipping to change at line 203 |
|---|
| | |Must be used together | |
| | | | |Must be used together | |
| |
| | |with the 'remote_user' | |
| | | | |with the 'remote_user' | |
| |
| | |session scheme. | |
| | | | |session scheme. | |
| |
| +---------+------------------------+-------------------+------------------------
+ | | +---------+------------------------+-------------------+------------------------
+ |
| | |
| External authentication programs | | External authentication programs |
| -------------------------------- | | -------------------------------- |
| +------------------+------------------+-----------------+-------------------+ | | +------------------+------------------+-----------------+-------------------+ |
| |Program |Description |Pros |Cons | | | |Program |Description |Pros |Cons | |
| +------------------+------------------+-----------------+-------------------+ | | +------------------+------------------+-----------------+-------------------+ |
|
| |badpw.pl |Perl script with | | | | | |crypt_passwd.pl |Perl script which | - Easy to setup | - Relies upon a | |
| | | |reads a 'shadow' | | special users | |
| | | |style file with | | file. | |
| | |usernames and | | | | | | |usernames and | | | |
|
| | |passwords hard | - Very simple | - No security at | | | | |crypted passwords.| | | |
| | |coded in. | to setup. | all. | | | |
| | |Not for use this | | | | | |
| | |in a production | | | | | |
| | |environment - it's| | | | | |
| | |just to | | | | | |
| | |demonstrate. | | | | | |
| +------------------+------------------+-----------------+-------------------+ | | |
| |crypt_passwd.pl |Idem, but with | | | | | |
| | |passwords | | | | | |
| | |encrypted. | | | | | |
| +------------------+------------------+-----------------+-------------------+ | | +------------------+------------------+-----------------+-------------------+ |
| |auth_pam.pl |Uses PAM | | | | | |auth_pam.pl |Uses PAM | | | |
| | | | | | | | | | | | | |
| | | | - For Unix | | | | | | | - For Unix | | |
| | | | system uses PAM| | | | | | | system uses PAM| | |
| | | | (especially | | | | | | | (especially | | |
| | | | Linux, but also| | | | | | | Linux, but also| | |
| | | | SUN Solaris) | | | | | | | SUN Solaris) | | |
| | | | | | | | | | | | | |
| +------------------+------------------+-----------------+-------------------+ | | +------------------+------------------+-----------------+-------------------+ |
| | |
| skipping to change at line 468 | | skipping to change at line 460 |
|---|
| $auth["admin"][] = "username2"; | | $auth["admin"][] = "username2"; |
| | |
| etc | | etc |
| | |
| DB Authentication | | DB Authentication |
| ------------------- | | ------------------- |
| | |
| Authentication method, usable on the Internet. | | Authentication method, usable on the Internet. |
| | |
| It works by storing the list of users in a new table called mrbs_users in | | It works by storing the list of users in a new table called mrbs_users in |
|
| the mrbs database. The authentication is done by the module auth_db.inc. | | the mrbs database. The authentication is done by the class \MRBS\Auth\AuthDb. |
| Enable it by setting $auth["type"]="db" in config.inc.php. | | Enable it by setting $auth["type"]="db" in config.inc.php. |
| | |
| The list of users is displayed by clicking on the "Users" menu item in the | | The list of users is displayed by clicking on the "Users" menu item in the |
| top banner. This list is managed by module edit_users.php. Administrators | | top banner. This list is managed by module edit_users.php. Administrators |
| have the right to edit every entry, and add or remove users. Ordinary users | | have the right to edit every entry, and add or remove users. Ordinary users |
| only have the right to edit their own entry. | | only have the right to edit their own entry. |
| | |
| When you first run MRBS it will prompt you to set up a user with administrator | | When you first run MRBS it will prompt you to set up a user with administrator |
| rights. Until you do this the system is open and the first person to use MRBS | | rights. Until you do this the system is open and the first person to use MRBS |
| will be able to set up an administrator and lock you out of the system. You | | will be able to set up an administrator and lock you out of the system. You |
| | |
| skipping to change at line 879 | | skipping to change at line 871 |
|---|
| and that you have set up aliases in your webserver so that SimpleSamlPhp | | and that you have set up aliases in your webserver so that SimpleSamlPhp |
