Result:
found more than 506 distributions - search limited to the first 2001 files matching your query
( run in 0.972 )
Apache2-AuthCookieDBI
view release on metacpan or search on metacpan
lib/Apache2/AuthCookieDBI.pm view on Meta::CPAN
PerlSetVar WhatEverDBI_DSN "DBI:mysql:database=test"
PerlSetVar WhatEverDBI_SecretKey "489e5eaad8b3208f9ad8792ef4afca73598ae666b0206a9c92ac877e73ce835c"
# These are optional, the module sets sensible defaults.
PerlSetVar WhatEverDBI_User "nobody"
PerlSetVar WhatEverDBI_Password "password"
PerlSetVar WhatEverDBI_UsersTable "users"
PerlSetVar WhatEverDBI_UserField "user"
PerlSetVar WhatEverDBI_PasswordField "password"
PerlSetVar WhatEverDBI_UserActiveField "" # Default is skip this feature
PerlSetVar WhatEverDBI_CryptType "none"
PerlSetVar WhatEverDBI_GroupsTable "groups"
PerlSetVar WhatEverDBI_GroupField "grp"
PerlSetVar WhatEverDBI_GroupUserField "user"
lib/Apache2/AuthCookieDBI.pm view on Meta::CPAN
=head1 DESCRIPTION
This module is an authentication handler that uses the basic mechanism provided
by Apache2::AuthCookie with a DBI database for ticket-based protection. It
is based on two tokens being provided, a username and password, which can
be any strings (there are no illegal characters for either). The username is
used to set the remote user as if Basic Authentication was used.
On an attempt to access a protected location without a valid cookie being
provided, the module prints an HTML login form (produced by a CGI or any
other handler; this can be a static file if you want to always send people
to the same entry page when they log in). This login form has fields for
username and password. On submitting it, the username and password are looked
up in the DBI database. The supplied password is checked against the password
in the database; the password in the database can be plaintext, or a crypt()
or md5_hex() checksum of the password. If this succeeds, the user is issued
a ticket. This ticket contains the username, an issue time, an expire time,
and an MD5 checksum of those and a secret key for the server. It can
optionally be encrypted before returning it to the client in the cookie;
encryption is only useful for preventing the client from seeing the expire
time. If you wish to protect passwords in transport, use an SSL-encrypted
connection. The ticket is given in a cookie that the browser stores.
After a login the user is redirected to the location they originally wished
to view (or to a fixed page if the login "script" was really a static file).
lib/Apache2/AuthCookieDBI.pm view on Meta::CPAN
DBI_SecretKey => undef,
DBI_User => undef,
DBI_Password => undef,
DBI_UsersTable => 'users',
DBI_UserField => 'user',
DBI_PasswordField => 'password',
DBI_UserActiveField => EMPTY_STRING, # Default is don't use this feature
DBI_CryptType => 'none',
DBI_GroupsTable => 'groups',
DBI_GroupField => 'grp',
DBI_GroupUserField => 'user',
lib/Apache2/AuthCookieDBI.pm view on Meta::CPAN
# If we used encryption we need to pull in Crypt::CBC.
if ( $c{'DBI_EncryptionType'} ne 'none' ) {
require Crypt::CBC;
}
# Compile module for password encryption, if needed.
if ( $c{'DBI_CryptType'} =~ /^sha/ ) {
require Digest::SHA;
}
return %c;
lib/Apache2/AuthCookieDBI.pm view on Meta::CPAN
The user to log into the database as. This is not required and
defaults to undef.
=item C<WhatEverDBI_Password>
The password to use to access the database. This is not required
and defaults to undef.
Make sure that the Perl environment variables are
not publically available, for example via the /perl-status handler since the
password could be exposed.
=item C<WhatEverDBI_UsersTable>
The table that user names and passwords are stored in. This is not
required and defaults to 'users'.
=item C<WhatEverDBI_UserField>
The field in the above table that has the user name. This is not
required and defaults to 'user'.
=item C<WhatEverDBI_PasswordField>
The field in the above table that has the password. This is not
required and defaults to 'password'.
=item C<WhatEverDBI_UserActiveField>
The field in the users' table that has a value indicating if the users' account
is "active". This is optional and the default is to not use this field.
lib/Apache2/AuthCookieDBI.pm view on Meta::CPAN
values. The I<user_is_active> class method exposes this setting (and may be
overidden in a subclass.)
=item C<WhatEverDBI_CryptType>
What kind of hashing is used on the password field in the database. This can
be 'none', 'crypt', 'md5', 'sha256', 'sha384', or 'sha512'.
C<md5> will use Digest::MD5::md5hex() and C<sha...> will use
Digest::SHA::sha{n}_hex().
lib/Apache2/AuthCookieDBI.pm view on Meta::CPAN
=item C<WhatEverDBI_EncryptionType>
What kind of encryption to use to prevent the user from looking at the fields
in the ticket we give them. This is almost completely useless, so don't
switch it on unless you really know you need it. It does not provide any
protection of the password in transport; use SSL for that. It can be 'none',
'des', 'idea', 'blowfish', or 'blowfish_pp'.
This is not required and defaults to 'none'.
=item C<WhatEverDBI_SessionLifetime>
lib/Apache2/AuthCookieDBI.pm view on Meta::CPAN
sub _now_year_month_day_hour_minute_second {
return sprintf '%04d-%02d-%02d-%02d-%02d-%02d', Today_and_Now;
}
sub _check_password {
my ( $class, $password, $crypted_password, $crypt_type ) = @_;
return
if not $crypted_password
; # https://rt.cpan.org/Public/Bug/Display.html?id=62470
my %password_checker = (
'none' => sub { return $password eq $crypted_password; },
'crypt' => sub {
return crypt( $password, $crypted_password ) eq $crypted_password;
},
'md5' => sub { return md5_hex($password) eq $crypted_password; },
'sha256' => sub {
return Digest::SHA::sha256_hex($password) eq $crypted_password;
},
'sha384' => sub {
return Digest::SHA::sha384_hex($password) eq $crypted_password;
},
'sha512' => sub {
return Digest::SHA::sha512_hex($password) eq $crypted_password;
},
);
return $password_checker{$crypt_type}->();
}
#-------------------------------------------------------------------------------
# _percent_encode -- Percent-encode (like URI encoding) any non-alphanumberics
# in the supplied string.
lib/Apache2/AuthCookieDBI.pm view on Meta::CPAN
my %c = $config_hash ? %$config_hash : $class->_dbi_config_vars($r);
my $auth_name = $r->auth_name;
# get the crypted password from the users database for this user.
my $dbh = DBI->connect_cached( $c{'DBI_DSN'}, $c{'DBI_User'},
$c{'DBI_Password'} );
if ( defined $dbh ) {
my $info_message
= "${class}\tconnect to $c{'DBI_DSN'} for auth realm $auth_name";
lib/Apache2/AuthCookieDBI.pm view on Meta::CPAN
return;
}
}
#-------------------------------------------------------------------------------
# _get_crypted_password -- Get the users' password from the database.
sub _get_crypted_password {
my ( $class, $r, $user, $config_hash ) = @_;
my %c = $config_hash ? %$config_hash : $class->_dbi_config_vars($r);
my $dbh = $class->_dbi_connect($r, \%c) || return;
my $auth_name = $r->auth_name;
lib/Apache2/AuthCookieDBI.pm view on Meta::CPAN
$class->logger( $r, Apache2::Const::LOG_NOTICE, $message, $user,
LOG_TYPE_AUTH, $r->uri );
return;
}
my $crypted_password = EMPTY_STRING;
my $PasswordField = $dbh->quote_identifier($c{'DBI_PasswordField'});
my $UsersTable = $dbh->quote_identifier($c{'DBI_UsersTable'});
my $UserField = $dbh->quote_identifier($c{'DBI_UserField'});
lib/Apache2/AuthCookieDBI.pm view on Meta::CPAN
$class->logger( $r, Apache2::Const::LOG_ERR, $message, $user,
LOG_TYPE_AUTH, $r->uri );
return;
}
$sth->execute($user);
($crypted_password) = $sth->fetchrow_array();
$sth->finish();
if ( _is_empty($crypted_password) ) {
my $message
= "${class}\tCould not select password using SQL query '$sql_query'";
$class->logger( $r, Apache2::Const::LOG_ERR, $message, $user,
LOG_TYPE_AUTH, $r->uri );
return;
}
return $crypted_password;
