EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #09644

RE: [EP-tech] Adding the username to the Access Logs

To: "eprints-tech@ecs.soton.ac.uk" <eprints-tech@ecs.soton.ac.uk>
Subject: RE: [EP-tech] Adding the username to the Access Logs
From: Maher Abdellatif Ahmad Qahwash <qahwash@kfupm.edu.sa>
Date: Wed, 28 Feb 2024 04:23:45 +0000

CAUTION: This e-mail originated outside the University of Southampton.

Hi David and John

Many thanks for your support.

Regards

Maher

-------- Original message --------

From: David R Newman <drn@ecs.soton.ac.uk>

Date: 2/27/24 7:29 PM (GMT+03:00)

To: eprints-tech@ecs.soton.ac.uk, John Salter <J.Salter@leeds.ac.uk>

Subject: Re: [EP-tech] Adding the username to the Access Logs

Warning: This email has been sent from outside KFUPM. Do not open links or attachments unless you are sure they are safe.

Sorry, missed that link. That is probably a less esoteric way of solving that problem. I already had the solution half-written after your first reply but coming at it from a different angle.

On 27/02/2024 16:25, John Salter wrote:

CAUTION: This e-mail originated outside the University of Southampton.
CAUTION: This e-mail originated outside the University of Southampton.
> If you don't want to modify core code

My suggested trigger is meant to be saved in the archive config too 😊

It uses a URL_REWRITE trigger – rather than a BEGIN_REQUEST one – but both should work equally – as both should fire before the request gets to the log handling phase.

I’m part way through writing an Issue for this – we can discuss the best approach in there.

Cheers,

John

From: eprints-tech-request@ecs.soton.ac.uk <eprints-tech-request@ecs.soton.ac.uk> On Behalf Of David R Newman
Sent: Tuesday, February 27, 2024 4:16 PM
To: eprints-tech@ecs.soton.ac.uk; John Salter <J.Salter@leeds.ac.uk>
Subject: Re: [EP-tech] Adding the username to the Access Logs

CAUTION: External Message. Use caution opening links and attachments.
Hi John and Maher,

If you don't want to modify core code, I think this can be done with the following trigger in an archive level configuration file (e.g. EPRINTS_PATH/archives/ARCHIVE_ID/cfg/cfg.d/set_user.pl):

$c->add_trigger( EPrints::Const::EP_TRIGGER_BEGIN_REQUEST, sub
{
    my( %params ) = @_;

    my $repo = $params{repository};

    if ( my $request = $repo->get_request )
    {
        my $securecode = EPrints::Apache::AnApache::cookie( $request, 'secure_eprints_session:' . $repo->config( 'securehost' ) );
        my $logintickets = $repo->dataset( 'loginticket' )->search( search_fields => [ { meta_fields => [ 'securecode' ], value => $securecode } ] );
    return unless defined $logintickets->item( 0 );
      my $user = $repo->dataset( 'user' )->dataobj( $logintickets->item( 0 )->get_value( 'userid' ) );
        $request->user( $user->get_value( 'username' ) );
    }
});

Regards

David Newman

On 27/02/2024 15:21, John Salter wrote:
CAUTION: This e-mail originated outside the University of Southampton.

CAUTION: This e-mail originated outside the University of Southampton.

[Christian – I hoped that was the case – otherwise I was very confused!]

Hi Maher,

There is currently one scenario where the username does get logged – when someone is using ‘Basic Auth’.

I’ve had a quick review of the code, and for that specific case, this line that adds the username to the Apache request object, which then gets logged to the Apache access log file:

https://github.com/eprints/eprints3.4/blob/13690e736eaed14002ebcfea97ecf68ee897c78f/perl_lib/EPrints/Apache/Auth.pm#L292

A similar addition to the ‘auth_cookie’ method (https://github.com/eprints/eprints3.4/blob/13690e736eaed14002ebcfea97ecf68ee897c78f/perl_lib/EPrints/Apache/Auth.pm#L182 ) would additional usernames when auth is done via cookies.

sub auth_cookie

{

    my( $r, $repository ) = @_;

    my $user = $repository->current_user;

   if( defined $user ){

        $r->user( $user->get_value( "username" ) );

    }

…[rest of method unchanged]

This won’t log the user for some /cgi/ pages – where the user isn’t tested/authenticated.

