ccolumbu

Member

Last active 9 years ago

  1. 9 years ago
    Wed Jul 9 11:10:43 2014
    ccolumbu posted in HTTP authentication.

    I don't think I explained it correctly, but I think I am talking about an alias.

    Let me try again.

    A CGI program (I thought FOP2 was written in Perl like FOP waas) can pull ENV vars from the HTTPD server on the server side.
    If a user logins via HTTPD, the HTTPD server creates an ENV var called REMOTE_USER.
    I am suggesting that you allow authentication to happen at the HTTPD level and then map or alias the REMOTE_USER to an extension and log in the end user as the extension that is mapped to the REMOTE_USER value without needing to re-authenticate with FOP2 directly.

    Simple example is adding something like this to the .htaccess inside /var/www/html/fop2:
    AuthType Basic
    AuthName "FOP2"
    AuthUserFile /<path to .passwd file>/.passwd
    Require valid-user

    Then when a user hits the FOP2 site apache will ask for a user/password and authenticate against the AuthUserFile (there are multiple ways to authenticate on the HTTPD side). The REMOTE_USER environment variable will be created and FOP2's CGI program can pull that REMOTE_USER value and compare to the fop2.cfg file for an alias.

    Then I (and other admins) can use HTTPD to authenticate against LDAP or MySQL or pam.d or IMAP, etc and fop2 only has to know about the REMOTE_USER environment variable <-> fop2.cfg alias map and does not need any new authentication scheme to allow all those authentication types that are built into HTTPD already.

  2. Tue Jul 8 19:48:21 2014
    ccolumbu posted in button.cfg privacy=hidden.

    Yes, exactly

  3. Sun Jul 6 18:25:54 2014
    ccolumbu started the conversation HTTP authentication.

    Add http authentication, so that we can use HTTP, LDAP, MySQL, etc to authenticate users.

    I suggest adding something like this to the user definition in the fop2.cfg:
    user= EXTENSION : SECRET : PERMISSIONS : GROUPS : PLUGINS : HTTP USER NAME

    Then when fop2 goes to display the login screen it checks to see:
    if ($ENV{'REMOTE_USER'} =~ /^HTTP USER NAME$/i) {
    # User is already logged in via HTTP skip auth, and login user as EXTENSION
    } else {
    # Display login screen:
    }

  4. Sun Jul 6 18:19:45 2014
    ccolumbu started the conversation fop2.cfg allow all minus.

    If there are a large number of extensions it may be easier to specify ALL and then subtract the extension you don't want.
    Like:
    perm=supervisor:dial,spy,chat,preferences:All,-SIP/101

    Instead of:
    perm=supervisor:dial,spy,chat,preferences:SIP/102,SIP/103,SIP/104,SIP/105,SIP/106,SIP/107,SIP/108,SIP/109,SIP/110

    Or maybe allow ranges:
    perm=supervisor:dial,spy,chat,preferences:SIP/102..110

  5. Sun Jul 6 18:15:33 2014
    ccolumbu started the conversation button.cfg privacy=hidden.

    I the idea is that for admin extensions you can hide their button from everyone but the other admins.
    This makes it easy to hide 1 extension so you don't have to create a group (or multiple groups) just to hide the admin button.