}
#-------------------------------------------------------------------------------
# _prepare_group_query -- Prepare the database query used to determine whether
# the authenticated user is a member of a group.
lib/Apache2/AuthCookieDBI.pm view on Meta::CPAN
#===============================================================================
# P U B L I C F U N C T I O N S
#===============================================================================
sub extra_session_info {
my ( $class, $r, $user, $password, @extra_data ) = @_;
return EMPTY_STRING;
}
sub authen_cred {
my ( $class, $r, $user, $password, @extra_data ) = @_;
my $auth_name = $r->auth_name;
( $user, $password ) = _defined_or_empty( $user, $password );
if ( !length $user ) {
my $message
= "${class}\tno username supplied for auth realm $auth_name";
$class->logger( $r, Apache2::Const::LOG_NOTICE, $message, $user,
LOG_TYPE_AUTH, $r->uri );
return;
}
if ( !length $password ) {
my $message
= "${class}\tno password supplied for auth realm $auth_name";
$class->logger( $r, Apache2::Const::LOG_NOTICE, $message, $user,
LOG_TYPE_AUTH, $r->uri );
return;
}
# get the configuration information.
my %c = $class->_dbi_config_vars($r);
# get the crypted password from the users database for this user.
my $crypted_password = $class->_get_crypted_password( $r, $user, \%c );
return unless ( defined $crypted_password );
# now return unless the passwords match.
my $crypt_type = lc $c{'DBI_CryptType'};
if ( !$class->_check_password( $password, $crypted_password, $crypt_type ) )
{
my $message
= "${class}\tcrypt_type: '$crypt_type' - passwords didn't match for user '$user' for auth realm $auth_name";
$class->logger( $r, Apache2::Const::LOG_NOTICE, $message, $user,
LOG_TYPE_AUTH, $r->uri );
return;
}
lib/Apache2/AuthCookieDBI.pm view on Meta::CPAN
# time and the session id (if any) together to make the public part
# of the session key:
my $current_time = _now_year_month_day_hour_minute_second;
my $public_part = "$enc_user:$current_time:$expire_time:$session_id";
$public_part
.= $class->extra_session_info( $r, $user, $password, @extra_data );
# Now we calculate the hash of this and the secret key and then
# calculate the hash of *that* and the secret key again.
my $secretkey = $c{'DBI_SecretKey'};
if ( !defined $secretkey ) {
lib/Apache2/AuthCookieDBI.pm view on Meta::CPAN
You can subclass this module to override public functions and change
their behaviour.
=head1 CLASS METHODS
=head2 authen_cred($r, $user, $password, @extra_data)
Take the credentials for a user and check that they match; if so, return
a new session key for this user that can be stored in the cookie.
If there is a problem, return a bogus session key.
lib/Apache2/AuthCookieDBI.pm view on Meta::CPAN
=head2 decrypt_session_key($r, $encryptiontype, $encrypted_session_key, $secret_key)
Returns the decrypted session key or false on failure.
=head2 extra_session_info($r, $user, $password, @extra_data)
A stub method that you may want to override in a subclass.
This method returns extra fields to add to the session key.
It should return a string consisting of ":field1:field2:field3"
lib/Apache2/AuthCookieDBI.pm view on Meta::CPAN
=head1 DATABASE SCHEMAS
For this module to work, the database tables must be laid out at least somewhat
according to the following rules: the user field must be a UNIQUE KEY
so there is only one row per user; the password field must be NOT NULL. If
you're using MD5 passwords the password field must be 32 characters long to
allow enough space for the output of md5_hex(). If you're using crypt()
passwords you need to allow 13 characters. If you're using sha256_hex()
then you need to allow for 64 characters, for sha384_hex() allow 96 characters,
and for sha512_hex() allow 128.
An minimal CREATE TABLE statement might look like:
CREATE TABLE users (
user VARCHAR(16) PRIMARY KEY,
password VARCHAR(32) NOT NULL
)
For the groups table, the access table is actually going to be a join table
between the users table and a table in which there is one row per group
if you have more per-group data to store; if all you care about is group
Apache2-AuthCookieDBImg
view release on metacpan or search on metacpan
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
PerlSetVar WhatEverDBI_DSN "DBI:mysql:database=test"
PerlSetVar WhatEverDBI_SecretKey "489e5eaad8b3208f9ad8792ef4afca73598ae666b0206a9c92ac877e73ce835c"
# These are optional, the module sets sensible defaults.
PerlSetVar WhatEverDBI_User "nobody"
PerlSetVar WhatEverDBI_Password "password"
PerlSetVar WhatEverDBI_UsersTable "users"
PerlSetVar WhatEverDBI_UserField "user"
PerlSetVar WhatEverDBI_PasswordField "password"
PerlSetVar WhatEverDBI_CryptType "none"
PerlSetVar WhatEverDBI_GroupsTable "groups"
PerlSetVar WhatEverDBI_GroupField "grp"
PerlSetVar WhatEverDBI_GroupUserField "user"
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
=head1 DESCRIPTION
This module is an authentication handler that uses the basic mechanism provided
by Apache2::AuthCookie with a DBI database for ticket-based protection. It
is based on two tokens being provided, a username and password, which can
be any strings (there are no illegal characters for either). The username is
used to set the remote user as if Basic Authentication was used.
On an attempt to access a protected location without a valid cookie being
provided, the module prints an HTML login form (produced by a CGI or any
other handler; this can be a static file if you want to always send people
to the same entry page when they log in). This login form has fields for
username and password. On submitting it, the username and password are looked
up in the DBI database. The supplied password is checked against the password
in the database; the password in the database can be plaintext, or a crypt()
or md5_hex() checksum of the password. If this succeeds, the user is issued
a ticket. This ticket contains the username, an issue time, an expire time,
and an MD5 checksum of those and a secret key for the server. It can
optionally be encrypted before returning it to the client in the cookie;
encryption is only useful for preventing the client from seeing the expire
time. If you wish to protect passwords in transport, use an SSL-encrypted
connection. The ticket is given in a cookie that the browser stores.
After a login the user is redirected to the location they originally wished
to view (or to a fixed page if the login "script" was really a static file).
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
is the third var.
Your login form should set the 2 required fields for ALL AuthCookieDBI
login forms:
Your login ID: <input type="text" name="credential_0" value="">
Your password: <input type="password" name="credential_1" value="">
PLUS two additional fields for image processing:
The image says: <input type="text" name="credential_2" value="">
<input type="hidden" name="credential_3" value="a_random_key">
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
The user to log into the database as. This is not required and
defaults to undef.
=item C<WhatEverDBI_Password>
The password to use to access the database. This is not required
and defaults to undef.
Make sure that the Perl environment variables are
not publically available, for example via the /perl-status handler since the
password could be exposed.
=item C<WhatEverDBI_UsersTable>
The table that user names and passwords are stored in. This is not
required and defaults to 'users'.
=item C<WhatEverDBI_UserField>
The field in the above table that has the user name. This is not
required and defaults to 'user'.
=item C<WhatEverDBI_PasswordField>
The field in the above table that has the password. This is not
required and defaults to 'password'.
=item C<WhatEverDBI_CryptType>
What kind of hashing is used on the password field in the database. This can
be 'none', 'crypt', or 'md5'. This is not required and defaults to 'none'.
=item C<WhatEverDBI_GroupsTable>
The table that has the user / group information. This is not required and
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
=item C<WhatEverDBI_EncryptionType>
What kind of encryption to use to prevent the user from looking at the fields
in the ticket we give them. This is almost completely useless, so don''t
switch it on unless you really know you need it. It does not provide any
protection of the password in transport; use SSL for that. It can be 'none',
'des', 'idea', 'blowfish', or 'blowfish_pp'.
This is not required and defaults to 'none'.
