Result:
found more than 505 distributions - search limited to the first 2001 files matching your query
( run in 1.214 )
Apache-ASP
view release on metacpan or search on metacpan
the child httpd init cost of StatINC. Documented.
+Made Apache::ASP Basic Authorization friendly so authentication
can be handled by ASP scripts. If AuthName and AuthType Apache
config directives are set, and a $Response->{Status} is set to
401, a user will be prompted for username/password authentication
and the entered data will show up in ServerVariables as:
$env = $Request->ServerVariables
$env->{REMOTE_USER} = $env->{AUTH_USER} = username
$env->{AUTH_PASSWD} = password
$env->{AUTH_NAME} = your realm
$env->{AUTH_TYPE} = 'Basic'
This is the same place to find auth data as if Apache had some
authentication handler deal with the auth phase separately.
Apache-Admin-Config
view release on metacpan or search on metacpan
lib/Apache/Admin/Config.pm view on Meta::CPAN
anonymous CVS repository:
CVS_RSH=ssh cvs -d anonymous@cvs.rhapsodyk.net:/devel co Apache-Admin-Config
(supply an empty string as password)
CVS repository on the web:
http://www.rhapsodyk.net/cgi-bin/cvsweb/Apache-Admin-Config/
Apache-AppSamurai
view release on metacpan or search on metacpan
examples/htdocs/login.pl view on Meta::CPAN
my $serverkey = '';
if (exists($dirconfig->{$auth_name . "SessionServerPass"})) {
my $serverpass = $dirconfig->{$auth_name . "SessionServerPass"};
($serverpass =~ s/^\s*([[:print:]]{8,}?)\s*$/$1/s) ||
die('error', "login.pl(): Invalid ${auth_name}SessionServerPass (must be use at least 8 printable characters\n");
($serverpass =~ /^(password|serverkey|serverpass|12345678)$/i) &&
die("login.pl: ${auth_name}SessionServerPass is $1... That is too lousy\n");
($serverkey = HashPass($serverpass)) || die("login.pl: Problem computing server key hash for $auth_name");
} elsif (exists($dirconfig->{$auth_name . "SessionServerKey"})) {
Apache-Auth-UserDB
view release on metacpan or search on metacpan
lib/Apache/Auth/User.pm view on Meta::CPAN
##############################################################################
sub new;
sub name;
sub password;
sub password_digest;
# Implementation:
##############################################################################
sub new {
lib/Apache/Auth/User.pm view on Meta::CPAN
my ($self, @value) = @_;
$self->{name} = $value[0] if @value;
return $self->{name};
}
sub password {
my ($self, @value) = @_;
if (@value) {
$self->{password} = $value[0];
$self->{password_digest} = undef;
}
return $self->{password};
}
sub password_digest {
my ($self, @value) = @_;
if (@value) {
$self->{password_digest} = $value[0];
}
elsif (not defined($self->{password_digest})) {
$self->{password_digest} = $self->_build_password_digest();
}
return $self->{password_digest};
}
TRUE;
Apache-AuthCAS
view release on metacpan or search on metacpan
lib/Apache/AuthCAS.pm view on Meta::CPAN
my $PROD_DB_PGTIOU_TABLE = "cas_pgtiou_to_pgt";
# the user to connnect to the database with
my $DB_USER = "";
my $DEVEL_DB_USER = "develuser";
my $PROD_DB_USER = "produser";
# the password to connect to the databse with
my $DB_PASS = "";
my $DEVEL_DB_PASS = "develpass";
my $PROD_DB_PASS = "prodpass";
# whether or not we want redirect magic to remove service ticket from URL
my $DEFAULT_REMOVE_TICKET = "0";
lib/Apache/AuthCAS.pm view on Meta::CPAN
$DB_USER = $DEVEL_DB_USER;
Apache->warn("$$: CAS: initialize(): setting database user to $DB_USER") unless ($LOG_LEVEL < $LOG_INFO);
}
if ($tmp = $r->dir_config("CASDatabasePass")) {
$DB_PASS = $tmp;
Apache->warn("$$: CAS: initialize(): setting database password to $DB_PASS") unless ($LOG_LEVEL < $LOG_INFO);
} elsif ($PRODUCTION) {
$DB_PASS = $PROD_DB_PASS;
Apache->warn("$$: CAS: initialize(): setting database password to $DB_PASS") unless ($LOG_LEVEL < $LOG_INFO);
} else {
# default
$DB_PASS = $DEVEL_DB_PASS;
Apache->warn("$$: CAS: initialize(): setting database password to $DB_PASS") unless ($LOG_LEVEL < $LOG_INFO);
}
if (!$DB_HOST or !$DB_PORT or !$DB_NAME or !$DB_USER or !$DB_PASS) {
Apache->warn("$$: CAS: initialize(): database not properly configured. Please specify: 'CASDatabaseHost', 'CASDatabasePort', 'CASDatabaseName', 'CASDatabaseUser', 'CASDatabasePassword'");
}
lib/Apache/AuthCAS.pm view on Meta::CPAN
with PerlSetVar params (see below for examples).
You can configure this module by placing the devel/production settings in the
module itself. This is particular handy if you would like to make
authentication with this module available via .htaccess to users whom you would
rather not share the database username/password with.
Any options that are not set in the Apache configuration will default to the
values preconfigured in the Apache::AuthCAS module. Either explicitly override
those options that do not match your environment or set them in the module
itself.
lib/Apache/AuthCAS.pm view on Meta::CPAN
PerlSetVar CASDatabaseName "cas"
# the user to connnect to the database with
PerlSetVar CASDatabaseUser "dbuser"
# the password to connect to the databse with
PerlSetVar CASDatabasePass "dbpass"
# the name of the session table
PerlSetVar CASDatabaseSessionTable "cas_sessions"
Apache-AuthCASSimple
view release on metacpan or search on metacpan
lib/Apache/AuthCASSimple.pm view on Meta::CPAN
=head1 DESCRIPTION
Apache::AuthCASSimple is a module for Apache/mod_perl. It allow you to
authentificate users trough a CAS server. It means you don't need
to give login/password if you've already be authentificate by the CAS
server, only tickets are exchanged between Web client, Apache server
and CAS server. If you not're authentificate yet, you'll be redirect
on the CAS server login form.
=head1 SYNOPSIS
Apache-AuthChecker
view release on metacpan or search on metacpan
AuthChecker.pm view on Meta::CPAN
require valid-user
Parameters:
AuthUserFile - path to your passwords htpasswd-made file (REQUIRED).
