Re: [users@httpd] Rewrite REMOTE_USER environment variable

2017-05-29 Thread Ken Mycock 

Thanks Rainer

I have no option but to fix the scripts, as I can't change the Apache 
installation on a shared server. The fix to each cgi script is easy, but the 
volume of scripts makes it a significant task. Best I get on with it then!


Ken


On 24/05/2017 15:41, Rainer Canavan wrote:

On Tue, May 23, 2017 at 8:45 PM, Ken Mycock  wrote:

Eric

It seems to make sense that REMOTE_USER wasn't set when the rule I tried in
htaccess ran, as that would explain RU not being set.

But, REMOTE_USER must be set by Apache, even if it is late in the sequence,
so where/how can I get at it?

ap_add_common_vars() sets REMOTE_USER from r->user, and practically nothing
happens between then and the execution of the cgi script (assuming you're using
mod_cgi, I haven't checked anything else). So it looks like your options are

- change the environment variable in the CGI process itself
- write an apache module to remove the leading zeroes
- possibly use mod_lua

rainer




-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Rewrite REMOTE_USER environment variable

2017-05-24 Thread Rainer Canavan 
On Tue, May 23, 2017 at 8:45 PM, Ken Mycock  wrote:
> Eric
>
> It seems to make sense that REMOTE_USER wasn't set when the rule I tried in
> htaccess ran, as that would explain RU not being set.
>
> But, REMOTE_USER must be set by Apache, even if it is late in the sequence,
> so where/how can I get at it?

ap_add_common_vars() sets REMOTE_USER from r->user, and practically nothing
happens between then and the execution of the cgi script (assuming you're using
mod_cgi, I haven't checked anything else). So it looks like your options are

- change the environment variable in the CGI process itself
- write an apache module to remove the leading zeroes
- possibly use mod_lua

rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Rewrite REMOTE_USER environment variable

2017-05-23 Thread Ken Mycock 

Eric

It seems to make sense that REMOTE_USER wasn't set when the rule I tried in 
htaccess ran, as that would explain RU not being set.


But, REMOTE_USER must be set by Apache, even if it is late in the sequence, so 
where/how can I get at it?


Ken


On 23/05/2017 18:43, Eric Covener wrote:

On Tue, May 23, 2017 at 1:41 PM, Ken Mycock  wrote:

didn't set the RU environment variable either, so it's perhaps more
fundamental than not being allowed to rewrite REMOTE_USER.

IIUC It does not exist as an environment variable until right before
the CGI is executed.




-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Rewrite REMOTE_USER environment variable

2017-05-23 Thread Eric Covener 
On Tue, May 23, 2017 at 1:41 PM, Ken Mycock  wrote:
> didn't set the RU environment variable either, so it's perhaps more
> fundamental than not being allowed to rewrite REMOTE_USER.

IIUC It does not exist as an environment variable until right before
the CGI is executed.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Rewrite REMOTE_USER environment variable

2017-05-23 Thread Ken Mycock 

Rainer

Thanks, but unfortunately that didn't work.  Does 
 have any relevance here?


Changing the rule to:
RewriteCond %{REMOTE_USER} ^0*([1-9][0-9]+)
RewriteRule ^ -  [env=RU:%1]
didn't set the RU environment variable either, so it's perhaps more fundamental 
than not being allowed to rewrite REMOTE_USER.


Ken

On 23/05/2017 14:20, Rainer Canavan wrote:

On Tue, May 23, 2017 at 2:10 PM, Ken Mycock  wrote:
[...]


Hence, we need to allow authentication of either form of number but to strip
leading zeros from the number stored in REMOTE_USER.

I've tried various combinations of:
RewriteCond %{REMOTE_USER} ^0*([1-9][0-9]+)
RewriteRule ^0*([1-9]+)$ [E=RU:$1]

I haven't tested it, but I think

RewriteCond %{REMOTE_USER} ^0*([1-9][0-9]+)
RewriteRule ^ -  [env=REMOTE_USER:%1]

might work. The RewriteRule does nothing to the current location,
and sets REMOTE_USER from a backreference on the RewriteCond
matches.

rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org





-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Rewrite REMOTE_USER environment variable

2017-05-23 Thread Eric Covener 
In case rewrite does not work at all, you could call your scripts via
"Action" and change the environment in a simple shell script.

(the likely reason changing REMOTE_USER is hard is related to when it
is set from internal variables and when things have a chance to
override it)

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Rewrite REMOTE_USER environment variable

2017-05-23 Thread Rainer Canavan 
On Tue, May 23, 2017 at 2:10 PM, Ken Mycock  wrote:
[...]

> Hence, we need to allow authentication of either form of number but to strip
> leading zeros from the number stored in REMOTE_USER.
>
> I've tried various combinations of:
> RewriteCond %{REMOTE_USER} ^0*([1-9][0-9]+)
> RewriteRule ^0*([1-9]+)$ [E=RU:$1]

I haven't tested it, but I think

RewriteCond %{REMOTE_USER} ^0*([1-9][0-9]+)
RewriteRule ^ -  [env=REMOTE_USER:%1]

might work. The RewriteRule does nothing to the current location,
and sets REMOTE_USER from a backreference on the RewriteCond
matches.

rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Rewrite REMOTE_USER environment variable

2017-05-23 Thread Ken Mycock 
I am involved in migrating a legacy site, using Apache authentication and cgi 
scripts, to a CMS based site which uses its own access control.


The legacy site used  membership numbers as the user name, but the CMS site uses 
zero padded versions of those numbers.  So a user logging in to the legacy site 
would enter 10123, but 00010123 on the CMS site.  For consistency of user 
experience, we need to allow either form to pass Apache authentication - no 
problem as both forms are now included in the password file.


However, several hundred of the legacy cgi scripts read the REMOTE_USER 
environment variable to use as a key to identifying the member in the legacy 
database.  This lookup fails for users who log in with the zero padded form of 
number.


Hence, we need to allow authentication of either form of number but to strip 
leading zeros from the number stored in REMOTE_USER.


I've tried various combinations of:
RewriteCond %{REMOTE_USER} ^0*([1-9][0-9]+)
RewriteRule ^0*([1-9]+)$ [E=RU:$1]
#SetEnvIfNoCase ^REMOTE.USER$ ^0*([1-9][0-9]+) RU=$1
RequestHeader set REMOTE-USER %{RU}e env=REMOTE_USER

From the documentation, I know that this sort of manipulation was easy before 
Apache 2.4, but now needs a work-around.  What work-around should I use?  As 
we're on a shared server, the solution has to be implemented in htaccess, not 
httpd.conf.


Ken


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org