Apache-AuthCookieDBIRadius
AuthCookieDBIRadius.pm view on Meta::CPAN
EOS
    # One prepared statement per required group: a returned row means the
    # user is a member of that group, so authorization succeeds on the first hit.
    foreach my $group ( @groups ) {
        $result->execute( $group, $user );
        return OK if ( $result->fetchrow_array );
    }
    $r->log_reason( "Apache::AuthCookieDBIRadius: user $user was not a member of any of the required groups @groups for auth realm $auth_name", $r->uri );
    return FORBIDDEN;
}
1;
__END__
=head1 NAME
Apache::AuthCookieDBIRadius - An AuthCookie module backed by a DBI database, and an optional Radius server.
=head1 SYNOPSIS
  # In httpd.conf or .htaccess
  ############################################
  # AuthCookie                               #
  #                                          #
  # PortalDBI_CryptType                      #
  # PortalDBI_GroupsTable                    #
  # PortalDBI_GroupField                     #
  # PortalDBI_GroupUserField                 #
  # PortalDBI_EncryptionType none|crypt|md5  #
  # PortalDBI_a on|off                       #
  # PortalDBI_b on|off                       #
  # PortalDBI_c on|off                       #
  # PortalDBI_d on|off                       #
  # PortalDBI_e on|off                       #
  # PortalDBI_f on|off                       #
  # PortalDBI_g on|off                       #
  # PortalDBI_useracct on|off                #
  # PortalDBI_log_field last_access          #
  # PortalDBI_Radius_host none               #
  # PortalDBI_Radius_port 1645               #
  # PortalDBI_Radius_secret none             #
  # PortalDBI_Radius_timeout 45              #
  # AuthCookieDebug 0,1,2,3                  #
  # PortalDomain .yourdomain.com             #
  #                                          #
  ############################################

  # key line must come first
  PerlSetVar PortalDBI_SecretKeyFile /usr/local/apache/conf/site.key
  PerlModule Apache::AuthCookieDBIRadius

  PerlSetVar PortalPath /
  PerlSetVar PortalLoginScript /login.pl
  PerlSetVar AuthCookieDebug 1

  PerlSetVar PortalDBI_DSN 'dbi:Pg:host=localhost port=5432 dbname=mydatabase'
  PerlSetVar PortalDBI_User "database_user"
  PerlSetVar PortalDBI_Password "database_password"
  PerlSetVar PortalDBI_UsersTable "users"
  PerlSetVar PortalDBI_UserField "userid"
  PerlSetVar PortalDBI_PasswordField "password"
  PerlSetVar PortalDBI_SessionLifeTime 00-24-00-00

  <FilesMatch "\.pl">
      AuthType Apache::AuthCookieDBIRadius
      AuthName Portal
      SetHandler perl-script
      PerlHandler Apache::Registry
      Options +ExecCGI
  </FilesMatch>

  # login.pl
  <Files LOGIN>
      AuthType Apache::AuthCookieDBIRadius
      AuthName Portal
      SetHandler perl-script
      PerlHandler Apache::AuthCookieDBIRadius->login
  </Files>

  #######################################
  #                                     #
  # Begin websites                      #
  #                                     #
  #######################################

  # private
  <Directory /home/httpd/html/private>
      AuthType Apache::AuthCookieDBIRadius
      AuthName Portal
      PerlSetVar PortalDBI_b on
      PerlAuthenHandler Apache::AuthCookieDBIRadius->authenticate
      PerlAuthzHandler Apache::AuthCookieDBIRadius->authorize
      require valid-user
  </Directory>

  # calendar
  <Directory /home/httpd/html/calendar>
      AuthType Apache::AuthCookieDBIRadius
      AuthName Portal
      PerlSetVar PortalDBI_a on
      PerlAuthenHandler Apache::AuthCookieDBIRadius->authenticate
      PerlAuthzHandler Apache::AuthCookieDBIRadius->authorize
      require valid-user
  </Directory>
=head1 DESCRIPTION
This module is an authentication handler that uses the basic mechanism provided
by Apache::AuthCookie with a DBI database for ticket-based protection. It
is based on two tokens being provided, a username and password, which can
be any strings (there are no illegal characters for either). The username is
used to set the remote user as if Basic Authentication was used.
On an attempt to access a protected location without a valid cookie being
provided, the module prints an HTML login form (produced by a CGI or any
other handler; this can be a static file if you want to always send people
to the same entry page when they log in). This login form has fields for
username and password. On submitting it, the username and password are looked
up in the DBI database. The supplied password is checked against the password
in the database; the password in the database can be plaintext, or a crypt()
or md5_hex() checksum of the password. If this succeeds, the user is issued
=item C<WhatEverDBI_UserField>
The field in the above table that has the user name. This is not
required and defaults to 'user'.
=item C<WhatEverDBI_PasswordField>
The field in the above table that has the password. This is not
required and defaults to 'password'.
=item C<WhatEverDBI_CryptType>
What kind of hashing is used on the password field in the database. This can
be 'none', 'crypt', or 'md5'. This is not required and defaults to 'none'.
=item C<WhatEverDBI_GroupsTable>
The table that has the user / group information. This is not required and
defaults to 'groups'.
=item C<WhatEverDBI_GroupField>
The field in the above table that has the group name. This is not required
and defaults to 'grp' (to prevent conflicts with the SQL reserved word 'group').
=item C<WhatEverDBI_GroupUserField>
The field in the above table that has the user name. This is not required
and defaults to 'user'.
=item C<WhatEverDBI_SecretKeyFile>
The file that contains the secret key (on the first line of the file). This
is required and has no default value. This key should be owned and only
readable by root. It is read at server startup time.
The key should be long and fairly random. If you want, you
can change it and restart the server, (maybe daily), which will invalidate
all prior-issued tickets.
=item C<WhatEverDBI_EncryptionType>
What kind of encryption to use to prevent the user from looking at the fields
in the ticket we give them. This is almost completely useless, so don't
switch it on unless you really know you need it. It does not provide any
protection of the password in transport; use SSL for that. It can be 'none',
'des', 'idea', 'blowfish', or 'blowfish_pp'.
This is not required and defaults to 'none'.
=item C<WhatEverDBI_SessionLifetime>
How long tickets are good for after being issued. Note that presently
Apache::AuthCookie does not set a client-side expire time, which means that
most clients will only keep the cookie until the user quits the browser.
However, if you wish to force people to log in again sooner than that, set
this value. This can be 'forever' or a lifetime specified as:

  DD-hh-mm-ss -- Days, hours, minutes and seconds to live.

This is not required and defaults to '00-24-00-00', i.e. 24 hours.
=back
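The password check described under C<WhatEverDBI_CryptType> (plaintext, crypt() or md5_hex() stored values), written out as an added example; this is not code from the module itself, and the sample user rows are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not part of Apache::AuthCookieDBIRadius: verify a submitted
# password against the stored PasswordField value for each CryptType setting.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Compare two strings without stopping at the first differing byte.
sub _eq {
    my ( $x, $y ) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord( substr( $x, $_, 1 ) ) ^ ord( substr( $y, $_, 1 ) )
        for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# $crypt_type is the CryptType setting ('none', 'crypt' or 'md5');
# $stored is the password column for the user (NOT NULL per the schema).
sub password_ok {
    my ( $supplied, $stored, $crypt_type ) = @_;
    $crypt_type ||= 'none';
    return 0 unless defined $stored && length $stored;
    if ( $crypt_type eq 'none' ) {
        return _eq( $supplied, $stored );
    }
    elsif ( $crypt_type eq 'crypt' ) {
        # crypt() takes the salt from the stored 13-character hash, so
        # re-hashing the candidate reproduces the stored value on a match.
        return _eq( crypt( $supplied, $stored ), $stored );
    }
    elsif ( $crypt_type eq 'md5' ) {
        # 32-character hex digest, matching the VARCHAR(32) column above.
        return _eq( md5_hex($supplied), lc $stored );
    }
    die "unknown CryptType '$crypt_type'";
}

# Constructed sample rows, one per CryptType (hypothetical data).
my %stored = (
    none  => 'secret',
    crypt => crypt( 'secret', 'ab' ),
    md5   => md5_hex('secret'),
);
for my $type ( sort keys %stored ) {
    printf "%-5s good=%d bad=%d\n", $type,
        password_ok( 'secret', $stored{$type}, $type ),
        password_ok( 'wrong',  $stored{$type}, $type );
}
```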
=head1 DATABASE SCHEMAS
For this module to work, the database tables must be laid out at least somewhat
according to the following rules: the user field must be a primary key
so there is only one row per user; the password field must be NOT NULL. If
you're using MD5 passwords the password field must be 32 characters long to
allow enough space for the output of md5_hex(). If you're using crypt()
passwords you need to allow 13 characters.
A minimal CREATE TABLE statement might look like:

  CREATE TABLE users (
      user     VARCHAR(16) PRIMARY KEY,
      password VARCHAR(32) NOT NULL
  )
The groups table is really a join table between the users table and a table
with one row per group, which you only need if you have more per-group data
to store; if all you care about is group membership, this one table is enough.
The only constraints on this table are that the user and group fields be NOT NULL.
A minimal CREATE TABLE statement might look like:

  CREATE TABLE groups (
      grp  VARCHAR(16) NOT NULL,
      user VARCHAR(16) NOT NULL
  )
=head1 COPYRIGHT
Copyright (C) 2000 SF Interactive, Inc. All rights reserved.
=head1 LICENSE
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
=head1 AUTHOR
Author: Charles Day <BarracodE@s1te.com>
Original Author: Jacob Davies <jacob@sfinteractive.com> <jacob@well.com>
=head1 SEE ALSO