MaxFailedAttempts - Maximum attempts we give user to mistype password
(OPTIONAL, default - 8).
RedirectURI - URI (not URL!) to redirect attacker then he runs out
attempts limit ((OPTIONAL, default - /).
For example: /you_are_blocked.html
Apache-AuthCookie
view release on metacpan or search on metacpan
lib/Apache/AuthCookie.pm view on Meta::CPAN
=over 4
=item 1.
The client doesn't *have* to pass the user credentials on every
subsequent access. If you're using passwords, this means that the
password can be sent on the first request only, and subsequent
requests don't need to send this (potentially sensitive) information.
This is known as "ticket-based" authentication.
=item 2.
lib/Apache/AuthCookie.pm view on Meta::CPAN
( session key cookie) ) | current request and creates sub |
(-----------------------) | request for the error document. |<-+
| Error document is a script that | |
| generates a form where the user | |
return | enters authentication | |
^------------------->| credentials (login & password). | |
/ \ False +---------------------------------+ |
/ \ | |
/ \ | |
/ \ V |
/ \ +---------------------------------+ |
lib/Apache/AuthCookie.pm view on Meta::CPAN
(---------------------)
* The session key that the client gets can be anything you want. For
example, encrypted information about the user, a hash of the
username and password (similar in function to Digest
authentication), or the user name and password in plain text
(similar in function to HTTP Basic authentication).
The only requirement is that the authen_ses_key function that you
create must be able to determine if this session_key is valid and
map it back to the originally authenticated user ID.
lib/Apache/AuthCookie.pm view on Meta::CPAN
server configuration as handled by the ->login() method - see example
in the SYNOPSIS section).
=item 2.
The various user input fields (username, passwords, etc.) must be
named 'credential_0', 'credential_1', etc. on the form. These will
get passed to your authen_cred() method.
=item 3.
lib/Apache/AuthCookie.pm view on Meta::CPAN
=back
In addition, you might want your login page to be able to tell why
the user is being asked to log in. In other words, if the user sent
bad credentials, then it might be useful to display an error message
saying that the given username or password are invalid. Also, it
might be useful to determine the difference between a user that sent
an invalid auth cookie, and a user that sent no auth cookie at all. To
cope with these situations, B<AuthCookie> will set
C<$r-E<gt>subprocess_env('AuthCookieReason')> to one of the following values.
lib/Apache/AuthCookie.pm view on Meta::CPAN
requires user programmør
=head1 ABOUT SESSION KEYS
Unlike the sample AuthCookieHandler, you have you verify the user's
login and password in C<authen_cred()>, then you do something
like:
my $date = localtime;
my $ses_key = MD5->hexhash(join(';', $date, $PID, $PAC));
Apache-AuthCookieDBI
view release on metacpan or search on metacpan
AuthCookieDBI.pm view on Meta::CPAN
PerlSetVar WhatEverDBI_DSN "DBI:mysql:database=test"
PerlSetVar WhatEverDBI_SecretKey "489e5eaad8b3208f9ad8792ef4afca73598ae666b0206a9c92ac877e73ce835c"
# These are optional, the module sets sensible defaults.
PerlSetVar WhatEverDBI_User "nobody"
PerlSetVar WhatEverDBI_Password "password"
PerlSetVar WhatEverDBI_UsersTable "users"
PerlSetVar WhatEverDBI_UserField "user"
PerlSetVar WhatEverDBI_PasswordField "password"
PerlSetVar WhatEverDBI_CryptType "none"
PerlSetVar WhatEverDBI_GroupsTable "groups"
PerlSetVar WhatEverDBI_GroupField "grp"
PerlSetVar WhatEverDBI_GroupUserField "user"
PerlSetVar WhatEverDBI_EncryptionType "none"
AuthCookieDBI.pm view on Meta::CPAN
=head1 DESCRIPTION
This module is an authentication handler that uses the basic mechanism provided
by Apache::AuthCookie with a DBI database for ticket-based protection. It
is based on two tokens being provided, a username and password, which can
be any strings (there are no illegal characters for either). The username is
used to set the remote user as if Basic Authentication was used.
On an attempt to access a protected location without a valid cookie being
provided, the module prints an HTML login form (produced by a CGI or any
other handler; this can be a static file if you want to always send people
to the same entry page when they log in). This login form has fields for
username and password. On submitting it, the username and password are looked
up in the DBI database. The supplied password is checked against the password
in the database; the password in the database can be plaintext, or a crypt()
or md5_hex() checksum of the password. If this succeeds, the user is issued
a ticket. This ticket contains the username, an issue time, an expire time,
and an MD5 checksum of those and a secret key for the server. It can
optionally be encrypted before returning it to the client in the cookie;
encryption is only useful for preventing the client from seeing the expire
time. If you wish to protect passwords in transport, use an SSL-encrypted
connection. The ticket is given in a cookie that the browser stores.
After a login the user is redirected to the location they originally wished
to view (or to a fixed page if the login "script" was really a static file).
AuthCookieDBI.pm view on Meta::CPAN
$c{DBI_user} = _dir_config_var( $r, 'DBI_User' )
|| undef;
=item C<WhatEverDBI_Password>
The password to use to access the database. This is not required
and defaults to undef.
=cut
$c{DBI_password} = _dir_config_var( $r, 'DBI_Password' )
|| undef;
=item C<WhatEverDBI_UsersTable>
The table that user names and passwords are stored in. This is not
required and defaults to 'users'.
=cut
$c{DBI_userstable} = _dir_config_var( $r, 'DBI_UsersTable' )
AuthCookieDBI.pm view on Meta::CPAN
$c{DBI_userfield} = _dir_config_var( $r, 'DBI_UserField' )
|| 'user';
=item C<WhatEverDBI_PasswordField>
The field in the above table that has the password. This is not
required and defaults to 'password'.
=cut
$c{DBI_passwordfield} = _dir_config_var( $r, 'DBI_PasswordField' )
|| 'password';
=item C<WhatEverDBI_CryptType>
What kind of hashing is used on the password field in the database. This can
be 'none', 'crypt', or 'md5'. This is not required and defaults to 'none'.
=cut
$c{DBI_crypttype} = _dir_config_var( $r, 'DBI_CryptType' )
AuthCookieDBI.pm view on Meta::CPAN
=item C<WhatEverDBI_EncryptionType>
What kind of encryption to use to prevent the user from looking at the fields
in the ticket we give them. This is almost completely useless, so don't
switch it on unless you really know you need it. It does not provide any
protection of the password in transport; use SSL for that. It can be 'none',
'des', 'idea', 'blowfish', or 'blowfish_pp'.
