ZABBIX BUGS AND ISSUES / ZBX-5513

External HTTP Auth broken for non-password based authentication mechanisms


      A recent change to breaks external HTTP authentication for any auth method which does not use passwords (mod_auth_tkt or mod_auth_pam for example). Even though the underlying authentication is successful, the user is given a "You are not logged in." error when attempting to view the frontend. This was reported in the forums by a user at http://www.zabbix.com/forum/showthread.php?t=28371

      Commit r28716 (tomtom | 2012-07-06 06:08:24 +0000) changed this line in frontends/php/index.php

      • if (!empty($_SERVER['PHP_AUTH_USER'])) {
        + if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) {
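
      Review bot: The added `!empty($_SERVER['PHP_AUTH_PW'])` clause on the `+` line makes the external HTTP auth branch depend on a password being present, so a user the web server has already authenticated without one never enters it. The identity this branch needs is `PHP_AUTH_USER`, and nothing in the visible change uses the password value itself. Suggest keeping the test on `PHP_AUTH_USER` alone; if a password check is needed for another issue, put it in a separate condition with a comment explaining why, so that it does not gate this branch.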

      This would appear to require any Apache external authentication mechanism to have supplied both the authenticated username as well as an associated password. However, many external authentication mechanisms do not involve passwords and therefore fail this test because there is no PHP_AUTH_PW populated.

      This commit was associated with ZBX-5070 (Sql error after logout) and ZBX-4741 (authentication configuration page still uses "profiles" table) but I can't see how the change directly addresses either of those two issues. I think it may have been an inadvertent or unintended change of behavior. I'm not entirely clear on the intent behind the change, so I'm not sure if simply reverting to the old line is a suitable fix, but rolling back the change to that one line definitely "fixes the glitch" and allows External HTTP auth to function again.

      If the additional check of requiring a non-empty is truly necessary to resolve ZBX-5070 or ZBX-4741 then a more flexible approach will be necessary.

            Unassigned Unassigned
            nugget David McNett