Hi there

Let me confess that I have an agenda of wanting graylog-web to support 
SAML, but from my Googling about I can also see others have asked for 
Kerberos, Basic, etc. authentication to be added to graylog-web. 

That is actually sounding like a whole lot of work... I was wondering if an 
alternative would be to make it "somebody else's problem", i.e. put a web 
server (like Apache) in front of graylog-web, configure it with any of 
the thousand authentication systems it supports, and configure Apache to 
reflect that "user metadata" via HTTP headers, so that graylog-web can 
just use that instead.

e.g. the following pseudo-code would make Apache support SAML (via 
mod_auth_mellon) and push some of the SAML-gained account data to 
graylog-web via HTTP headers:

# Everything under / requires a SAML login handled by mod_auth_mellon.
# ProxyPass is not regex-aware, so use <Location "/"> rather than LocationMatch.
<Location "/">
    MellonEnable "auth"
    AuthType "Mellon"
    Require valid-user
    MellonUser "uid"
    # Expose the SAML "mail" attribute as MELLON_email (MellonSetEnv <env-name> <attribute>);
    # MELLON_uid and MELLON_cn are exported automatically for those attributes.
    MellonSetEnv "email" "mail"
    # "set" overwrites any header of that name the client sent, so a client
    # cannot smuggle its own identity through to graylog-web.
    RequestHeader set X-Apache-UID "%{MELLON_uid}e"
    RequestHeader set X-Apache-Email "%{MELLON_email}e"
    RequestHeader set X-Apache-Name "%{MELLON_cn}e"
    ProxyPass http://127.0.0.1:9000/
    ProxyPassReverse http://127.0.0.1:9000/
</Location>

Then all that would remain to do would be to secure graylog-web by running 
it only on 127.0.0.1:9000 and bringing up Apache over HTTPS on 443. And the 
only new code for graylog-web would be that it could be configured in 
"reverse proxy" mode and to map arbitrary headers to the authentication details 
it allows to be set (hence my choice of username/email/name, as the current 
LDAP implementation uses them too).

Just an idea.. :-)

Jason

-- 
You received this message because you are subscribed to the Google Groups 
"graylog2" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
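The following is an added illustration of what the proposed "reverse proxy" mode would have to do on the application side; it is not graylog-web code and not part of the message above. It maps the X-Apache-* headers to an identity, but only when the TCP peer is a trusted proxy address, since any direct client could otherwise set X-Apache-UID itself. The config names (HEADER_MAP, TRUSTED_PROXIES), the username charset rule and the MELLON_* environment variable names are assumptions; the small proxy_forward helper emulates what Apache's "RequestHeader set" does, i.e. discarding client-supplied identity headers before forwarding.

```python
"""Header-based identity mapping for an app behind an authenticating reverse proxy.

Added illustration, not graylog-web's own code. HEADER_MAP, TRUSTED_PROXIES,
USERNAME_RE and the MELLON_* variable names are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Hypothetical mapping of identity fields to the headers the proxy sets
# (mirrors the RequestHeader lines in the Apache snippet above).
HEADER_MAP = {
    "username": "X-Apache-UID",
    "email": "X-Apache-Email",
    "full_name": "X-Apache-Name",
}
# Only loopback: the app listens on 127.0.0.1:9000 and only the local Apache
# should reach it. Nothing else may assert an identity via headers.
TRUSTED_PROXIES = (ipaddress.ip_network("127.0.0.1/32"),)
# Conservative username charset (assumed policy): rejects CR/LF, spaces, etc.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


class UntrustedSource(Exception):
    """Identity headers arrived from a peer that is not the trusted proxy."""


@dataclass(frozen=True)
class Identity:
    username: str
    email: Optional[str]
    full_name: Optional[str]


def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def identity_from_request(
    remote_addr: str,
    headers: Dict[str, str],
    header_map: Dict[str, str] = HEADER_MAP,
    trusted: Iterable[ipaddress.IPv4Network] = TRUSTED_PROXIES,
) -> Optional[Identity]:
    """Return the proxy-asserted identity, None if the proxy authenticated
    nobody, or raise UntrustedSource if the peer is not a trusted proxy."""
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted):
        # A direct client could have set X-Apache-UID itself: never honour it.
        raise UntrustedSource(f"identity headers from untrusted peer {remote_addr}")
    username = _lookup(headers, header_map["username"])
    if not username:
        return None  # no user asserted by the proxy -> treat as anonymous
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"rejecting malformed username {username!r}")
    return Identity(
        username=username,
        email=_lookup(headers, header_map["email"]) or None,
        full_name=_lookup(headers, header_map["full_name"]) or None,
    )


def proxy_forward(client_headers: Dict[str, str], mellon_env: Dict[str, str],
                  header_map: Dict[str, str] = HEADER_MAP) -> Dict[str, str]:
    """Emulate the Apache side: drop any identity headers the client sent and
    set them only from the attributes mod_auth_mellon exported. This is what
    'RequestHeader set' does; 'append' would let a client value through.
    The MELLON_* names assume MellonSetEnv "email" "mail" and attributes uid/cn."""
    identity_names = {h.lower() for h in header_map.values()}
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() not in identity_names}
    env_for = {"username": "MELLON_uid", "email": "MELLON_email", "full_name": "MELLON_cn"}
    for field, header in header_map.items():
        value = mellon_env.get(env_for[field])
        if value:
            forwarded[header] = value
    return forwarded
```

The trusted-peer check is the part that makes header-based auth safe: binding graylog-web to 127.0.0.1 keeps outsiders away from port 9000, but the application should still refuse identity headers from any other source so that a misconfigured bind address does not silently turn into unauthenticated admin access.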