This is not required and defaults to 'none'.
=cut
AuthCookieDBI.pm view on Meta::CPAN
# a new session key for this user that can be stored in the cookie.
# If there is a problem, return a bogus session key.
sub authen_cred {
my ( $self, $r, @credentials ) = @_;
my ( $user, $password, @extra_credentials ) = @credentials;
my $auth_name = $r->auth_name;
( $user, $password ) = _defined_or_empty( $user, $password );
if ( !length $user ) {
$r->log_reason(
"Apache::AuthCookieDBI: no username supplied for auth realm $auth_name",
$r->uri
);
return;
}
if ( !length $password ) {
$r->log_reason(
"Apache::AuthCookieDBI: no password supplied for auth realm $auth_name",
$r->uri
);
return;
}
# get the configuration information.
my %c = _dbi_config_vars $r;
# get the crypted password from the users database for this user.
my $dbh = DBI->connect( $c{DBI_DSN}, $c{DBI_user}, $c{DBI_password} );
unless ( defined $dbh ) {
$r->log_reason(
"Apache::AuthCookieDBI: couldn't connect to $c{ DBI_DSN } for auth realm $auth_name",
$r->uri
);
return;
}
my $sth = $dbh->prepare( <<"EOS" );
SELECT $c{ DBI_passwordfield }
FROM $c{ DBI_userstable }
WHERE $c{ DBI_userfield } = ?
EOS
$sth->execute($user);
my ($crypted_password) = $sth->fetchrow_array;
unless ( defined $crypted_password ) {
$r->log_reason(
"Apache::AuthCookieDBI: couldn't select password from $c{ DBI_DSN }, $c{ DBI_userstable }, $c{ DBI_userfield } for user $user for auth realm $auth_name",
$r->uri
);
return;
}
# now return unless the passwords match.
if ( lc $c{DBI_crypttype} eq 'none' ) {
unless ( $password eq $crypted_password ) {
$r->log_reason(
"Apache::AuthCookieDBI: plaintext passwords didn't match for user $user for auth realm $auth_name",
$r->uri
);
return;
}
}
elsif ( lc $c{DBI_crypttype} eq 'crypt' ) {
my $salt = substr $crypted_password, 0, 2;
unless ( crypt( $password, $salt ) eq $crypted_password ) {
$r->log_reason(
"Apache::AuthCookieDBI: crypted passwords didn't match for user $user for auth realm $auth_name",
$r->uri
);
return;
}
}
elsif ( lc $c{DBI_crypttype} eq 'md5' ) {
unless ( md5_hex($password) eq $crypted_password ) {
$r->log_reason(
"Apache::AuthCookieDBI: MD5 passwords didn't match for user $user for auth realm $auth_name",
$r->uri
);
return;
}
}
AuthCookieDBI.pm view on Meta::CPAN
my %c = _dbi_config_vars $r;
my $user = $r->connection->user;
# See if we have a row in the groups table for this user/group.
my $dbh = DBI->connect( $c{DBI_DSN}, $c{DBI_user}, $c{DBI_password} );
unless ( defined $dbh ) {
$r->log_reason(
"Apache::AuthCookieDBI: couldn't connect to $c{ DBI_DSN } for auth realm $auth_name",
$r->uri
);
AuthCookieDBI.pm view on Meta::CPAN
=head1 DATABASE SCHEMAS
For this module to work, the database tables must be laid out at least somewhat
according to the following rules: the user field must be a primary key
so there is only one row per user; the password field must be NOT NULL. If
you're using MD5 passwords the password field must be 32 characters long to
allow enough space for the output of md5_hex(). If you're using crypt()
passwords you need to allow 13 characters.
An minimal CREATE TABLE statement might look like:
CREATE TABLE users (
user VARCHAR(16) PRIMARY KEY,
password VARCHAR(32) NOT NULL
)
For the groups table, the access table is actually going to be a join table
between the users table and a table in which there is one row per group
if you have more per-group data to store; if all you care about is group
Apache-AuthCookieDBIRadius
view release on metacpan or search on metacpan
AuthCookie.pm view on Meta::CPAN
}
} else {
#$r->subprocess_env('AuthCookieReason', 'no_cookie');
# Instead of 'no_cookie, let's return something more useful.
$r->subprocess_env('AuthCookieReason', 'Please enter your user name and password.');
}
# They aren't authenticated, and they tried to get a protected
# document. Send them the authen form.
return $auth_type->login_form;
AuthCookie.pm view on Meta::CPAN
=over 4
=item 1.
The client doesn't *have* to pass the user credentials on every
subsequent access. If you're using passwords, this means that the
password can be sent on the first request only, and subsequent
requests don't need to send this (potentially sensitive) information.
This is known as "ticket-based" authentication.
=item 2.
AuthCookie.pm view on Meta::CPAN
( session key cookie) ) | current request and creates sub |
(-----------------------) | request for the error document. |<-+
| Error document is a script that | |
| generates a form where the user | |
return | enters authentication | |
^------------------->| credentials (login & password). | |
/ \ False +---------------------------------+ |
/ \ | |
/ \ | |
/ \ V |
/ \ +---------------------------------+ |
AuthCookie.pm view on Meta::CPAN
(---------------------)
* The session key that the client gets can be anything you want. For
example, encrypted information about the user, a hash of the
username and password (similar in function to Digest
authentication), or the user name and password in plain text
(similar in function to HTTP Basic authentication).
The only requirement is that the authen_ses_key function that you
create must be able to determine if this session_key is valid and
map it back to the originally authenticated user ID.
AuthCookie.pm view on Meta::CPAN
server configuration as handled by the ->login() method - see example
in the SYNOPSIS section).
=item 2.
The various user input fields (username, passwords, etc.) must be
named 'credential_0', 'credential_1', etc. on the form. These will
get passed to your authen_cred() method.
=item 3.
AuthCookie.pm view on Meta::CPAN
you, you have to handle it yourself.
=head1 ABOUT SESSION KEYS
Unlike the sample AuthCookieHandler, you have you verify the user's
login and password in C<authen_cred()>, then you do something
like:
my $date = localtime;
my $ses_key = MD5->hexhash(join(';', $date, $PID, $PAC));
Apache-AuthCookieLDAP
view release on metacpan or search on metacpan
AuthCookieLDAP.pm view on Meta::CPAN
=head1 DESCRIPTION
This module is an authentication handler that uses the basic mechanism provided
by Apache::AuthCookie with a LDAP database for ticket-based protection. It
is based on two tokens being provided, a username and password, which can
be any strings (there are no illegal characters for either). The username is
used to set the remote user as if Basic Authentication was used.
