Open Bug 392482 Opened 18 years ago Updated 10 years ago

Bugzilla as an Apache authentication provider (authentication server)

Categories: Bugzilla :: Administration
Type: task
Priority: Not set
Severity: normal
Reporter: jochen.wiedmann; Assignee: Unassigned
Attachments: 3 files, 6 obsolete files

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Build Identifier: 3.0

The attached files are used to make Bugzilla an authentication server. We use this to have Bugzilla as the core of an authentication server. Other components (subversion, webdav, etc.) are based on this authentication.

The file mod_authn_bugzilla.c is an Apache module, which is derived from mod_authn_dbd.c. It is an Apache authentication module, which allows the user to authenticate via basic authentication. The user is able to use either their email address or their extern_id as a user name, together with the Bugzilla password. It is likely that the module in its current stage won't work on Windows, because Bugzilla uses crypt to encode passwords, which is typically missing in a Windows Apache server.

The file AuthEnv.patch contains a patch against Bugzilla 3.0. The patch enables maintenance of the extern_id via editusers.cgi. It also enables users to change their own password, although they are authenticated by the above Apache module. This patch is incomplete: for example, the extern_id should be checked for uniqueness. (In our case, this isn't necessary, because we use the Windows IDs anyway.)

I know that it is unlikely that these suggestions will have an influence on the further Bugzilla development. However, it seems worth documenting my efforts. Of course, I am ready for any necessary changes, should my assumption prove to be wrong.

Reproducible: Always
This module is basically compiled, installed, and configured like mod_authn_dbd.c. A typical configuration would look like:

    LoadModule authn_bugzilla_module modules/mod_authn_bugzilla.so
    DBDriver mysql
    DBDParams "dbname=bugs,user=bugs,password=bugz"
    DBDMin 1
    DBDKeep 2
    DBDMax 10
    DBDExptime 60
    <Location />
        AuthType Basic
        AuthName "Bugzilla Authentication"
        AuthBasicProvider bugzilla
        AuthBugzillaUserPWQuery "select cryptpassword,login_name, extern_id,realname from bugs.profiles where %s in (login_name,extern_id)"
        require valid-user
    </Location>
Well, although you're right that we're unlikely to implement this, it's certainly a cool idea and I could possibly be convinced to accept it if I saw some broad user need from the community. Otherwise, it certainly does no harm sitting here, available for users. You might want to link to here from the Bugzilla:Addons page in the Wiki, too. I didn't look over the patch extensively, but you're right that _check_extern_id should check if the extern_id is unique, not just trim it and return it.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: PC → All
Summary: Bugzilla as an authentication server → Bugzilla as an Apache authentication provider (authentication server)
(In reply to comment #3)
> You might want to link to here from the Bugzilla:Addons page in the Wiki, too.

Done, thank you!
Update of the previous patch with the following changes:
- Upgrade to Bugzilla 3.0.1
- The extern_id is now checked for uniqueness.
Attachment #276992 - Attachment is obsolete: true
Updated version of the patch for Bugzilla 3.0.3
Attachment #280194 - Attachment is obsolete: true
For clarification for this patch, can Internet Explorer users (and those Firefox users who've enabled network.automatic-ntlm-auth.trusted-uris) be automatically logged into bugzilla using their local windows login credentials? Or does Basic Authentication require a user/password box be popped up anyway?
(In reply to comment #7)
> For clarification for this patch, can Internet Explorer users (and those
> Firefox users who've enabled network.automatic-ntlm-auth.trusted-uris) be
> automatically logged into bugzilla using their local windows login credentials?
> Or does Basic Authentication require a user/password box be popped up anyway?

The latter is the case, sorry!
This is cool stuff, thanks. At Eclipse we've been centralizing the authentication of our various web properties around the Bugzilla auth. This mod could come in handy.
Comment on attachment 392113: Patch to enable maintenance of user passwords and extern_id with Bugzilla::Auth::Login::Env (Bugzilla 3.4)

Hey, you know, in modern Bugzilla, all of this could go into a packaged extension, except the extern_id updating stuff--and we actually already have a bug filed for being able to edit extern_id from the UI, which your patch pretty much implements nearly perfectly. If you attach the extern_id part, we could possibly integrate it upstream and then you could make the rest of this a formal extension.
Max, I am of course integrated in getting as much upstream as possible. I am quite ready to isolate that part and propose it separately. Question: How to enable editing the extern_id? Through a parameter?
(In reply to comment #12)
> Question: How to enable editing the extern_id? Through a parameter?

Let's discuss it in bug 423612.
Updated version of the Apache module with support for SHA-256 encoded strings, as used by Bugzilla 3.4.
Attachment #276991 - Attachment is obsolete: true
Can anybody provide me with some info on how to compile the mod_authn_dbd.c? I've read into apache mod-building, but I can't get this module to compile.
This patch introduces a new login module Bugzilla::Auth::Login::AuthEnv.pm and the necessary configuration parameters. The patch depends on attachment 517110 from bug 42362 as a prerequisite.
Attachment #392113 - Attachment is obsolete: true
Attachment #517111 - Attachment description: Patch to enable maintenance of user passwords and extern_id → Patch to enable maintenance of user passwords and extern_id (Bugzilla 4.0)
This patch introduces a new login module Bugzilla::Auth::Login::AuthEnv.pm and the necessary configuration parameters. The patch depends on attachment 517118 from bug 423612 as a prerequisite.
Attachment #517111 - Attachment is obsolete: true
The introduction of a comma to separate salt and hash within the cryptedpassword field in bugzilla 5 broke validate_password for the apache module. This is a patched version of the module that should also work with bz 4 (untested). The patch to the original is: --- mod_authn_bugzilla.c.orig 2015-11-07 23:34:54.298851922 +0000 +++ mod_authn_bugzilla.c 2015-11-09 09:47:58.991383216 +0000 @@ -114,17 +114,19 @@ int hashLen = len - markerLen; if (hashLen > 0 && strcmp(hash + hashLen, SHA256_MARKER) == 0) { char sha256_hash[SHA256_DIGEST_STRING_LENGTH]; + char *unsaltedHash = strchr(hash,','); + if (unsaltedHash == NULL) { + unsaltedHash = (char *)&hash[SHA256_SALT_LENGTH]; + } else { + unsaltedHash++; + } sha256_digest(r->pool, sha256_hash, password, hash, strlen(password)); - int unsaltedHashLen = hashLen - SHA256_SALT_LENGTH; - char hashPrefix[unsaltedHashLen + 1]; - strncpy(hashPrefix, hash + SHA256_SALT_LENGTH, unsaltedHashLen); - hashPrefix[unsaltedHashLen] = '\0'; - apr_status_t result = strcmp(sha256_hash, hashPrefix) == 0 + apr_status_t result = strncmp(sha256_hash, unsaltedHash, SHA256_DIGEST_STRING_LENGTH-1) == 0 ? APR_SUCCESS : APR_EMISMATCH; if (mod_authn_bugzilla_debugging) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "validate_password: <- SHA256, %d, %s, %s", result, sha256_hash, hashPrefix); + "validate_password: <- SHA256, %d, %s, %s", result, sha256_hash, unsaltedHash); } return result; }
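Review bot: the new `strncmp(sha256_hash, unsaltedHash, SHA256_DIGEST_STRING_LENGTH-1)` comparison returns at the first differing byte, so the time taken to reject a wrong password depends on how much of the stored digest matches; for password validation a fixed-length, constant-time comparison over the whole digest is preferable. The same hunk also keeps the `ap_log_rerror(APLOG_MARK, APLOG_ERR, ...)` debug line that writes both the computed digest and the stored hash (`sha256_hash`, `unsaltedHash`) to the error log; logging only `result` would avoid leaving password hash material in log files.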