Hello Sven, thank you, the approach sounds sensible and I will try that
out and document a working setup.
Regards, Jakob
Am 06.12.2016 um 20:00 schrieb Sven Nierlein:
Hi,
i did implement that once in a customer setup but i cannot remember all
details. Basically you need to change the
apache config in a way, that everything except <site>/thruk/cgi-bin/cmd.cgi is
not protected and free to access.
In order to do so you need to add an exception to the rewrite block which make
the redirect for the thruk cookie
auth.
Just add
RewriteCond %{REQUEST_URI} ^/${OMD_SITE}/thruk/cgi-bin/cmd.cgi
in etc/apache/conf.d/thruk_cookie_auth.conf.
I haven't tested it, but i'd say that should do the trick already.
If that works, please document it next to the apache ldap config here:
https://github.com/sni/Thruk/blob/master/docs/documentation/install-webserver.asciidoc#ldap--ad-authentication
So next time someone asks he has the chance to find something :-)
Cheers,
Sven
On 06/12/16 17:40, Jakob Curdes wrote:
Hello, we use an OMD-based system with naemon and thruk for our monitoring and
are trying to implement a two level access model:
- anonymous access to status information (read-only)
- cookie-based access for the rest.
This means that apache and thruk must interact to allow access to certain URLs
with a default username while requiring cookie auth for orther URLs.
The Thruk part of this is easy and solved, we set a "default_user_name" and
limited access and permissions of that user, this works nicely.
But then all the interface is limited and we cannot use a different username.
Now we are trying to configure apache to pass this username to thruk, but only
for certain URL's, i.e. status.cgi.
In other cases, suggestions were to make a link to the directory with the CGI's
and use the different URLs to distinguish the two cases in the apache
configuration.
This seems to be difficult with thruk, as the URL's are not directories and how
do you make a link to a location ?? We tried setting an alias but this did not
help.
Another approach could be to allow only this URL without auth by a combination
of location and file directives; however there we seem to get stuck in the
rewrite rules used for the cookie based auth. It seems that even if the user is
passed the rewrite rule changes the status.cgi to the login page.
Has anybody gotten a working solution for such a setup? Are we doing something
wrong?
Regards, Jakob Curdes
_______________________________________________
omd-users mailing list
[email protected]
http://lists.mathias-kettner.de/mailman/listinfo/omd-users
_______________________________________________
omd-users mailing list
[email protected]
http://lists.mathias-kettner.de/mailman/listinfo/omd-users