An EPrints rewrite trigger also seems to work:

https://gist.github.com/jesusbagpuss/fb4c01825f5da53ac5ddb2d6a6fa69d3 (see note at top of file as to where to save it)

If you go down this route, you don’t need to make the addition to the EPrints::Apache::Auth module.

Please note, I haven’t thoroughly tested the above code, but initial experiments appear OK. Please run on a test server first!

Any questions, please ask here! 😊

Cheers,

John

From: eprints-tech-request@ecs.soton.ac.uk <eprints-tech-request@ecs.soton.ac.uk> On Behalf Of Wimmer Christian
Sent: Tuesday, February 27, 2024 2:26 PM
To: eprints-tech@ecs.soton.ac.uk
Subject: AW: [EP-tech] Adding the username to the Access Logs

CAUTION: External Message. Use caution opening links and attachments.

CAUTION: This e-mail originated outside the University of Southampton.

CAUTION: This e-mail originated outside the University of Southampton.

https://help-de.oclc.org/Library_Management/EZproxy/Configure_resources/LogFormat

https://help-de.oclc.org/Library_Management/EZproxy/Configure_resources/Option_LogUser

We use LDAP and the default logging format gives us the SessionID as %u in the logfiles. We use the audit events search to resolve these to usernames if needed.

If no username is logged at all you might want to contact to contact OCLC support for assistance.

--

Christian Wimmer

Ludwig-Maximilians-Universität München

Universitätsbibliothek

Abteilung Digitale Dienste

Teamleitung Team Server und Infrastruktur

Geschwister-Scholl-Str 1, D-80539 München

Telefon: 089/2180-1307

E-Mail: christian.wimmer@ub.uni-muenchen.de

Von: eprints-tech-request@ecs.soton.ac.uk <eprints-tech-request@ecs.soton.ac.uk> im Auftrag von Maher Abdellatif Ahmad Qahwash <qahwash@kfupm.edu.sa>
Gesendet: Dienstag, 27. Februar 2024 13:54:23
An: eprints-tech@ecs.soton.ac.uk
Betreff: [EP-tech] Adding the username to the Access Logs

CAUTION: This e-mail originated outside the University of Southampton.

CAUTION: This e-mail originated outside the University of Southampton.

Internal

Hi

We are running EPrints 3.4.1-rc2 and users authenticate with LDAP to login. We need to know how to add the username used when authenticating in the httpd access_logs. We already have the %u parameter added in the LogFormat in the httpd.conf file but the username is not being added to the access logs. Instead a ‘-‘ is being added.

Please assist in how to add the username to the access logs.

Thanks

Maher

This message is marked for Internal university use only. Not to be circulated outside KFUPM.
*** Options: https://wiki.eprints.org/w/Eprints-tech_Mailing_List
*** Archive: https://www.eprints.org/tech.php/
                *** EPrints community wiki: https://wiki.eprints.org/
                 
              
*** Options: https://wiki.eprints.org/w/Eprints-tech_Mailing_List
*** Archive: https://www.eprints.org/tech.php/
*** EPrints community wiki: https://wiki.eprints.org/

References:
- [EP-tech] Adding the username to the Access Logs
  - From: Maher Abdellatif Ahmad Qahwash <qahwash@kfupm.edu.sa>
- AW: [EP-tech] Adding the username to the Access Logs
  - From: Wimmer Christian <Christian.Wimmer@ub.uni-muenchen.de>
- RE: [EP-tech] Adding the username to the Access Logs
  - From: John Salter <J.Salter@leeds.ac.uk>
- Re: [EP-tech] Adding the username to the Access Logs
  - From: David R Newman <drn@ecs.soton.ac.uk>
- RE: [EP-tech] Adding the username to the Access Logs
  - From: John Salter <J.Salter@leeds.ac.uk>
- Re: [EP-tech] Adding the username to the Access Logs
  - From: David R Newman <drn@ecs.soton.ac.uk>

Prev by Date: Re: [EP-tech] Adding the username to the Access Logs
Next by Date: [EP-tech] 0 byte file uploads
Previous by thread: Re: [EP-tech] Adding the username to the Access Logs
Next by thread: [EP-tech] 0 byte file uploads
Index(es):
- Date
- Thread