Apache Perl CGI script sso trouble and environment variables










2















I’m lost and I don’t know where else I could ask after spending hours and days of researching.



I’m trying to integrate and application written in Perl (OTRS) running with Apache to SSO all my agents. Between the client and the OTRS Server there is a Tivoli Access Manager and on it we have a junction configured. When the client opens the OTRS WAM enabled resource the TAM Server performs already SSO by taking the user id from the Kerberos ticket and checks whether the given user is able to access the junction if he/she is then TAM sets an variable named iv-user in the HTTPheader of the request and passes it to the application OTRS.



When I open the url http://myserver/otrs/index.pl I can see that Apache receives the iv-user variable in the HTTP header (I have configured mod_log_forensic in Apache):



iv-user variable in the HTTP request



When I login now with my user id and password and access the information section of the system I can see that the variable was basically “re-write?” to HTTP_IV_USER



iv_user to HTTP_IV_USER



In the end when I call a URL CGI script are being called and as per my understanding the “rewrite” is a common CGI thing so to say
https://tools.ietf.org/html/rfc3875



“The server SHOULD set meta-variables specific to the protocol and
scheme for the request. Interpretation of protocol-specific
variables depends on the protocol version in SERVER_PROTOCOL. The
server MAY set a meta-variable with the name of the scheme to a
non-NULL value if the scheme is not the same as the protocol. The
presence of such a variable indicates to a script which scheme is
used by the request.

Meta-variables with names beginning with "HTTP_" contain values read
from the client request header fields, if the protocol used is HTTP.
The HTTP header field name is converted to upper case, has all
occurrences of "-" replaced with "_" and has "HTTP_" prepended to
give the meta-variable name. The header data can be presented as
sent by the client, or can be rewritten in ways which do not change
its semantics. If multiple header fields with the same field-name
are received then the server MUST rewrite them as a single value
having the same semantics. Similarly, a header field that spans
multiple lines MUST be merged onto a single line. The server MUST,
if necessary, change the representation of the data (for example, the
character set) to be appropriate for a CGI meta-variable.”


Now I enable SSO within OTRS (that is basically one line) as OTRS relies that the user was already pre-authenticated and it looks for the REMOTE_USER variable to SSO into OTRS:



 HTTPBasicAuth for Agents
If you want to implement a "single sign on" solution for all your agents, you can use HTTP basic authentication (for all your systems) and the HTTPBasicAuth module for OTRS (see Example below).
Example 4.14. Authenticate Agents using HTTPBasic
# This is an example configuration for an apache ($ENVREMOTE_USER)
# auth. backend. Use it if you want to have a singe login through
# apache http-basic-auth
$Self->'AuthModule' = 'Kernel::System::Auth::HTTPBasicAuth';

# Note:
#
# If you use this module, you should use as fallback
# the following configuration settings if the user is not authorized
# apache ($ENVREMOTE_USER)
$Self->LoginURL = 'http://host.example.com/not-authorised-for-otrs.html';
$Self->LogoutURL = 'http://host.example.com/thanks-for-using-otrs.html';


Because I didn’t want to mess with the production environment I have configured my own test environment and to simulate the TAM Server I have used Modify Headers for Google Chrome to set the headers.

When I set the variable in Modify Headers in the header directly to HTTP_IV_USER not iv_user and take the value from HTTP_IV_USER and set it to REMOTE_USER in Apache SetEnvIf HTTP_IV_USER "(.*)$" REMOTE_USER=$1 I can SSO successfully.



But the problem is that Apache receives the variable as iv_user. If I set it that way in Modify Headers for Google Chrome SSO fails with the error message ser: No $ENVREMOTE_USER or $ENVHTTP_REMOTE_USER !(REMOTE_ADDR: x.x.x.x). so it looks like that my SetEnvIf does not get triggered.