| can handle incoming assertions. Refer to the SimpleSamlPhp documentation | | can handle incoming assertions. Refer to the SimpleSamlPhp documentation |
| for more information on how to do that. | | for more information on how to do that. |
| | |
| https://simplesamlphp.org/docs/stable/simplesamlphp-install | | https://simplesamlphp.org/docs/stable/simplesamlphp-install |
| https://simplesamlphp.org/docs/stable/simplesamlphp-sp | | https://simplesamlphp.org/docs/stable/simplesamlphp-sp |
| | |
| External Authentication Programs Configuration | | External Authentication Programs Configuration |
| ============================================== | | ============================================== |
| | |
|
| Perl password list | | |
| | |
| "badpw.pl" is a short piece of Perl, which can quickly be used to demonstrate | | |
| how the "ext" authentication provider works. | | |
| | |
| It has usernames and passwords hard coded. I don't expect anyone to use this in | | |
| a production environment - it's just to demonstrate. | | |
| | |
| In the config.inc.php file authentication section, set: | | |
| | |
| # Authentication settings - read AUTHENTICATION | | |
| | |
| $auth["type"] = "ext"; | | |
| $auth["prog"] = "./badpw.pl"; | | |
| $auth["params"] = "#USERNAME# #PASSWORD#"; | | |
| | |
| NOTE: The last line are parameters that will get passed to the 'badpw.pl' | | |
| script. At runtime "#USERNAME#" and "#PASSWORD" will get replaced with the | | |
| username and password that the user entered to login. | | |
| | |
| NOTE: Under Unix, make sure badpw.pl has execution rights: 'chmod +x badpw.pl' | | |
| | |
| Once you have changed this then look at the /mrbs/ page through your browser. | | |
| When you click one of the (+) buttons, you will be asked for a username and | | |
| password. Check badpw.pl for the valid combinations. | | |
| | |
| To try out an "admin" user, add an appropriate username to the section that | | |
| says: | | |
| | |
| $auth["admin"][] = "...."; | | |
| | | |
| Encrypted password authentication | | Encrypted password authentication |
| ------------------------------- | | ------------------------------- |
| | |
|
| crypt_passwd.pl is like the badpw.pl method above but uses a file containing | | crypt_passwd.pl is a short Perl script, which can be used to demonstrate |
| usernames and their encrypted passwords | | how the "ext" authentication provider works. |
| | |
| | It utilises uses a file containing usernames and their encrypted passwords. |
| | |
| config.inc.php should be changed to have a section that reads something like: | | config.inc.php should be changed to have a section that reads something like: |
| | |
| $auth["type"] = "ext"; | | $auth["type"] = "ext"; |
| | |
| $auth["prog"] = "../crypt_passwd.pl"; | | $auth["prog"] = "../crypt_passwd.pl"; |
| $auth["params"] = "/etc/httpd/mrbs_passwd #USERNAME# #PASSWORD#"; | | $auth["params"] = "/etc/httpd/mrbs_passwd #USERNAME# #PASSWORD#"; |
| | |
| As you can see the crypt_passwd.pl script takes 3 parameters. | | As you can see the crypt_passwd.pl script takes 3 parameters. |
| | |
| | |
| skipping to change at line 976 | | skipping to change at line 938 |
|---|
| $auth["params"] = "#USERNAME# #PASSWORD#"; | | $auth["params"] = "#USERNAME# #PASSWORD#"; |
| | |
| That's it. | | That's it. |
| | |
| Note that this has been only tested with Red Hat 7.x. Feedback on whether this | | Note that this has been only tested with Red Hat 7.x. Feedback on whether this |
| works on other systems ( eg. Solaris) is appreciated. | | works on other systems ( eg. Solaris) is appreciated. |
| | |
| Creating a new authentication scheme | | Creating a new authentication scheme |
| ==================================== | | ==================================== |
| | |
|
| Authentication programs are responsible for validating user/password pairs. | | Authentication classes are responsible for validating user/password pairs. |
| They must not attempt to communicate with the user. | | They must not attempt to communicate with the user. |
| | |
| Adding support for a new authentication service not yet supported by MRBS can | | Adding support for a new authentication service not yet supported by MRBS can |
| be done using one of the two following techniques: | | be done using one of the two following techniques: |
| | |
|
| Using a PHP module | | Adding a PHP class |
| ------------------ | | ------------------ |
| | |
|
