Basic Auth code bug in Nagios XI 5.5.11

Post by fusen »

Hi,
We've just upgraded to Nagios XI 5.5.11 and experienced a bug in how the code deals with users authenticated via BasicAuth.

We use Apache's Mellon module to enable Single Sign On and so when a user signs in through SSO it sets the BasicAuth username header to whatever they authenticated as.

Nagios XI 5.5.11 then ignores the basic auth header and forces the user to use the local authentication system, which meant for us having to use the locally set password instead of our central AD based password used in the SSO process.

The bug in the code is as follows:

Line 117 of /nagiosxi/html/includes/auth.inc.php has the check

Code:

// HTTP basic authentication support
if ($remote_user = is_http_basic_authenticated()) {
        $uid = get_user_id($remote_user);
which calls this function, defined on line 250:

Code:

function is_http_basic_authenticated()
{
    $remote_user = "";
    if (isset($_SERVER["REMOTE_USER"])) {
        $remote_user = $_SERVER["REMOTE_USER"];
    }

    if (!empty($remote_user)) {
        return true;
    } else {
        return false;
    }
}
The problem is that this line

Code:

$remote_user = is_http_basic_authenticated()
will only ever return true or false, so the user lookup will fail

Code:

$uid = get_user_id($remote_user);
as it essentially ends up being get_user_id(1);

with the get_user_id() function being a database lookup of the username.

I've fixed this by changing the initial block of code to be

Code:

    // HTTP basic authentication support
    if ($remote_user = is_http_basic_authenticated()) {

        #############
        # added actual username variable - Mickey 12/04
        #############
        $remote_user = $_SERVER["REMOTE_USER"];
        #############

        $uid = get_user_id($remote_user);
so the $remote_user is replaced with the actual username instead of just '1'.
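The failure mode described in the post, reproduced as a stand-alone added example (this is not Nagios XI code and not the vendor's fix). The `get_user_id()` here is an assumed stub over a constructed in-memory user table standing in for the real database lookup; the "fixed" helper `http_basic_remote_user()` is likewise a hypothetical name, showing the alternative of making the helper return the username (or false) so that the caller's `if ($remote_user = ...)` idiom works as written instead of re-reading `$_SERVER` at the call site.

```php
<?php
// Added example: the Nagios XI 5.5.11 REMOTE_USER bug and one way to fix it.
// Nothing here is the project's own code; get_user_id() is a stub.

// Stub for the database lookup: maps usernames to ids, -1 when not found.
// The user table is constructed sample data.
function get_user_id($username): int
{
    $users = ['alice' => 7, 'bob' => 12];
    // (string) matters: PHP stringifies boolean true as "1", so a caller that
    // passes true ends up looking for a user literally named "1".
    return $users[(string) $username] ?? -1;
}

// The 5.5.11 helper as posted above: answers yes/no, never the username.
function is_http_basic_authenticated(): bool
{
    return !empty($_SERVER['REMOTE_USER'] ?? '');
}

// Buggy caller (shape of auth.inc.php line 117): $remote_user receives the
// boolean, and the lookup is for "1", which fails for every real user.
function buggy_lookup(): int
{
    if ($remote_user = is_http_basic_authenticated()) {
        return get_user_id($remote_user);   // get_user_id(true)
    }
    return -1;
}

// Alternative fix (hypothetical helper name): return the REMOTE_USER string,
// or false when the web server did not set it.
function http_basic_remote_user()
{
    $remote_user = $_SERVER['REMOTE_USER'] ?? '';
    // strlen() rather than empty(): empty("0") is true in PHP, so a user
    // named "0" would otherwise be treated as unauthenticated.
    return strlen($remote_user) > 0 ? $remote_user : false;
}

function fixed_lookup(): int
{
    if (($remote_user = http_basic_remote_user()) !== false) {
        return get_user_id($remote_user);
    }
    return -1;
}

// Simulate what mod_auth_mellon does after a successful SSO login: the web
// server populates $_SERVER['REMOTE_USER']. This is a server-side variable,
// not a client-supplied HTTP_* request header, which is why the auth code
// can trust it in the first place.
$_SERVER['REMOTE_USER'] = 'alice';

var_dump(buggy_lookup());
var_dump(fixed_lookup());
```

Run with `php example.php`: the buggy path reports no user (the lookup for "1" misses, which is what pushes the user to the local login form), while the fixed path resolves alice to her id. Either fix, re-reading `$_SERVER["REMOTE_USER"]` at the call site as in the post or changing the helper's return value, works; the helper change has the advantage that the `if ($remote_user = ...)` assignment idiom in the caller stays self-consistent.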

Re: Basic Auth code bug in Nagios XI 5.5.11

Post by swolf »

Hi @fusen,

Thanks for bringing this to our attention. We should have this fixed for the 5.6.0 release.