On an attempt to access a protected location without a valid cookie being
provided, the module prints an HTML login form (produced by a CGI or any
other handler; this can be a static file if you want to always send people
to the same entry page when they log in). This login form has fields for
username and password. On submitting it, the username and password are looked
up in the LDAP database. If this succeeds, the user is issued
a ticket. This ticket contains the username, an issue time, an expire time,
and an MD5 checksum of those and a secret key for the server. It can
optionally be encrypted before returning it to the client in the cookie;
encryption is only useful for preventing the client from seeing the expire
time. If you wish to protect passwords in transport, use an SSL-encrypted
connection. The ticket is given in a cookie that the browser stores.
After a login the user is redirected to the location they originally wished
to view (or to a fixed page if the login "script" was really a static file).
AuthCookieLDAP.pm view on Meta::CPAN
=item C<WhatEverLDAP_EncryptionType>
What kind of encryption to use to prevent the user from looking at the fields
in the ticket we give them. This is almost completely useless, so don't
switch it on unless you really know you need it. It does not provide any
protection of the password in transport; use SSL for that. It can be 'none',
'des', 'idea', 'blowfish', or 'blowfish_pp'.
This is not required and defaults to 'none'.
=cut
AuthCookieLDAP.pm view on Meta::CPAN
$c{ DBI_user } = _dir_config_var( $r, 'DBI_User')
|| undef;
=item C<WhatEverDBI_Password>
The password to use to access the database. This is not required
and defaults to undef.
=cut
$c{ DBI_password } = _dir_config_var( $r, 'DBI_Password' )
|| undef;
=item C<WhatEverDBI_GroupsTable>
AuthCookieLDAP.pm view on Meta::CPAN
unless ( $user =~ /^.+$/ ) {
$r->log_reason( "Apache::AuthCookieLDAP: no username supplied for auth realm $auth_name", $r->uri );
return 'bad';
}
# Password goes in credential_1
my $password = $credentials[ 1 ];
unless ( $password =~ /^.+$/ ) {
$r->log_reason( "Apache::AuthCookieLDAP: no password supplied for auth realm $auth_name", $r->uri );
return 'bad';
}
# get the configuration information.
my %c = _dbi_config_vars $r;
AuthCookieLDAP.pm view on Meta::CPAN
# Take the first user
my $entry = $mess->first_entry;
my $dn = $entry->dn;
# Bind as the user we're authenticating
$mess = $con->bind($dn, password => $password);
unless ($mess->code == LDAP_SUCCESS) {
$r->log_reason("User $user har wrong password", $r->uri);
return 'bad';
}
$con->unbind;
AuthCookieLDAP.pm view on Meta::CPAN
my $user = $r->connection->user;
# See if we have a row in the groups table for this user/group.
my $dbh = DBI->connect( $c{ DBI_DSN },
$c{ DBI_user }, $c{ DBI_password } );
unless ( defined $dbh ) {
$r->log_reason( "Apache::AuthCookieDBI: couldn't connect to $c{ DBI_DSN } for auth realm $auth_name", $r->uri );
return undef;
}
Apache-AuthCookieNTLM
view release on metacpan or search on metacpan
lib/Apache/AuthCookieNTLM.pm view on Meta::CPAN
=head1 DESCRIPTION
As explained in the Apache::AuthenNTLM module, depending on the user's
config, IE will supply your Windows logon credentials to the web server
when the server asks for NTLM authentication. This saves the user typing in
their windows login and password.
Apache::AuthCookieNTLM is an interface to Shannon Peevey's
Apache::AuthenNTLM module. This modules authenticates a user
using their Windows login against the Windows PDC, but to also
stores their login name into a cookie. This means that it can be
Apache-AuthCookiePAM
view release on metacpan or search on metacpan
AuthCookiePAM.pm view on Meta::CPAN
=head1 DESCRIPTION
This module is an authentication handler that uses the basic mechanism
provided by Apache::AuthCookie with PAM (based on DBI) . It is based on
two tokens being provided, a username and password, which can be any
strings (there are no illegal characters for either). The username is
used to set the remote user as if Basic Authentication was used.
On an attempt to access a protected location without a valid cookie being
provided, the module prints an HTML login form (produced by a CGI or any
other handler; this can be a static file if you want to always send people
to the same entry page when they log in). This login form has fields for
username and password. On submitting it, the username and password are verfied
using PAM. If this succeeds, the user is issued a ticket. This ticket contains
the username, an issue time, an expire time, and an MD5 checksum of those and a
secret key for the server. It can optionally be encrypted before returning it
to the client in the cookie;
encryption is only useful for preventing the client from seeing the expire
time. If you wish to protect passwords in transport, use an SSL-encrypted
connection. The ticket is given in a cookie that the browser stores.
After a login the user is redirected to the location they originally wished
to view (or to a fixed page if the login "script" was really a static file).
AuthCookiePAM.pm view on Meta::CPAN
=item C<WhatEverPAM_EncryptionType>
What kind of encryption to use to prevent the user from looking at the fields
in the ticket we give them. This is almost completely useless, so don't
switch it on unless you really know you need it. It does not provide any
protection of the password in transport; use SSL for that. It can be 'none',
'des', 'idea', 'blowfish', or 'blowfish_pp'.
This is not required and defaults to 'none'.