=item C<WhatEverDBI_SessionLifetime>
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
_log_not_set $r, 'DBI_SecretKey';
return undef;
}
$c{ DBI_user } = _dir_config_var( $r, 'DBI_User' ) || undef;
$c{ DBI_password } = _dir_config_var( $r, 'DBI_Password' ) || undef;
$c{ DBI_userstable } = _dir_config_var( $r, 'DBI_UsersTable' ) || 'users';
$c{ DBI_userfield } = _dir_config_var( $r, 'DBI_UserField' ) || 'user';
$c{ DBI_passwordfield } = _dir_config_var( $r, 'DBI_PasswordField' ) || 'password';
$c{ DBI_crypttype } = _dir_config_var( $r, 'DBI_CryptType' ) || 'none';
$c{ DBI_groupstable } = _dir_config_var( $r, 'DBI_GroupsTable' ) || 'groups';
$c{ DBI_groupfield } = _dir_config_var( $r, 'DBI_GroupField' ) || 'grp';
$c{ DBI_groupuserfield } = _dir_config_var( $r, 'DBI_GroupUserField' ) || 'user';
$c{ DBI_imgtable } = _dir_config_var( $r, 'DBI_ImgTable' ) || '';
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
unless ( $user =~ /^.+$/ ) {
$r->log_error( "Apache2::AuthCookieDBI: no username supplied for auth realm $auth_name", $r->uri );
return undef;
}
# Password goes in credential_1
my $password = shift @credentials;
unless ( $password =~ /^.+$/ ) {
$r->log_error( "Apache2::AuthCookieDBI: no password supplied for auth realm $auth_name", $r->uri );
return undef;
}
# CSA Patch - Use global var
# needed later for authen_sess_key
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
@Extra_Data = @credentials;
# get the configuration information.
my %c = _dbi_config_vars $r;
# get the crypted password from the users database for this user.
my $dbh = DBI->connect( $c{ DBI_DSN },
$c{ DBI_user }, $c{ DBI_password } );
unless ( defined $dbh ) {
$r->log_error( "Apache2::AuthCookieDBI: couldn't connect to $c{ DBI_DSN } for auth realm $auth_name", $r->uri );
return undef;
}
my $sth = $dbh->prepare( <<"EOS" );
SELECT $c{ DBI_passwordfield }
FROM $c{ DBI_userstable }
WHERE $c{ DBI_userfield } = ?
EOS
$sth->execute( $user );
# CSA Patch - No need to add array overhead when fetching a single field
# my( $crypted_password ) = $sth->fetchrow_array;
my $crypted_password = $sth->fetchrow;
unless ( defined $crypted_password ) {
$r->log_error( "Apache2::AuthCookieDBI: couldn't select password from $c{ DBI_DSN }, $c{ DBI_userstable }, $c{ DBI_userfield } for user $user for auth realm $auth_name", $r->uri );
return undef;
}
# now return unless the passwords match.
if ( lc $c{ DBI_crypttype } eq 'none' ) {
unless ( $password eq $crypted_password ) {
$r->log_error( "Apache2::AuthCookieDBI: plaintext passwords didn't match for user $user for auth realm $auth_name", $r->uri );
return undef;
}
} elsif ( lc $c{ DBI_crypttype } eq 'crypt' ) {
my $salt = substr $crypted_password, 0, 2;
unless ( crypt( $password, $salt ) eq $crypted_password ) {
$r->log_error( "Apache2::AuthCookieDBI: crypted passwords didn't match for user $user for auth realm $auth_name", $r->uri );
return undef;
}
} elsif ( lc $c{ DBI_crypttype } eq 'md5' ) {
unless ( md5_hex( $password ) eq $crypted_password ) {
$r->log_error( "Apache2::AuthCookieDBI: MD5 passwords didn't match for user $user for auth realm $auth_name", $r->uri );
return undef;
}
}
# CSA Patch - New gen_key function for activity reset
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
# If we're using a session module, check that their session exist.
if ( defined $c{ DBI_sessionmodule } ) {
my %session;
my $dbh = DBI->connect( $c{ DBI_DSN },
$c{ DBI_user }, $c{ DBI_password } );
unless ( defined $dbh ) {
$r->log_error( "Apache2::AuthCookieDBImg: couldn't connect to $c{ DBI_DSN } for auth realm $auth_name", $r->uri );
return undef;
}
eval {
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
#---- CSA :: NEW 2.03 Session Stuff
# If we are using sessions, we create a new session for this login.
my $session_id = '';
if ( defined $c{ DBI_sessionmodule } ) {
my $dbh = DBI->connect( $c{ DBI_DSN },
$c{ DBI_user }, $c{ DBI_password } );
unless ( defined $dbh ) {
$r->log_error( "Apache2::AuthCookieDBI: couldn't connect to $c{ DBI_DSN } for auth realm $auth_name", $r->uri );
return undef;
}
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
my $user = $r->user;
# See if we have a row in the groups table for this user/group.
my $dbh = DBI->connect( $c{ DBI_DSN },
$c{ DBI_user }, $c{ DBI_password } );
unless ( defined $dbh ) {
$r->log_error( "Apache2::AuthCookieDBImg: couldn't connect to $c{ DBI_DSN } for auth realm $auth_name", $r->uri );
return undef;
}
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
=head1 DATABASE SCHEMAS
For this module to work, the database tables must be laid out at least somewhat
according to the following rules: the user field must be a primary key
so there is only one row per user; the password field must be NOT NULL. If
you're using MD5 passwords the password field must be 32 characters long to
allow enough space for the output of md5_hex(). If you're using crypt()
passwords you need to allow 13 characters.
An minimal CREATE TABLE statement might look like:
CREATE TABLE users (
user VARCHAR(16) PRIMARY KEY,
password VARCHAR(32) NOT NULL
)
For the groups table, the access table is actually going to be a join table
between the users table and a table in which there is one row per group
if you have more per-group data to store; if all you care about is group
Apache2-AuthCookieLDAP
view release on metacpan or search on metacpan
lib/Apache2/AuthCookieLDAP.pm view on Meta::CPAN
unless ($ldap_handler) {
$ldap_handler = NULL;
return $ldap_handler;
}
if ($binddn) { # bind with a dn/pass
my $msg = $ldap_handler->bind( $binddn, password => $bindpw );
$msg->code && $self->fatal( $r, $msg->error );
}
else { # anonymous bind
my $msg = $ldap_handler->bind();
$msg->code && $self->fatal( $r, $msg->error );
lib/Apache2/AuthCookieLDAP.pm view on Meta::CPAN
return $mesg->code ? 0 : $mesg->count;
}
sub ldap_check_user {
my ( $self, $r, $user, $password ) = @_;
return NULL unless $self->ldap($r);
my $base = $self->config( $r, C_BASE );
$base =~ s/%USER%/$user/;
my $mesg = $self->ldap($r)->bind( $base, password => $password );
return $mesg->is_error ? 0 : 1;
}
sub rlog {
lib/Apache2/AuthCookieLDAP.pm view on Meta::CPAN
return $expire_time < time ? 1 : 0;
}
sub authen_cred {
my ( $self, $r, $user, $password, @extra_data ) = @_;
my $auth_name = $r->auth_name;
my $remote_ip = $r->connection->remote_ip;
unless ($user) {
$DEBUG && $self->rlog( $r, "No username specified" );
return;
}
unless ($password) {
$DEBUG
&& $self->rlog( $r, "No password specified for user '$user'" );
return;
}
unless ( $self->ldap_search( $r, $user ) ) {
$DEBUG
&& $self->rlog( $r, "User '$user' is not found" );
return;
}
unless ( $self->ldap_check_user( $r, $user, $password ) ) {
$DEBUG
&& $self->rlog( $r, "Incorrect password for '$user'" );
return;
}
else {
$DEBUG
&& $self->rlog( $r, "Successful login for '$user' ($remote_ip)" );
lib/Apache2/AuthCookieLDAP.pm view on Meta::CPAN
PerlSetVar MyAuth_SecretKey OGheSWkT1ixd4V0DydSarLVevF77sSibMIoUaIYuQUqp2zvZIwbS4lyWhRTFUcHE
PerlSetVar MyAuth_SessionLifetime 00-24-00-00
PerlSetVar MyAuth_LDAPURI ldap://127.0.0.1
PerlSetVar MyAuth_Base uid=%USER%,ou=staff,dc=company,dc=com
PerlSetVar MyAuth_BindDN cn=ldap,dc=company,dc=com
PerlSetVar MyAuth_BindPW somepassword
PerlSetVar MyAuth_Filter (uid=%USER%)
<Directory /var/www/mysite/protected>
AuthType Apache2::AuthCookieLDAP
AuthName MyAuth
lib/Apache2/AuthCookieLDAP.pm view on Meta::CPAN
(ldapuri, base, binddn/bindpw or anonymous bind).
When there is an attempt to access a "protected" directory or location
that has 'require valid-user' option included Apache2::AuthCookieLDAP is used
as the authentication and the authorization handler. It takes a pair of
provided username/password and tries to search the username in the LDAP directory
(it also uses the filter MyAuth_Filter, for puropses where you want to restrict access
to the resource to only a specific group). If the user is found then it tries
to bind with the provided username/password. Once authorized a session key
is generated by taking into account the provided username, authorization time
and a hash generated by including a specific logic plus the user's IP address.
Upon completion the session data is encrypted with the secret key (MyAuth_SecretKey)
and the according cookie is generated by Apache2::AuthCookie.
