There may be an easier way to do this but my company has our wiki and other web apps (including TestLink) on an Apache server that has its own authentication (I think it's basic authentication but changing soon to LDAP). So we don't want to have another login to TestLink or have to manage another password if we don't have to. We do still need to use the TestLink user management to assign roles for authorization. I originally did this hack on TL 1.7.4 but now did it on 1.8.5. It would be nice if this were a built-in option. I'll submit an enhancement request for it.
With these changes in place our TestLink opens up already logged in as the user login that matches the one I already authenticated with our Apache server as.
In /lib/functions/user.class.php I made this change to just always return OK so it doesn't matter what passwords are in the TestLink DB:
    public function comparePassword($pwd)
    {
        // Lee - hack to ignore local passwords and just use Apache authentication
        return tl::OK;
    }
And then changed index.php to "require_once('doAuthorize.php');" , "$login = $_SERVER['PHP_AUTH_USER'];", "doDBConnect($db);", and "doAuthorize($db,$login,$pwd,$msg);"
The key is setting "$login = $_SERVER['PHP_AUTH_USER']"
WARNING: I make no guarantees that this is a "secure" change to make. I also renamed the logout.php file so that a user couldn't log out and then log back in with another user's login (and any password). It might be better (maybe easier) to change login.php to use the Apache session username to do this?
{{ The whole index.php file }}
    <?php
    /**
     * TestLink Open Source Project - http://testlink.sourceforge.net/
     * This script is distributed under the GNU General Public License 2 or later.
     *
     * Filename $RCSfile: index.php,v $
     *
     * @version $Revision: 1.19 $
     * @modified $Date: 2008/10/12 08:11:56 $ by $Author: schlundus $
     *
     * @author Martin Havlat
     *
     * This file is main window. Include authorization of user and define frames (navBar and main).
     **/
    require_once('lib/functions/configCheck.php');
    checkConfiguration();
    require_once('config.inc.php');
    require_once('common.php');
    require_once('doAuthorize.php');
    doSessionStart();
    unset($_SESSION['basehref']);
    setPaths();
    $reqURI = isset($_GET['reqURI']) ? $_GET['reqURI'] : 'lib/general/mainPage.php';

    // Lee 2008-07-21 Use Apache BASIC Authentication instead of prompting user for username and password
    if (!isset($_SERVER['PHP_AUTH_USER'])) {
        header('WWW-Authenticate: Basic realm="My Realm"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Use same username and pwd as Wiki';
        exit;
    } else {
        //echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
        //echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
    }

    $_POST = strings_stripSlashes($_POST);

    // Lee 2008-07-21 Use Apache BASIC Authentication instead of prompting user for username and password
    // $_SESSION['user'] = $_SERVER['PHP_AUTH_USER'];
    $login = $_SERVER['PHP_AUTH_USER'];
    $pwd = ''; // We don't use this

    $op = doDBConnect($db);
    if ($op['status'])
    {
        doAuthorize($db,$login,$pwd,$msg);
    }

    // verify the session during a work
    if (!isset($_SESSION['currentUser']))
    {
        redirect(TL_BASE_HREF ."login.php?note=expired");
        exit;
    }

    $smarty = new TLSmarty();
    $smarty->assign('title', lang_get('main_page_title'));
    $smarty->assign('titleframe', 'lib/general/navBar.php');
    $smarty->assign('mainframe', $reqURI);
    $smarty->display('main.tpl');
    ?>
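
A stricter form of the `$login = $_SERVER['PHP_AUTH_USER']` step, as an added example that is not part of the original post or of TestLink: it accepts the name only when Apache itself reports an authenticated user. `trustedApacheUser()` is a hypothetical helper; it assumes PHP 7.1+, an Apache auth module protecting the TestLink directory, and a `REMOTE_USER` that is not remapped to another attribute.

```php
<?php
// Added example, not TestLink code. trustedApacheUser() is a hypothetical helper.

/**
 * Return the login name only if Apache itself authenticated the request.
 * PHP fills PHP_AUTH_USER from the client's Authorization header, so on its
 * own it proves nothing; REMOTE_USER and AUTH_TYPE are set by Apache after
 * its auth module (Basic, LDAP, ...) has accepted the credentials.
 */
function trustedApacheUser(array $server): ?string
{
    $remote = $server['REMOTE_USER'] ?? '';
    $authType = $server['AUTH_TYPE'] ?? '';
    if ($remote === '' || $authType === '') {
        return null; // Apache did not authenticate this request
    }
    // If PHP also parsed a Basic header, it must name the same user.
    if (isset($server['PHP_AUTH_USER']) && $server['PHP_AUTH_USER'] !== $remote) {
        return null;
    }
    // Assumed login format; adjust to the site's naming rules.
    if (!preg_match('/^[A-Za-z0-9._-]{1,30}$/', $remote)) {
        return null;
    }
    return $remote;
}

// Constructed sample environments (not captured from a real server).
$samples = [
    'apache enforced auth' => ['REMOTE_USER' => 'lee', 'AUTH_TYPE' => 'Basic', 'PHP_AUTH_USER' => 'lee'],
    'header only, no Apache auth' => ['PHP_AUTH_USER' => 'admin', 'PHP_AUTH_PW' => 'anything'],
    'mismatched identities' => ['REMOTE_USER' => 'lee', 'AUTH_TYPE' => 'Basic', 'PHP_AUTH_USER' => 'admin'],
];
foreach ($samples as $label => $server) {
    $login = trustedApacheUser($server);
    echo str_pad($label, 30), $login === null ? 'rejected' : "login as $login", PHP_EOL;
}
```

In index.php the returned value would take the place of the direct `PHP_AUTH_USER` read, with a `null` result ending the request before `doAuthorize()` is called.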