Apache-AuthenNTLM
view release on metacpan or search on metacpan
AuthenNTLM.pm view on Meta::CPAN
. "while waiting for lock (key = $self->{semkey})\n"; die ; };
alarm $self -> {semtimeout} ;
$self -> {lock} = Apache::AuthenNTLM::Lock -> lock ($self->{semkey}, $debug) ;
alarm 0;
};
}
$self -> {smbhandle} = Authen::Smb::Valid_User_Connect ($pdc, $bdc, $domain, $nonce) ;
print STDERR "[$$] AuthenNTLM: verify handle $self->{username} smbhandle == $self->{smbhandle} \n" if ($debug) ;
if (!$self -> {smbhandle})
{
MP2 ? $r->log_error("Connect to SMB Server failed (pdc = $pdc bdc = $bdc domain = $domain error = "
. Authen::Smb::SMBlib_errno . '/' . Authen::Smb::SMBlib_SMB_Error . ") for " .
$r -> uri) : $r->log_reason("Connect to SMB Server failed (pdc = $pdc bdc = $bdc " .
"domain = $domain error = " .
Authen::Smb::SMBlib_errno . '/'
. Authen::Smb::SMBlib_SMB_Error . ") for " . $r -> uri) ;
return undef ;
}
return $self -> {nonce} = $nonce ;
}
sub verify_user
{
my ($self, $r) = @_ ;
if (!$self -> {smbhandle})
{
$self -> {lock} = undef ; # reset lock in case anything has gone wrong
MP2 ? $r->log_error("SMB Server connection not open in state 3 for " . $r -> uri)
: $r->log_reason("SMB Server connection not open in state 3 for " . $r -> uri) ;
return ;
AuthenNTLM.pm view on Meta::CPAN
? (defined($nonce))
? (MP2 ? Apache::HTTP_FORBIDDEN : Apache::Constants::HTTP_FORBIDDEN)
: (MP2 ? Apache::HTTP_INTERNAL_SERVER_ERROR : Apache::Constants::HTTP_INTERNAL_SERVER_ERROR)
: (MP2 ? Apache::DECLINED : Apache::Constants::DECLINED) ;
}
my $header1 = $self -> set_msg2 ($r, $nonce) ;
my $hdr = $r -> err_headers_out ;
$hdr -> add ($r->proxyreq ? 'Proxy-Authenticate' : 'WWW-Authenticate', $header1) if ($self -> {authntlm}) ;
# $r->discard_request_body ;
print STDERR "[$$] AuthenNTLM: verify handle = 1 smbhandle == $self->{smbhandle} \n" if ($debug) ;
return MP2 ? Apache::HTTP_UNAUTHORIZED : Apache::Constants::HTTP_UNAUTHORIZED ;
}
elsif ($type == 3)
{
print STDERR "[$$] handler type == 3 \n" if ($debug) ;
print STDERR "[$$] AuthenNTLM: verify handle = 3 smbhandle == $self->{smbhandle} \n" if ($debug) ;
if ( !$self->verify_user( $r ) )
{
if ( $self->{ntlmauthoritative} )
{
my $hdr = $r -> err_headers_out ;
$hdr -> add ($r->proxyreq ? 'Proxy-Authenticate' : 'WWW-Authenticate', 'NTLM') if ($self -> {authntlm}) ;
$hdr -> add ($r->proxyreq ? 'Proxy-Authenticate' : 'WWW-Authenticate', 'Basic realm="'
. $self -> {authname} . '"') if ($self -> {authbasic}) ;
# $r->discard_request_body ;
return MP2 ? Apache::HTTP_UNAUTHORIZED : Apache::Constants::HTTP_UNAUTHORIZED ;
}
AuthenNTLM.pm view on Meta::CPAN
elsif ($type == -1)
{
my $nonce = $self -> get_nonce ($r) ;
if (!$nonce)
{
$self -> {lock} = undef ; # reset lock in case anything has gone wrong
MP2 ? $r->log_error("Cannot get nonce for " . $r->uri) : $r->log_reason("Cannot get nonce for " . $r->uri) ;
return MP2 ? Apache::HTTP_INTERNAL_SERVER_ERROR : Apache::Constants::HTTP_INTERNAL_SERVER_ERROR ;
}
if (!$self -> verify_user ($r))
{
if ($self -> {basicauthoritative})
{
my $hdr = $r -> err_headers_out ;
$hdr -> add ($r->proxyreq ? 'Proxy-Authenticate' :'WWW-Authenticate', 'Basic realm="'
. $self -> {authname} . '"') if ($self -> {authbasic}) ;
# $r->discard_request_body ;
return MP2 ? Apache::HTTP_UNAUTHORIZED : Apache::Constants::HTTP_UNAUTHORIZED ;
}
else
AuthenNTLM.pm view on Meta::CPAN
Explorer and is mainly useful for intranets. Depending on your preferences
setting IE will supply your windows logon credentials to the web server
when the server asks for NTLM authentication. This saves the user to type in
his/her password again.
