Apache-AuthenN2


AuthenN2.pm  view on Meta::CPAN

my $self="Apache::AuthenN2";

sub handler {

   # get request object
   my $r = shift;

   # service only the first internal request
   return OK unless $r->is_initial_req;

   # get password user entered in browser
   my($res, $sent_pwd) = $r->get_basic_auth_pw;

   # decline if not basic
   return $res if $res;

   # get user name
   my $name = $r->connection->user;

   # blank user name would cause problems
   unless($name){

AuthenN2.pm  view on Meta::CPAN

         unless (Authen::Smb::authen($name, $sent_pwd, $pdc, $bdc, $domain)){
            $r->push_handlers(PerlAuthzHandler => \&authz);
            return OK;
         }
      }
   }

   # try nis+
   # get passwd table name
   my $passwd_table = $dir_config->get('NISPlus_Passwd_Table');
   # get user password entry
   my $pwd_table = Net::NISPlus::Table->new($passwd_table);
   unless ($pwd_table){
      $r->note_basic_auth_failure;
      $r->log_reason($self . ': cannot get nis+ passwd table', $r->uri);
      return AUTH_REQUIRED;
   }
   my $pwd = '';
   my $group = '';
   # look for name match
   foreach ($pwd_table->lookup('[name=' . $name . ']')){

AuthenN2.pm  view on Meta::CPAN

default domains listed in the above config.  Failing nt
authentication, try nis+.  This order (nt then nis+) is simply to
boost average apparent performance because the nt population is much
larger than the unix population at the author's company.  If your
population has an opposite demographic, feel free to reverse the
order of checking.

Note that this scheme is quite permissive.  Valid nt credentials
against any of the controllers or domains, or valid nis+ credentials
will allow access.  This multiplies exposure to poorly selected
passwords.

<Files *challenge*> is just a way of specifying which files should be
protected by this authenticator.  In this example, a script named
newbug-challenge.pl would be protected, regardless of where it is
located in the apache htdocs or cgi directories.  If you prefer, you
can use the simpler <Location> directive to protect a particular file
or directory.

Instead of requiring specific groups or users, you could just
'require valid-user'.

AuthenN2.pm  view on Meta::CPAN

      PerlSetVar NISPlus_Group_Table group.org_dir.yoyodyne.com
      PerlSetVar NT_Default_Domains 'eng corporate'
      PerlSetVar NT_Controllers 'bapdc:babdc nypdc:nybdc'
      PerlSetVar AuthenCache_casesensitive off
      PerlAuthenHandler Apache::AuthenCache Apache::AuthenN2 Apache::AuthenCache::manage_cache
      require group eng
      require user john larry
   </Files>

A couple of tips about AuthenCache: (1) comment out the $r->warn lines
that echo the password to the apache error log (they are fine for
debugging but not good for production), and (2) keep in mind that the
cache has to be established separately in each current httpd child
process, so it does not appear to be working consistently until all
the children know about the user.  This is nothing to panic about; we
are just playing the odds: the more active the user is, the more they
will benefit from the caching.

=head1 AUTHOR

valerie at savina dot com (Valerie Delane), originally based more or

README  view on Meta::CPAN

    specified a domain, e.g., sales\john, then just try against that domain;
    if no domain was specified by the user, try all of the default domains
    listed in the above config. Failing nt authentication, try nis+. This
    order (nt then nis+) is simply to boost average apparent performance
    because the nt population is much larger than the unix population at the
    author's company. If your population has an opposite demographic, feel
    free to reverse the order of checking.

    Note that this scheme is quite permissive. Valid nt credentials against
    any of the controllers or domains, or valid nis+ credentials will allow
    access. This multiplies exposure to poorly selected passwords.
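
An added illustration of the exposure described above (not code from Apache::AuthenN2): it lists every check that one submitted password goes through under the sample config on this page. The sub name `auth_attempts`, the pairing of every domain with every pdc:bdc pair, and the nis+ fallback for domain-qualified names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not part of Apache::AuthenN2: models the documented
# lookup order to show how many checks a single password is tested against.
use strict;
use warnings;

# Values copied from the sample config on this page.
my $default_domains = 'eng corporate';
my $controllers     = 'bapdc:babdc nypdc:nybdc';

# Return the ordered list of checks for a login name as typed in the browser.
# Assumption: each candidate domain is tried against each pdc:bdc pair.
sub auth_attempts {
    my ($login) = @_;
    my ($domain, $user);
    if ($login =~ /^([^\\]+)\\(.+)$/) {      # domain given, e.g. sales\john
        ($domain, $user) = ($1, $2);
    } else {
        $user = $login;                      # no domain: use the defaults
    }
    my @domains = defined $domain ? ($domain) : split ' ', $default_domains;

    my @attempts;
    for my $d (@domains) {
        for my $pair (split ' ', $controllers) {
            my ($pdc, $bdc) = split /:/, $pair;
            push @attempts, "nt   domain=$d pdc=$pdc bdc=$bdc user=$user";
        }
    }
    # Failing nt authentication, nis+ is tried (assumed here to use the
    # user part of a domain-qualified name).
    push @attempts, "nis+ passwd table user=$user";
    return @attempts;
}

for my $login ('john', 'sales\\john') {
    my @checks = auth_attempts($login);
    printf "%s: %d checks, any one success grants access\n",
        $login, scalar @checks;
    print "   $_\n" for @checks;
}
```

Naming a domain narrows the nt checks to that domain, while a bare user name is tested against every default domain before nis+, so shortening NT_Default_Domains and NT_Controllers to what is actually needed reduces the number of places a weak password can match.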

    <Files *challenge*> is just a way of specifying which files should be
    protected by this authenticator. In this example, a script named
    newbug-challenge.pl would be protected, regardless of where it is located in
    the apache htdocs or cgi directories. If you prefer, you can use the
    simpler <Location> directive to protect a particular file or directory.

    Instead of requiring specific groups or users, you could just 'require
    valid-user'.

README  view on Meta::CPAN

          PerlSetVar NISPlus_Group_Table group.org_dir.yoyodyne.com
          PerlSetVar NT_Default_Domains 'eng corporate'
          PerlSetVar NT_Controllers 'bapdc:babdc nypdc:nybdc'
          PerlSetVar AuthenCache_casesensitive off
          PerlAuthenHandler Apache::AuthenCache Apache::AuthenN2 Apache::AuthenCache::manage_cache
          require group eng
          require user john larry
       </Files>

    A couple of tips about AuthenCache: (1) comment out the $r->warn lines
    that echo the password to the apache error log (they are fine for
    debugging but not good for production), and (2) keep in mind that the
    cache has to be established separately in each current httpd child
    process, so it does not appear to be working consistently until all the
    children know about the user. This is nothing to panic about; we are
    just playing the odds: the more active the user is, the more they will
    benefit from the caching.

AUTHOR
    valerie at savina dot com (Valerie Delane), originally based more or
    less on code shamelessly lifted from Doug MacEachern's Apache::AuthNIS

TODO  view on Meta::CPAN

o Add nt group authentication when it is available in
  Authen::Authen-Smb.

o Consult nis+ groups table (and /etc/groups?) to see if user is in
  additional groups besides the one specified in the password record
  (thanks to Joseph Sonnier for suggestion).


