Apache Perl CGI script sso trouble and environment variables
I’m lost and I don’t know where else I could ask after spending hours and days of researching.
I’m trying to integrate an application written in Perl (OTRS) running with Apache to SSO all my agents. Between the client and the OTRS Server there is a Tivoli Access Manager, and on it we have a junction configured. When the client opens the OTRS WAM enabled resource, the TAM Server already performs SSO by taking the user id from the Kerberos ticket and checks whether the given user is able to access the junction. If he/she is, then TAM sets a variable named iv-user in the HTTP header of the request and passes it to the application OTRS.
When I open the URL http://myserver/otrs/index.pl I can see that Apache receives the iv-user variable in the HTTP header (I have configured mod_log_forensic in Apache):
When I log in now with my user id and password and access the information section of the system, I can see that the variable was basically “re-write?” to HTTP_IV_USER
In the end, when I call a URL, CGI scripts are being called, and as per my understanding the “rewrite” is a common CGI thing, so to say:
https://tools.ietf.org/html/rfc3875
“The server SHOULD set meta-variables specific to the protocol and
scheme for the request. Interpretation of protocol-specific
variables depends on the protocol version in SERVER_PROTOCOL. The
server MAY set a meta-variable with the name of the scheme to a
non-NULL value if the scheme is not the same as the protocol. The
presence of such a variable indicates to a script which scheme is
used by the request.
Meta-variables with names beginning with "HTTP_" contain values read
from the client request header fields, if the protocol used is HTTP.
The HTTP header field name is converted to upper case, has all
occurrences of "-" replaced with "_" and has "HTTP_" prepended to
give the meta-variable name. The header data can be presented as
sent by the client, or can be rewritten in ways which do not change
its semantics. If multiple header fields with the same field-name
are received then the server MUST rewrite them as a single value
having the same semantics. Similarly, a header field that spans
multiple lines MUST be merged onto a single line. The server MUST,
if necessary, change the representation of the data (for example, the
character set) to be appropriate for a CGI meta-variable.”
Now I enable SSO within OTRS (that is basically one line), as OTRS relies on the user being already pre-authenticated and it looks for the REMOTE_USER variable to SSO into OTRS:
HTTPBasicAuth for Agents
If you want to implement a "single sign on" solution for all your agents, you can use HTTP basic authentication (for all your systems) and the HTTPBasicAuth module for OTRS (see Example below).
Example 4.14. Authenticate Agents using HTTPBasic
# This is an example configuration for an apache ($ENV{REMOTE_USER})
# auth. backend. Use it if you want to have a single login through
# apache http-basic-auth
$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
# Note:
#
# If you use this module, you should use as fallback
# the following configuration settings if the user is not authorized
# apache ($ENV{REMOTE_USER})
$Self->{LoginURL} = 'http://host.example.com/not-authorised-for-otrs.html';
$Self->{LogoutURL} = 'http://host.example.com/thanks-for-using-otrs.html';
Because I didn’t want to mess with the production environment, I have configured my own test environment, and to simulate the TAM Server I have used Modify Headers for Google Chrome to set the headers.
When I set the variable in Modify Headers in the header directly to HTTP_IV_USER, not iv_user, and take the value from HTTP_IV_USER and set it to REMOTE_USER in Apache:
SetEnvIf HTTP_IV_USER "(.*)$" REMOTE_USER=$1
I can SSO successfully.
But the problem is that Apache receives the variable as iv_user. If I set it that way in Modify Headers for Google Chrome, SSO fails with the error message:
ser: No $ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER} !(REMOTE_ADDR: x.x.x.x)
So it looks like my SetEnvIf does not get triggered.
I can go and add the HTTP_IV_USER variable directly in the OTRS code as follows, but I don’t think that this is an elegant way to handle it:
Long story short, here are my questions:
- Does Apache create the variable HTTP_IV_USER from the variable found in the HTTP header (iv_user)?
- If yes, can it be that it is using the SetEnv directive to do so?
- If yes, and this is my only guess, does my SetEnvIf directive not work because of "The SetEnv directive runs late during request processing meaning that directives such as SetEnvIf and RewriteCond will not see the variables set with it." http://httpd.apache.org/docs/2.4/env.html#using
I hope my problem is clear and understandable and I know that there are passionate people out there willing to share their knowledge and expertise :)
Many thanks in advance and best regards!
apache perl environment-variables cgi
Maybe a better question for serverfault.com?
– mob
Nov 13 '18 at 13:40
@Could we please migrate it then? It seems I'm not in the position to do so. Thank you!
– postFix
Nov 20 '18 at 8:31
edited Nov 13 '18 at 15:09
Dave Cross
asked Nov 13 '18 at 11:13
postFix
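The header-to-variable lookups the question asks about, as an added Perl sketch that is not part of the original post and is not Apache or OTRS code. The function names and the user id jdoe are constructed for illustration, and the SetEnvIf model is simplified: it ignores the special attributes (Remote_Addr and so on) and variables set by earlier SetEnvIf directives.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# RFC 3875, section 4.1.18: upper-case the field name, replace "-" with "_",
# prepend "HTTP_".
sub cgi_meta_name {
    my ($field) = @_;
    (my $name = uc $field) =~ tr/-/_/;
    return "HTTP_$name";
}

# HTTP_* part of the CGI environment built from the request headers.
# With $strict set this models Apache 2.4, which does not export a header whose
# name contains anything but letters, digits and "-" (so "iv_user" is dropped).
sub cgi_env_from_headers {
    my ($headers, $strict) = @_;
    my %env;
    for my $field (keys %$headers) {
        next if $strict && $field !~ /\A[A-Za-z0-9-]+\z/;
        $env{ cgi_meta_name($field) } = $headers->{$field};
    }
    return \%env;
}

# Simplified model of 'SetEnvIf ATTRIBUTE REGEX VAR=$1': ATTRIBUTE is looked up
# as a request header field name (case-insensitive), not as a CGI
# meta-variable, and a missing header is matched as the empty string.
sub setenvif_capture {
    my ($headers, $attribute, $regex) = @_;
    my ($field) = grep { lc $_ eq lc $attribute } keys %$headers;
    my $value = defined $field ? $headers->{$field} : '';
    return $value =~ $regex ? $1 : undef;
}

sub show { my ($v) = @_; return defined $v ? "'$v'" : '(unset)' }

# Constructed cases: [ header name on the wire, SetEnvIf attribute, regex ].
my @cases = (
    [ 'iv-user',      'HTTP_IV_USER', qr/(.*)$/ ],  # TAM header, directive from the question
    [ 'HTTP_IV_USER', 'HTTP_IV_USER', qr/(.*)$/ ],  # browser test that worked
    [ 'iv_user',      'HTTP_IV_USER', qr/(.*)$/ ],  # browser test that failed
    [ 'iv-user',      'iv-user',      qr/(.+)/  ],  # attribute equals the header name
    [ 'x-other',      'iv-user',      qr/(.+)/  ],  # header absent, (.+) does not match
);

for my $case (@cases) {
    my ($sent, $attribute, $regex) = @$case;
    my $headers = { $sent => 'jdoe' };              # constructed sample user id
    my $env     = cgi_env_from_headers($headers, 1);
    printf "%-13s -> HTTP_IV_USER=%-9s SetEnvIf %-12s => REMOTE_USER=%s\n",
        $sent, show($env->{HTTP_IV_USER}), $attribute,
        show(setenvif_capture($headers, $attribute, $regex));
}
```

The first three rows reproduce what the question reports; the last two use the header's own name as the attribute with (.+), which leaves REMOTE_USER unset when the header is missing. Since the value comes from a request header, it is only trustworthy when Apache accepts connections from the TAM junction alone.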