All the following requests to the protected resource take the cookie (if exists)
lib/Apache2/AuthCookieLDAP.pm view on Meta::CPAN
Example: cn=ldap,dc=company,dc=com
=item C<MyAuth_BindPW> [optional]
If you BindDN then you most likely want to specify
a password here to bind with.
=item C<MyAuth_Cipher> [optinal, default: 'des']
An encryption method used for the session key.
lib/Apache2/AuthCookieLDAP.pm view on Meta::CPAN
=head2 ldap_search($r, $user)
Performs Net::LDAP->search(base => $base, scope => 'base', filter => $filter)
and returns '1' if the specified $user is found or otherwise '0'.
=head2 ldap_check_user($r, $user, $password)
Performs Net::LDAP->bind($base, password => $password).
(%USER% is replaced by $user in $base)
=head2 rlog($r, $msg)
lib/Apache2/AuthCookieLDAP.pm view on Meta::CPAN
=head2 check_expire_time($r, $session_time)
Checks the provided session time (unixtime) with the current time
and returns '0' if the session time is still valid or '1' if passed.
=head2 authen_cred($r, $user, $password, @extra_data)
This is the overridden method of Apache::AuthCookie and is used to
authenticate $user with the provided $password
Returns the encrypted session key in case of successfull authentication.
Please follow to Apache2::AuthCookie if you need more information about the method.
Apache2-AuthNetLDAP
view release on metacpan or search on metacpan
AuthNetLDAP.pm view on Meta::CPAN
#handles Apache requests
sub handler
{
my $r = shift;
my ($result, $password) = $r->get_basic_auth_pw;
return $result if $result;
# change based on version of mod_perl
my $user = $r->user;
AuthNetLDAP.pm view on Meta::CPAN
## Parse $name's with Domain\Username
if ($user =~ m|(\w+)[\\/](.+)|) {
($domain,$user) = ($1,$2);
}
if ($password eq "") {
$r->note_basic_auth_failure;
$r->log_error("user $user: no password supplied",$r->uri);
return Apache2::Const::HTTP_UNAUTHORIZED;
}
my $ldap = new Net::LDAP($ldapserver, port => $ldapport);
AuthNetLDAP.pm view on Meta::CPAN
my $mesg;
#initial bind as user in Apache config
if ($bindpwd ne "")
{
$mesg = $ldap->bind($binddn, password=>$bindpwd);
}
else
{
$mesg = $ldap->bind();
}
AuthNetLDAP.pm view on Meta::CPAN
if ( $pwattr ne "" )
{
my $altfieldvalue = $entry->get_value ( $pwattr );
$altfieldvalue =~ s/^\s+//;
$altfieldvalue =~ s/\s+$//;
if ($altfieldvalue eq $password)
{
return Apache2::Const::OK;
}
else
{
AuthNetLDAP.pm view on Meta::CPAN
}
}
}
else
{
$mesg = $ldap->bind($entry->dn(),password=>$password);
}
if (my $error = $mesg->code())
{
$r->note_basic_auth_failure;
$r->log_error("user $user: failed bind: $error",$r->uri);
return Apache2::Const::HTTP_UNAUTHORIZED;
}
my $error = $mesg->code();
my $dn = $entry->dn();
# $r->log_error("AUTHDEBUG user $dn:$password bind: $error",$r->uri);
return Apache2::Const::OK;
}
# Autoload methods go after =cut, and are processed by the autosplit program.
AuthNetLDAP.pm view on Meta::CPAN
AuthName "LDAP Test Auth"
AuthType Basic
#only set the next two if you need to bind as a user for searching
#PerlSetVar BindDN "uid=user1,ou=people,o=acme.com" #optional
#PerlSetVar BindPWD "password" #optional
PerlSetVar BaseDN "ou=people,o=acme.com"
PerlSetVar LDAPServer ldap.acme.com
PerlSetVar LDAPPort 389
#PerlSetVar UIDAttr uid
PerlSetVar UIDAttr mail
#PerlSetVar AlternatePWAttribute alternateAttribute
#PerlSetVar SearchScope base | one | sub # default is sub
#PerlSetVar LDAPFilter "(&(course=CSA)(class=A))" #optional
# Set if you want to encrypt communication with LDAP server
# and avoid sending clear text passwords over the network
PerlSetVar UseStartTLS yes | no
# Set if you want to allow an alternate method of authentication
PerlSetVar AllowAlternateAuth yes | no
AuthNetLDAP.pm view on Meta::CPAN
Used to set initial LDAP user.
=item PerlSetVar BindPWD
Used to set initial LDAP password.
=item PerlSetVar BaseDN
This sets the search base used when looking up a user in an LDAP server.
AuthNetLDAP.pm view on Meta::CPAN
The attribute used to lookup the user.
=item PerlSetVar AlternatePWAttribute
The an alternate attribute with which the $password will be tested.
This allows you to test with another attribute, instead of just
trying to bind the userdn and password to the ldap server.
If this option is used, then a BindDN and BindPWD must be used for the
initial bind.
=item PerlSetVar AllowAlternateAuth
AuthNetLDAP.pm view on Meta::CPAN
(&(&(course=41300)(year=3)(classCode=Y))(uid=nicku))
This will then allow nicku access only if nicku's LDAP entry has the
attribute course equal to 41300, the attribute year equal to 3, and
attribute classCode equal to Y. And of course, if the password is
correct. This may be useful for restricting access to a group of
users in a large directory, e.g., at a university.
=item PerlSetVar UseStartTLS
Optional; can be yes or no. If yes, will fail unless can start a TLS
encrypted connection to the LDAP server before sending passwords over
the network. Note that this requires that the optional module
IO::Socket::SSL is installed; this depends on Net::SSLeay, which
depends on openssl. Of course, the LDAP server must support Start TLS
also.
AuthNetLDAP.pm view on Meta::CPAN
AuthName "LDAP Test Auth"
AuthType Basic
#only set the next two if you need to bind as a user for searching
#PerlSetVar BindDN "uid=user1,ou=people,o=acme.com" #optional
#PerlSetVar BindPWD "password" #optional
PerlSetVar BaseDN "ou=people,o=acme.com"
PerlSetVar LDAPServer ldap.acme.com
PerlSetVar LDAPPort 389
PerlSetVar UIDAttr uid
PerlSetVar UseStartTLS yes # Assuming you installed IO::Socket::SSL, etc.
Apache2-AuthPAM
view release on metacpan or search on metacpan
my $r = shift;
# check first request
return OK unless $r->is_initial_req;
# get user password
my ($rc, $pw) = $r->get_basic_auth_pw;
# decline if not basic
return $rc if $rc;
or locations in your web server filesystem space.
Apache2::AuthPAM works as follows:
calls pam_start with the selected service.
calls pam_authenticate with the browser/apache supplied username and password.
calls pam_acct_mgmt.
calls pam_end.
If any of the PAM functions fail, Apache2::AuthPAM logs an info level message and returns C<AUTH_REQUIRED>.
If all PAM functions are succesfull, Apache2::AuthPAM logs an info level message and returns C<OK>.
Remember that if you don't use https (SSL) then your username and password is
transmitted on the network in plain text with each request. So if you are going
to use your system password database, you B<MUST> also use B<mod_ssl> or you
accounts will be easily compromised.
=head1 BUGS
Apache2::AuthPAM is running as the same user mod_perl is running
Apache2-AuthTicketLDAP
view release on metacpan or search on metacpan
AuthTicketLDAP.pm view on Meta::CPAN
return undef;
}
sub check_credentials {
my ($self, $user, $password) = @_;
my ($entry, $mesg);
# 1) check_ldap_cache for UID entry. Avoids anonymous search.
# 2) if not in cache, run a search and cache the result
# 3) lastly, bind with supplied password.
$entry = $self->ldap_cache($user) or return 0;
$mesg = $self->ldap->bind($entry->dn(), password => $password)
or die "$@";
if (!$mesg->is_error()) {
return 1;
}
AuthTicketLDAP.pm view on Meta::CPAN
against an LDAP database. It also implements I<CHI>-based, mmap'd file caching
of LDAP entries and SELECT queries.
Further differences between the two modules include:
1) Custom dbi_connect, supporting:
a) passwordless local connections
b) AutoCommit via TicketDBAutoCommit option
c) a couple of Informix-specific options (ISOLATION and LOCK MODE)
2) Use SHA512 instead of MD5 for digests
3) Support "require ldap_attribute myAttrib=Foo"
4) TicketThreshold: Only update database when a ticket timestamp is at least
AuthTicketLDAP.pm view on Meta::CPAN
an illusion -- cached files are only mapped into memory once.