| You must create a new module called "auth_xxx.inc". | | You must create a new filed called "web/lib/MRBS/Auth/AuthXxx.php". |
| | |
| It will be configured by setting in config.inc.php: | | It will be configured by setting in config.inc.php: |
| | |
| $auth["type"] = "xxx"; | | $auth["type"] = "xxx"; |
| | |
|
| The "auth_xxx.inc" file needs to define the following functions: | | Underscores in the config variable need a CamelCase name. For example |
| | |
| | $auth["type"] = "xxx_yyy"; |
| | |
|
| +-------------------------+----------------------------+---------------------+ | | requires a file called AuthXxxYyy.php |
| |Function Name |Description |Returns | | | |
| +-------------------------+----------------------------+---------------------+ | | |
| |authValidateUser($user, |Checks if the specified |0 = The pair is | | | |
| |$pass) |username/password pair are |invalid or does not | | | |
| | |valid. |exist. | | | |
| | | |Non 0 = The pair is | | | |
| | | |valid | | | |
| +-------------------------+----------------------------+---------------------+ | | |
| |authGetUserLevel($user) |Determines the users access |0 = Unknown | | | |
| | |level. |1 = User | | | |
| | | |2 = Administrator | | | |
| +-------------------------+----------------------------+---------------------+ | | |
| Store any configuration parameters specific to your module in a dedicated | | |
| section in config.inc.php. | | |
| | |
|
| Finally update this document with a description of your module. | | The class should extend \MRBS\Auth\Auth |
| | |
| Using an external program | | Using an external program |
| ------------------------- | | ------------------------- |
| | |
| External authentication programs are invoked via the internal PHP configuration | | External authentication programs are invoked via the internal PHP configuration |
|
| proxy module called "auth_ext.inc". | | proxy class called "AuthExt". |
| | |
| The external program must take the username, password, and possibly other | | The external program must take the username, password, and possibly other |
| values as parameters. Its exit code must be a zero for "OK", and anything else | | values as parameters. Its exit code must be a zero for "OK", and anything else |
| for "not OK". | | for "not OK". |
| | |
|
| "auth_ext.inc" takes the following parameters in config.inc.php: | | AuthExt takes the following parameters in config.inc.php: |
| | |
| $auth["type"] = "ext"; | | $auth["type"] = "ext"; |
| | |
| $auth["prog"] = "the_pathname_of_your_program"; | | $auth["prog"] = "the_pathname_of_your_program"; |
| $auth["params"] = "the arguments your program needs"; | | $auth["params"] = "the arguments your program needs"; |
| | |
|
| "auth_ext.inc" constructs a command line to execute like: | | AuthExt constructs a command line to execute like: |
| | |
| $cmd = $auth["prog"] . ' ' . $auth["params"]; | | $cmd = $auth["prog"] . ' ' . $auth["params"]; |
| | |
| $cmd = preg_replace('/#USERNAME#/',$user,$cmd); | | $cmd = preg_replace('/#USERNAME#/',$user,$cmd); |
| $cmd = preg_replace('/#PASSWORD#/',$pass,$cmd); | | $cmd = preg_replace('/#PASSWORD#/',$pass,$cmd); |
| | |
| This should allow a lot of flexibility with different authenticators. | | This should allow a lot of flexibility with different authenticators. |
| | |
| Creating a new session scheme | | Creating a new session scheme |
| ============================== | | ============================== |
| | |
|
| Session modules manage the user interface for obtaining the user name and | | Session classes manage the user interface for obtaining the user name and |
| password. They also manage the way the name and password are recorded | | password. They also manage the way the name and password are recorded |
| throughout a session. | | throughout a session. |
| | |
|
| To create a new scheme, you must create a new PHP module called | | To create a new scheme, you must create a new PHP class called |
| "session_xxx.inc". | | "web/lib/MRBS/Session/SessionXxx.php". |
| | |
| It will be configured by setting in config.inc.php: | | It will be configured by setting in config.inc.php: |
| | |
| $auth["session"] = "xxx"; | | $auth["session"] = "xxx"; |
| | |
|
| The "session_xxx.inc" file needs to define certain functions: | | Underscores in the config variable need a CamelCase name. For example |
| | |
| | $auth["session"] = "xxx_yyy"; |
| | |
| | requires a file called SessionXxxYyy.php |
| | |
| | The session class should extend either \MRBS\Session\SessionWithLogin or |
| | \MRBS\Session\SessionWithoutLogin. |
| | |
|
