Apache2-AuthzNIS
view release on metacpan or search on metacpan
lib/Apache2/AuthzNIS.pm view on Meta::CPAN
'-compile' => 'HTTP_UNAUTHORIZED',
'OK', 'HTTP_INTERNAL_SERVER_ERROR'
);
}
=head1 NAME
Apache2::AuthzNIS - mod_perl2 NIS Group Authorization module
=cut
our $VERSION = '0.13';
=head1 SYNOPSIS
<Directory /foo/bar>
# This is the standard authentication stuff
AuthName "Foo Bar Authentication"
AuthType Basic
# The following is actually only needed when you will authenticate
# via NIS passwd as well as authorize via NIS group.
# Apache2::AuthenNIS is a separate module.
PerlAuthenHandler Apache2::AuthenNIS
# Standard require stuff, NIS users or groups, and
# "valid-user" all work OK
require user username1 username2 ...
require group groupname1 groupname2 ...
require valid-user
PerlAuthzHandler Apache2::AuthzNIS
</Directory>
These directives can also be used in the <Location> directive or in
an .htaccess file.
=head1 DESCRIPTION
This perl module is designed to work with mod_perl, the Net::NIS module by
Rik Haris (B<rik.harris@fulcrum.com.au>), and the Apache2::AuthenNIS module.
Version 0.11 of Apache::AuthzNIS was renamed and modified to use mod_perl2.
That module was a direct adaptation of Michael Parker's
(B<parker@austx.tandem.com>) Apache::AuthenSmb module (which also included
an authorization routine).
The module calls B<Net::NIS::yp_match> using each of the B<require group>
elements as keys to the the B<group.byname> map, until a match with the
(already authenticated) B<user> is found.
For completeness, the module also handles B<require user> and B<require
valid-user> directives.
=head2 Apache2::AuthenNIS vs. Apache2::AuthzNIS
The following comments are from Apache::AuthzNIS.
I've taken "authentication" to be meaningful only in terms of a user and
password combination, not group membership. This means that you can use
Apache::AuthenNIS with the B<require user> and B<require valid-user>
directives. In the NIS context I consider B<require group> to be an
"authorization" concern. I.e., Group authorization consists of
establishing whether the already authenticated user is a member of one of
the indicated groups in the B<require group> directive. This process may
be handled by B<Apache::AuthzNIS>.
=head2 Functions
=over 4
=item handler
This is the mod_perl2 handler function.
=cut
sub handler {
my $r = shift;
my $requires = $r->requires;
return Apache2::Const::OK unless $requires;
my $name = $r->user;
for my $req ( @$requires ) {
my( $require, @list ) = split /\s+/, $req->{'requirement'};
#ok if user is one of these users
if ( $require eq 'user' ) {
return Apache2::Const::OK if grep $name eq $_, @list;
}
#ok if user is simply authenticated
elsif ( $require eq 'valid-user' ) {
return Apache2::Const::OK;
}
elsif ( $require eq 'group' ) {
my $domain = Net::NIS::yp_get_default_domain();
unless ( $domain ) {
$r->note_basic_auth_failure;
$r->log_error( __PACKAGE__, " - cannot obtain NIS domain", $r->uri );
return Apache2::Const::HTTP_INTERNAL_SERVER_ERROR;
}
foreach my $thisgroup ( @list ) {
my( $status, $entry )
= Net::NIS::yp_match( $domain, "group.byname", $thisgroup );
if ( $status ) {
my $error_msg = Net::NIS::yperr_string( $status );
$r->note_basic_auth_failure;
$r->log_error( __PACKAGE__,
" - group: $thisgroup: yp_match status $status, ",
$error_msg, $r->uri
);
return Apache2::Const::HTTP_INTERNAL_SERVER_ERROR;
}
my @names = split /\,/, $entry;
$names[0] =~ s/^.*:.*:.*://;
foreach my $oneuser ( @names ) {
if ( $oneuser eq $name ) {
return Apache2::Const::OK;
( run in 1.429 second using v1.01-cache-2.11-cpan-99c4e6809bf )