LDAP authentication processing works similarly to mod_ldap/mod_authnz_ldap.
1) An anonymous search looks up a user on the LDAP server.
Returns 403 if unsuccessful. Otherwise, the entry is cached.
2) That user's LDAP entry DN and password is used to bind to
the server. Returns 403 if unsuccessful, OK if successful.
On the database side, everything works the same as I<Apache2::AuthTicket> except
that users are authenticated and authorized with LDAP instead.
Apache2-AuthZLDAP
view release on metacpan or search on metacpan
lib/Apache2/AuthZLDAP.pm view on Meta::CPAN
PerlSetVar LDAPTLScapath /path/to/cadir
# Set to a file that contains the CA cert
PerlSetVar LDAPTLScafile /path/to/cafile.pem
# Specifies a user/password to use for the bind
# If LDAPuser is not specified, AuthZLDAP will attempt an anonymous bind
PerlSetVar LDAPuser cn=user,o=org
PerlSetVar LDAPpassword secret
# Sets the LDAP search scope
# (base|one|sub)
# Defaults to sub
PerlSetVar LDAPscope sub
lib/Apache2/AuthZLDAP.pm view on Meta::CPAN
$LDAPTLS="no";
}
## bind
my $LDAPuser = $r->dir_config('LDAPuser');
my $LDAPpassword = $r->dir_config('LDAPpassword');
## baseDN and Filters
my $LDAPbaseDN = $r->dir_config('LDAPbaseDN');
my $LDAPscope = lc($r->dir_config('LDAPscope'));
my $LDAPfilter = $r->dir_config('LDAPfilter');
lib/Apache2/AuthZLDAP.pm view on Meta::CPAN
$r->log_error("Apache2::AuthZLDAP : $location, LDAP error could not start TLS : ".$mesg->error);
}
return Apache2::Const::HTTP_UNAUTHORIZED;
}
## user password bind if configured else anonymous
if (defined $LDAPuser and defined $LDAPpassword){
$mesg = $session->bind($LDAPuser,password=>$LDAPpassword);
}else{
$mesg = $session->bind();
}
if($mesg->code){
Apache2-AuthZSympa
view release on metacpan or search on metacpan
lib/Apache2/AuthNSympa.pm view on Meta::CPAN
'servers' => [ $cacheserver ],
'namespace' => 'AuthNSympa',
};
##collect informations from connection
my ($status, $password) = $r->get_basic_auth_pw;
$mail_user = $r->user;
unless ($status == Apache2::Const::OK){
$r->note_basic_auth_failure;
return $status
}
unless ($mail_user && $password){
$r->note_basic_auth_failure;
return Apache2::Const::AUTH_REQUIRED;
}
## key generation for cache : md5($mail_user + server name) -> prevents from errors when updating
my $user_key = md5_hex($mail_user.$SympaSoapServer);
my $hash_pass = md5_hex($password);
if (defined $cache){
my $cache_pass = $cache->get($user_key);
$cache_pass |= "";
if ($cache_pass eq $hash_pass){
return Apache2::Const::OK;
}
}
## authentify using SympaSoapServer
unless($soap->login($mail_user,$password)){
$r->note_basic_auth_failure;
return Apache2::Const::DECLINED;
}else{
$response=$soap->login($mail_user,$password);
}
## verify if error during soap service request
if ($soap_error==1){
my ($type_error,$detail) = &traite_soap_error($soap, $soap_res);
Apache2-Authen-Passphrase
view release on metacpan or search on metacpan
lib/Apache2/Authen/Passphrase.pm view on Meta::CPAN
our $VERSION = 0.002002;
use constant USER_REGEX => qr/^\w{2,20}$/pas;
use constant PASSPHRASE_VERSION => 1;
use constant INVALID_USER => "invalid-user\n";
use constant BAD_PASSWORD => "bad-password\n";
use if $ENV{MOD_PERL}, 'Apache2::RequestRec';
use if $ENV{MOD_PERL}, 'Apache2::RequestUtil';
use if $ENV{MOD_PERL}, 'Apache2::Access';
use if $ENV{MOD_PERL}, 'Apache2::Const' => qw/OK HTTP_UNAUTHORIZED/;
lib/Apache2/Authen/Passphrase.pm view on Meta::CPAN
=head1 SYNOPSIS
use Apache2::Authen::Passphrase qw/pwcheck pwset pwhash/;
$Apache2::Authen::Passphrase::rootdir = "/path/to/user/directory"
my $hash = pwhash $username, $password;
pwset $username, "pass123";
eval { pwcheck $username, "pass123" };
# In Apache2 config
<Location /secret>
lib/Apache2/Authen/Passphrase.pm view on Meta::CPAN
=head1 DESCRIPTION
Apache2::Authen::Passphrase is a perl module which provides easy-to-use Apache2 authentication. It exports some utility functions and it contains a PerlAuthenHandler.
The password hashes are stored in YAML files in an directory (called the C<rootdir>), one file per user.
Set the C<rootdir> like this:
$Apache2::Authen::Passphrase::rootdir = '/path/to/rootdir';
lib/Apache2/Authen/Passphrase.pm view on Meta::CPAN
=over
=item B<pwhash>()
Takes the password as a single argument and returns the password hash.
=item B<pwset>(I<$username>, I<$password>)
Sets the password of $username to $password.
=item B<pwcheck>(I<$username>, I<$password>)
Checks the given username and password, throwing an exception if the username is invalid or the password is incorrect.
=item B<handler>
The PerlAuthenHandler for use in apache2. It uses Basic Access Authentication.
lib/Apache2/Authen/Passphrase.pm view on Meta::CPAN
Exception thrown if the username does not match C<USER_REGEX>.
=item B<BAD_PASSWORD>
Exception thrown if the password is different from the one stored in the user's yml file.
=item B<PASSPHRASE_VERSION>
The version of the passphrase. It is incremented each time the passphrase hashing scheme is changed. Versions so far:
Apache2-AuthenDBMCache
view release on metacpan or search on metacpan
AuthenDBMCache.pm view on Meta::CPAN
dbmclose(%DBM);
}
# squish userid, password, config and realm into a hash
sub Digest {
use Digest::MD5;
my ($string)=Digest::MD5->md5_hex(@_);
AuthenDBMCache.pm view on Meta::CPAN
sub handler {
my $r = shift;
my $tmp;
# Get response and password
my($status, $passwd) = $r->get_basic_auth_pw;
return Apache2::Const::OK unless $r->is_initial_req;
return $status unless ($status == Apache2::Const::OK); # e.g. HTTP_UNAUTHORIZED
# Get configuration... are we debugging?
AuthenDBMCache.pm view on Meta::CPAN
# Get all parameters -- current config (to limit cache poison).
my $config=$r->dir_config(); $config=join(":",%$config);
# construct a unique key for userid/realm/config/password
my $key = Digest("$user $realm $config $passwd");
$r->log->debug("handler: user=$user") if $debug;
AuthenDBMCache.pm view on Meta::CPAN
$r->log->debug("handler: user cache stale") if $debug;
$r->push_handlers(PerlFixupHandler => \&manage_cache);
return Apache2::Const::DECLINED;
}
# Hash hasn't expired, password is ok, clear the stacked handlers
$r->log->debug("handler: $user cache hit") if $debug;
$r->set_handlers(PerlAuthenHandler => undef);
return Apache2::Const::OK;
}
AuthenDBMCache.pm view on Meta::CPAN
my $ttl = $r->dir_config('AuthenDBMCache_TTL') || 3600;
my $debug = (lc($r->dir_config('AuthenDBMCache_Debug')) eq 'on');
$cache=$tmp if ($tmp = $r->dir_config('AuthenDBMCache_file'));
# Get response and password
my ($status, $passwd) = $r->get_basic_auth_pw;
# Get username and Realm
AuthenDBMCache.pm view on Meta::CPAN
# Get all parameters -- current config
my $config=$r->dir_config(); $config=join(":",%$config);
# construct a unique key for userid/realm/config/password
my $key = Digest("$user $realm $config $passwd");
$r->log->debug("manage_cache: user=$user") if $debug;
AuthenDBMCache.pm view on Meta::CPAN
methods but it can be used with any perl authentication module).
When a authorization request is received this handler uses a DBM data
base cache to answer the request. Each entry in the cache is indexed
by a key which is a hash of user name, the authentication "realm", the
authentication parameters and the password. The value at the key is an
expiration date. If the supplied user name and password hash to a key
which exists and has not expired then the handler returns OK and
clears the downstream Authen handlers from the stack. Otherwise, it
returns DECLINED and allows the next PerlAuthenHandler in the stack to
be called.