| +-----------------+---------------------------------------------+------------+ | | |
| |Function Name |Description |Returns | | | |
| +-----------------+---------------------------------------------+------------+ | | |
| |authGet() |Prompt the user for username/password. |Nothing | | | |
| +-----------------+---------------------------------------------+------------+ | | |
| |getUserName() |Returns the current user name. |The user | | | |
| | | |name, | | | |
| | | |or null if | | | |
| | | |not known. | | | |
| +-----------------+---------------------------------------------+------------+ | | |
| |PrintLogonBox() |Optional. If defined, it will be used to draw|Nothing | | | |
| | |the contents of the logon/logoff box in MRBS | | | | |
| | |top banner. | | | | |
| +-----------------+---------------------------------------------+------------+ | | |
| Note: Session schemes are also useful in the case where a web server enforces | | Note: Session schemes are also useful in the case where a web server enforces |
|
| its own session and authentication management. See the session_nt.inc and | | its own session and authentication management. See the SessionNt.php and |
| session session_omni.inc files as examples. In this case, use in combination | | session SessionOmni.php files as examples. In this case, use in combination |
| with authentication "none", as the real authentication is already done during | | with authentication "none", as the real authentication is already done during |
| the session initiation, and needs not be done again inside MRBS. | | the session initiation, and needs not be done again inside MRBS. |
| | |
| A little bit of history | | A little bit of history |
| ======================= | | ======================= |
| | |
| The original version of MRBS, created by Daniel Gardner, did not have | | The original version of MRBS, created by Daniel Gardner, did not have |
| username/password support. Each booking that was made had the IP address of the | | username/password support. Each booking that was made had the IP address of the |
| client machine logged as the "creator" of the booking. | | client machine logged as the "creator" of the booking. |
| | |
| | |
| skipping to change at line 1134 | | skipping to change at line 1077 |
|---|
| authentication servers are not available in the general case. | | authentication servers are not available in the general case. |
| - There was no way to log off. | | - There was no way to log off. |
| | |
| In MRBS 1.2, the authentication system was restructured by Jean-François | | In MRBS 1.2, the authentication system was restructured by Jean-François |
| Larvoire <jf.larvoire@sf.net> | | Larvoire <jf.larvoire@sf.net> |
| | |
| The main change was to separate the user/password acquisition (Also called | | The main change was to separate the user/password acquisition (Also called |
| session initiation), from its validation (called authentication). | | session initiation), from its validation (called authentication). |
| | |
| The existing routines for querying the user identity were moved to module | | The existing routines for querying the user identity were moved to module |
|
| session_http.inc. This module is left in for backwards compatibility, but | | session_http.inc (now SessionHttp.php). This module is left in for backwards |
| deprecated. A new session management module was introduced, based on PHP's | | compatibility, but deprecated. A new session management module was introduced, |
| built-in session management. This is the one recommended now on. It includes | | based on PHP's built-in session management. This is the one recommended now on. |
| the ability to log off. | | It includes the ability to log off. |
| | |
| On the authentication side, most existing modules were carried on, with the | | On the authentication side, most existing modules were carried on, with the |
|
| session code removed. A simple module (auth_config.inc) was added, managing a | | session code removed. A simple module, auth_config.inc (now AuthConfig.php) was |
| simple list of users in config.inc.php. Eventually there will also be another | | added, managing a simple list of users in config.inc.php. Eventually there will |
| authentication module, using a table of users in the MRBS database. | | also be another authentication module, using a table of users in the MRBS |
| | database. |
| | | |
| End of changes. 21 change blocks. |
|---|
| 93 lines changed or deleted | | 37 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 