EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #09642



RE: [EP-tech] Adding the username to the Access Logs


CAUTION: This e-mail originated outside the University of Southampton.

> If you don't want to modify core code

My suggested trigger is meant to be saved in the archive config too 😊

 

It uses a URL_REWRITE trigger – rather than a BEGIN_REQUEST one – but both should work equally – as both should fire before the request gets to the log handling phase.

 

I’m part way through writing an Issue for this – we can discuss the best approach in there.

 

Cheers,

John

 

 

From: eprints-tech-request@ecs.soton.ac.uk <eprints-tech-request@ecs.soton.ac.uk> On Behalf Of David R Newman
Sent: Tuesday, February 27, 2024 4:16 PM
To: eprints-tech@ecs.soton.ac.uk; John Salter <J.Salter@leeds.ac.uk>
Subject: Re: [EP-tech] Adding the username to the Access Logs

 

CAUTION: External Message. Use caution opening links and attachments.

Hi John and Maher,

If you don't want to modify core code, I think this can be done with the following trigger in an archive level configuration file (e.g. EPRINTS_PATH/archives/ARCHIVE_ID/cfg/cfg.d/set_user.pl):

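$c->add_trigger( EPrints::Const::EP_TRIGGER_BEGIN_REQUEST, sub
{
    my( %params ) = @_;

    my $repo = $params{repository};

    if ( my $request = $repo->get_request )
    {
        # Read the secure session cookie; without it there is no session to resolve.
        my $securecode = EPrints::Apache::AnApache::cookie( $request, 'secure_eprints_session:' . $repo->config( 'securehost' ) );
        return unless defined $securecode;

        # Find the login ticket whose securecode matches the cookie value.
        my $logintickets = $repo->dataset( 'loginticket' )->search( search_fields => [ { meta_fields => [ 'securecode' ], value => $securecode } ] );
        return unless defined $logintickets->item( 0 );

        # Resolve the ticket to its user; skip if that user record no longer exists.
        my $user = $repo->dataset( 'user' )->dataobj( $logintickets->item( 0 )->get_value( 'userid' ) );
        return unless defined $user;

        # Set the Apache request user so that %u in the LogFormat records the username.
        $request->user( $user->get_value( 'username' ) );
    }
});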

Regards

David Newman

On 27/02/2024 15:21, John Salter wrote:

[Christian – I hoped that was the case – otherwise I was very confused!]

 

Hi Maher,

There is currently one scenario where the username does get logged – when someone is using ‘Basic Auth’.

 

I’ve had a quick review of the code, and for that specific case, it is this line that adds the username to the Apache request object, which then gets logged to the Apache access log file:

https://github.com/eprints/eprints3.4/blob/13690e736eaed14002ebcfea97ecf68ee897c78f/perl_lib/EPrints/Apache/Auth.pm#L292

 

A similar addition to the ‘auth_cookie’ method (https://github.com/eprints/eprints3.4/blob/13690e736eaed14002ebcfea97ecf68ee897c78f/perl_lib/EPrints/Apache/Auth.pm#L182 ) would log additional usernames when auth is done via cookies.


sub auth_cookie
{
    my( $r, $repository ) = @_;

    my $user = $repository->current_user;
    if( defined $user ){
        $r->user( $user->get_value( "username" ) );
    }

…[rest of method unchanged]

 

This won’t log the user for some /cgi/ pages – where the user isn’t tested/authenticated.

An EPrints rewrite trigger also seems to work:

 

https://gist.github.com/jesusbagpuss/fb4c01825f5da53ac5ddb2d6a6fa69d3 (see note at top of file as to where to save it)

If you go down this route, you don’t need to make the addition to the EPrints::Apache::Auth module.

 

Please note, I haven’t thoroughly tested the above code, but initial experiments appear OK. Please run on a test server first!

Any questions, please ask here! 😊

 

Cheers,

John

 

 

 

From: eprints-tech-request@ecs.soton.ac.uk <eprints-tech-request@ecs.soton.ac.uk> On Behalf Of Wimmer Christian
Sent: Tuesday, February 27, 2024 2:26 PM
To: eprints-tech@ecs.soton.ac.uk
Subject: AW: [EP-tech] Adding the username to the Access Logs

 

https://help-de.oclc.org/Library_Management/EZproxy/Configure_resources/LogFormat

 

https://help-de.oclc.org/Library_Management/EZproxy/Configure_resources/Option_LogUser

 

We use LDAP and the default logging format gives us the SessionID as %u in the logfiles. We use the audit events search to resolve these to usernames if needed.

 

If no username is logged at all you might want to contact OCLC support for assistance.

 

--

Christian Wimmer

 

Ludwig-Maximilians-Universität München

University Library

Digital Services Department

Team Lead, Server and Infrastructure Team

Geschwister-Scholl-Str 1, D-80539 München

Phone: 089/2180-1307


From: eprints-tech-request@ecs.soton.ac.uk <eprints-tech-request@ecs.soton.ac.uk> on behalf of Maher Abdellatif Ahmad Qahwash <qahwash@kfupm.edu.sa>
Sent: Tuesday, 27 February 2024 13:54:23
To: eprints-tech@ecs.soton.ac.uk
Subject: [EP-tech] Adding the username to the Access Logs

 


Hi

 

We are running EPrints 3.4.1-rc2 and users authenticate with LDAP to log in.  We need to know how to add the username used when authenticating in the httpd access_logs.  We already have the %u parameter added in the LogFormat in the httpd.conf file but the username is not being added to the access logs.  Instead a ‘-’ is being added.

 

Please assist in how to add the username to the access logs.

 

Thanks

Maher

 

 

 




*** Options: https://wiki.eprints.org/w/Eprints-tech_Mailing_List
*** Archive: https://www.eprints.org/tech.php/
*** EPrints community wiki: https://wiki.eprints.org/
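
A way to check the result after deploying either change discussed in this thread, given as an added example that is not part of the original messages or of EPrints: it reads Apache access log lines and reports which requests under a login-only path carry a usable %u value. It assumes the "combined" LogFormat and treats `/cgi/users/` as the login-only prefix; the sample log lines are constructed.

```python
import re

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# %u is matched lazily up to " [" so a username containing spaces still parses.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>.+?) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation addresses, made-up usernames).
SAMPLE = """\
192.0.2.10 - - [27/Feb/2024:15:21:03 +0000] "GET /cgi/users/home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - jsmith [27/Feb/2024:15:22:10 +0000] "GET /cgi/users/home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [27/Feb/2024:15:22:40 +0000] "GET /123/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.12 - mallory [27/Feb/2024:15:23:01 +0000] "GET /cgi/users/home HTTP/1.1" 401 381 "-" "curl/8.0"
192.0.2.13 - jane doe [27/Feb/2024:15:23:30 +0000] "POST /cgi/users/home HTTP/1.1" 302 - "-" "Mozilla/5.0"
"""

def parse(line):
    """Return host, user, path and status for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    user = m["user"]
    return {"host": m["host"], "user": None if user == "-" else user,
            "path": m["path"], "status": int(m["status"])}

def audit(lines, auth_prefixes=("/cgi/users/",)):
    """Classify requests under login-only prefixes by whether %u can be relied on."""
    report = {"attributed": [], "missing": [], "untrusted": []}
    for line in lines:
        rec = parse(line)
        if rec is None or not rec["path"].startswith(auth_prefixes):
            continue
        if rec["status"] == 401:
            # Apache documents %u on a 401 as not to be trusted: the name was
            # supplied by the client but authentication did not succeed.
            if rec["user"]:
                report["untrusted"].append(rec)
        elif rec["user"] is None:
            report["missing"].append(rec)  # "-" logged: anonymous hit or trigger not firing
        else:
            report["attributed"].append(rec)
    return report

if __name__ == "__main__":
    for kind, recs in audit(SAMPLE.splitlines()).items():
        print(kind, [(r["host"], r["user"], r["path"]) for r in recs])
```

Entries under "missing" that come from sessions known to be logged in point to requests the trigger does not cover.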