AuthenDBMCache.pm view on Meta::CPAN
A caching mechanism is vulnerable to cache-poisoning -- we have made
an effort to prevent that but you should be cautious. Especially on
multi-user systems with users who aren't trustworthy.
The cache is not indexed by "userid" and the key is a one way hash
that includes the userid, password and more -- that is intentional. We
don't want bad guys cracking passwords out of the cache.
=head1 SEE ALSO
httpd(8), mod_perl2(1), Digest::MD5
Apache2-AuthenMSAD
view release on metacpan or search on metacpan
AuthenMSAD.pm view on Meta::CPAN
my $r = shift;
# Continue only if the first request.
# return OK unless $r->is_initial_req;
# Grab the password, or return in HTTP_UNAUTHORIZED
my ($res, $pass) = $r->get_basic_auth_pw;
return $res if $res;
my $user = $r->user;
AuthenMSAD.pm view on Meta::CPAN
my $domain = $r->dir_config('MSADDomain') || "no-domain";
my $server = $r->dir_config('MSADServer') || $domain;
if ($pass eq "") {
$r->note_basic_auth_failure;
$r->log_reason("user - no password supplied",$r->uri);
return Apache2::Const::HTTP_UNAUTHORIZED;
}
if ($user eq "") {
$r->note_basic_auth_failure;
AuthenMSAD.pm view on Meta::CPAN
$r->note_basic_auth_failure;
$r->log_reason("user - MSAD LDAP Connect Failed",$r->uri);
return Apache2::Const::HTTP_UNAUTHORIZED;
}
my $result= $ldap->bind (dn => "$user\@$domain", password => $pass);
if (!$result || ($result && $result->code)) {
$r->note_basic_auth_failure;
$r->log_reason("user - Active Directory Authen Failed",$r->uri);
return Apache2::Const::HTTP_UNAUTHORIZED;
}
AuthenMSAD.pm view on Meta::CPAN
It was tested in an production environment to work perfectly.
=head1 BEWARE
This builds on the Net::LDAP interface and as such passes the userid
and password in the clear. We've not been able to get Net::LDAPS to
work with Microsoft Active Directory. If anyone else has we'd dearly
love to hear from them.
=head1 AUTHOR
Apache2-AuthenNIS
view release on metacpan or search on metacpan
lib/Apache2/AuthenNIS.pm view on Meta::CPAN
was a direct adaptation of Michael Parker's (B<parker@austx.tandem.com>)
Apache::AuthenSmb module.
The module uses Net::NIS::yp_match to retrieve the "passwd" entry from the
passwd.byname map, using the supplied username as the search key. It then
uses crypt() to verify that the supplied password matches the retrieved
hashed password.
=head2 Parameters
=over 4
lib/Apache2/AuthenNIS.pm view on Meta::CPAN
if ( lc( $allowaltauth ) eq "yes" ) {
return Apache2::Const::DECLINED;
}
else {
$r->note_basic_auth_failure;
$r->log_error( __PACKAGE__, " - user $name: bad password", $r->uri );
return Apache2::Const::HTTP_UNAUTHORIZED;
}
}
return Apache2::Const::OK;
Apache2-AuthenNTLM-Cookie
view release on metacpan or search on metacpan
lib/Apache2/AuthenNTLM/Cookie.pm view on Meta::CPAN
This module extends L<Apache2::AuthenNTLM> with a cookie mechanism.
The parent module L<Apache2::AuthenNTLM> performs user authentication
via Microsoft's NTLM protocol; thanks to this mechanism, users are
automatically recognized from their Windows login, without having to
type a username and password. The server does not have to be a Windows
machine : it can be any platform, provided that it has access to a
Windows domain controller. On the client side, both Microsoft
Internet Explorer and Mozilla Firefox implement the NTLM protocol.
The NTLM handshake involves several packet exchanges, and furthermore
Apache2-AuthenNTLM
view release on metacpan or search on metacpan
AuthenNTLM.pm view on Meta::CPAN
print STDERR "[$$] AuthenNTLM: Verify user $self->{username} via smb server\n" if ($debug) ;
if ($self -> {basic})
{
$rc = Authen::Smb::Valid_User_Auth ($self -> {smbhandle}, $self->{username}, $self -> {password}) ;
}
else
{
$rc = Authen::Smb::Valid_User_Auth ($self -> {smbhandle}, $self->{username}, $self -> {usernthash}, 1, $self->{userdomain}) ;
}
AuthenNTLM.pm view on Meta::CPAN
$self -> {smbhandle} = undef ;
$self -> {lock} = undef ;
if ($rc == &Authen::Smb::NTV_LOGON_ERROR)
{
$r->log_error("Wrong password/user (rc=$rc/$errno/$smberr): $self->{userdomain}\\$self->{username} for " . $r -> uri) ;
print STDERR "[$$] AuthenNTLM: rc = $rc ntlmhash = $self->{usernthash}\n" if ($debug) ;
return ;
}
if ($rc)
AuthenNTLM.pm view on Meta::CPAN
sub get_basic
{
my ($self, $r, $data) = @_ ;
($self -> {username}, $self -> {password}) = split (/:/, $data) ;
my ($domain, $username) = split (/\\|\//, $self -> {username}) ;
if ($username)
{
$self -> {domain} = $domain ;
AuthenNTLM.pm view on Meta::CPAN
The purpose of this module is to perform a user authentication via Microsoft's
NTLM protocol. This protocol is supported by all versions of the Internet
Explorer and is mainly useful for intranets. Depending on your preferences
setting IE will supply your windows logon credentials to the web server
when the server asks for NTLM authentication. This saves the user to type in
his/her password again.
The NTLM protocol performs a challenge/response to exchange a random number
(nonce) and get back a md4 hash, which is built from the user's password
and the nonce. This makes sure that no password goes over the wire in plain text.
The main advantage of the Perl implementation is, that it can be easily extended
to verify the user/password against other sources than a windows domain controller.
The defaultf implementation is to go to the domain controller for the given domain
and verify the user. If you want to verify the user against another source, you
can inherit from Apache2::AuthenNTLM and override it's methods.
To support users that aren't using Internet Explorer, Apache2::AuthenNTLM can
AuthenNTLM.pm view on Meta::CPAN
=item $self -> {username}
The username
=item $self -> {password}
The password when doing basic authentication
=item $self -> {usernthash}
The md4 hash when doing ntlm authentication
Apache2-AuthenRadius
view release on metacpan or search on metacpan
AuthenRadius.pm view on Meta::CPAN
use APR::SockAddr;
use Authen::Radius;
$VERSION = '0.9';
# Create my own method to check a password
# The Authen::Radius->check_pwd method was too restrictive
# to use. We needed a function that returned all possible
# values.
sub chk_passwd {
my ($rad, $uname, $upwd, $nas) = @_;
AuthenRadius.pm view on Meta::CPAN
return OK unless $r->is_initial_req();
my $reqs_arr = $r->requires;
return OK unless $reqs_arr;
# Grab the password, or return if HTTP_UNAUTHORIZED
my($res,$pass) = $r->get_basic_auth_pw;
return $res if $res;
# Get the user name.
my $user = $r->user;
AuthenRadius.pm view on Meta::CPAN
my $secret2 = $r->dir_config("Auth_Radius_secret2");
# Timeout to wait for a response from the radius server.
my $timeout = $r->dir_config("Auth_Radius_timeout") || 5;
# Sanity for usernames and passwords.
if (length $user > 64 or $user =~ /[^A-Za-z0-9\@\.\-\_\#\:]/) {
$r->log_reason("Apache2::AuthenRadius username too long or"
."contains illegal characters. URI:", $r->uri);
$r->note_basic_auth_failure;
return HTTP_UNAUTHORIZED;
AuthenRadius.pm view on Meta::CPAN
if ($r->dir_config("Auth_Radius_postfixToUsername")) {
$user .= $r->dir_config("Auth_Radius_postfixToUsername");
}
if (length $pass > 256) {
$r->log_reason("Apache2::AuthenRadius password too long. URI:",$r->uri);
$r->note_basic_auth_failure;
return HTTP_UNAUTHORIZED;
}
# Create the object for the primary RADIUS query
AuthenRadius.pm view on Meta::CPAN
Auth_Radius_prependToUsername
Prefix's a string to the beginning of the user name that is sent to
the Radius Server. This would typically be in the form of REALM/ or
REALM%. Most Radius servers support prefixed or suffixed realms and
so allow for different user name / password lists.