=cut
AuthCookiePAM.pm view on Meta::CPAN
$r->log_reason( "Apache::AuthCookiePAM: no username supplied for auth realm $auth_name", $r->uri );
$r->subprocess_env('AuthenReason', 'No username provided. Try again.');
return undef;
}
# Password goes in credential_1
my $password; $password = $credentials[ 1 ];
unless ( $password =~ /^.+$/ ) {
$r->log_reason( "Apache::AuthCookiePAM: no password supplied for auth realm $auth_name", $r->uri );
$r->subprocess_env('AuthenReason', 'No password provided. Try again.');
return undef;
}
# service to be used for authentication
my $service; $service = $c{PAM_service};
my ($pamh,$res,$funcref);
$funcref=create_conv_func($r,$user,$password);
ref($pamh = new Authen::PAM($service, $user,$funcref)) || die "Error code $pamh during PAM init!";
# call auth module to authenticate user
$res = $pamh->pam_authenticate;
$funcref=0;
AuthCookiePAM.pm view on Meta::CPAN
$r->subprocess_env('AuthenReason', 'Account for $user is locked. Contact your Administrator.');
return 'bad';
}
if ( $res == PAM_NEW_AUTHTOK_REQD() ) {
$r->log_error("ERROR: PAssword for $user expired. Change Password\n");
$r->subprocess_env('AuthenReason', 'Password Expired. Please Change your password.');
return $r->auth_type->changepwd_form ($user);
}
if ( $res == PAM_SUCCESS() ) {
# Create the expire time for the ticket.
my $expire_time;
AuthCookiePAM.pm view on Meta::CPAN
}
}
#-------------------------------------------------------------------------------
# Conversation function for PAM - authentication and change of password
sub create_conv_func
{
my ($r,$user,$pass,$newpass,$confpass);
($r,$user,$pass,$newpass,$confpass) = @_;
AuthCookiePAM.pm view on Meta::CPAN
$user=~ tr/A-Z/a-z/;
unless ( $user =~ /^.+$/ ) {
$r->log_reason( "Apache::AuthCookiePAM: no username supplied for auth realm $auth_name", $r->uri );
}
# Old Password goes in credential_1
my $oldpassword; $oldpassword = $args{"credential_1"};
unless ( $oldpassword =~ /^.+$/ ) {
$r->log_reason( "Apache::AuthCookiePAM: no password supplied ", $r->uri );
}
# New Password goes in credential_2
my $newpassword ; $newpassword = $args{"credential_2"};
unless ( $newpassword =~ /^.+$/ ) {
$r->log_reason( "Apache::AuthCookiePAM: no password supplied ", $r->uri );
}
# Repeat Password goes in credential_3
my $confirmpassword; $confirmpassword = $args{"credential_3"};
unless ( $confirmpassword =~ /^.+$/ ) {
$r->log_reason( "Apache::AuthCookiePAM: passwords don't match", $r->uri );
}
# Now do password change
#
my ($pamh,$res);
my $funcref;
$funcref=create_conv_func($r,$user,$oldpassword,$newpassword,$confirmpassword);
my %c; %c = _config_vars $r;
my $service; $service = $c{PAM_service};
ref($pamh = new Authen::PAM($service, $user,$funcref)) || die "Error code $pamh during PAM init!";
$res = $pamh->pam_chauthtok();
$pamh=0;
undef $pamh;
if ( $res == PAM_SUCCESS()) {
$r->subprocess_env('AuthenReason', 'Password Updated. Please login with your new password');
$r->log_reason("AuthenCookiePAM:". $args{'destination'}."Password for $user Updated. Please login with your new password");
#
$auth_type->logout($r);
$r->err_header_out("Location" => $args{'destination'});
return REDIRECT;
}
else {
$r->subprocess_env('AuthenReason', "Password Not Updated. New password did not satisfy specified rules or failed authentication");
$r->log_reason("AuthenCookiePAM: Password for $user Not Updated. ");
return $auth_type->changepwd_form($user);
}
}
Apache-AuthCookieURL
view release on metacpan or search on metacpan
AuthCookieURL.pm view on Meta::CPAN
Please see perldoc Apache::AuthCookie for complete instructions. As this is intended to be
a drop-in replacement for Apache::AuthCookie you may wish to install and test with Ken's
Apache::AuthCookie before trying AuthCookieURL.
Basically, this module allows you to catch any unauthenticated access and redirect to a
login script that you define. The login script posts credentials (e.g. username and password)
and your module can then validate and provide a session key. The session key is sent in a cookie,
and also in a munged URL and a redirect is issued and the process starts all over.
Typically, you will write your own module that will override methods in Apache::AuthCookieURL.
These methods are described completely in Ken's Apache::AuthCookie. Your methods will be used
to generate and validate session keys. You can use Apache::AuthCookieURL without overriding
its methods and then AuthCookieURL can be used as a simple session manager.
With this module you should be able to enable session management for an entire site
using E<lt>Location /E<gt>, and then allow access to, say, the images directory, and also require
password access to other locations. One issue at this point is that the session key is
stripped from URLs in a Trans handler. So you would need to use cookies to use different
session keys for different parts of your web tree.
Apache::AuthCookieURL adds the following features to Apache::AuthCookie.
AuthCookieURL.pm view on Meta::CPAN
=over 4
=item * authen_cred()
This method verifies the credentials (e.g. username/password) and returns a session key. If the credentials are
not acceptable then you can return a list, with the second element being an error message
that is placed in a cookie. This allows your login script to display a failure reason. This
method is needed since a redirect is done before your login script is executed again. Of course,
this requires that the client has cookies enabled.
Apache-AuthDigest
view release on metacpan or search on metacpan
request with whatever credentials are stored on the server. the
first argument is the hash reference returned by
get_digest_auth_response(). the second argument is a MD5 digest
of the user credentials. the credentials should be in the form
user:realm:password
before they are hashed. the following Perl one-liner will generate
a suitable digest:
$ perl -MDigest::MD5 -e'print Digest::MD5::md5_hex("user:realm:password"),"\n"'
=back
=head1 EXAMPLE
Apache-AuthLDAP
view release on metacpan or search on metacpan
AuthLDAP.pm view on Meta::CPAN
my $uidattr = $r->dir_config('UIDAttr') || "uid";
if ($sent_pwd eq "")
{
$r->note_basic_auth_failure;
$r->log_reason("user $name: no password supplied",$r->uri);
return AUTH_REQUIRED;
}
my $ld = new Net::LDAPapi($ldapserver,$ldapport);
if ($ld <= 0)
AuthLDAP.pm view on Meta::CPAN
return OK;
}
$ld->unbind;
$r->note_basic_auth_failure;
$r->log_reason("user $name: password mismatch", $r->uri);
return AUTH_REQUIRED;
}
sub authz
{
Apache-AuthLDAPBind
view release on metacpan or search on metacpan
lib/Apache/AuthLDAPBind.pm view on Meta::CPAN
=head1 SYNOPSIS
This is an authentication module for Apache 1.3 (and mod_perl) that
authenticates a user to an LDAP server by binding as that user (with
his supplied password). If the bind succeeds, the user is
authenticated. If not, authentication fails.
This is much more secure than the usual method of checking the
password against a hash, since there's no possibility that the hash
will be viewed while in transit (or worse, simply pulled out of the
LDAP database by an attacker), or that the client somehow miscomputes
the hash (since there are a variety of algorithms for password
hashes).
