Extension to Phorge (Phabricator) that performs basic authentication via a web server's REMOTE_USER variable.
make-all/libphremoteuser
libphremoteuser

This extension to Phabricator performs authentication via a web server's REMOTE_USER variable. It should be able to work with a variety of major servers such as Apache and Nginx, but I have only tested it with Apache.

It can be used with Basic authentication, but it is most useful when the server is configured for single sign-on, for example using Kerberos.

Installation

To install this library, clone this repository alongside your Phabricator installation:

cd /path/to/install
git clone https://github.com/make-all/libphremoteuser.git

Then add the path to this library to your Phabricator configuration:

cd /path/to/install/phabricator
./bin/config set load-libraries '["libphremoteuser/src/"]'

When you next log into Phabricator as an Administrator, go to Auth > Add Authentication Provider.
In the list, you should now see an entry called Web Server. Enabling this provider should add a new button to your login screen.

In order to actually log in, your web server needs to populate the REMOTE_USER variable when the login button is pressed. You can do this by requiring authentication on the login URI that Phabricator uses for this provider, with a directive like the following in your web server configuration (this is Apache2):

<Location "/auth/login/RemoteUser:self/">
  AuthType Kerberos
  AuthName "Phabricator at My Server"
  KrbAuthRealms DOMAIN.EXAMPLE.COM
  KrbServiceName HTTP
  Krb5Keytab /etc/apache2/kerberos.keytab
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  KrbLocalUserMapping On

  # The following two lines can be used when authenticating against
  # Microsoft Active Directory to pull extra info from LDAP and to
  # limit access to a certain group. They may also be useful in other
  # cases. "Require ldap-dn" can probably be used to allow all users in
  # a domain if you don't wish to limit access to a group, or multiple
  # "Require ldap-group" lines can be used to expand the list.
  # "Require valid-user" bypasses the LDAP authorization step, which
  # also loses the extra attributes requested on the AuthLDAPUrl line.
  AuthLDAPUrl ldap://adserver.domain.example.com/dc=domain,dc=example,dc=com?uid,cn,mail
  Require ldap-group DEVELOPERS_GROUP

  Options None
  # Apache 2.2-style access control; on Apache 2.4 these two directives
  # need mod_access_compat to be loaded.
  Order allow,deny
  Allow from all
</Location>

When a user registers using this auth provider, it attempts to discover the user's full name and email from the AUTHORIZE_CN and AUTHORIZE_MAIL variables in the server environment, in addition to taking the username from REMOTE_USER. These variables are available if you configure LDAP authorization with those attributes appended to the AuthLDAPUrl directive, as explained in the mod_authnz_ldap documentation.

If you use LDAP for authentication rather than Kerberos, the environment variables will start with AUTHENTICATE_ instead of AUTHORIZE_, but you are probably better off using Phabricator's native LDAP auth provider in that case.
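As an added example (not the extension's own code), this is how a provider can assemble the identity described in the two paragraphs above from the environment Apache leaves in $_SERVER, consulting only the server-set REMOTE_USER and the AUTHORIZE_/AUTHENTICATE_ attributes. It assumes PHP sees Apache's environment (mod_php, or FastCGI configured to pass it through); the realm allow-list parameter is a hypothetical setting.

```php
<?php
// Added example, not libphremoteuser's code: build the identity the README
// describes from the variables Apache leaves in $_SERVER (assumes mod_php or
// FastCGI passing Apache's environment; $allowedRealms is hypothetical).
function remote_user_identity(array $server, array $allowedRealms): ?array
{
    // Trust only the server-set variable. Request headers reach PHP as
    // HTTP_* (e.g. HTTP_REMOTE_USER), so a client cannot forge this one.
    $user = trim($server['REMOTE_USER'] ?? '');
    if ($user === '') {
        return null; // login URI not protected, or authentication failed
    }
    // With KrbLocalUserMapping Off the principal keeps its realm. Strip it
    // only for an expected realm, so "bob@OTHER.REALM" cannot become "bob".
    if (($at = strrpos($user, '@')) !== false) {
        $realm = strtoupper(substr($user, $at + 1));
        if (!in_array($realm, array_map('strtoupper', $allowedRealms), true)) {
            return null;
        }
        $user = substr($user, 0, $at);
    }
    // Reject rather than sanitise anything that is not a plain username.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $user)) {
        return null;
    }
    // LDAP authorization (Kerberos + AuthLDAPUrl) exports AUTHORIZE_<attr>;
    // LDAP authentication exports AUTHENTICATE_<attr> instead.
    $attr = function (string $name) use ($server): ?string {
        foreach (['AUTHORIZE_', 'AUTHENTICATE_'] as $prefix) {
            $value = trim($server[$prefix . $name] ?? '');
            if ($value !== '') {
                return $value;
            }
        }
        return null;
    };
    $email = $attr('MAIL');
    if ($email !== null && !filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $email = null; // keep a bad attribute from becoming a login email
    }
    return ['username' => $user, 'realname' => $attr('CN'), 'email' => $email];
}
// Constructed sample of what Apache sets after the exchange above.
$sample = [
    'REMOTE_USER'      => 'alice',
    'AUTHORIZE_CN'     => 'Alice Example',
    'AUTHORIZE_MAIL'   => 'alice@example.com',
    'HTTP_REMOTE_USER' => 'admin', // client-sent header, never consulted
];
var_dump(remote_user_identity($sample, ['DOMAIN.EXAMPLE.COM']));
```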

Security

I make no guarantees about this library being totally secure. It's not obviously insecure.
However, please make sure to at least REDIRECT THE LOGIN URI TO SSL, OTHERWISE YOU ARE POTENTIALLY SENDING PLAIN TEXT PASSWORDS.

If you care about security, consider:

  • Hosting Phabricator entirely on https/SSL
  • Restricting access to the whole Phabricator installation directory, also using SSL.