The NTLM protocol performs a challenge/response to exchange a random number
(nonce) and get back a md4 hash, which is built from the user's password
and the nonce. This makes sure that no password goes over the wire in plain text.
The main advantage of the Perl implementation is, that it can be easily extended
to verify the user/password against other sources than a windows domain controller.
The defaultf implementation is to go to the domain controller for the given domain
and verify the user. If you want to verify the user against another source, you
can inherit from Apache::AuthenNTLM and override it's methods.
To support users that aren't using Internet Explorer, Apache::AuthenNTLM can
also perform basic authentication depending on its configuration.
B<IMPORTANT:> NTLM authentification works only when KeepAlive is on. (If you have set ntlmdebug 2, and see that there is no return message (type 3), check your httpd.conf file for "KeepAlive Off". If KeepAlive Off, then change it to KeepAlive On, re...
=head1 CONFIGURATION
AuthenNTLM.pm view on Meta::CPAN
isn't configured. This is useful in environments where you have a lot of
domains, which trust each other, allowing you to always authenticate against
a single domain, (removing the need to configure all domains available in
your network).
=head2 PerlSetVar ntlmauthoritative
Setting the ntlmauthoritative directive explicitly to 'off' allows authentication
to be passed on to lower level modules if AuthenNTLM cannot authenticate the user
and the NTLM authentication scheme is used.
If set to 'on', which is the default, AuthenNTLM will try to verify the user and,
if it fails, will give an Authorization Required reply.
=head2 PerlSetVar basicauthoritative
Setting the ntlmauthoritative directive explicitly to 'off' allows authentication
to be passed on to lower level modules if AuthenNTLM cannot authenticate the user
and the Basic authentication scheme is used.
If set to 'on', which is the default, AuthenNTLM will try to verify the user and
if it fails will give an Authorization Required reply.
=head2 PerlSetVar ntlmsemkey
There are troubles when two authentication requests take place at the same
time. If the second request starts, before the first request has successfully
verified the user to the smb (windows) server, the smb server will terminate the first
request. To avoid this Apache::AuthenNTLM serializes all requests. It uses a semaphore
for this purpose. The semkey directive set the key which is used (default: 23754).
Set it to zero to turn serialization off.
AuthenNTLM.pm view on Meta::CPAN
Will be called after the object is setup to read in configuration informations.
The $r -> dir_config can be used for that purpose.
=head2 $self -> get_nonce ($r)
Will be called to setup the connection to the windows domain controller
for $self -> {domain} and retrieve the nonce.
In case you do not authenticate against a windows machine, you simply need
to set $self -> {nonce} to a 8 byte random string. Returns undef on error.
=head2 $self -> verify_user ($r)
Should verify that the given user supplied the right credentials. Input:
=over
=item $self -> {basic}
Set when we are doing basic authentication
=item $self -> {ntlm}
Set when we are doing ntlm authentication
More detailed implementation details are available from:
http://www.opengroup.org/comsource/techref2/NCH1222X.HTM
http://www.innovation.ch/java/ntlm.html
A lot of ideas and information are taken from the similar Apache module mod_ntlm,
which can be found at http://sourceforge.net/projects/modntlm/
The main advantage of the Perl implementation is, that it can be easily extended
to verify the user/password against other sources than a windows domain controller.
The default implementation is to go to the domain controller for the given domain
and verify the user. If you want to verify the user against another source, you
can inherit from Apache::AuthenNTLM and override its methods.
To support users that aren't using Internet Explorer, Apache::AuthenNTLM can
also perform basic authentication depending on it's configuration.
Apache::AuthenNTLM contains an extended version of Authen::Smb, which exposes
some more functions to Perl.
( run in 0.658 second using v1.01-cache-2.11-cpan-5467b0d2c73 )