You can both postfix and prefix a realm at the same time. Your
radius server might not deal with it very well.
=item *
Auth_Radius_postfixToUsername
Postfix's a string to the end of the user name that is sent to
the Radius Server. This would typically be in the form of @REALM or
%REALM. Most Radius servers support prefixed or suffixed realms and
so allow for different user name / password lists.
You can both postfix and prefix a realm at the same time. Your
radius server might not deal with it very well.
=head1 CONFIGURATION
Apache2-AuthenSecurID
view release on metacpan or search on metacpan
Auth/Auth.pm view on Meta::CPAN
6 digit SecurID code. If you do not have<br/>
a PIN yet just enter the 6 digit SecurID code.
};
$extra_input = qq{
<label for="passcode">Passcode :</label>
<input type="password" name="passcode" id="passcode"/>
<input type="hidden" name="type" value="check"/>
<input type="hidden" name="a" value="$uri"/>
};
}
else {
Auth/Auth.pm view on Meta::CPAN
my $message;
my $extra_info = qq{
<span style="font-weight: bold;">User Authenticated</span>
<label for="pin1">PIN :</label>
<input type="password" name="pin1" id="pin1"/>
<input type="hidden" name="type" value="pin"/>
<input type="hidden" name="a" value="$uri"/>
<input type="hidden" name="alphanumeric" value="$alphanumeric"/>
<input type="hidden" name="min_pin_len" value="$min_pin_len"/>
<input type="hidden" name="max_pin_len" value="$max_pin_len"/>
<label for="pin1">PIN ( Again ) :</label>
<input type="password" name="pin2" id="pin2"/>
};
if ( $pin1 != $pin2 ) {
$message = qq{
<span style="font-weight: bold;">New Pin Required</span>
Auth/Auth.pm view on Meta::CPAN
my ( $result, $info, $r, $crypt, $req, $username ) = @_;
my $message;
my $uri = $req->param('a');
my $extra_input = qq{
<label for="passcode">Passcode :</label>
<input type="password" name="passcode" id="passcode"/>
<input type="hidden" name="type" value="check"/>
<input type="hidden" name="a" value="$uri"/>
};
my $time = time();
Auth/Auth.pm view on Meta::CPAN
the 6 digit SecurID token code.
</p>
};
$extra_input = qq{
<label for="passcode">Passcode :</label>
<input type="password" name="passcode" id="passcode"/>
<input type="hidden" name="type" value="next"/>
<input type="hidden" name="a" value="$uri"/>
};
}
elsif ( $result == 5 ) {
Auth/Auth.pm view on Meta::CPAN
Please enter a $$info{min_pin_len} to $$info{max_pin_len} digit pin.
</p>
|;
$extra_input = qq|
<label for="pin1">PIN :</label>
<input type="password" name="pin1" id="pin1"/>
<input type="hidden" name="type" value="pin"/>
<input type="hidden" name="a" value="$uri"/>
<input type="hidden" name="alphanumeric" value="$$info{alphanumeric}"/>
<input type="hidden" name="min_pin_len" value="$$info{min_pin_len}"/>
<input type="hidden" name="max_pin_len" value="$$info{max_pin_len}"/>
<label for="pin1">PIN ( Again ) :</label>
<input type="password" name="pin2" id="pin2"/>
|;
}
else {
$message = qq|
Apache2-AuthenSmb
view release on metacpan or search on metacpan
AuthenSmb.pm view on Meta::CPAN
$bdc,
$domain);
unless($return == 0) {
$r->note_basic_auth_failure;
$r->log_error("user $name: password mismatch", $r->uri);
return Apache2::Const::HTTP_UNAUTHORIZED;
}
unless (@{ $r->get_handlers("PerlAuthzHandler") || []}) {
$r->push_handlers(PerlAuthzHandler => \&authz);
Apache2-AuthzNIS
view release on metacpan or search on metacpan
lib/Apache2/AuthzNIS.pm view on Meta::CPAN
=head2 Apache2::AuthenNIS vs. Apache2::AuthzNIS
The following comments are from Apache::AuthzNIS.
I've taken "authentication" to be meaningful only in terms of a user and
password combination, not group membership. This means that you can use
Apache::AuthenNIS with the B<require user> and B<require valid-user>
directives. In the NIS context I consider B<require group> to be an
"authorization" concern. I.e., Group authorization consists of
establishing whether the already authenticated user is a member of one of
the indicated groups in the B<require group> directive. This process may
Apache2-ClickPath
view release on metacpan or search on metacpan
lib/Apache2/ClickPath.pm view on Meta::CPAN
C<ClickPathSecret> is given as C<http:>, C<https:>, C<file:> or C<data:> URL.
Thus the secret can be stored directly as data-URL in the httpd.conf or in a
separate file on the local disk or on a possibly secured server. To enable
all modes of accessing the WEB the http(s)-URL syntax is a bit extented.
Maybe you have already used C<http://user:password@server.tld/...>. Many
browsers allow this syntax to specify a username and password for HTTP
authentication. But how about proxies, SSL-authentication etc? Well, add
another colon (:) after the password and append a semicolon (;) delimited
list of C<key=value> pairs. The special characters (@:;\) can be quoted
with a backslash (\). In fact, all characters can be quoted. Thus, C<\a> and
C<a> produce the same string C<a>.
The following keys are defined:
lib/Apache2/ClickPath.pm view on Meta::CPAN
=item B<https_proxy>
=item B<https_proxy_username>
=item B<https_proxy_password>
=item B<https_version>
=item B<https_cert_file>
lib/Apache2/ClickPath.pm view on Meta::CPAN
=item B<https_ca_dir>
=item B<https_pkcs12_file>
=item B<https_pkcs12_password>
their meaning is defined in L<Crypt::SSLeay>.
=item B<http_proxy>
=item B<http_proxy_username>
=item B<http_proxy_password>
these are passed to L<LWP::UserAgent>.
Remember a HTTP-proxy is accessed with the GET or POST, ... methods whereas
a HTTPS-proxy is accessed with CONNECT. Don't mix them, see L<Crypt::SSLeay>.
lib/Apache2/ClickPath.pm view on Meta::CPAN
B<Examples>
ClickPathSecret https://john:a\@b\;c\::https_ca_file=/my/ca.pem@secrethost.tld/bin/secret.pl?host=me
fetches the secret from C<https://secrethost.tdl/bin/secret.pl?host=me>
using C<john> as username and C<a@b;c:> as password. The server certificate
of secrethost.tld is verified against the CA certificate found in
C</my/ca.pem>.
ClickPathSecret https://::https_pkcs12_file=/my/john.p12;https_pkcs12_password=a\@b\;c\:;https_ca_file=/my/ca.pem@secrethost.tld/bin/secret.pl?host=me
fetches the secret again from C<https://secrethost.tdl/bin/secret.pl?host=me>
using C</my/john.p12> as client certificate with C<a@b;c:> as password.
The server certificate of secrethost.tld is again verified against the CA
certificate found in C</my/ca.pem>.
ClickPathSecret data:,password:very%20secret%20password
here a data-URL is used that produces the content
C<password:very secret password>.
The URL's content is fetched by L<LWP::UserAgent> once at server startup.
Its content defines the secret either in binary form or as string of
hexadecimal characters or as a password. If it starts with C<binary:> the
rest of the content is taken as is as the key. If it starts with C<hex:>
C<pack( 'H*', $arg )> is used to convert it to binary. If it starts with
C<password:> or with neither of them the MD5 digest of the rest of the
content is used as secret.
The Blowfish algorithm allows up to 56 bytes as secret. In hex and binary
mode the starting 56 bytes are used. You can specify more bytes but they
won't be regarded. In password mode the MD5 algorithm produces
16 bytes long secret.
=back
=head2 Working with a load balancer
Apache2-Controller
view release on metacpan or search on metacpan
lib/Apache2/Controller/Directives.pm view on Meta::CPAN
},
{
name => 'A2C_DBI_Password',
req_override => Apache2::Const::OR_ALL,
args_how => Apache2::Const::TAKE1,
errmsg => 'example: A2C_DBI_Password database_password',
},
{
name => 'A2C_DBI_Options',
req_override => Apache2::Const::OR_ALL,
args_how => Apache2::Const::ITERATE2,
lib/Apache2/Controller/Directives.pm view on Meta::CPAN
=head2 A2C_DBI_Password
A2C_DBI_Password jeebee
Single argument, the DBI password.
