-
Making Mantis with Basic Authentication Not Suck
Posted on November 10th, 2005 4 commentsAt work, I’ve been doing a lot of system setup and administration. While it’s definitely beyond my job description as a Software Architect, there’s nobody else than can do it right on my team – and thus it falls to me.
When administrating a large number of servers, it becomes quickly apparant that a centralized directory of credentials is absolutely necessary. The obvious solution is OpenLDAP. After creating a directory, though, it becomes necessary to integrate the various applications into the directory so that the users may use the same credentials across all applications. (I’m not even talking about single sign-on. That’s a whole other kettle of fish.)
In some cases, it’s built right in. For example, our Linux servers use pam_ldap and nss_ldap to tie in the operating system. For Apache, the modules mod_ldap and mod_auth_ldap provide the necessary integration; and some web applications, such as Subversion fall in line quite naturally.
Many web applications, though, support their own authentication via a web page, and those applications often do not fit in quite the way you would hope. Two such applications we use are MediaWiki and MantisBT. In the case of MediaWiki, I found a series of modifications that pretty much worked. I had to tweak a few things, and while I’m not going to write about them here, feel free to contact me if you’d like to know what I did.
Mantis, though, ostensibly supports basic authentication. The authentication section in the manual has a specific
BASIC_AUTH
option. The problem is that it doesn’t work quite right.I am protecting my Mantis directory with an Apache authentication directive. In the
.htaccess
in the Mantis directory, I require basic authentication, and the authenticated user must be a member of thecn=Mantis
group in the directory.
SSLRequireSSLAuthType Basic
AuthName "Mantis"
AuthLDAPEnabled on
AuthLDAPUrl ldaps://ldap_server/ou=people,dc=example,dc=com?uid?sub?objectClass=accountAuthLDAPGroupAttributeIsDN on
require group cn=Mantis,ou=groups,dc=example,dc=com
order deny,allow
deny from all
The Mantis configuration directive to use basic authentication is set in the
config_inc.php
file.
# --- authentication settings ---
$g_login_method = BASIC_AUTH;
So in this scenario, you would never be able to get to the login page without authenticating with the web server. Mantis, rather than treating the basic auth as authoratitive, it takes the username and password received and then tries to log in using them (at least in version 0.19.3). I’m not sure the when that would be the right thing to do, but it certainly isn’t in this case because it requires me to keep the password in the directory synchronized with the password in the Mantis database.
So our goal is to make Mantis ignore its own password and simply think it has successfully authenticated when
g_login_method
is set toBASIC_AUTH
.As a nice feature, the
core/authentication_api.php
file has support for auto-creation of a user if it doesn’t exist when logging in via basic authentication. We want to keep that functionality. However, it inserts the basic authentication password into the database. While it really shouldn’t hurt anything, I’d like to keep it seperate for clarity. So on line 77, I’ve modified the call touser_create()
in theauth_attempt_login()
to generate a random password and insert that into the database.
# Modified to generate a random password.
# Since the basic authentication should be authoratative, then
# this password is just a dummy password, and should never be used.
# -- BCV
$t_cookie_string = user_create( $p_username, auth_generate_random_password() );
The next step is to make
auth_attempt_login()
succeed when basic authentication has been used. Modifying theif
block around theauth_does_password_match()
, we use some short-circuiting to skip the check (and therefore always succeed) if the login method equalsBASIC_AUTH
.
# Since basic auth is authoratative, and assuming that this page
# cannot be viewed unless it has already succeeded, then don't
# bother checking a password, and just do a valid login.
# -- BCV
if (BASIC_AUTH != $t_login_method && !auth_does_password_match( $t_user_id, $p_password ) ) {
user_increment_failed_login_count( $t_user_id );
return false;
}
The final step is to redirect to the
login.php
script at certain appropriate points. The first is in the default page, namedindex.php
. Normally, it redirects to the login page if the user is not authenticated. We’re going to modify that behavior when we’re using basic authentication so that it skips right to the login script instead. That way, it will automatically attempt to log in the user.
if ( auth_is_user_authenticated() ) {
print_header_redirect( 'main_page.php' );
} else if (BASIC_AUTH == config_get( 'login_method')) {
print_header_redirect( 'login.php' );
} else {
print_header_redirect( 'login_page.php' );
}
Finally, we don’t really want them to be able to log out, since that would require a login again. The modification I’ve chosen does a logout, and then immediately attempts to log in again.
auth_logout();if ( HTTP_AUTH == config_get( 'login_method' ) ) {
auth_http_set_logout_pending( true );
}if ( BASIC_AUTH == config_get( 'login_method' ) ) {
print_header_redirect( 'index.php' );
} else {
print_header_redirect( config_get( 'logout_redirect_page' ) );
}
And that’s it! Remember, the entire premise of these modifications is that the web server authentication is fully trusted, and that access to the underlying PHP scripts cannot occur unless the user has already successfully authenticated. If that’s no the case in your scenario, then these modifications won’t be secure.
Feel free to take these modifications for yourself. I’m going to see about submitting them as a patch to the official Mantis codebase. Oh, and if you find anything that I’ve missed, or anything that’s insecure, please let me know.
4 responses to “Making Mantis with Basic Authentication Not Suck”
-
Hi,
your howto works perfect for mantis 1.1.1. and sso from jasig cas. But i must change auth_generate_random_password() to auth_generate_random_password($t_seed) to prevent an error.
Best regards
Holger Koch
-
Anonymous March 30th, 2008 at 22:03
Thanks a lot for the instructions. I was able to get my apache/mantis setup working. Two modifications I had to make for mantis v1.1.1:
-auth_generate_random_password takes the email addy as input, though it doesn’t actually use it
-the directions you had given at the end didn’t specify that the changes need to be made in the logout_page.php -
benny April 8th, 2008 at 02:21
Hello,
I followed all steps above, but when I try to go to the mantis page (without login), I received that issue :
APPLICATION ERROR #805
The username is invalid. Usernames may only contain Latin letters, numbers, spaces, hyphens, and underscores.I don’t understand cause all my users are like they said, I have one ‘administrator’ and one ‘benoit’. So If you know how I can fix it, appreciate 😉
PS : I have a warning too, SYSTEM WARNING: Missing argument 1 for auth_generate_random_password(), called in /usr/share/mantis/core/authentication_api.php on line 97 and defined
Regards, benny
-
Hugo Hernández-Mora June 5th, 2008 at 09:33
Hello there,
it is possible to use in combination two different authentication methods like the default one and LDAP?
Thanks in advance for your help.
-Hugo
-
Holger Koch March 28th, 2008 at 09:24