Since passwords are being sent to the LDAP server over the network,
the server is required to support SSL. Authentications will fail if
the server doesn't support StartTLS. Cutting corners is not an option
when dealing with passwords!
Example Apache 1.3 configuration:
<Directory /foo/bar>
# Authentication Realm and Type (only Basic supported)
AuthName "Foo Bar Authentication"
AuthType Basic # use SSL, or your passwords will be sent cleartext!!
# Any of the following variables can be set. Defaults are listed
# to the right.
PerlSetVar ldap_base_dn o=Foo,c=Bar # Default: Empty String ("")
PerlSetVar ldap_server ldap.foo.com # Default: localhost
lib/Apache/AuthLDAPBind.pm view on Meta::CPAN
=cut
sub handler {
my $r = shift;
my ($res, $sent_password) = $r->get_basic_auth_pw;
return $res if $res;
my $username = $r->connection->user;
my ($ldap_server, $ldap_port, $base_dn, $uid_attr) = _get_ldap_vars($r);
if (!$sent_password && $sent_password != 0) { # no need to lock out users
# whose password is 000000
# or 0e0, or something.
$r->note_basic_auth_failure;
$r->log_reason("user $username: no password supplied",$r->uri);
return AUTH_REQUIRED;
}
my $ok;
eval {
$ok = _bind_ldap($ldap_server, $ldap_port, $base_dn, $uid_attr,
$username, $sent_password);
};
$ok = 0 if $@;
if(!$ok){
$r->note_basic_auth_failure;
if (!$@) {
$r->log_reason("user $username: ".
"password incorrect or user not in LDAP",
$r->uri);
}
else {
r->log_reason("user $username: LDAP error: $@", $r->uri);
}
return AUTH_REQUIRED;
}
# password was acceptable
$r->push_handlers(PerlAuthzHandler => \&_authz);
return OK;
}
lib/Apache/AuthLDAPBind.pm view on Meta::CPAN
my $ldap_server = shift;
my $ldap_port = shift;
my $base_dn = shift;
my $uid_attr = shift;
my $username = shift;
my $password = shift;
# prevent anonymous binds!
if(!defined $username || !defined $password){
die "null username/password passed to _bind_ldap!";
}
my $ldap = Net::LDAP->new("$ldap_server".
((defined $ldap_port) ? ":$ldap_port" : ""));
my $mesg = $ldap->start_tls();
$mesg = $ldap->bind("$uid_attr=$username,$base_dn",
password=>$password);
$ldap->unbind; # take down session
$mesg->code && return 0; # failed
return 1; # passed
}
Apache-AuthNetLDAP
view release on metacpan or search on metacpan
AuthNetLDAP.pm view on Meta::CPAN
#handles Apache requests
sub handler
{
my $r = shift;
my ($result, $password) = $r->get_basic_auth_pw;
return $result if $result;
# change based on version of mod_perl
my $user = MP2 ? $r->user : $r->connection->user;
AuthNetLDAP.pm view on Meta::CPAN
## Parse $name's with Domain\Username
if ($user =~ m|(\w+)[\\/](.+)|) {
($domain,$user) = ($1,$2);
}
if ($password eq "") {
$r->note_basic_auth_failure;
MP2 ? $r->log_error("user $user: no password supplied",$r->uri) : $r->log_reason("user $user: no password supplied",$r->uri);
return MP2 ? Apache::HTTP_UNAUTHORIZED : Apache::Constants::HTTP_UNAUTHORIZED;
}
my $ldap = new Net::LDAP($ldapserver, port => $ldapport);
AuthNetLDAP.pm view on Meta::CPAN
my $mesg;
#initial bind as user in Apache config
if ($bindpwd ne "")
{
$mesg = $ldap->bind($binddn, password=>$bindpwd);
}
else
{
$mesg = $ldap->bind();
}
AuthNetLDAP.pm view on Meta::CPAN
if ( $pwattr ne "" )
{
my $altfieldvalue = $entry->get_value ( $pwattr );
$altfieldvalue =~ s/^\s+//;
$altfieldvalue =~ s/\s+$//;
if ($altfieldvalue eq $password)
{
return MP2 ? Apache::OK : Apache::Constants::OK;
}
else
{
AuthNetLDAP.pm view on Meta::CPAN
}
}
}
else
{
$mesg = $ldap->bind($entry->dn(),password=>$password);
}
if (my $error = $mesg->code())
{
$r->note_basic_auth_failure;
MP2 ? $r->log_error("user $user: failed bind: $error",$r->uri) : $r->log_reason("user $user: failed bind: $error",$r->uri);
return MP2 ? Apache::HTTP_UNAUTHORIZED : Apache::Constants::HTTP_UNAUTHORIZED;
}
my $error = $mesg->code();
my $dn = $entry->dn();
# MP2 ? $r->log_error("AUTHDEBUG user $dn:$password bind: $error",$r->uri) : $r->log_reason("AUTHDEBUG user $dn:$password bind: $error",$r->uri);
return MP2 ? Apache::OK : Apache::Constants::OK;
}
# Autoload methods go after =cut, and are processed by the autosplit program.
AuthNetLDAP.pm view on Meta::CPAN
AuthName "LDAP Test Auth"
AuthType Basic
#only set the next two if you need to bind as a user for searching
#PerlSetVar BindDN "uid=user1,ou=people,o=acme.com" #optional
#PerlSetVar BindPWD "password" #optional
PerlSetVar BaseDN "ou=people,o=acme.com"
PerlSetVar LDAPServer ldap.acme.com
PerlSetVar LDAPPort 389
#PerlSetVar UIDAttr uid
PerlSetVar UIDAttr mail
#PerlSetVar AlternatePWAttribute alternateAttribute
#PerlSetVar SearchScope base | one | sub # default is sub
#PerlSetVar LDAPFilter "(&(course=CSA)(class=A))" #optional
# Set if you want to encrypt communication with LDAP server
# and avoid sending clear text passwords over the network
PerlSetVar UseStartTLS yes | no
# Set if you want to allow an alternate method of authentication
PerlSetVar AllowAlternateAuth yes | no
AuthNetLDAP.pm view on Meta::CPAN
Used to set initial LDAP user.
=item PerlSetVar BindPWD
Used to set initial LDAP password.
=item PerlSetVar BaseDN
This sets the search base used when looking up a user in an LDAP server.
AuthNetLDAP.pm view on Meta::CPAN
The attribute used to lookup the user.
