
set username by REMOTE_USER #551

Closed
tbeitter opened this issue Mar 13, 2012 · 29 comments

Comments

@tbeitter

Set the pad's username from the REMOTE_USER passed through by HTTP AuthBasic, for example.

Many pads are running behind a webserver AuthBasic, so it would be nice not to have to set my username every time I log in.

@Pita
Contributor

Pita commented Mar 14, 2012

maybe you can make an apache rule that passes the username with a ?userName parameter

@Wikinaut
Contributor

maybe you can make an apache rule that passes the username with a ?userName parameter

So that userName can be faked? I guess this is not what spicewiesel wanted.

@prauscher
Contributor

If you want serious authentication, you may want to use the HTTP API to create a session (e.g. in PHP with etherpad-lite-client).
Regarding faking userNames: Etherpad Lite allows users to change their username in the pad. To avoid username faking we would have to change more code (perhaps forbid authors from changing their username via the API?).

@tbeitter
Author

It would be enough to initially set the username to REMOTE_USER. There is at the moment no need to avoid faking.

@HoverHell

Note that the more commonly used header for that purpose is X-Forwarded-User; and it would be sufficiently safe to add a config option that makes etherpad read that header if present and authenticate as the specified user (just as safe as using a webserver in front of the etherpad for authentication).
(REMOTE_USER is, usually, a wsgi / fastcgi variable)

@HoverHell

HoverHell/etherpad-lite@5a5dd9034f6ef8abcb7176f0bab3ba389a08cf75
(also see two other commits in my fork for possible usefulness)

@Wikinaut
Contributor

see also duplicate "Set author name from HTTP auth data" https://github.com/Pita/etherpad-lite/issues/759

@mamachine

Hi,

Like others, I want to authenticate etherpad-lite with Shibboleth through an Apache proxy using mod_shib.

I managed to find a solution that works.

The general idea is to use a value in the headers (set by the proxy) to set the AuthorName.
This way it can be used for Shibboleth, but also CAS or any auth mechanism through a proxy.

I'm new to Node.js; is the way I did it OK from a developer's point of view?

The suggested patch: support_shibb_etherpad-lite.diff => http://pastebin.com/raw.php?i=hYr8bd89
A sample Apache config with mod_shib: config_apache_shibb_etherpad-lite.txt => http://pastebin.com/raw.php?i=SDhJpDNd

If it's correct, could it be committed to the master branch?
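The proxy-header approach discussed in the comments above (the X-Forwarded-User suggestion and the header-based patch) is only as safe as the check that the header really came from the authenticating proxy. The sketch below is an added example, not code from this thread, the linked patch or Etherpad; the `settings` keys and function names are hypothetical, and it assumes user names contain no commas.

```javascript
'use strict';

// Hypothetical settings; the key names are assumptions, not Etherpad options.
const settings = {
  trustedProxies: ['127.0.0.1', '::1'],   // addresses the reverse proxy connects from
  userHeader: 'x-forwarded-user',         // Node lower-cases incoming header names
};

// Node reports IPv4 peers on dual-stack sockets as "::ffff:a.b.c.d".
function normalizeAddress(addr) {
  return (addr || '').replace(/^::ffff:/i, '');
}

// Returns the proxy-asserted user name, or null when the header must be ignored.
function resolveAuthorName(req, cfg = settings) {
  const peer = normalizeAddress(req.socket && req.socket.remoteAddress);
  // Only the authenticating proxy may assert an identity. A request that
  // reaches the Node port directly can carry any header the client likes.
  if (!cfg.trustedProxies.includes(peer)) return null;

  const raw = req.headers[cfg.userHeader];
  if (typeof raw !== 'string') return null;
  // Node joins repeated headers with ", ". A comma therefore means the proxy
  // appended to a client-supplied copy instead of replacing it.
  // Assumption: legitimate user names never contain a comma.
  if (raw.includes(',')) return null;

  const name = raw.trim();
  // Reject empty, oversized or control-character values before display.
  if (name.length === 0 || name.length > 64 || /[\x00-\x1f\x7f]/.test(name)) return null;
  return name;
}

// Constructed sample requests, shaped like Node's http.IncomingMessage.
const viaProxy = {socket: {remoteAddress: '::ffff:127.0.0.1'},
                  headers: {'x-forwarded-user': 'alice'}};
const direct = {socket: {remoteAddress: '203.0.113.7'},
                headers: {'x-forwarded-user': 'admin'}};
const doubled = {socket: {remoteAddress: '127.0.0.1'},
                 headers: {'x-forwarded-user': 'admin, alice'}};

console.log(resolveAuthorName(viaProxy)); // proxy-asserted name is used
console.log(resolveAuthorName(direct));   // header ignored: peer is not the proxy
console.log(resolveAuthorName(doubled));  // header ignored: duplicated header
```

On the proxy side, the matching requirement is that the header is unset or overwritten on every request before the authenticated value is added, and that the Node port is not reachable except through the proxy.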

@disy-mk
Contributor

disy-mk commented Oct 24, 2012

Wow,

that sounds fantastic! Is something like that also possible with LDAP?

@mamachine

I guess yes. As long as you can set a header through a proxy, it should work.

@JohnMcLear
Member

Auth is being reviewed at the moment and we're waiting on a draft spec from @Pita, so I'd say hold out on that before trying to integrate too prematurely and having to redo your work.
The short answer to "could it be committed to the master branch": no. Sorry!
It's worth noting we don't accept commits direct to master. You must issue pull requests against develop. We use a git flow model (or try to) when releasing. Please see our developer guidelines.
Secondly, auth is being rewritten, so no pull requests for anything related to auth will be considered.
If you want to be part of the auth rewrite I'd be very happy to help you with that by introducing you to the other developers. I'd recommend having a chat with @Pita @rhelmer and @marcelklehr and/or jumping into the IRC channel where they are all hanging out.

@disy-mk
Contributor

disy-mk commented Nov 8, 2012

Which git rev is the patch applicable to?

On 23.10.2012 at 22:03, mamachine notifications@github.com wrote:

Hi,

Like others, I want to authenticate etherpad-lite with Shibboleth through an Apache proxy using mod_shib.

I managed to find a solution that works.

The general idea is to use a value in the headers (set by the proxy) to set the AuthorName.
This way it can be used for Shibboleth, but also CAS or any auth mechanism through a proxy.

I'm new to Node.js; is the way I did it OK from a developer's point of view?

The suggested patch: support_shibb_etherpad-lite.diff => http://pastebin.com/raw.php?i=hYr8bd89
A sample Apache config with mod_shib: config_apache_shibb_etherpad-lite.txt => http://pastebin.com/raw.php?i=SDhJpDNd

If it's correct, could it be committed to the master branch?

@mamachine

For @johnyma22, sorry, I don't have time to help work on the auth rewrite. But I could do some tests for Shibb or CAS authentication when you have something workable.

For @disy-mk, the patch was written for v1.1.4:

commit e19c05d
Merge: 3caa030 e484121
Author: John McLear john@mclear.co.uk
Date: Thu Oct 11 08:40:25 2012 -0700

Merge pull request #1058 from Pita/release/releases-1.1.4

Release 1.1.4

@disy-mk
Contributor

disy-mk commented Nov 14, 2012

@mamachine:
could you check on that?


Note: checking out 'e19c05d1c4652191467e7e53cbf906ce9882fd14'.

epl$ git log |head -n5
commit e19c05d
Merge: 3caa030 e484121
Author: John McLear john@mclear.co.uk
Date: Thu Oct 11 08:40:25 2012 -0700

epl$ patch -p1 < shib.patch
patching file settings.json.template
patching file src/node/db/Pad.js
patching file src/node/handler/PadMessageHandler.js
Hunk #1 FAILED at 334.
Hunk #2 FAILED at 412.
Hunk #3 FAILED at 935.
Hunk #6 FAILED at 1085.
4 out of 6 hunks FAILED -- saving rejects to file src/node/handler/PadMessageHandler.js.rej
patching file src/node/utils/Settings.js

@mamachine

There were some space/tab problems with the first pastebin file.

Here is a better one, but it may display a warning "(Stripping trailing CRs from patch.)" during the patch process.
http://pastebin.com/raw.php?i=M3e3Dvi7

Here is how to replay the patch and check that it has been applied correctly:

$ git clone https://github.com/ether/etherpad-lite
$ cd etherpad-lite
$ git checkout e19c05d
$ patch -p1 < shib.patch
$ git diff|md5sum
656f8adfe0a2d9dc357182e1538eb24e -

If you know a better place to post the patch...

Otherwise you may try this alternative work someone else has done; it seems to work too:
https://github.com/wtsi-hgi/ep_sotauth

@JohnMcLear
Member

Please create a vote for this plugin / feature on http://etherpad.idea.informer.com/

@TiagoTT

TiagoTT commented Oct 25, 2013

Everyone interested, please vote here: http://etherpad.idea.informer.com/proj/?ia=72231

set author name to the one used in basic http auth

the etherpad lite is accessed directly without a proxy
the author name should be set to the one used in basic http auth

@JohnMcLear
Member

LDAP auth available here https://github.com/tykeal/ep_ldapauth

@Wikinaut
Contributor

@JohnMcLear thanks for posting here!

@JohnMcLear
Member

@lkraav

lkraav commented Feb 24, 2016

This never moved forward even with the bounty? I was looking at the description of https://github.com/lsowen/ep_auth_author and wasn't able to understand "Add a prefix to settings.json to distinguish between normal BasicAuth users...", makes it sound like BasicAuth is already baked in, but this ticket is still open.

@JohnMcLear
Member

Bounty too small?

----- Reply message -----
From: "Leho Kraav" notifications@github.com
To: "ether/etherpad-lite" etherpad-lite@noreply.github.com
Cc: "John McLear" John@mclear.co
Subject: [etherpad-lite] set username by REMOTE_USER (#551)
Date: Wed, Feb 24, 2016 12:49

This never moved forward even with the bounty?


@HoverHell

I implemented this for myself back then, but it was not merged.
On 24 Feb 2016 15:49, "Leho Kraav" notifications@github.com wrote:

This never moved forward even with the bounty?



@JohnMcLear
Member

Closing as plugins are doing this.

@volter

volter commented May 23, 2020

And which ones?

@JohnMcLear
Member

AFAIK ep_ldap does it?

@volter

volter commented May 24, 2020

But this request was a lot more generic than LDAP.

@JohnMcLear
Member

The point is that plugins are doing it and I provided an example that does. You can copy/paste the LDAP logic to whatever auth mechanism you are using.
