"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "mrbs-1.9.4/AUTHENTICATION" between
mrbs-1.9.4.tar.gz and mrbs-1.10.0.tar.gz

About: MRBS is a web application for booking meeting rooms or other resources (using PHP and MySQL/pgsql).

AUTHENTICATION  (mrbs-1.9.4):AUTHENTICATION  (mrbs-1.10.0)
skipping to change at line 203 skipping to change at line 203
| |Must be used together | | | | |Must be used together | | |
| |with the 'remote_user' | | | | |with the 'remote_user' | | |
| |session scheme. | | | | |session scheme. | | |
+---------+------------------------+-------------------+------------------------ + +---------+------------------------+-------------------+------------------------ +
External authentication programs External authentication programs
-------------------------------- --------------------------------
+------------------+------------------+-----------------+-------------------+ +------------------+------------------+-----------------+-------------------+
|Program |Description |Pros |Cons | |Program |Description |Pros |Cons |
+------------------+------------------+-----------------+-------------------+ +------------------+------------------+-----------------+-------------------+
|badpw.pl |Perl script with | | | |crypt_passwd.pl |Perl script which | - Easy to setup | - Relies upon a |
| |reads a 'shadow' | | special users |
| |style file with | | file. |
| |usernames and | | | | |usernames and | | |
| |passwords hard | - Very simple | - No security at | | |crypted passwords.| | |
| |coded in. | to setup. | all. |
| |Not for use this | | |
| |in a production | | |
| |environment - it's| | |
| |just to | | |
| |demonstrate. | | |
+------------------+------------------+-----------------+-------------------+
|crypt_passwd.pl |Idem, but with | | |
| |passwords | | |
| |encrypted. | | |
+------------------+------------------+-----------------+-------------------+ +------------------+------------------+-----------------+-------------------+
|auth_pam.pl |Uses PAM | | | |auth_pam.pl |Uses PAM | | |
| | | | | | | | | |
| | | - For Unix | | | | | - For Unix | |
| | | system uses PAM| | | | | system uses PAM| |
| | | (especially | | | | | (especially | |
| | | Linux, but also| | | | | Linux, but also| |
| | | SUN Solaris) | | | | | SUN Solaris) | |
| | | | | | | | | |
+------------------+------------------+-----------------+-------------------+ +------------------+------------------+-----------------+-------------------+
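Review bot: the new Cons cell for crypt_passwd.pl ("Relies upon a special users file") omits the caveat that matters most in practice: the credentials reach the script as command-line arguments, as the params line later on this page shows ("/etc/httpd/mrbs_passwd #USERNAME# #PASSWORD#"), so the plaintext password is visible to any local user who can list processes while the script runs. That belongs in Cons alongside a note that the users file must be readable only by the web server account, since it holds the hashes the script compares against. Dropping the badpw.pl row (hard-coded credentials, "No security at all") is the right call.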
skipping to change at line 468 skipping to change at line 460
$auth["admin"][] = "username2"; $auth["admin"][] = "username2";
etc etc
DB Authentication DB Authentication
------------------- -------------------
Authentication method, usable on the Internet. Authentication method, usable on the Internet.
It works by storing the list of users in a new table called mrbs_users in It works by storing the list of users in a new table called mrbs_users in
the mrbs database. The authentication is done by the module auth_db.inc. the mrbs database. The authentication is done by the class \MRBS\Auth\AuthDb.
Enable it by setting $auth["type"]="db" in config.inc.php. Enable it by setting $auth["type"]="db" in config.inc.php.
The list of users is displayed by clicking on the "Users" menu item in the The list of users is displayed by clicking on the "Users" menu item in the
top banner. This list is managed by module edit_users.php. Administrators top banner. This list is managed by module edit_users.php. Administrators
have the right to edit every entry, and add or remove users. Ordinary users have the right to edit every entry, and add or remove users. Ordinary users
only have the right to edit their own entry. only have the right to edit their own entry.
When you first run MRBS it will prompt you to set up a user with administrator When you first run MRBS it will prompt you to set up a user with administrator
rights. Until you do this the system is open and the first person to use MRBS rights. Until you do this the system is open and the first person to use MRBS
will be able to set up an administrator and lock you out of the system. You will be able to set up an administrator and lock you out of the system. You
skipping to change at line 879 skipping to change at line 871
and that you have set up aliases in your webserver so that SimpleSamlPhp and that you have set up aliases in your webserver so that SimpleSamlPhp
can handle incoming assertions. Refer to the SimpleSamlPhp documentation can handle incoming assertions. Refer to the SimpleSamlPhp documentation
for more information on how to do that. for more information on how to do that.
https://simplesamlphp.org/docs/stable/simplesamlphp-install https://simplesamlphp.org/docs/stable/simplesamlphp-install
https://simplesamlphp.org/docs/stable/simplesamlphp-sp https://simplesamlphp.org/docs/stable/simplesamlphp-sp
External Authentication Programs Configuration External Authentication Programs Configuration
============================================== ==============================================
Perl password list
"badpw.pl" is a short piece of Perl, which can quickly be used to demonstrate
how the "ext" authentication provider works.
It has usernames and passwords hard coded. I don't expect anyone to use this in
a production environment - it's just to demonstrate.
In the config.inc.php file authentication section, set:
# Authentication settings - read AUTHENTICATION
$auth["type"] = "ext";
$auth["prog"] = "./badpw.pl";
$auth["params"] = "#USERNAME# #PASSWORD#";
NOTE: The last line are parameters that will get passed to the 'badpw.pl'
script. At runtime "#USERNAME#" and "#PASSWORD" will get replaced with the
username and password that the user entered to login.
NOTE: Under Unix, make sure badpw.pl has execution rights: 'chmod +x badpw.pl'
Once you have changed this then look at the /mrbs/ page through your browser.
When you click one of the (+) buttons, you will be asked for a username and
password. Check badpw.pl for the valid combinations.
To try out an "admin" user, add an appropriate username to the section that
says:
$auth["admin"][] = "....";
Encrypted password authentication Encrypted password authentication
------------------------------- -------------------------------
crypt_passwd.pl is like the badpw.pl method above but uses a file containing crypt_passwd.pl is a short Perl script, which can be used to demonstrate
usernames and their encrypted passwords how the "ext" authentication provider works.
It utilises uses a file containing usernames and their encrypted passwords.
config.inc.php should be changed to have a section that reads something like: config.inc.php should be changed to have a section that reads something like:
$auth["type"] = "ext"; $auth["type"] = "ext";
$auth["prog"] = "../crypt_passwd.pl"; $auth["prog"] = "../crypt_passwd.pl";
$auth["params"] = "/etc/httpd/mrbs_passwd #USERNAME# #PASSWORD#"; $auth["params"] = "/etc/httpd/mrbs_passwd #USERNAME# #PASSWORD#";
As you can see the crypt_passwd.pl script takes 3 parameters. As you can see the crypt_passwd.pl script takes 3 parameters.
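Review bot: "It utilises uses a file" in the new paragraph doubles the verb; "It uses a file containing usernames and their encrypted passwords." is what is meant. The example also sets $auth["prog"] to a relative path ("../crypt_passwd.pl") without saying what it is relative to; because the command is run from PHP, the section should state the directory it resolves against (or simply recommend an absolute path), and should say that /etc/httpd/mrbs_passwd needs to be readable only by the web server account.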
skipping to change at line 976 skipping to change at line 938
$auth["params"] = "#USERNAME# #PASSWORD#"; $auth["params"] = "#USERNAME# #PASSWORD#";
That's it. That's it.
Note that this has been only tested with Red Hat 7.x. Feedback on whether this Note that this has been only tested with Red Hat 7.x. Feedback on whether this
works on other systems ( eg. Solaris) is appreciated. works on other systems ( eg. Solaris) is appreciated.
Creating a new authentication scheme Creating a new authentication scheme
==================================== ====================================
Authentication programs are responsible for validating user/password pairs. Authentication classes are responsible for validating user/password pairs.
They must not attempt to communicate with the user. They must not attempt to communicate with the user.
Adding support for a new authentication service not yet supported by MRBS can Adding support for a new authentication service not yet supported by MRBS can
be done using one of the two following techniques: be done using one of the two following techniques:
Using a PHP module Adding a PHP class
------------------ ------------------
You must create a new module called "auth_xxx.inc". You must create a new filed called "web/lib/MRBS/Auth/AuthXxx.php".
It will be configured by setting in config.inc.php: It will be configured by setting in config.inc.php:
$auth["type"] = "xxx"; $auth["type"] = "xxx";
The "auth_xxx.inc" file needs to define the following functions: Underscores in the config variable need a CamelCase name. For example
$auth["type"] = "xxx_yyy";
+-------------------------+----------------------------+---------------------+ requires a file called AuthXxxYyy.php
|Function Name |Description |Returns |
+-------------------------+----------------------------+---------------------+
|authValidateUser($user, |Checks if the specified |0 = The pair is |
|$pass) |username/password pair are |invalid or does not |
| |valid. |exist. |
| | |Non 0 = The pair is |
| | |valid |
+-------------------------+----------------------------+---------------------+
|authGetUserLevel($user) |Determines the users access |0 = Unknown |
| |level. |1 = User |
| | |2 = Administrator |
+-------------------------+----------------------------+---------------------+
Store any configuration parameters specific to your module in a dedicated
section in config.inc.php.
Finally update this document with a description of your module. The class should extend \MRBS\Auth\Auth
Using an external program Using an external program
------------------------- -------------------------
External authentication programs are invoked via the internal PHP configuration External authentication programs are invoked via the internal PHP configuration
proxy module called "auth_ext.inc". proxy class called "AuthExt".
The external program must take the username, password, and possibly other The external program must take the username, password, and possibly other
values as parameters. Its exit code must be a zero for "OK", and anything else values as parameters. Its exit code must be a zero for "OK", and anything else
for "not OK". for "not OK".
"auth_ext.inc" takes the following parameters in config.inc.php: AuthExt takes the following parameters in config.inc.php:
$auth["type"] = "ext"; $auth["type"] = "ext";
$auth["prog"] = "the_pathname_of_your_program"; $auth["prog"] = "the_pathname_of_your_program";
$auth["params"] = "the arguments your program needs"; $auth["params"] = "the arguments your program needs";
"auth_ext.inc" constructs a command line to execute like: AuthExt constructs a command line to execute like:
$cmd = $auth["prog"] . ' ' . $auth["params"]; $cmd = $auth["prog"] . ' ' . $auth["params"];
$cmd = preg_replace('/#USERNAME#/',$user,$cmd); $cmd = preg_replace('/#USERNAME#/',$user,$cmd);
$cmd = preg_replace('/#PASSWORD#/',$pass,$cmd); $cmd = preg_replace('/#PASSWORD#/',$pass,$cmd);
This should allow a lot of flexibility with different authenticators. This should allow a lot of flexibility with different authenticators.
Creating a new session scheme Creating a new session scheme
============================== ==============================
Session modules manage the user interface for obtaining the user name and Session classes manage the user interface for obtaining the user name and
password. They also manage the way the name and password are recorded password. They also manage the way the name and password are recorded
throughout a session. throughout a session.
To create a new scheme, you must create a new PHP module called To create a new scheme, you must create a new PHP class called
"session_xxx.inc". "web/lib/MRBS/Session/SessionXxx.php".
It will be configured by setting in config.inc.php: It will be configured by setting in config.inc.php:
$auth["session"] = "xxx"; $auth["session"] = "xxx";
The "session_xxx.inc" file needs to define certain functions: Underscores in the config variable need a CamelCase name. For example
$auth["session"] = "xxx_yyy";
requires a file called SessionXxxYyy.php
The session class should extend either \MRBS\Session\SessionWithLogin or
\MRBS\Session\SessionWithoutLogin.
+-----------------+---------------------------------------------+------------+
|Function Name |Description |Returns |
+-----------------+---------------------------------------------+------------+
|authGet() |Prompt the user for username/password. |Nothing |
+-----------------+---------------------------------------------+------------+
|getUserName() |Returns the current user name. |The user |
| | |name, |
| | |or null if |
| | |not known. |
+-----------------+---------------------------------------------+------------+
|PrintLogonBox() |Optional. If defined, it will be used to draw|Nothing |
| |the contents of the logon/logoff box in MRBS | |
| |top banner. | |
+-----------------+---------------------------------------------+------------+
Note: Session schemes are also useful in the case where a web server enforces Note: Session schemes are also useful in the case where a web server enforces
its own session and authentication management. See the session_nt.inc and its own session and authentication management. See the SessionNt.php and
session session_omni.inc files as examples. In this case, use in combination session SessionOmni.php files as examples. In this case, use in combination
with authentication "none", as the real authentication is already done during with authentication "none", as the real authentication is already done during
the session initiation, and needs not be done again inside MRBS. the session initiation, and needs not be done again inside MRBS.
A little bit of history A little bit of history
======================= =======================
The original version of MRBS, created by Daniel Gardner, did not have The original version of MRBS, created by Daniel Gardner, did not have
username/password support. Each booking that was made had the IP address of the username/password support. Each booking that was made had the IP address of the
client machine logged as the "creator" of the booking. client machine logged as the "creator" of the booking.
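Review bot: the AuthExt description shows the command built by substituting $user and $pass directly into the string ($cmd = preg_replace('/#USERNAME#/',$user,$cmd);) with no mention of escaping. Both values come straight from the login form, so this section must say whether AuthExt passes them through escapeshellarg() (or avoids a shell entirely) before execution; if it does, document it here, and if it does not, the external-program scheme is unsafe to expose to untrusted users and the text should say so instead of only "This should allow a lot of flexibility". Independently of shell quoting, preg_replace() interprets $n and \n sequences in its replacement argument, so a username such as a$1b is not substituted literally; str_replace() is the right call for a literal substitution. Smaller points in the same hunk: "You must create a new filed called" should read "file"; the two "Underscores in the config variable need a CamelCase name" sentences read better as "Underscores in the config value map to CamelCase in the class name, so $auth["type"] = "xxx_yyy" requires AuthXxxYyy.php" (and likewise for $auth["session"]); and the rewrite drops the old tables listing the methods an auth module (authValidateUser, authGetUserLevel) and a session module (authGet, getUserName, PrintLogonBox) had to provide, replacing them only with "should extend \MRBS\Auth\Auth" and "should extend either \MRBS\Session\SessionWithLogin or \MRBS\Session\SessionWithoutLogin" without naming which methods of those base classes a subclass must override. "Store any configuration parameters specific to your module in a dedicated section in config.inc.php" and "Finally update this document with a description of your module" were also removed and are still good guidance for a new AuthXxx class.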
skipping to change at line 1134 skipping to change at line 1077
authentication servers are not available in the general case. authentication servers are not available in the general case.
- There was no way to log off. - There was no way to log off.
In MRBS 1.2, the authentication system was restructured by Jean-François In MRBS 1.2, the authentication system was restructured by Jean-François
Larvoire <jf.larvoire@sf.net> Larvoire <jf.larvoire@sf.net>
The main change was to separate the user/password acquisition (Also called The main change was to separate the user/password acquisition (Also called
session initiation), from its validation (called authentication). session initiation), from its validation (called authentication).
The existing routines for querying the user identity were moved to module The existing routines for querying the user identity were moved to module
session_http.inc. This module is left in for backwards compatibility, but session_http.inc (now SessionHttp.php). This module is left in for backwards
deprecated. A new session management module was introduced, based on PHP's compatibility, but deprecated. A new session management module was introduced,
built-in session management. This is the one recommended now on. It includes based on PHP's built-in session management. This is the one recommended now on.
the ability to log off. It includes the ability to log off.
On the authentication side, most existing modules were carried on, with the On the authentication side, most existing modules were carried on, with the
session code removed. A simple module (auth_config.inc) was added, managing a session code removed. A simple module, auth_config.inc (now AuthConfig.php) was
simple list of users in config.inc.php. Eventually there will also be another added, managing a simple list of users in config.inc.php. Eventually there will
authentication module, using a table of users in the MRBS database. also be another authentication module, using a table of users in the MRBS
database.
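Review bot: the closing sentence of the history ("Eventually there will also be another authentication module, using a table of users in the MRBS database.") is stale: DB Authentication (\MRBS\Auth\AuthDb with the mrbs_users table) is documented earlier on this page. Since this hunk already updates the paragraph to the new class names, it should also move that sentence to the past tense and name AuthDb.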
 End of changes. 21 change blocks. 
93 lines changed or deleted 37 lines changed or added