I can go and add the HTTP_IV_USER variable directly in the OTRS code as follows but don’t think that this is an elegant way to handle it:



change in HTTPBasicAuth.pm



Long story shor here are my questions:



  1. Does Apache create the variable HTTP_IV_USER from the variable found in the HTTP header (iv_user)

  2. If yes, can it be that it is using the SetEnv directive to do so ?

  3. If yes, and this is my only guess, does my SetEnvIf directive not work because of The SetEnv directive runs late during request processing meaning that directives such as SetEnvIf and RewriteCond will not see the variables set with it. http://httpd.apache.org/docs/2.4/env.html#using

I hope my problem is clear and understandable and I know that there are passionate people out there wiling to share their knowledge and expertise :)



Many thanks in advance and best regards!










share|improve this question
























  • Maybe a better question for serverfault.com?

    – mob
    Nov 13 '18 at 13:40











  • @Could we please migrate it then ? It seams I'm not in the position to do so. Thank you!

    – postFix
    Nov 20 '18 at 8:31















2















I’m lost and I don’t know where else I could ask after spending hours and days of researching.



I’m trying to integrate and application written in Perl (OTRS) running with Apache to SSO all my agents. Between the client and the OTRS Server there is a Tivoli Access Manager and on it we have a junction configured. When the client opens the OTRS WAM enabled resource the TAM Server performs already SSO by taking the user id from the Kerberos ticket and checks whether the given user is able to access the junction if he/she is then TAM sets an variable named iv-user in the HTTPheader of the request and passes it to the application OTRS.



When I open the url http://myserver/otrs/index.pl I can see that Apache receives the iv-user variable in the HTTP header (I have configured mod_log_forensic in Apache):



iv-user variable in the HTTP request



When I login now with my user id and password and access the information section of the system I can see that the variable was basically “re-write?” to HTTP_IV_USER



iv_user to HTTP_IV_USER



In the end when I call a URL CGI script are being called and as per my understanding the “rewrite” is a common CGI thing so to say
https://tools.ietf.org/html/rfc3875



“The server SHOULD set meta-variables specific to the protocol and
scheme for the request. Interpretation of protocol-specific
variables depends on the protocol version in SERVER_PROTOCOL. The
server MAY set a meta-variable with the name of the scheme to a
non-NULL value if the scheme is not the same as the protocol. The
presence of such a variable indicates to a script which scheme is
used by the request.

Meta-variables with names beginning with "HTTP_" contain values read
from the client request header fields, if the protocol used is HTTP.
The HTTP header field name is converted to upper case, has all
occurrences of "-" replaced with "_" and has "HTTP_" prepended to
give the meta-variable name. The header data can be presented as
sent by the client, or can be rewritten in ways which do not change
its semantics. If multiple header fields with the same field-name
are received then the server MUST rewrite them as a single value
having the same semantics. Similarly, a header field that spans
multiple lines MUST be merged onto a single line. The server MUST,
if necessary, change the representation of the data (for example, the
character set) to be appropriate for a CGI meta-variable.”


Now I enable SSO within OTRS (that is basically one line) as OTRS relies that the user was already pre-authenticated and it looks for the REMOTE_USER variable to SSO into OTRS:



 HTTPBasicAuth for Agents
If you want to implement a "single sign on" solution for all your agents, you can use HTTP basic authentication (for all your systems) and the HTTPBasicAuth module for OTRS (see Example below).
Example 4.14. Authenticate Agents using HTTPBasic
# This is an example configuration for an apache ($ENVREMOTE_USER)
# auth. backend. Use it if you want to have a singe login through
# apache http-basic-auth
$Self->'AuthModule' = 'Kernel::System::Auth::HTTPBasicAuth';

# Note:
#
# If you use this module, you should use as fallback
# the following configuration settings if the user is not authorized
# apache ($ENVREMOTE_USER)
$Self->LoginURL = 'http://host.example.com/not-authorised-for-otrs.html';
$Self->LogoutURL = 'http://host.example.com/thanks-for-using-otrs.html';


Because I didn’t want to mess with the production environment I have configured my own test environment and to simulate the TAM Server I have used Modify Headers for Google Chrome to set the headers.

