Multi-user Surftrackr

Feb 21st 2008

As promised, here's the latest Surftrackr with multi-user capabilities. During the testing process, I discovered a few little bugs which have been fixed. I've also added a feature to allow workstations to be mapped to user-names, for installations where your proxy is not using authentication.

Multi-user Capabilities

Django comes with a built-in authentication mechanism which is designed to make logging users in both quick and easy. So, naturally, I've chosen not to use it :) Instead, Surftrackr detects the user logged in by Apache, and creates a Django user of the same name, with its own profile and preferences. Think about that for a moment and I hope you'll see why I chose to do it: you can use any of Apache's array of authentication mechanisms (LDAP, basic auth, MySQL auth, etc) and Django will happily go with them. And without disrespect to the Django developers, Apache's authentication is mature, tried and tested, so security should be good.
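The hand-off described above, as an added sketch in plain Python (not Surftrackr's code and not from this post). All function, class and parameter names are hypothetical, a dict stands in for Django's user table, the username pattern is an assumption, and disable_auth mirrors the DISABLE_AUTH setting in settings.py.

```python
import re

# Assumption: a conservative pattern for acceptable login names.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,30}")


class AuthRequired(Exception):
    """Raised when the web server did not vouch for a user."""


def resolve_user(environ, users, disable_auth=False, case_insensitive=False):
    """Map the server-authenticated login to an application user.

    environ: WSGI/CGI-style dict the server builds for the request
    users: dict standing in for the user table (name -> profile)
    disable_auth: True means run without per-user profiles
    case_insensitive: set True when the directory ignores case
                      (e.g. LDAP sAMAccountName); htpasswd names
                      are case-sensitive, so leave it False there
    """
    if disable_auth:
        return None  # single-user behaviour, no profile lookup

    # REMOTE_USER is filled in by the server only after its own
    # authentication succeeded. Request headers show up as HTTP_*
    # keys (HTTP_REMOTE_USER, ...) and are client-controlled, so
    # they are deliberately never read.
    name = environ.get("REMOTE_USER", "")
    if not USERNAME_RE.fullmatch(name):
        raise AuthRequired("no usable REMOTE_USER; is 'require valid-user' on?")

    key = name.lower() if case_insensitive else name
    if key not in users:
        # No password is stored: the server checks credentials,
        # the application only keeps the profile and preferences.
        users[key] = {"username": key, "password": None, "preferences": {}}
    return users[key]


if __name__ == "__main__":
    table = {}
    print(resolve_user({"REMOTE_USER": "simon"}, table))
```

The case to watch is a request that reaches the application without REMOTE_USER, for example when the auth lines in .htaccess are still commented out: the sketch refuses it rather than falling back to a default user.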

Settings related to authentication are held in the .htaccess file which ships with Surftrackr, and the settings.py file. Look in .htaccess and you'll see I've commented out two possible methods for authentication: LDAP and basic auth.

LDAP

AuthLDAPURL ldap://192.168.1.1:389/ou=Staff,ou=People,dc=myserver,dc=example,dc=com?sAMAccountName?sub?(objectCategory=Person)
AuthLDAPBindDN cn=Administrator,cn=Users,dc=myserver,dc=example,dc=com
AuthLDAPBindPassword adminpw
AuthzLDAPAuthoritative off
AuthType Basic
AuthName "Surftrackr"
AuthBasicProvider ldap
require valid-user

To use this, you need mod_authnz_ldap available to your Apache. My httpd.conf contains a line like this:

LoadModule authnz_ldap_module libexec/apache22/mod_authnz_ldap.so

As usual, if you're unsure consult the Apache docs and see if yum or apt-get, etc, can help you out. Just don't ask me about it - I refuse to debug your LDAP installation if it doesn't work! (Documentation about using Surftrackr like this will, however, be forthcoming when I have time.)

Basic Auth

AuthUserFile /data/htpasswd
AuthName "Surftrackr"
AuthType Basic
require valid-user

For simpler and more ad-hoc authentication, just use basic auth and create an htpasswd file (or, more traditionally, a .htpasswd file, which is hidden):

htpasswd -c /data/htpasswd simon
New password:
Re-type new password:
Adding password for user simon

To add another user to the same htpasswd file:

htpasswd /data/htpasswd gerald
New password:
Re-type new password:
Adding password for user gerald

Just make sure your htpasswd file is somewhere outside of your web directories, so it can't be viewed via the web.

Surftrackr settings.py

Look in settings.py and change this line to suit:

DISABLE_AUTH = True

Setting it to True means you won't be using authentication, and you can use Surftrackr as with previous versions. There should be no difference at all.

Set it to False, after you have got your authentication working, to automatically create Django users when an Apache user logs in. There are a few things to be aware of:

User Mapping

This is in response to a user request to allow workstations to be mapped to user-names in situations where your squid proxy does not use authentication (if it does, Surftrackr will use the username of the authenticated user). Check the user-mappings section in the admin interface, and you should be able to work it out for yourself (but more details to follow if you can't). I would suggest uploading a logfile or two first, just so Surftrackr has some users and workstations to show you.

Downloads available from the usual place.

Simon Burns
21 Feb 2008