Using NicToolClient with Apache Basic Authentication

Started by monachus, April 01, 2006, 12:23:36 PM


monachus

We are deploying NicTool as part of a customer extranet at our site.  We have a number of tools which are available to them - Nagios, Request Tracker, Cacti, NicTool, and others, and we'd like for the utilities to be accessible via a single signon.  Apache authenticates users via Basic Authentication and mod_auth_ldap, but I needed a way for NicTool to recognize this.

I modified index.cgi to recognize the presence of REMOTE_USER and go straight to the login process without displaying the login box.  If REMOTE_USER isn't present, it displays the login box.

Users who auth via Apache are in the NicTool user table, but they have blank passwords.  To accommodate this, index.cgi ignores an empty password if REMOTE_USER is present.

We're also allowing clients to make NicTool available to their customers, who aren't in our LDAP database.  For that we published NicTool in two locations - one protected by Basic Authentication and one openly accessible.  There is actually only a single directory with a symlink for the second installation, and two 'Directory' blocks in httpd.conf.  The login box will still error out on the submission of an empty password, so it ensures that someone who gets the login box can't submit a known username with an empty password and gain access as one of my LDAP-authed clients.

Because NicTool uses user@domain to determine permissions, I had to modify our LDAP database to accommodate this.  We use LDAP authentication for all of our services - shell access to machines, etc., so users have simple usernames.  By adding another 'uid' attribute of 'user@domain' to LDAP, they are able to log into shell accounts as 'user' and into NicTool and other utilities as 'user@domain' with the same password.

If an LDAP-authed user's session times out in NicTool, it continues to log them back in automatically, but the location bar displays the 'Please login again' error message and the objects are all set to their default status (closed, etc).  Figuring that sessions are a good thing, I've only increased that timeout to something longer than what a user is likely to stay on our site for, so this detail will be mostly transparent.

To accommodate the 'logout' option when you're an LDAP-authed user, I'm simply performing the logout (which I presume whacks the session data in MySQL) and then sending them to our main extranet URL.

To prevent loops on errors, I'm redirecting the user to somewhere else.  You'll have to designate what you want these locations to be, presumably pages with error and/or support information on them.  Search for 'www.arces.net' in the code and change these to something else you like.

This is in production with Apache 1.3.x.  It should work just fine with 2.0.  

As with my other scripts and such, I'm not providing any support.  If it's broken or you think of something cool or something that I missed, ping me and I'll take a look.  Otherwise, it's all as-is, and YMMV.
Adrian Goins - President / CEO
Arces Network, LLC
http://www.arces.net

PGP Key: 1024D/8AADA4B8 2009-04-20
Fingerprint: E3CD 96EA DF3F B345 7ADB  FB74 31EC 9F54 8AAD A4B8
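The login gate described in the post above, as an added example in plain Perl (not NicTool's own index.cgi and not the original poster's code): it assumes a constructed user table and a hashref standing in for %ENV, and stores plaintext passwords only to keep the sample short.

```perl
#!/usr/bin/perl
# Added example: the REMOTE_USER / empty-password decision logic from the
# post, pulled out so it can be run from the command line.
use strict;
use warnings;

# Constructed stand-in for the NicTool user table: username => password.
# An empty password marks an account that may only enter via Apache auth.
my %users = (
    'alice@example.com' => '',        # LDAP-authed through mod_auth_ldap
    'bob@customer.com'  => 's3cret',  # customer account on the open vhost
);

# Decide what index.cgi should do for one request.
# $env  - hashref; REMOTE_USER is set only when Apache authenticated the user
# $form - hashref with the login form fields (username, password), if any
# Returns ('login', $user), ('form', $why) or ('deny', $why).
sub login_gate {
    my ($env, $form) = @_;

    # Path 1: Apache already authenticated the caller. Trust REMOTE_USER and
    # skip the login box; an empty stored password is expected here.
    if (defined $env->{REMOTE_USER} && length $env->{REMOTE_USER}) {
        my $user = $env->{REMOTE_USER};
        return ('deny', "no NicTool account for $user")
            unless exists $users{$user};
        return ('login', $user);
    }

    # Path 2: the open installation. No form submitted yet -> show the box.
    return ('form', 'show login box') unless defined $form->{username};

    # Reject an empty password outright, so a known username with a blank
    # stored password cannot be used to impersonate an LDAP-authed user.
    return ('deny', 'empty password')
        unless defined $form->{password} && length $form->{password};

    # Blank-password accounts never match here either, as a second guard.
    my $stored = $users{ $form->{username} };
    return ('deny', 'bad credentials')
        unless defined $stored && length $stored && $stored eq $form->{password};
    return ('login', $form->{username});
}

# Walk through the cases that matter for the two-Directory setup.
my @cases = (
    [ { REMOTE_USER => 'alice@example.com' }, {} ],
    [ {}, { username => 'alice@example.com', password => '' } ],
    [ {}, { username => 'bob@customer.com',  password => 's3cret' } ],
    [ {}, {} ],
);
for my $c (@cases) {
    my ($what, $why) = login_gate(@$c);
    printf "%-6s %s\n", $what, $why;
}
```

Running it prints login for alice via REMOTE_USER, deny for the empty-password attempt against her account on the open form, login for bob, and form for a bare request.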

monachus

Ah - one other detail.  In order to load users with empty passwords via the "New User" option in the GUI, I had to mod NicToolServer.pm to make 'password' and 'password2' fields non-required.  Took me a bit to figure out that this had to happen in the site-wide perl installation of NicToolServer.pm and not in the local NicToolServer apache installation - why are there two of them?  

Look in the api_commands subroutine, or search for 'password2' in NicToolServer.pm.  Change the one to a zero for required for 'password' and 'password2' and you'll be good to go.

monachus

Also had to change User/Sanity.pm to reflect that minimum password length only matters if the password length is > 0:

   if( length($data->{'password'}) < 4  and length( $data->{'password'}) > 0 )