This article is now available in our new knowledge base: Grant IBM i user profiles permissions to access PHP when using Basic Authentication
Issue
IBM HTTP Server supports Apache Basic Authentication using IBM i user profiles. When Basic Authentication is used in this way, the FastCGI child job running under Apache assumes the user profile of the requester, replacing the default QTMHHTTP profile for the duration of the request. This can cause a fatal error for any Apache request if the user does not have authority to write to the Apache logs. It can also cause a fatal error for PHP requests if the user does not have authority to the FastCGI socket. This article explains how to assign permissions to *PUBLIC to prevent these errors.
Environment
Zend Server for IBM i version 6 or higher, running on any supported version of IBM i, using IBM i user profiles for Basic Authentication.
The following article explains how to set up Basic Authentication with user profiles:
IBMi Apache HTTP - Server Authentication using IBMi user profiles
Resolution
Make sure *PUBLIC can write to the Apache log files. From a 5250 command line, logged in with a *SECOFR class user profile:
CHGAUT OBJ('/www/zendsvr6/logs') USER(*PUBLIC) DTAAUT(*RWX) SUBTREE(*ALL)
To grant permissions to a specific user rather than to *PUBLIC, use that user profile name in place of *PUBLIC in the above command.
Make sure *PUBLIC can update the FastCGI socket:
Please back up this file, and then edit it:
/www/zendsvr6/conf/fastcgi.conf
At the end of the file, add this line:
IpcPublic *RWX
Save the file and restart Apache for the change to take effect.
For IBM i versions prior to 7.2, PTFs are required for this setting to have an effect. The PTFs have been out for quite some time, so most customers are likely to have them. Here is a list of the required PTFs:
Release   57**DG1 PTF          57**SS1 PASE PTF
i 5.4     SI41577, SI41688     SI41324
i 6.1     SI41253, SI41704     SI41326
i 7.1     SI41367, SI41706     SI41325
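The fastcgi.conf edit from the step above, written as an added example (not part of the original article or of Zend's tooling): it takes the backup, appends `IpcPublic *RWX` only when no active `IpcPublic` line exists, and stops if a different value is already configured. It assumes a POSIX shell on the system (for example PASE); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Zend's or IBM's code. Assumes a POSIX shell (for example
# PASE) and a user allowed to edit the file. Function names are hypothetical.

# Print the value of the last active (uncommented) IpcPublic line, if any.
# The directive name is matched exactly as the article spells it.
current_ipcpublic() {
    awk '$1 == "IpcPublic" { v = $2 } END { if (v != "") print v }' "$1"
}

# ensure_ipcpublic FILE [VALUE]
# Returns 0 when the directive is present afterwards (prints "unchanged" or
# "appended ..."), 1 on a file error, 2 when a different value is already
# configured and a person should decide which one to keep.
ensure_ipcpublic() {
    conf=$1
    want=${2:-*RWX}
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }

    have=$(current_ipcpublic "$conf")
    if [ "$have" = "$want" ]; then
        echo "unchanged"
        return 0
    fi
    if [ -n "$have" ]; then
        echo "conflict: existing IpcPublic $have" >&2
        return 2
    fi

    # Back up first, as the article asks, keeping mode bits and timestamps.
    backup="$conf.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$conf" "$backup" || return 1

    # If the last line has no trailing newline, add one so the directive
    # lands on a line of its own at the end of the file.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        printf '\n' >> "$conf"
    fi
    printf 'IpcPublic %s\n' "$want" >> "$conf"
    echo "appended (backup: $backup)"
}

# Usage: ensure_ipcpublic /www/zendsvr6/conf/fastcgi.conf
# then restart Apache for the change to take effect.
```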
Verify that basic authentication works for a given profile.
Here is a simple script that demonstrates how to retrieve the user profile and password in a PHP script. (It also demonstrates why it is a really good idea to use SSL when using Basic Authentication: the browser sends the user profile and password with each request, Base64-encoded but not encrypted.) Call this script something like authinfo.php and place it in the document root for your Basic Authenticated virtual host. When you access it in your browser, enter the user profile you would like to test in the prompt. If it is all working, you will see your user profile and password displayed in the browser.
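<?php
// Demonstrates access to user name and password when basic authorization is used.
// Test use only: this page displays the password, so remove it after verifying.
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Authorized Application"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    // Escape the values before echoing them so markup characters display literally.
    $user = htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8');
    $password = htmlspecialchars($_SERVER['PHP_AUTH_PW'], ENT_QUOTES, 'UTF-8');
    echo "<p>Hello {$user}.</p>";
    echo "<p>You entered {$password} as your password.</p>";
}
?>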
Very helpful info. We had not been able to find this elsewhere.