HTTP authentication

Add http authentication, so that we can use HTTP, LDAP, MySQL, etc to authenticate users.

I suggest adding something like this to the user definition in the fop2.cfg:
user= EXTENSION : SECRET : PERMISSIONS : GROUPS : PLUGINS : HTTP USER NAME

Then when fop2 goes to display the login screen it checks to see:
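# $http_user_name holds the HTTP USER NAME field from the user= line
if (defined $ENV{'REMOTE_USER'} && $ENV{'REMOTE_USER'} =~ /^\Q$http_user_name\E$/i) {
    # User is already logged in via HTTP: skip auth and log in the user as EXTENSION
} else {
    # Display login screen
}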

Comments

  • FOP2 does not use php nor http to perform authentications, so this is not possible. I think it is not possible to get auth headers from javascript (you are free to correct me).

    However, you can write a php wrapper and use the builtin methods for authentication (passing exten/pass via request or via window.name in javascript), and possibly using the master password you can define in fop2.cfg

    The problem with this is that your username has to be mapped to an extension, otherwise you won't be able to perform any actions. So if your http user names are "john", you might get it to login, but you won't be able to perform any actions. Perhaps adding another parameter to the user line to have an "alias" could work, so you can authenticate using the extension number or its alias.

    But for aliases I would use:

    alias=100:mary,Mary Jenkins
    alias=101:john,John Doe,jj

    or something similar to that. The user line is already too crowded.
  • I don't think I explained it correctly, but I think I am talking about an alias.

    Let me try again.

    A CGI program (I thought FOP2 was written in Perl like FOP was) can pull ENV vars from the HTTPD server on the server side.
    If a user logs in via HTTPD, the HTTPD server creates an ENV var called REMOTE_USER.
    I am suggesting that you allow authentication to happen at the HTTPD level and then map or alias the REMOTE_USER to an extension and log in the end user as the extension that is mapped to the REMOTE_USER value without needing to re-authenticate with FOP2 directly.

    Simple example is adding something like this to the .htaccess inside /var/www/html/fop2:
    AuthType Basic
    AuthName "FOP2"
    AuthUserFile /<path to .passwd file>/.passwd
    Require valid-user

    Then when a user hits the FOP2 site apache will ask for a user/password and authenticate against the AuthUserFile (there are multiple ways to authenticate on the HTTPD side). The REMOTE_USER environment variable will be created and FOP2's CGI program can pull that REMOTE_USER value and compare to the fop2.cfg file for an alias.

    Then I (and other admins) can use HTTPD to authenticate against LDAP or MySQL or pam.d or IMAP, etc and fop2 only has to know about the REMOTE_USER environment variable <-> fop2.cfg alias map and does not need any new authentication scheme to allow all those authentication types that are built into HTTPD already.
  • Fop2 is not a cgi program, but a websockets/xmlsockets server. It does not have access to Web server variables at all. As I said it cannot be done unless you write a wrapper like I said.

    Adding alias support to map usernames to extensions is the only doable thing that can make this kind of integration easier.
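
The alias lookup the thread converges on, sketched as the mapping step of the PHP wrapper suggested in the comments. This is an added example, not part of any post and not FOP2 code: the alias= syntax is only the proposal above, and the function names, the sample config and the AUTH_TYPE guard are assumptions. How the wrapper then hands the extension to FOP2 is left out, since the thread does not specify it.

```php
<?php
// Added example, not FOP2 code. alias= is the syntax proposed in the thread,
// not a documented fop2.cfg option.

// Constructed sample config using the alias lines proposed above.
$sampleCfg = <<<CFG
; constructed sample
alias=100:mary,Mary Jenkins
alias=101:john,John Doe,jj
CFG;

/** Build a lowercase alias => extension map; a name claimed by two extensions is dropped. */
function parse_aliases(string $cfg): array
{
    $map = [];
    $ambiguous = [];
    foreach (preg_split('/\R/', $cfg) as $line) {
        if (!preg_match('/^\s*alias\s*=\s*(\d+)\s*:(.+)$/', $line, $m)) {
            continue; // not an alias line
        }
        foreach (explode(',', $m[2]) as $alias) {
            $key = strtolower(trim($alias));
            if ($key === '') {
                continue;
            }
            if (isset($map[$key]) && $map[$key] !== $m[1]) {
                $ambiguous[$key] = true; // same name on two extensions: refuse it
            }
            $map[$key] = $m[1];
        }
    }
    return array_diff_key($map, $ambiguous);
}

/** Extension for the web-server-authenticated user, or null to fall back to the FOP2 login. */
function extension_for_remote_user(array $server, array $aliases): ?string
{
    // Assumption: only trust REMOTE_USER when the server also reports an auth type.
    if (empty($server['AUTH_TYPE']) || empty($server['REMOTE_USER'])) {
        return null;
    }
    // Exact, case-insensitive lookup; the name is never interpolated into a regex.
    $key = strtolower(trim($server['REMOTE_USER']));
    return $aliases[$key] ?? null;
}

$aliases = parse_aliases($sampleCfg);
$exten = extension_for_remote_user($_SERVER, $aliases);
echo $exten === null ? "no mapping: show the normal FOP2 login\n" : "mapped to extension $exten\n";
```

Run from the command line, where no REMOTE_USER is set, it takes the fallback branch. A user who passes web-server authentication but has no alias gets the same fallback rather than a session with no extension.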