=item PerlSetVar AlternatePWAttribute
The an alternate attribute with which the $password will be tested.
This allows you to test with another attribute, instead of just
trying to bind the userdn and password to the ldap server.
If this option is used, then a BindDN and BindPWD must be used for the
initial bind.
=item PerlSetVar AllowAlternateAuth
AuthNetLDAP.pm view on Meta::CPAN
(&(&(course=41300)(year=3)(classCode=Y))(uid=nicku))
This will then allow nicku access only if nicku's LDAP entry has the
attribute course equal to 41300, the attribute year equal to 3, and
attribute classCode equal to Y. And of course, if the password is
correct. This may be useful for restricting access to a group of
users in a large directory, e.g., at a university.
=item PerlSetVar UseStartTLS
Optional; can be yes or no. If yes, will fail unless can start a TLS
encrypted connection to the LDAP server before sending passwords over
the network. Note that this requires that the optional module
IO::Socket::SSL is installed; this depends on Net::SSLeay, which
depends on openssl. Of course, the LDAP server must support Start TLS
also.
AuthNetLDAP.pm view on Meta::CPAN
AuthName "LDAP Test Auth"
AuthType Basic
#only set the next two if you need to bind as a user for searching
#PerlSetVar BindDN "uid=user1,ou=people,o=acme.com" #optional
#PerlSetVar BindPWD "password" #optional
PerlSetVar BaseDN "ou=people,o=acme.com"
PerlSetVar LDAPServer ldap.acme.com
PerlSetVar LDAPPort 389
PerlSetVar UIDAttr uid
PerlSetVar UseStartTLS yes # Assuming you installed IO::Socket::SSL, etc.
Apache-AuthPAM
view release on metacpan or search on metacpan
my $r = shift;
# check first request
return OK unless $r->is_initial_req;
# get user password
my ($rc, $pw) = $r->get_basic_auth_pw;
# decline if not basic
return $rc if $rc;
or locations in your web server filesystem space.
Apache::AuthPAM works as follows:
First, it calls C<pam_start> with the selected service.
Second, it calls C<pam_authenticate> with the browser/apache supplied username and password.
Later, it calls C<pam_acct_mgmt>.
And finally it calls C<pam_end>.
If any of the PAM functions fail, Apache::AuthPAM logs an info level message and returns C<AUTH_REQUIRED>.
If all PAM functions are succesfull, Apache::AuthPAM logs an info level message and returns C<OK>.
If you are going to use your system password database, you
B<MUST> also use B<mod_ssl>.
=head1 BUGS
I'am using a global symbol.
Apache-AuthPOP3
view release on metacpan or search on metacpan
lib/Apache/AuthPOP3.pm view on Meta::CPAN
}
sub authenticate {
my ($mailhost, $user_sent, $passwd_sent) = @_;
$user_sent and $passwd_sent or return 'either username or password is empty';
# cache sha1-ed password
my $cache = new Cache::FileCache({ 'namespace' => __PACKAGE__, 'default_expires_in' => 120 });
my $passwd_cached_sha1 = $cache->get($user_sent);
my $passwd_sent_sha1 = sha1_hex($passwd_sent);
if (defined $passwd_cached_sha1) {
return "user $user_sent: POP3 login failed" if $passwd_cached_sha1 ne $passwd_sent_sha1;
lib/Apache/AuthPOP3.pm view on Meta::CPAN
=head1 DESCRIPTION
This module allows authentication and authorization against a POP3 server.
Received username and password are looked up in the cache. If nothing was
stored in the cache with that particular username and password within
the past two minutes, they are passed to the POP3 server and cached
once authenticated; SHA1 checksum of password is used in caching.
After being authorized, the username or the name that maps to it based
on the UserMap configuration is used to set the remote user.
=head1 CONFIGURATION
Apache-AuthPerLDAP
view release on metacpan or search on metacpan
AuthPerLDAP.pm view on Meta::CPAN
$Apache::AuthPerLDAP::VERSION = '0.5';
sub handler {
my $r = shift;
my ($result, $password) = $r->get_basic_auth_pw;
return $result if $result;
my $username = $r->connection->user;
my $basedn = $r->dir_config('BaseDN') || "";
my $ldapserver = $r->dir_config('LDAPServer') || "localhost";
my $ldapport = $r->dir_config('LDAPPort') || 389;
my $uidattr = $r->dir_config('UIDAttr') || "uid";
if ($password eq "") {
$r->note_basic_auth_failure;
$r->log_reason("user $username: no password supplied",$r->uri);
return AUTH_REQUIRED;
}
my $conn = new Mozilla::LDAP::Conn({ "host" => $ldapserver,
"port" => $ldapport} );
AuthPerLDAP.pm view on Meta::CPAN
# Found username in LDAP database, get its DN
my $dn = $entry->getDN();
#
# Try to rebind with the users DN and password.
#
unless (($dn ne "") && ($conn->simpleAuth($dn, $password))) {
$r->note_basic_auth_failure;
$r->log_reason("user $username: invalid password", $r->uri);
return AUTH_REQUIRED;
}
return OK;
AuthPerLDAP.pm view on Meta::CPAN
These directives can also be used in a .htaccess file.
=head1 DESCRIPTION
AuthPerLDAP provides Basic Authentication, with username/password
lookups against an LDAP server, using Netscape's PerLDAP kit.
It is heavily based on Clayton Donley's Apache::AuthLDAP module,
but uses the newer Netscape PerLDAP (Mozilla::LDAP), which in turn
uses the Netscape Directory SDK for C. Thus Donley's original
AuthPerLDAP.pm view on Meta::CPAN
works for me. If this module is the only Apache/Perl module you are going to use,
you probably don't need anything but the PERL_AUTHEN hook enabled.
Unlike Donley's Apache::AuthLDAP module, AuthPerLDAP is only used for
authentication, and thus only supports the require-user directive.
If a user enters the correct username and password, the authentication
is considered to be OK.
=head1 TODO
=over 4
Apache-AuthTicket
view release on metacpan or search on metacpan
lib/Apache/AuthTicket.pm view on Meta::CPAN
This directive specifys the username to use when connecting to the databse.
=item B<TicketDBPassword>
This directive specifys the password to use when connecting to the databse.
=item B<TicketTable>
This directive specifys the ticket hash table as well as the column name for
the hash.
lib/Apache/AuthTicket.pm view on Meta::CPAN
Example: tickets:ticket_hash:ts
=item B<TicketUserTable>
This directive specifys the users table and the username and password column
names.