When I set the variable in Modify Headers in the header directly to HTTP_IV_USER not iv_user and take the value from HTTP_IV_USER and set it to REMOTE_USER in Apache SetEnvIf HTTP_IV_USER "(.*)$" REMOTE_USER=$1 I can SSO successfully.



But the problem is that Apache receives the variable as iv_user. If I set it that way in Modify Headers for Google Chrome SSO fails with the error message ser: No $ENVREMOTE_USER or $ENVHTTP_REMOTE_USER !(REMOTE_ADDR: x.x.x.x). so it looks like that my SetEnvIf does not get triggered.



I can go and add the HTTP_IV_USER variable directly in the OTRS code as follows but don’t think that this is an elegant way to handle it:



change in HTTPBasicAuth.pm



Long story shor here are my questions:



  1. Does Apache create the variable HTTP_IV_USER from the variable found in the HTTP header (iv_user)

  2. If yes, can it be that it is using the SetEnv directive to do so ?

  3. If yes, and this is my only guess, does my SetEnvIf directive not work because of The SetEnv directive runs late during request processing meaning that directives such as SetEnvIf and RewriteCond will not see the variables set with it. http://httpd.apache.org/docs/2.4/env.html#using

I hope my problem is clear and understandable and I know that there are passionate people out there wiling to share their knowledge and expertise :)



Many thanks in advance and best regards!










share|improve this question
























  • Maybe a better question for serverfault.com?

    – mob
    Nov 13 '18 at 13:40











  • @Could we please migrate it then ? It seams I'm not in the position to do so. Thank you!

    – postFix
    Nov 20 '18 at 8:31













2












2








2








I’m lost and I don’t know where else I could ask after spending hours and days of researching.



I’m trying to integrate and application written in Perl (OTRS) running with Apache to SSO all my agents. Between the client and the OTRS Server there is a Tivoli Access Manager and on it we have a junction configured. When the client opens the OTRS WAM enabled resource the TAM Server performs already SSO by taking the user id from the Kerberos ticket and checks whether the given user is able to access the junction if he/she is then TAM sets an variable named iv-user in the HTTPheader of the request and passes it to the application OTRS.



When I open the url http://myserver/otrs/index.pl I can see that Apache receives the iv-user variable in the HTTP header (I have configured mod_log_forensic in Apache):



iv-user variable in the HTTP request



When I login now with my user id and password and access the information section of the system I can see that the variable was basically “re-write?” to HTTP_IV_USER



iv_user to HTTP_IV_USER



In the end when I call a URL CGI script are being called and as per my understanding the “rewrite” is a common CGI thing so to say
https://tools.ietf.org/html/rfc3875



“The server SHOULD set meta-variables specific to the protocol and
scheme for the request. Interpretation of protocol-specific
variables depends on the protocol version in SERVER_PROTOCOL. The
server MAY set a meta-variable with the name of the scheme to a
non-NULL value if the scheme is not the same as the protocol. The
presence of such a variable indicates to a script which scheme is
used by the request.

Meta-variables with names beginning with "HTTP_" contain values read
from the client request header fields, if the protocol used is HTTP.
The HTTP header field name is converted to upper case, has all
occurrences of "-" replaced with "_" and has "HTTP_" prepended to
give the meta-variable name. The header data can be presented as
sent by the client, or can be rewritten in ways which do not change
its semantics. If multiple header fields with the same field-name
are received then the server MUST rewrite them as a single value
having the same semantics. Similarly, a header field that spans
multiple lines MUST be merged onto a single line. The server MUST,
if necessary, change the representation of the data (for example, the
character set) to be appropriate for a CGI meta-variable.”