=cut
sub A2C_DBI_Password {
my ($self, $parms, $password) = @_;
($password) = $password =~ m{ \A (.*) \z }mxs;
$self->{A2C_DBI_Password} = $password;
}
=head2 A2C_DBI_Options
Multiple arguments.
Apache2-Dummy-RequestRec
view release on metacpan or search on metacpan
RequestRec.pm view on Meta::CPAN
my $result = $ct =~ /json/i ? from_json(unescapeURIString($body)) : $body;
ok(Compare($result, $exp_res), "body");
}
test_http_handler('My::Apache::Request::handler', { redirect => "https://localhost/" }, 55, 'application/json', login => 'mylogin', password => 'mypasswd');
=head1 DESCRIPTION
B<Apache2::Dummy::RequestRec> can be used to test Apache2 mod_perl request handlers without an actual web server running. The difference to other similar modules is, that it uses L<APR::Table> and L<APR::Pool> to act much more like a real Apache.
Apache2-POST200
view release on metacpan or search on metacpan
SYNOPSIS
LoadModule perl_module ...
PerlLoadModule Apache2::POST200;
POST200Storage dbi:mysql:db=db:localhost user password
POST200Table p200 session data
PerlOutputFilterHandler Apache2::POST200::Filter
<Location "/-redirect-">
SetHandler modperl
PerlResponseHandler Apache2::POST200::Response
# This is now a forward proxy setup.
Listen localhost:8080
<VirtualHost localhost:8080>
POST200Storage dbi:mysql:db=db:localhost user password
POST200Table p200 session data
PerlOutputFilterHandler Apache2::POST200::Filter
<Location "/-localhost-8080-">
SetHandler modperl
PerlResponseHandler Apache2::POST200::Response
The module itself is loaded from the Apache configuration file via a
"PerlLoadModule" directive. It then provides a few configuration
directives of its own. All directives are allowed in server config,
virtual host and directory contexts.
Post200Storage dsn user password
"Post200Storage" describes the database to be used. All 3 parameter
are passed to the DBI::connect method, see DBI. User and password
can be omitted if the database supports it.
"Post200Storage None" disables the output filter. That means replies
with a HTTP code 200 to a POST request are delivered as is.
Apache2-PageKit
view release on metacpan or search on metacpan
eg/Model/MyPageKit/Common.pm view on Meta::CPAN
my $sql_str = "SELECT user_id, passwd FROM pkit_user WHERE login=?";
my ($user_id, $dbpasswd) = $dbh->selectrow_array($sql_str, {}, $login);
unless ($user_id && $dbpasswd && $epasswd eq crypt($dbpasswd,$epasswd)){
$model->pkit_gettext_message("Your login/password is invalid. Please try again.",
is_error => 1);
return;
}
no strict 'refs';
Apache2-REST
view release on metacpan or search on metacpan
lib/Apache2/REST/Handler/login.pm view on Meta::CPAN
sub GET{
my ( $self , $req , $resp ) = @_ ;
my $email = $req->param('email') ;
my $password = $req->param('password') ;
## DUMMY
if ( $email ne 'fail'){
my $uid = $SERIAL++ ;
$resp->data()->{'uid'} = $uid ;
Apache2-SQLRequest
view release on metacpan or search on metacpan
lib/Apache2/SQLRequest.pm view on Meta::CPAN
(__PACKAGE__.'::Config', $r->server);
my $dconf = Apache2::Module::get_config
(__PACKAGE__.'::Config', $r->server, $r->per_dir_config);
map { $r->{$_} ||= defined $dconf->{$_} ? $dconf->{$_} :
defined $conf->{$_} ? $conf->{$_} : '' } qw(dsn user password);
# guarantee the dbi
$r->log->debug(sprintf("dsn: '%s', user: '%s', pass: '%s'",
map { defined $_ ? $_ : '' } @{$r}{qw(dsn user password)}));
require DBI;
$r->log->debug("DBI loaded.");
my $dbh = $r->{dbh} = $DBCONNS{$r->{dsn}} ||=
#join(" ", @{$r}{qw(dsn user password)});
DBI->connect(@{$r}{qw(dsn user password)}) or die
"Cannot connect to database with dsn $r->{dsn}: " . DBI->errstr;
$r->log->debug("DBI really loaded.");
# configuration is transient
$r->{sth} ||= {};
Apache2-SiteControl
view release on metacpan or search on metacpan
lib/Apache2/SiteControl/Radius.pm view on Meta::CPAN
sub check_credentials
{
my $r = shift; # Apache request object
my $username = shift;
my $password = shift;
my $host = $r->dir_config("RadiusSiteControlHost") || "localhost";
my $secret = $r->dir_config("RadiusSiteControlSecret") || "unknown";
my $radius;
# Get my IP address to pass as the
lib/Apache2/SiteControl/Radius.pm view on Meta::CPAN
$radius = new Authen::Radius(Host => $host, Secret => $secret);
if(!$radius) {
$r->log_error("Could not contact radius server!");
return 0;
}
if($radius->check_pwd($username, $password, $nas_ip_address)) {
return 1;
}
$r->log_error("User $username failed authentication:" . $radius->strerror);
return 0;
}
Apache2-Translation
view release on metacpan or search on metacpan
lib/Apache2/Translation/DB.pm view on Meta::CPAN
use strict;
use warnings;
no warnings qw(uninitialized);
use DBI;
use Class::Member::HASH -CLASS_MEMBERS=>qw/database user password table
key uri block order action notes
cachesize cachetbl cachecol
singleton id is_initialized
seqtbl seqnamecol seqvalcol
idseqname dbinit
lib/Apache2/Translation/DB.pm view on Meta::CPAN
}
sub connect {
my $I=shift;
my $dbh=$I->_dbh=DBI->connect( $I->database, $I->user, $I->password,
{
AutoCommit=>1,
PrintError=>0,
RaiseError=>1,
} );
Apache2-UploadProgress
view release on metacpan or search on metacpan
extra/progress.js view on Meta::CPAN
return ret;
};
this.setRequestHeader = function(header, value) {
this._headers[this._headers.length] = {h:header, v:value};
};
this.open = function(method, url, async, user, password) {
this.method = method;
this.url = url;
this._async = true;
this._aborted = false;
if (arguments.length >= 3) {
this._async = async;
}
if (arguments.length > 3) {
// user/password support requires a custom Authenticator class
opera.postError('XMLHttpRequest.open() - user/password not supported');
}
this._headers = [];
this.readyState = 1;
if (this.onreadystatechange) {
this.onreadystatechange();
Apache2-WebApp-Extra-Admin
view release on metacpan or search on metacpan
lib/Apache2/WebApp/Extra/Admin.pm view on Meta::CPAN
The login information below is currently set-up by default. In order to
manage user access this account must exist within your C<htpasswd>
User Name admin
Password password
=head1 OPTIONAL
If database support is available, you can log control panel user actions
to a database. The database table to store logging information is
lib/Apache2/WebApp/Extra/Admin.pm view on Meta::CPAN
=head1 DEBUG MODE
If debugging is enabled, the URI and query string are logged. This can
pose as a security risk when running in a production environment since
personal information (including passwords) may be exposed.
=head1 SEE ALSO
L<Apache2::WebApp>, L<Apache2::WebApp::Plugin::DBI>,
L<Apache2::WebApp::Plugin::DateTime>, L<Apache::Htpasswd>
Apache2-WebApp-Plugin-DBI
view release on metacpan or search on metacpan
lib/Apache2/WebApp/Plugin/DBI.pm view on Meta::CPAN
my $driver = $config->{driver};
my $host = $config->{host} || 'localhost';
my $name = $config->{name};
my $user = $config->{user};
my $password = $config->{password};
my $commit = $config->{commit};
return if (!$name && !$user && !$password);
return DBI->connect(
"dbi:$driver:$name:$host", $user, $password,
{
PrintError => 1,
RaiseError => 1,
AutoCommit => ($commit) ? 1 : 0,
}
lib/Apache2/WebApp/Plugin/DBI.pm view on Meta::CPAN
[database]
driver = mysql
host = localhost
name = database
user = foo
password = bar
auto_commit = 0
=head1 OBJECT METHODS
=head2 connect
lib/Apache2/WebApp/Plugin/DBI.pm view on Meta::CPAN
my $dbh = $c->plugin('DBH')->connect({
driver => 'mysql',
host => 'localhost',
name => 'database',
user => 'bar',
password => 'baz',
commit => 1 || 0,
});
my $sth = $dbh->prepare("SELECT * FR..");
( run in 0.972 second using v1.01-cache-2.11-cpan-ff066701436 )