S9y 1.4.1 and httpauth plugin

Posted: Fri Mar 27, 2009 5:31 pm
by hsarik
I'm working on an upgrade of Serendipity from 0.8.2 to 1.4.1. So far, all has gone very well, but the httpauth plugin does not seem to exhibit the same behavior as in the old installation. The old (and I think expected) behavior with 0.8.2 and the 1.5 httpauth plugin is that Serendipity will pick up $REMOTE_USER from our general website auth and automatically log users into their admin interfaces without requiring the local Serendipity password stored in the database. After the upgrade to 1.4.1, Serendipity requires the database password. The normal database auth works fine; there don't seem to be any issues with sessions.

The following settings are configured for the httpauth plugin on both the new and old installations:

Require authentication for frontend: NO
Grant REMOTE_USER Authentication? YES
Enable wildcard authentication? NO

I've tried both the 1.5 and 1.6 httpauth plugin, and the behavior is the same. I've turned on debugging in the plugin and, after adding a few additional statements, confirmed that the plugin is getting the correct REMOTE_USER and sending that and the correct md5 database password to the serendipity_authenticate_author function, i.e. serendipity_authenticate_author($_SERVER['REMOTE_USER'], $pass, 'true', 'true'); I'm not sure where the failure is occurring after this point.

Is httpauth known to work with 1.4.1, and does anyone have any suggestions for further debugging and/or fixing this problem?

Thanks,

Heather

Re: S9y 1.4.1 and httpauth plugin

Posted: Mon Mar 30, 2009 12:17 pm
by garvinhicking
Hi!

Sadly, yes: from s9y 0.8 until now, the authentication scheme has changed. Due to security exploits that were possible, the username+password are now evaluated every time.

So you cannot login as a user with a password that is different from the one stored in the database. I'm afraid your only solution would be to set the passwords for REMOTE_USER to match the one also set in the database, so that those do not differ.

The only other variant I see would be to create a custom plugin that also listens to the backend_login event hook and sets the $eventData value to TRUE if your prerequisites match.

You might want to test the serendipity 1.5 version, we have improved the login management there one step further (using sha1 passwords instead of md5), and the upside of that improved management is that we added more debugging options. If you set the $debug variable inside the serendipity_authenticate_author function you'll get a logfile output that would help you a lot to check what comes in and out of the login routine functions...

HTH,
Garvin
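One way to build the custom plugin Garvin describes, as an added example that is not code from this thread or from the Serendipity project. The class skeleton (serendipity_event, introspect(), event_hook()) follows the s9y plugin API as I know it; the hook name backend_login is taken from Garvin's post, and the assumption that the hook's $addData array carries the requested username under a 'username' key should be checked against serendipity_authenticate_author in the installed version before relying on it. The directory and class name are also my own choice.

```php
<?php
// Added example plugin, not part of the thread or of Serendipity itself.
// Assumed location: plugins/serendipity_event_remoteuserlogin/serendipity_event_remoteuserlogin.php
//
// Grants a backend login when the web server has already authenticated the
// user (REMOTE_USER) and that user is an existing s9y author. If any of the
// prerequisites is missing, $eventData is left untouched so the normal
// database password check still applies.
class serendipity_event_remoteuserlogin extends serendipity_event
{
    function introspect(&$propbag)
    {
        $propbag->add('name',        'REMOTE_USER backend login');
        $propbag->add('description', 'Accept a backend login when REMOTE_USER matches the requested author');
        $propbag->add('author',      'example');
        $propbag->add('version',     '0.1');
        // Hook name as given in Garvin's reply above.
        $propbag->add('event_hooks', array('backend_login' => true));
    }

    function generate_content(&$title)
    {
        $title = 'REMOTE_USER backend login';
    }

    function event_hook($event, &$bag, &$eventData, $addData = null)
    {
        global $serendipity;

        if ($event !== 'backend_login') {
            return false;
        }

        // REMOTE_USER is set by the web server's own auth (e.g. Apache Basic/
        // Digest), never from a client header, so it is safe to trust here.
        $remote = isset($_SERVER['REMOTE_USER']) ? (string) $_SERVER['REMOTE_USER'] : '';

        // Assumption: the hook passes the login name being attempted as
        // $addData['username']. Verify against serendipity_authenticate_author.
        $wanted = (is_array($addData) && isset($addData['username']))
                ? (string) $addData['username'] : '';

        // Require an exact match between the externally authenticated user
        // and the author whose backend is being opened; otherwise fall through.
        if ($remote === '' || $wanted === '' || $remote !== $wanted) {
            return true;
        }

        // Only grant access for accounts that actually exist in the s9y
        // authors table, so a REMOTE_USER unknown to s9y cannot log in.
        $row = serendipity_db_query(
            "SELECT authorid FROM {$serendipity['dbPrefix']}authors"
            . " WHERE username = '" . serendipity_db_escape_string($remote) . "'",
            true
        );

        if (is_array($row) && isset($row['authorid'])) {
            $eventData = true;   // tell the login routine the user is authenticated
        }

        return true;
    }
}
```

Two practical caveats for an intranet setup like Heather's: enable the plugin only on an installation where the whole s9y directory (including the backend) sits behind the site-wide web server authentication, because without REMOTE_USER the plugin simply defers to the database password; and keep the comparison exact, since a case-insensitive or prefix match would let one external account open another author's backend.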

Re: S9y 1.4.1 and httpauth plugin

Posted: Tue Mar 31, 2009 4:37 pm
by hsarik
Garvin,

Thanks for your reply, I had a feeling that would be the case. We'll work on some alternatives and may share the code if we end up with a good replacement for our intranet authentication needs.

Heather

Re: S9y 1.4.1 and httpauth plugin

Posted: Wed Apr 01, 2009 1:25 pm
by garvinhicking
Hi!

Okay, no problem. If you have any questions about the s9y specifics, please report back and I'll see how I can help :)

Regards,
Garvin