Now I enable SSO within OTRS (that is basically one line) as OTRS relies that the user was already pre-authenticated and it looks for the REMOTE_USER variable to SSO into OTRS:



 HTTPBasicAuth for Agents
If you want to implement a "single sign on" solution for all your agents, you can use HTTP basic authentication (for all your systems) and the HTTPBasicAuth module for OTRS (see Example below).
Example 4.14. Authenticate Agents using HTTPBasic
# This is an example configuration for an apache ($ENVREMOTE_USER)
# auth. backend. Use it if you want to have a singe login through
# apache http-basic-auth
$Self->'AuthModule' = 'Kernel::System::Auth::HTTPBasicAuth';

# Note:
#
# If you use this module, you should use as fallback
# the following configuration settings if the user is not authorized
# apache ($ENVREMOTE_USER)
$Self->LoginURL = 'http://host.example.com/not-authorised-for-otrs.html';
$Self->LogoutURL = 'http://host.example.com/thanks-for-using-otrs.html';


Because I didn’t want to mess with the production environment I have configured my own test environment and to simulate the TAM Server I have used Modify Headers for Google Chrome to set the headers.

When I set the variable in Modify Headers in the header directly to HTTP_IV_USER not iv_user and take the value from HTTP_IV_USER and set it to REMOTE_USER in Apache SetEnvIf HTTP_IV_USER "(.*)$" REMOTE_USER=$1 I can SSO successfully.



But the problem is that Apache receives the variable as iv_user. If I set it that way in Modify Headers for Google Chrome SSO fails with the error message ser: No $ENVREMOTE_USER or $ENVHTTP_REMOTE_USER !(REMOTE_ADDR: x.x.x.x). so it looks like that my SetEnvIf does not get triggered.



I can go and add the HTTP_IV_USER variable directly in the OTRS code as follows but don’t think that this is an elegant way to handle it:



change in HTTPBasicAuth.pm



Long story shor here are my questions:



  1. Does Apache create the variable HTTP_IV_USER from the variable found in the HTTP header (iv_user)

  2. If yes, can it be that it is using the SetEnv directive to do so ?

  3. If yes, and this is my only guess, does my SetEnvIf directive not work because of The SetEnv directive runs late during request processing meaning that directives such as SetEnvIf and RewriteCond will not see the variables set with it. http://httpd.apache.org/docs/2.4/env.html#using

I hope my problem is clear and understandable and I know that there are passionate people out there wiling to share their knowledge and expertise :)



Many thanks in advance and best regards!










share|improve this question
















I’m lost and I don’t know where else I could ask after spending hours and days of researching.



I’m trying to integrate and application written in Perl (OTRS) running with Apache to SSO all my agents. Between the client and the OTRS Server there is a Tivoli Access Manager and on it we have a junction configured. When the client opens the OTRS WAM enabled resource the TAM Server performs already SSO by taking the user id from the Kerberos ticket and checks whether the given user is able to access the junction if he/she is then TAM sets an variable named iv-user in the HTTPheader of the request and passes it to the application OTRS.



When I open the url http://myserver/otrs/index.pl I can see that Apache receives the iv-user variable in the HTTP header (I have configured mod_log_forensic in Apache):



iv-user variable in the HTTP request



When I login now with my user id and password and access the information section of the system I can see that the variable was basically “re-write?” to HTTP_IV_USER



iv_user to HTTP_IV_USER



In the end when I call a URL CGI script are being called and as per my understanding the “rewrite” is a common CGI thing so to say
https://tools.ietf.org/html/rfc3875



“The server SHOULD set meta-variables specific to the protocol and
scheme for the request. Interpretation of protocol-specific
variables depends on the protocol version in SERVER_PROTOCOL. The
server MAY set a meta-variable with the name of the scheme to a
non-NULL value if the scheme is not the same as the protocol. The
presence of such a variable indicates to a script which scheme is
used by the request.

Meta-variables with names beginning with "HTTP_" contain values read
from the client request header fields, if the protocol used is HTTP.
The HTTP header field name is converted to upper case, has all
occurrences of "-" replaced with "_" and has "HTTP_" prepended to
give the meta-variable name. The header data can be presented as
sent by the client, or can be rewritten in ways which do not change
its semantics. If multiple header fields with the same field-name
are received then the server MUST rewrite them as a single value
having the same semantics. Similarly, a header field that spans
multiple lines MUST be merged onto a single line. The server MUST,
if necessary, change the representation of the data (for example, the
character set) to be appropriate for a CGI meta-variable.”


