Observium / OBS-4335

Auth_mechanism remote not working as expected

Details

    • Help
    • Resolution: Unresolved
    • Major
    • None
    • Professional Edition
    • Authentication
    • None

    Description

      We have had Observium for quite some time with the MySQL authentication backend and it's working fine.

      I'm trying to implement OpenID SSO via Apache, which works great, so I have changed the auth_mechanism in the config.ini to "remote". Now I can log in via my SSO and my user is recognized without problem, but the filtering for device access, or any filtering, does not work at all, so my user has no right to view anything even if I am at administrator level.

      From my understanding it's because the filtering queries include the auth_mechanism field, but since all my rights are done with the mysql user, the remote auth_mechanism does not exist at all.

      Is there any procedure to migrate from one authentication method to another? I didn't find anything in the documentation.

      Regards

      Claude


        Activity

          rendest Stef Renders added a comment -

          Mike,

          We are also migrating to remote auth (due to several security reasons).

          What he means is that there is no way of assigning permissions to users that are authenticated remotely (see html/includes/authentication/remote.inc.php)

          We are using a mix of LDAP/RADIUS and MySQL authentication backends, they all allow for user permissions one way or another (because even though authentication is remote, a user is provisioned in the database).

          For example, we could authenticate a user through RADIUS, a user is provisioned, and then we would be able to assign roles, device groups, port groups, etc. as permissions to that user.

          Ideally, the remote authentication backend is altered to replicate the RADIUS backend, where a user does get provisioned in the database, to allow some user management (settings, group/port/role based access permissions, or even user level through the UI).

          At this time the remote auth backend falls back to mysql_auth_user_info because the remote_auth_user_info function (see html/includes/authenticate-functions.inc.php) is not defined, hence the misleading user information (it shows the correct permissions because the MySQL user with the same username has the correct permissions, but they are not fetched).

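A minimal PHP model of the behaviour described in the comment above, added here as an illustration and not Observium's own code: user info falls back to the MySQL lookup when no remote_auth_user_info exists, while permissions are looked up per auth_mechanism. The table layout, sample rows, auth_user_info and permitted_entities are hypothetical.

```php
<?php
// Constructed sample data. The layout and every name except auth_mechanism,
// mysql_auth_user_info and remote_auth_user_info are hypothetical.
$users = [
    ['user_id' => 7, 'username' => 'alice', 'level' => 10],
];
$permissions = [ // rights granted while auth_mechanism was "mysql"
    ['user_id' => 7, 'auth_mechanism' => 'mysql', 'entity' => 'device:42'],
];

function mysql_auth_user_info(array $users, string $username): ?array
{
    foreach ($users as $u) {
        if ($u['username'] === $username) { return $u; }
    }
    return null;
}

// Dispatcher: call "<mechanism>_auth_user_info" if defined, else the MySQL one.
// No remote_auth_user_info is defined here, mirroring the comment above.
function auth_user_info(string $mechanism, array $users, string $username): ?array
{
    $fn = $mechanism . '_auth_user_info';
    return function_exists($fn) ? $fn($users, $username)
                                : mysql_auth_user_info($users, $username);
}

// Permission lookup scoped to the active mechanism (assumed, per the report).
function permitted_entities(string $mechanism, array $permissions, int $user_id): array
{
    $out = [];
    foreach ($permissions as $p) {
        if ($p['user_id'] === $user_id && $p['auth_mechanism'] === $mechanism) {
            $out[] = $p['entity'];
        }
    }
    return $out;
}

foreach (['mysql', 'remote'] as $mechanism) {
    $info = auth_user_info($mechanism, $users, 'alice');
    $entities = permitted_entities($mechanism, $permissions, $info['user_id']);
    printf("%-6s level=%d entities=[%s]\n", $mechanism, $info['level'], implode(',', $entities));
}
```

In this model the displayed level is the same under both mechanisms, but the entity list is empty under "remote", which is the mismatch reported in this issue.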

          cbrassel Brassel Claude added a comment -

          Hi, sorry for the late reply.

          Yes, I have tried with the auth_remote_userlevel but it changes nothing. I have made some other tests: if I define the user when I'm in $config['auth_mechanism'] = "mysql" and give them the rights I want, everything is OK:

          then when I switch to $config['auth_mechanism'] = "remote" I lose the rights.

          By the way, when I'm in "remote" mode and I log in as administrator (my account) I'm registered as admin but I have no rights at all:

          Any idea?

          landy Mike Stupalov added a comment -

          Did you set this variable in config.php?

          $config['auth_remote_userlevel'] = 10;

           * Configuration variables:
           *
           * $config['auth_mechanism'] = "remote";
           *   - Enables this authentication method
           *
           * $config['auth_remote_userlevel'] = 10;
           *   - What userlevel to assign to users, defaults to 1. https://docs.observium.org/user_levels/
           *
           * $config['auth_remote_variable'] = 'REMOTE_USER';
           *   - What server variable to use, if unspecified then REMOTE_USER is assumed.
           *
           * $config['auth_remote_logout_url'] = 'http://blah';
           *   - URL to redirect users when they click the logout button. If this is not specified, no logout button
           *     will be available.

          People

            landy Mike Stupalov
            cbrassel Brassel Claude