How can I implement single sign-on with Check_MK?

I am working on a panel type site. We have a login page implemented in php that authenticates to the LDAP server. We also have the Check_MK page, which has its own login dialog, which is authenticated on the same LDAP server. I would like the user to not have to re-enter their credentials in the Check_MK login dialog. I would prefer the credentials entered on our php login page to be passed to Check_MK so that authentication can be performed without user interaction. Is it possible? If so, how to do it?

Edit: Please explain who said it is too wide.

I managed to get automatic login using check_MK by passing the username and password through the URL as described on this website: http://stichl.at/2014/04/check_mk-multisite-auto-login/
I do not think that this will be a viable option for me, though, as it seems to be unsafe, as described in detail in this question: Is it safe to pass login credentials in plain text to HTTPS URLs?

Although open source, I cannot modify the checkMK login.py file due to its GNU license. Besides sending the credentials via a plain text URL, how can I use the credentials provided on the php login page to automatically enter the check_MK page?

Below is the php / html code where I open the Check_MK registration screen.

<script type="text/javascript">
    var version = global.dashboard_version;
    console.log("version = " + version);
    var url = global.ips[version + "_nagios_iframe"];
    // Credentials from the PHP session go into the query string; urlencode()
    // keeps quotes and '&' in the values from breaking the JS string or the URL.
    var suffix = <?php echo "'" . '&_username=' . urlencode($_SESSION['username']) . '&_password=' . urlencode($_SESSION['password']) . "&_login=1'"; ?>;
    console.log("suffix = " + suffix);
    url = url + suffix;
    console.log("url = " + url);
    document.getElementById("nagiosiframe").src = url;
</script>

Check_MK registration code can be found here: https://github.com/sileht/check_mk/blob/master/web/htdocs/login.py

The corresponding function is called do_login and is located on line 147.

In particular, I don’t know how to safely pass the values of my session variables (username and password) to login.py code.

This is my first introduction to any of these languages and technologies. Even search query suggestions will be appreciated.

+6
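The auto-login URL in the question carries `_username` and `_password` in the query string, which web servers record in their access logs. The following is an added example, not code from the original post or from Check_MK: a Python scanner that finds those parameters in combined-format access log lines, both in the request and in the Referer field, and produces redacted lines. The log lines, host names and the `/site/check_mk/` path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Query parameters used by the auto-login URL shown in the question.
CRED_PARAMS = {"_username", "_password"}

# Apache/nginx "combined" log format, split so the line can be rebuilt after redaction.
LOG_RE = re.compile(
    r'^(?P<pre>\S+ \S+ \S+ \[[^\]]+\] ")(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)'
    r'(?P<mid>" \d{3} \S+ ")(?P<referer>[^"]*)(?P<post>" "[^"]*")$'
)

# Constructed sample lines (not taken from any real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2015:10:01:02 +0000] "GET /site/check_mk/login.py?_origtarget=index.py'
    '&_username=alice&_password=S3cret%21&_login=1 HTTP/1.1" 302 0 '
    '"https://panel.example/dashboard.php" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Mar/2015:10:01:03 +0000] "GET /site/check_mk/logo.png HTTP/1.1" 200 5120 '
    '"https://panel.example/site/check_mk/login.py?_username=alice&_password=S3cret%21&_login=1" '
    '"Mozilla/5.0"',
    '192.0.2.11 - - [12/Mar/2015:10:02:00 +0000] "GET /site/check_mk/index.py HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0"',
]

def redact_url(url):
    """Return (url with credential values replaced, list of credential parameters found)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k in CRED_PARAMS]
    if not leaked:
        return url, []  # leave clean URLs byte-for-byte unchanged
    clean = [(k, "REDACTED" if k in CRED_PARAMS else v) for k, v in pairs]
    return parts._replace(query=urlencode(clean)).geturl(), leaked

def scan_line(line):
    """Return (redacted line, findings); findings are (field, parameter) tuples."""
    m = LOG_RE.match(line)
    if not m:
        return line, []
    target, in_request = redact_url(m["target"])
    referer, in_referer = redact_url(m["referer"])
    findings = [("request", k) for k in in_request] + [("referer", k) for k in in_referer]
    rebuilt = f'{m["pre"]}{m["method"]} {target} {m["proto"]}{m["mid"]}{referer}{m["post"]}'
    return rebuilt, findings

def scan(lines):
    """Return [(line number, findings, redacted line)] for lines that expose credentials."""
    results = ((n, scan_line(line)) for n, line in enumerate(lines, 1))
    return [(n, findings, red) for n, (red, findings) in results if findings]
```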
1 answer

Justin

Since you cannot change the code for the check_mk page, you must give it credentials. If this restriction did not exist, there would be many safe ways to do this.

Now with this limitation, this is an option that I have used in the past and could work for you.

Step 1. In your PHP code, you have access to the original password ... (store it in safe mode)

Step 2. As part of the transaction (all or nothing, do the following):

a. Set the password in ldap for this particular user to the random password that you just created.

b. Pass this password to this check_mk page with.

c. Once authentication is complete, from your PHP page, set the ldap password back to the original.

This way you will not pass a real password and will perform single sign-on between your php and the check_mk page.

If you can change check_mk, I would give you other answers. Let me know if this works.

+1

Source: https://habr.com/ru/post/986514/