Now I enable SSO within OTRS (that is basically one line) as OTRS relies that the user was already pre-authenticated and it looks for the REMOTE_USER variable to SSO into OTRS:



 HTTPBasicAuth for Agents
If you want to implement a "single sign on" solution for all your agents, you can use HTTP basic authentication (for all your systems) and the HTTPBasicAuth module for OTRS (see Example below).
Example 4.14. Authenticate Agents using HTTPBasic
# This is an example configuration for an apache ($ENVREMOTE_USER)
# auth. backend. Use it if you want to have a singe login through
# apache http-basic-auth
$Self->'AuthModule' = 'Kernel::System::Auth::HTTPBasicAuth';

# Note:
#
# If you use this module, you should use as fallback
# the following configuration settings if the user is not authorized
# apache ($ENVREMOTE_USER)
$Self->LoginURL = 'http://host.example.com/not-authorised-for-otrs.html';
$Self->LogoutURL = 'http://host.example.com/thanks-for-using-otrs.html';


Because I didn’t want to mess with the production environment I have configured my own test environment and to simulate the TAM Server I have used Modify Headers for Google Chrome to set the headers.

When I set the variable in Modify Headers in the header directly to HTTP_IV_USER not iv_user and take the value from HTTP_IV_USER and set it to REMOTE_USER in Apache SetEnvIf HTTP_IV_USER "(.*)$" REMOTE_USER=$1 I can SSO successfully.



But the problem is that Apache receives the variable as iv_user. If I set it that way in Modify Headers for Google Chrome SSO fails with the error message ser: No $ENVREMOTE_USER or $ENVHTTP_REMOTE_USER !(REMOTE_ADDR: x.x.x.x). so it looks like that my SetEnvIf does not get triggered.



I can go and add the HTTP_IV_USER variable directly in the OTRS code as follows but don’t think that this is an elegant way to handle it:



change in HTTPBasicAuth.pm



Long story shor here are my questions:



  1. Does Apache create the variable HTTP_IV_USER from the variable found in the HTTP header (iv_user)

  2. If yes, can it be that it is using the SetEnv directive to do so ?

  3. If yes, and this is my only guess, does my SetEnvIf directive not work because of The SetEnv directive runs late during request processing meaning that directives such as SetEnvIf and RewriteCond will not see the variables set with it. http://httpd.apache.org/docs/2.4/env.html#using

I hope my problem is clear and understandable and I know that there are passionate people out there wiling to share their knowledge and expertise :)



Many thanks in advance and best regards!







apache perl environment-variables cgi






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 13 '18 at 15:09









Dave Cross

47.6k34078




47.6k34078










asked Nov 13 '18 at 11:13









postFixpostFix

244




244












  • Maybe a better question for serverfault.com?

    – mob
    Nov 13 '18 at 13:40











  • @Could we please migrate it then ? It seams I'm not in the position to do so. Thank you!

    – postFix
    Nov 20 '18 at 8:31

















  • Maybe a better question for serverfault.com?

    – mob
    Nov 13 '18 at 13:40











  • @Could we please migrate it then ? It seams I'm not in the position to do so. Thank you!

    – postFix
    Nov 20 '18 at 8:31
















Maybe a better question for serverfault.com?

– mob
Nov 13 '18 at 13:40





Maybe a better question for serverfault.com?

– mob
Nov 13 '18 at 13:40













@Could we please migrate it then ? It seams I'm not in the position to do so. Thank you!

– postFix
Nov 20 '18 at 8:31





@Could we please migrate it then ? It seams I'm not in the position to do so. Thank you!

– postFix
Nov 20 '18 at 8:31












0






active

oldest

votes











Your Answer






StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53279763%2fapache-perl-cgi-script-sso-trouble-and-environment-variables%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes















draft saved

draft discarded
















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53279763%2fapache-perl-cgi-script-sso-trouble-and-environment-variables%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Use pre created SQLite database for Android project in kotlin

Darth Vader #20

Ondo