Unable to log in after installing phpgacl

anojgoel wrote on Monday, January 26, 2009:

testing openemr 2.9.1 dev
installed on ubuntu and had it running properly with username admin and password pass.

added phpgacl

now unable to login to openemr with username admin and password pass
is there a way to remove the phpgacl or troubleshoot the current setup?

thanks

anojgoel wrote on Monday, January 26, 2009:

could it be something to do with ownership/ permissions
i created <phpGACL root>/admin/templates_c directory,
chmod 777
chown www-data
is that correct or the owner needs to be something else.
thanks

cfapress wrote on Monday, January 26, 2009:

Anoj,

After you install PHPGACL and activate it within OpenEMR you need to be sure your admin user is in PHPGACL with the proper group membership.

See these files in the root of your OpenEMR installation folder:

acl_setup.php
acl_test.ph
acl_upgrade.php

Jason

anojgoel wrote on Tuesday, January 27, 2009:

hi jason

thanks for the pointers. here is output of some of the files. still not working.

do i need different user for gacl and for openemr database for this to work properly or i can use user root for both databases?

phpGACL Database Setup

Configuration:
driver = mysql,
host = localhost,
user = root,
database = gacl,
table prefix =
Testing database connection…
Success! Connected to "mysql" database on "localhost".
Testing database type…
Success! Compatible database type "mysql" detected!
Making sure database "gacl" exists…
Success! Good, database "gacl" already exists!
Success! Installation Successful!!!

acl_setup.php

This is not working. Make sure you have:
* Set the correct phpgacl database name, user and password in gacl.ini.php
* Done the same in gacl.class.php
* Run setup.php from the phpGACL distribution
* Not already run this script successfully

acl_upgrade.php
Checking to ensure all the proper ACL(access control list) are present:
‘Administrators’ group ‘write’ ACL is present.
‘Physicians’ group ‘write’ ACL is present.
‘Clinicians’ group ‘write’ ACL is present.
‘Clinicians’ group ‘addonly’ ACL is present.
‘Front Office’ group ‘write’ ACL is present.
‘Accounting’ group ‘write’ ACL is present.

Adding new object sections
The ‘Sensitivities’ object section already exist.

Adding new objects
The ‘Normal’ object in the ‘Sensitivities’ section already exist.
The ‘High’ object in the ‘Sensitivities’ section already exist.
The ‘Pharmacy Dispensary’ object in the ‘Administration’ section already exist.
The ‘ACL Administration’ object in the ‘Administration’ section already exist.
The ‘Price Discounting’ object in the ‘Accounting’ section already exist.

Upgrading objects
The ‘High’ object in the ‘Sensitivities’ section has already been updated.

Updating the ACLs(Access Control Lists)
The ‘Superuser’ object of the ‘Administration’ section is already found in the ‘Administrators’ group ‘write’ ACL.
The ‘High’ object of the ‘Sensitivities’ section is already found in the ‘Administrators’ group ‘write’ ACL.
The ‘Normal’ object of the ‘Sensitivities’ section is already found in the ‘Administrators’ group ‘write’ ACL.
The ‘High’ object of the ‘Sensitivities’ section is already found in the ‘Physicians’ group ‘write’ ACL.
The ‘Normal’ object of the ‘Sensitivities’ section is already found in the ‘Physicians’ group ‘write’ ACL.
The ‘Normal’ object of the ‘Sensitivities’ section is already found in the ‘Clinicians’ group ‘addonly’ ACL.
The ‘Pharmacy Dispensary’ object of the ‘Administration’ section is already found in the ‘Administrators’ group ‘write’ ACL.
The ‘Pharmacy Dispensary’ object of the ‘Administration’ section is already found in the ‘Physicians’ group ‘write’ ACL.
The ‘Pharmacy Dispensary’ object of the ‘Administration’ section is already found in the ‘Clinicians’ group ‘write’ ACL.
The ‘ACL Administration’ object of the ‘Administration’ section is already found in the ‘Administrators’ group ‘write’ ACL.
The ‘Price Discounting’ object of the ‘Accounting’ section is already found in the ‘Administrators’ group ‘write’ ACL.
The ‘Price Discounting’ object of the ‘Accounting’ section is already found in the ‘Accounting’ group ‘write’ ACL.
The ‘Price Discounting’ object of the ‘Accounting’ section is already found in the ‘Physicians’ group ‘write’ ACL.

ALL DONE

cfapress wrote on Tuesday, January 27, 2009:

The point where ACL_SETUP.PHP fails is a check on adding the Accounting object section in PHP GACL.

Go to your PHP GACL administration interface web page. Take a look at the ACL Admin tab. You should see a list of sections in there. If not, clearly OpenEMR is not able to populate your PHPGACL security. I think this is the case.

First, you shouldn’t use ‘root’ as the database user for any database besides the MySQL tables. For example, you could use the username ‘openemr’ for the OpenEMR database and the username ‘phpgacl’ for the PHPGACL database. If you use the user ‘root’ you will open yourself up for potential security breaches. Mainly because the OpenEMR and PHPGACL database passwords are stored in plain text files. So, if you know how, change the database users and passwords. If you do this, you will also have to change the granted privileges. It gets a little messy here. Don’t hesitate to ask questions about it.

Second, PHPGACL should be working as a stand-alone system accessible with a web browser. Check that. Can you access the PHPGACL admin pages?

Third, attempt to create a Section in the ACL Admin page of PHPGACL. It’s a little confusing so play with it a little bit. Don’t worry about breaking it.

Finally, if everything above works perfectly, we need to figure out why OpenEMR cannot talk to PHPGACL. This is typically a configuration issue. So check your setting in <openemr>/library/acl.inc for
  $phpgacl_location = "<somelocation>";
Be sure that <somelocation> is the full path to your installed PHPGACL. For example, ‘/var/www/phpgacl’.

And if everything above is working fine and you’re still having trouble… perhaps there is some supporting library that is missing or at an incorrect version.

Good Luck, and report back your progress.
Jason

anojgoel wrote on Tuesday, January 27, 2009:

jason

thanks for being patient with me.

i am trying to setup an emr for my small consultative practice and this is not a secured system at present. i still need to learn how to do the users/ passwords for databases. i think that would be from phpmyadmin.

i am able to see phpgacl admin and it has sections populated by openemr.
i am able to add users in phpgacl admin

this is from acl list group administrators
    *  Accounting
         1. Billing (write optional)
         2. Price Discounting
         3. EOB Data Entry
         4. Financial Reporting - my encounters
         5. Financial Reporting - anything
    * Administration
         1. ACL Administration
         2. Batch Communication Tool
         3. Calendar Settings
         4. Database Reporting
         5. Pharmacy Dispensary
         6. Forms Administration
         7. Language Interface Tool
         8. Practice Settings
         9. Superuser
        10. Superbill Codes Administration
        11. Users/Groups/Logs Administration
    * Encounters
         1. Authorize - any encounters
         2. Coding - any encounters (write,wsome optional)
         3. Fix encounter dates - any encounters
         4. Notes - any encounters (write,addonly optional)
    * Patients
         1. Appointments (write optional)
         2. Demographics (write,addonly optional)
         3. Documents (write,addonly optional)
         4. Medical/History (write,addonly optional)
         5. Patient Notes (write,addonly optional)
         6. Transactions (write optional)
    * Sensitivities
         1. High
         2. Normal

acl_setup.php had worked initially but did not work after i rebooted the computer and now gives me error.
This is not working. Make sure you have:
* Set the correct phpgacl database name, user and password in gacl.ini.php
* Done the same in gacl.class.php
* Run setup.php from the phpGACL distribution
* Not already run this script successfully

<openemr>/library/acl.inc
this is from the terminal window
-rw-r--r--  1 anoj anoj 18970 2009-01-27 13:21 acl.inc
-rw-r--r--  1 anoj anoj 18973 2009-01-27 13:18 acl.inc~
when i try to open it for editing in terminal i get a blank page

this is from desktop
/var/www/openemr/library/acl.inc
and in text editor the setting seems to be correct
<?php
  // If you have installed phpGACL (http://phpgacl.sourceforge.net/)
  // and have configured it for your site, then uncomment the following
  // statement and change it to point to the location where
  // gacl.class.php is intalled.
  //
  $phpgacl_location = "/var/www/phpgacl";

question for you—

if the openemr admin/ user password is messed up, should i get an error that username/password is wrong or it simply fails to login with return to login screen?

i think my openemr admin password is messed up and hence it does not allow me to login? is there a location i can check for current admin and additional usernames password or reset them to default from terminal?

also

is the webserver installation messed up? i get this error while restarting apache2. although apache2 works well and i am able to connect to my webpages locally and remotely.
anoj@anoj-laptop:~$ /etc/init.d/apache2 restart
* Restarting web server apache2                                               
apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1 for ServerName
apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1 for ServerName
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
                                                                         [fail]

thank you again.

if i have to start all over–
should i just delete the var/www/openemr and var/www/phpgacl folder or there are some other places where files related to this are stored.

anojgoel wrote on Wednesday, January 28, 2009:

hi jason

it appears that phpgacl does not work with php5???

see the following post on the net.
http://www.codingforums.com/showthread.php?t=152966

part of the post is copied below for reference

>>>>> I’ve been working on a project where I needed an access control system and decided to used phpgacl 3.3.7, only to find out that using the configuration file didn’t work quite right. I did some debugging, and discovered a few issues, which I’ve fixed. You may have already gotten past these things, but in case not…

When I installed phpgacl, the admin interface worked fine. But when I tried to use it in my application, things didn’t work. I found a few things which got me past the problems.

The first issue was that when I put phpgacl into a subdirectory, when I loaded the class library, the config file (gacl.ini.php - which really isn’t a php file by the way) could not be found during class initialization. To fix it, I just created a symlink in my app directory to gacl.ini.php in the phpgacl subdirectory.

The second thing I found was a use of "array_merge()" which was incompatible with PHP5 in gacl.class.php on line 119. Here is the original code:

if ( is_array($config) ) {
$gacl_options = array_merge($config, $options);
}

I had to typecast "$options" - the changed code is:

if ( is_array($config) ) {
$gacl_options = array_merge($config, (array) $options);
}

The third issue was an outright bug - I’m not sure how the developer originally tested the code, but using gacl.ini.php flat out didn’t work. While there is a workaround, this kind of makes the gacl.ini.php file less useful. The problem was a reference to the wrong array name on lines 125 & 126:

if (is_array($options)) {
foreach ($options as $key => $value) {

The way things are setup, the above code only works if $options is passed in via the constructor - this is the case with the admin interface, so that works. But when we initialize the class from an app, we must construct our own options array and pass it in - it cannot be null. In the code, I can see that the intent was for the constructor to work with a null options list - in which case it should pull them from the config file. While I can certainly pass options in to the constructor, it really should be able to use options from the config file. (I really don’t understand why the admin stuff doesn’t just let the gacl class constructor read the config file, but it reads it itself instead.).

To fix this so that the config file works correctly for both the app and the admin interface, I just added a check and set $options to the right thing before the if test on line 125:

if ($options == NULL)
$options = &$gacl_options;

These two lines needed to be changed to:

if (is_array($gacl_options)) {
foreach ($gacl_options as $key => $value) {

After making the above changes, things appear to work properly.

Mind you, I haven’t run a full battery of tests on this - there could be other issues lurking. But with these changes, I managed to get phpgacl 3.3.7 working a whole lot better.

I’m really surprised that these problems had not been discovered much sooner - I did some searches and basically found that many folks had concluded that phpgacl was PHP4 only and had abandoned it (I’m using it with PHP5). That seems unfortunate, because it seems to be quite a useful package for apps in need of this kind of capability.>>>>>

let me know if this is the problem and i can try to make these changes and report back.

cfapress wrote on Wednesday, January 28, 2009:

Anoj,

I’m using PHP 4 and phpGACL 3.3.7. I haven’t tried PHP 5 yet but wouldn’t be surprised to see some problems appear. Unfortunately I can’t offer any specific advice. If you can edit the phpGACL code, follow the suggestions in the forums you’ve read.

The acl_setup might be failing because the ACL Sections already exist. So this error could be ignored until you get the PHP4 vs. PHP5 sorted out.

In OpenEMR once you’ve set
$phpgacl_location = "/var/www/phpgacl";
then it will not use the built in admin user/pass at all. It will only rely upon phpGACL.

You could try commenting out the phpgacl_location line and OpenEMR will fall back to the built in security. Then, attempt to log in to OpenEMR with the admin user/pass that worked in the past.

To reset the OpenEMR admin password you can open a MySQL session on the command line. This example uses the ‘root’ user since that is what you’ve been using:
  mysql -u root -p openemr
Once you’re logged in to the openemr database type this command:
  update users set password=password('<secret>') where username='admin';
Replace <secret> with whatever password you’d like.

Now, with phpGACL disabled and the admin password reset, you should be able to log into OpenEMR.

If we get that far, then we can tackle the phpGACL vs. PHP5 problem.

Jason

anojgoel wrote on Friday, January 30, 2009:

jason

thanks for the pointers.

i have put the ubuntu installation on hold, but i will definitely try some of the suggestions and report back to you/ here.

in the meantime i have openemr 2.9.1 dev working well in XP using XAMPP. the phpgacl is working, so it is not a php 4 vs 5 issue.

anoj

ideaman911 wrote on Tuesday, February 03, 2009:

Jason;

I also am having a problem with phpGACL.  My installations are all on Windows using the Xampp configuration which uses Apache and MySQL.  I have no problems using OpenEMR, and fully understand the issue of the acl.ini $phpgacl_location declaration.  That is commented out for now, until I can get GACL to work on its own.  I have tried multiple starts, removing all before trying another.

I am using the current Xampp distribution, along with OpenEMR 2.9.1dev.  But at this point, I do not see where OpenEMR is the problem, since I cannot get the GACL to configure and let me administer it.

Running the setup.php from within the GACL distribution, it shows all the databases are creating fine until it gets to Smarty.  Then it displays errors that Smarty is not an allowed option.  There are three such lines.

I have added and removed the (array) stuff as noted above since Apache and Xampp run PHP 5, but with no seeming impact.  I am aware of the Smarty stuff only because I switched the debug to TRUE.

I am NOT a Linux guy.  I have been working with Dr Bowen to port to Windows, and have a very reliable set of machines in XP and Vista running, with proven usability with either IE or Firefox on all from Win 98SE thru Vista 64 when the LAN server is running XP Pro at least.  Only the server needs to have any of the xampp & OpenEMR install, by the way, and it needs to have the Apache & MySQL running there.  But we also use copies of that "real" for various functions, so those are each configured as their own OpenEMR setups as well.

I am currently testing a VPN setup from logmein.com called Hamachi for remote networking (I won’t bore you with why, but it IS important to be able to do so).  tests so far are very promising.

If you have any clue as to how I fix that Smarty problem, I would really appreciate it.  Thanks.

Joe Holzer

drbowen wrote on Tuesday, February 03, 2009:

From Joe Holzer:

*****
However, it did point me toward where the problem could be traced, and when I found the Debug option setting in gacl.ini.php I decided to try the setup.php with it TRUE.  The results show all good until the ‘smarty’ config tries to load.  I have pasted the output below in the hope you might know how to fix it.  I am again in unknown waters.

All above the following shows fine, then it gets to Smarty (whatever that is)

Valid Config options: max_select_box_items
Option: max_search_return_items
Valid Config options: max_search_return_items
Option: smarty_dir
ERROR: Config option: smarty_dir is not a valid option
Option: smarty_template_dir
ERROR: Config option: smarty_template_dir is not a valid option
Option: smarty_compile_dir
ERROR: Config option: smarty_compile_dir is not a valid option
phpGACL Database Setup

Configuration:
driver = mysql,
host = localhost,
user = root,
database = gacl,
table prefix =
Testing database connection…
Failed! ERROR connecting to database,
are you sure you specified the proper host, user name, password, and database in admin/gacl_admin.inc.php?
Did you create the database, and give read/write permissions to "root" already?

Any ideas?  Please note that this prevents phpGACL Admin to come up, so I have still got the …openemr/library/acl.inc linkage commented out so I can work with OEMR separately until I get the GACL stuff to work.

Joe Holzer
*****

This means that your smarty_compile_dir and smarty_template_dir either do not have the correct path, do not exist or have incorrect permissions.  In Windows permissions are usually not an issue.  Most likely your path is incorrect or the directories do not exist.  In my gacl (3.3.6) these directories appear to be at:

gacl/admin/templates/
gacl/admin/templates_c/smarty

We have "Smarty Templates" in OpenEMR as well.  For Smarty Templates to work you need to have usually a couple of directories "cache", and "compile" for the Apache web server to be able to use for temporary files.  In OpenEMR, these files are used to run the calendar.

In gacl these directories: smarty,  template,  compile need to be accessible to (exist and have a correct path) and be writable by Apache.

Also the “table prefix” should not be empty.  (I don’t remember adding a table prefix but) this increases the security of gacl.

The last five lines of your error report suggest that the gacl setup program does not have permission to install the gacl database.  This can be remedied two ways, 1) create an empty gacl database in your mysql using the command line to do so.  then grant privileges on the gacl.* database to the gacl admin user.  2) give the mysql root user and password to the gacl setup program and let the setup program make the connection for you.

Sam Bowen, MD

drbowen wrote on Wednesday, February 04, 2009:

Would you guys just like to have a copy of phpgacl 3.3.6 ?

It seems like an awful lot of work to get phpgacl working.

I have posted phpgacl-3.3.6 at oemr.org for download.

http://www.oemr.org/html/downloads.php

Sam Bowen, MD

bradymiller wrote on Wednesday, February 04, 2009:

hey,
  In my experience on Mandriva 2008, phpgacl 3.3.7 works in openemr on php5.2.4.  I’m thinking it’s time to embed phpgacl into openemr to avoid all these installation problems.  Should be straightforward to merge phpgacl into openemr. I just posted the plan here:
https://sourceforge.net/forum/forum.php?thread_id=1844870&forum_id=202506

-Brady

anojgoel wrote on Wednesday, February 04, 2009:

hi joe

regarding your connection error
-------
Configuration:
driver = mysql,
host = localhost,
user = root,
database = gacl,
table prefix =
Testing database connection…
Failed! ERROR connecting to database,
---------

i ran into similar problems when i was using mysql for running several databases for different programs
the key is to make a separate user for each database
ie
for openemr-- user maybe openemr
for gacl-- user maybe gacl

also check in phpmyadmin
http://localhost/phpmyadmin/
if the host is mapped to correct location
root  127.0.0.1 global  ALL PRIVILEGES  Yes
or something similar

i have the phpgacl loaded and working in windows XP/ xampp with no issues so far.

post a snapshot of your phpmyadmin if possible
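
The separate per-database MySQL accounts recommended in this thread (Jason's advice not to connect as root, Sam's "create an empty gacl database, then grant privileges on gacl.*", and the post above), as an added example that is not part of the original posts. The function names are hypothetical; the database names openemr and gacl and the user names openemr and phpgacl are the ones mentioned in the thread.

```shell
#!/bin/sh
# Added example: emit SQL that gives each application its own MySQL account,
# limited to its own database, instead of connecting as root.

# valid_ident NAME: accept only plain identifiers so nothing needs escaping.
valid_ident() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# new_password: 24 random alphanumerics, safe inside a single-quoted SQL string.
new_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# grant_sql DB USER PASSWORD: print the statements on stdout.
# Returns 2 for a bad name, 3 if USER is root, 4 for an unusable password.
grant_sql() {
    db=$1 user=$2 pass=$3
    valid_ident "$db" && valid_ident "$user" || {
        echo "bad database or user name" >&2; return 2; }
    [ "$user" != root ] || {
        echo "refusing to use root as an application account" >&2; return 3; }
    case "$pass" in
        ''|*[!A-Za-z0-9]*) echo "password must be alphanumeric" >&2; return 4 ;;
    esac
    # Privileges are granted on one database only (db.*), never globally (*.*).
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
CREATE USER '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT ALL PRIVILEGES ON \`$db\`.* TO '$user'@'localhost';
EOF
}

# Print the statements for the two databases named in this thread.
grant_sql openemr openemr "$(new_password)"
grant_sql gacl phpgacl "$(new_password)"
```

Review the output, feed it to `mysql -u root -p`, then put the new user and password into gacl.ini.php and admin/gacl_admin.inc.php, the files the setup messages on this page refer to.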

anojgoel wrote on Saturday, February 07, 2009:

back to my ubuntu installation

i deleted everything and started from scratch.

everything works so long as i do not secure the phpgacl directory in apache2. once i secure the phpgacl directory, i get error on restarting apache2. it said something like
error on line 5 --members only – fail–
???Require valid-user line in the httpd.conf is causing trouble???

see the directions below
------
Next we will create password protection for the /var/www/phpgacl/admin directory.
Edit the file /etc/apache2/httpd.conf It is likely to be empty to start. In any case, add the following section at the end of the file. Again, whenever you see "{" or "}" you are to replace them with "<" and ">" in your actual file. This wiki just does not display the less than and greater than signs properly.
{Directory "/var/www/phpgacl/admin"}
AuthType Basic
AuthName "ACL Administrators"
AuthUserFile /var/www/phpgacl/admin/.htpasswd
Require valid-user
{/Directory}
Next, create the password file .htpasswd by typing these commands:
cd /var/www/phpgacl/admin
htpasswd -c /var/www/phpgacl/admin/.htpasswd admin
It will then ask for a password.
Next, restart apache by typing /etc/init.d/apache2 restart. At this point I found that I had to make the following changes to permissions and ownership:
cd /var/www/
chown www-data.www-data phpgacl -Rf
chmod 777 /var/www/phpgacl/admin/gacl_admin.inc.php
Now reboot, or restart apache by typing
/etc/init.d/apache2 restart
----------

is the chown line www-data.www-data or www-data:www-data???

thanks
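
A check for the permission changes that come up in this thread (chmod 777 on gacl_admin.inc.php in the directions quoted above, and the 777 templates_c directory from the start of the thread), as an added example that is not part of the original posts or the install guide. The function names are hypothetical, and it assumes the tree is owned by www-data as the quoted chown does, so Apache keeps its access through the owner bits once the "other" bits are removed.

```shell
#!/bin/sh
# Added example: audit a phpGACL tree for world-writable entries and for
# credential files that any local account can read, then tighten them.

# secret_files DIR [find tests/actions...]: files that hold credentials.
# gacl.ini.php and gacl_admin.inc.php carry the database password;
# .htpasswd carries the Basic-auth hashes for the admin directory.
secret_files() {
    dir=$1; shift
    find "$dir" -type f \
        \( -name gacl.ini.php -o -name gacl_admin.inc.php -o -name .htpasswd \) "$@"
}

# audit_tree DIR: print one line per finding.
# Returns 0 if clean, 1 if there are findings, 2 if DIR is not a directory.
audit_tree() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    findings=$(
        # Anything writable by "other" (symlinks skipped, their mode is meaningless).
        find "$root" ! -type l -perm -0002 -exec printf 'WORLD-WRITABLE %s\n' {} \;
        # Credential files readable by "other".
        secret_files "$root" -perm -0004 -exec printf 'SECRET-WORLD-READABLE %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# tighten_tree DIR: drop write for "other" everywhere and all "other" access
# on the credential files. Owner and group bits are left untouched.
tighten_tree() {
    root=$1
    find "$root" ! -type l -perm -0002 -exec chmod o-w {} +
    secret_files "$root" -exec chmod o-rwx {} +
}

# Stand-alone use: ./audit.sh /var/www/phpgacl
if [ $# -gt 0 ]; then
    audit_tree "$1"
fi
```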

bradymiller wrote on Saturday, February 07, 2009:

hey,

  What version are you using? If you’re using the newest cvs version, then phpgacl will be installed automatically when you run OpenEMR’s setup.php script. I just committed the changes to cvs yesterday, which basically completely embeds phpgacl within OpenEMR (security is also already set up, so you can avoid above).  Here’s the link discussing changes:
https://sourceforge.net/forum/forum.php?thread_id=1844870&forum_id=202506

when I use chown, I use chown www-data:www-data

-Brady

anojgoel wrote on Sunday, February 08, 2009:

tried the new cvs version in ubuntu. it looks good.

thanks for the chown command.

there is a typo in the openemr install on ubuntu guide since it says www-data.www-data instead of www-data:www-data

took me some time on how to use cvs in ubuntu.

any idea how to add a user with access to acl admin only?

when a user is logged in, how do i make it display on top left hand corner. right now it says logged in default for all except administrator?

anoj

bradymiller wrote on Monday, February 09, 2009:

hey,

I can help with the first question.  Make a new user. Then log in to OpenEMR as ‘admin’ and go to admin->ACL menu. Click box near ‘Groups and Access Controls’ and click ‘Add New Group’. Call it whatever you want. Then click ‘edit’ of that group and put the ‘ACL Administration’ control in it. Then click edit in the user you want to give only acl access and put them in only the new group you made.

-brady

anojgoel wrote on Monday, February 09, 2009:

hi brady

thanks for the tip. i will try it tonight.

is there any way to load a hand made comma delimited CPT4 file using the script. what changes i need to make to the script so that it can read my file?

at present it has "code" "," "description", "other stuff"
i do not need all the CPT4 codes in the system and would modify the script to be able to use this file.

anoj

drbowen wrote on Monday, February 09, 2009:

I posted a script at:

https://sourceforge.net/forum/message.php?msg_id=5917899

that can be made to work or at least help show you the way.  I think Rod also has a script under contribs that does this as well.

Sam Bowen, MD