We’re injecting X- headers from our Apache configuration that contain additional user information (GECOS, Email, etc.) but I can’t find a good example of how I can access those headers from OOD, for populating default information in a form.
Specifically, we have the following in ood_portal.yml as part of our authentication process with LDAP/Active Directory:
- 'RequestHeader set X-WEBAUTH-EMAIL %{AUTHORIZE_MAIL}e'
- 'RequestHeader set X-WEBAUTH-FULLNAME %{AUTHORIZE_DISPLAYNAME}e'
- 'SetEnv OOD_USER_EMAIL %{AUTHORIZE_MAIL}e'
- 'SetEnv OOD_USER_FULLNAME %{AUTHORIZE_DISPLAYNAME}e'
I’d like to use either the X-WEBAUTH header or OOD_USER_ values inside an OOD form, and do something like the following:
I’ve tried using request.headers["X-WEBAUTH-EMAIL"] (which causes an error because request is not available) along with ENV['OOD_USER_EMAIL'] without success. I can see where it would be useful/valuable to be able to pass arbitrary data like this from our central authentication system (LDAP / Active Directory / Kerberos) through to the OOD PUN, to be used in a form.
I know the X-WEBAUTH headers are being passed to the PUN correctly. I use them with a ttyd interactive app for Authentication via SSO, but I can’t figure out how to correctly get the Ruby code to be able to query them from YAML in /etc/ood/config/ondemand.d.
SetEnv doesn’t really work like that. It’s not an actual environment variable (in the threads’/processes’ environment), it’s more like an internal Apache environment variable (internal to that Apache worker).
Right now I don’t know if we have a clear way to access things like email addresses.
But since Apache knows the data and it is being passed to the PUN, I wanted to try and make it a little cleaner and not have to spawn a command just to pull in the email I already have.
It certainly isn’t inside /etc/ood/config/ondemand.d/*.yml, which is where I am trying to use it.
Does OOD maybe process and cache all HTML headers someplace? So if there is an X- header injected, is it parsed/stored in an array or hash someplace along with all the other Headers, that I can get access to?
This only works because we only provide access to members of university.edu, so you’d need to come up with something more robust if you have a multi-tenant OOD deployment.
I am a big proponent of configuration profiles, and support_ticket is one of the properties that you can configure on a per-profile basis. If you did have two institutions and each had their own OOD Dashboard, then it would be easy to hard-code the @university.edu value for each profile. Again – very low-tech.
The getmail.pl script is something I wrote that will take the username, query Active Directory and return the email address to stdout. Which works well enough, was just hoping to avoid needing to shell out an external command.
Gotcha. This could also be a good case for initializers, where your script would only be invoked upon initial log-in or when restarting the PUN. I’m not sure how often the ondemand.d files get called, but it would be something to monitor if you see your AD being queried too often.
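Added example, not part of the thread and not Open OnDemand's own code: one way to do what the last reply suggests, running the lookup script once per PUN process and caching the result instead of shelling out on every form render. The script path, the `UserEmail` module and its method names are hypothetical, and the stand-in command in the demo is constructed.

```ruby
require "open3"
require "etc"
require "rbconfig"

# Hypothetical helper (not OOD code): look up the user's e-mail once per
# process and reuse it, so the directory is not queried on every form render.
module UserEmail
  # Placeholder path: the thread does not say where getmail.pl is installed.
  LOOKUP_CMD = ["/path/to/getmail.pl"].freeze
  EMAIL_RE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

  @cache = {}
  @mutex = Mutex.new

  # Returns the address for +user+, or nil when the lookup fails.
  # Failures are cached too, so a broken lookup is not retried on every call.
  def self.lookup(user = Etc.getpwuid(Process.uid).name, cmd: LOOKUP_CMD)
    @mutex.synchronize do
      return @cache[user] if @cache.key?(user)
      @cache[user] = run(cmd, user)
    end
  end

  def self.run(cmd, user)
    # Argument-vector form: no shell is started, so the username is passed
    # to the script as one literal argument.
    out, status = Open3.capture2(*cmd, user.to_s)
    addr = out.lines.first.to_s.strip
    status.success? && addr.match?(EMAIL_RE) ? addr : nil
  rescue SystemCallError
    nil # script missing or not executable
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed stand-in for getmail.pl: prints "<username>@university.edu".
  stub = [RbConfig.ruby, "-e", "puts ARGV[0] + '@university.edu'"]
  p UserEmail.lookup("demo_user", cmd: stub)
  p UserEmail.lookup("demo_user", cmd: stub) # served from the cache
end
```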