Format: table_name:username_column:password_column
Example: users:usrname:passwd
=item B<TicketPasswordStyle>
This directive specifys what type of passwords are stored in the database. The
default is to use I<cleartext> passwords. Currently supported password styles
are:
=over 3
=item I<cleartext>
This password style is just plain text passwords. When using this password
style, the supplied user password is simply compared with the password stored
in the database.
=item I<md5>
This password style generates an MD5 hex hash of the supplied password before
comparing it against the password stored in the database. Passwords should be
stored in the database by passing them through Digest::MD5::md5_hex().
=item I<crypt>
This password style uses traditional crypt() to encrypt the supplied password
before comparing it to the password saved in the database.
=back
=item B<TicketSecretTable>
lib/Apache/AuthTicket.pm view on Meta::CPAN
=over 3
=item B<users table>
This table stores the actual usernames and passwords of the users. This table
needs to contain at least a username and password column. This table is
confgured by the I<TicketUserTable> directive.
example:
CREATE TABLE users (
lib/Apache/AuthTicket.pm view on Meta::CPAN
=item void make_login_screen($r, String action, String destination)
This method creats the "login" screen that is shown to the user. You can
overload this method to create your own login screen. The log in screen only
needs to contain a hidden field called "destination" with the contents of
I<destination> in it, a text field named I<credential_0> and a password field
named I<credential_1>. You are responsible for sending the http header as well
as the content. See I<Apache::AuthCookie> for the description of what each of
these fields are for.
I<action> contains the action URL for the form. You must set the action of
Apache-Authen-Generic
view release on metacpan or search on metacpan
my $cookie = $auth_obj->($data, $key);
print "Set-Cookie: $cookie\n";
print "Location: $redirect_url\n";
print "\n";
} else {
&handle_invalid_password()
}
# Efforts have been made to make this module work under Apache
# 1.3.* and mod_perl 1.0, but it has only been tested under
# Apache 2.0.* and mod_perl 2.0.
Apache-Authen-Program
view release on metacpan or search on metacpan
# Apache::Authen::Program allows you to call an external program
# that performs username/password authentication in Apache.
#
# Copyright (c) 2002-2004 Mark Leighton Fisher, Fisher's Creek Consulting, LLC
#
# This module is free software; you can redistribute it and/or
# modify it under the same terms as Perl itself.
sub handler {
my $request = shift; # Apache request object
my @args = (); # authentication program arguments
my $cmd = ""; # program command string
my $i = 0; # counter for @args
my $ofh = ""; # output file handle for password temp file
my $password = ""; # password from Basic Authentication
my $passfile = ""; # temporary file containing password
my $passtype = ""; # "File" if communicating password by temp file
my $program = ""; # authentication program filename
my $response = ""; # Apache response object
my $success = ""; # success string from authentication program
my $username = ""; # username from Basic Authentication
# get password, decline if not Basic Authentication
($response, $password) = $request->get_basic_auth_pw;
return $response if $response;
# get username
$username = $request->connection->user;
if ($username eq "") {
for ($i = 1; $i < 10; $i++) {
$args[$i] = $request->dir_config("AuthenProgramArg$i");
}
$success = $request->dir_config("AuthenProgramSuccess");
# write temp. password file on request
$passtype = $request->dir_config("AuthenProgramPassword");
if ($passtype eq "File") {
($ofh, $passfile) = tempfile();
if (!defined($ofh) || $ofh eq "") {
$request->log_reason("Apache::Authen::Program can't create password file",
$request->uri);
return SERVER_ERROR;
}
chmod(0600, $passfile)
|| $request->log_reason(
"Apache::Authen::Program can't chmod 0600 password file '$passfile' because: $!",
$request->uri);
if (!print $ofh $password,"\n") {
$request->log_reason("Apache::Authen::Program can't write password file '$ofh'",
$request->uri);
return SERVER_ERROR;
}
if (!close($ofh)) {
$request->log_reason("Apache::Authen::Program can't close password file '$ofh'",
$request->uri);
return SERVER_ERROR;
}
$password = $passfile;
}
# execute command, then examine output for success or failure
$cmd = "$program '$username' '$password' ";
$cmd .= join(' ', @args);
my @output = `$cmd`;
if ($passtype eq "File") {
if (!unlink($passfile)) {
$request->log_reason("Apache::Authen::Program can't delete password file '$ofh'",
$request->uri);
}
}
if (!grep(/$success/, @output)) {
$request->note_basic_auth_failure;
directive should follow whatever handler you use.
= head1 DESCRIPTION
This mod_perl module provides a reasonably general mechanism
to perform username/password authentication in Apache by
calling an external program. Authentication by an external
program is useful when a program can perform an authentication
not supported by any Apache modules (for example, cross-domain
authentication is not supported by Apache::NTLM or
Apache::AuthenSmb, but is supported by Samba's smbclient
program).
You must define the program pathname AuthenProgram and the
standard output success string AuthenProgramSuccess.
The first two arguments to the program are the username and
either the password or a temporary file with the password,
depending on whether AuthenProgramPassword has the value "File".
"File" forces sending the password to AuthenProgram through a
temporary file to avoid placing passwords on the command line where
they can be seen by ps(1).
Additional program arguments can be passed in the variables
AuthenProgramArg1, AuthenProgramArg2, etc. Up to 9 of these
variables are supported.
The examples/ subdirectory has sample programs for doing
Samba-based SMB authentication (examples/smblogon),
Oracle authentication (examples/oralogon), and
a simple example (examples/filelogon) that demonstrates communicating
the password through a temporary file.
If you are using this module please let me know, I'm curious how many
people there are that need this type of functionality.
This module was adapted from Apache::AuthenSmb.
Apache-AuthenCache
view release on metacpan or search on metacpan
AuthenCache.pm view on Meta::CPAN
my $auth_name = $r->auth_name;
# Clear for paranoid security precautions
$r->notes('AuthenCache' => 'miss');
# Get response and password
my($res, $passwd_sent) = $r->get_basic_auth_pw;
return $res if $res; # e.g. HTTP_UNAUTHORIZED
# Get username
my $user_sent = $r->connection->user;
AuthenCache.pm view on Meta::CPAN
my $passwd = $cache->get($user_sent);
# Is the user in the cache
if ($passwd) {
$r->log->debug("handler: using cached passwd for $user_sent");
# Allow no password
if ($nopasswd eq 'on' and not length($passwd)) {
$r->log->debug("handler: no password required; returning DONE");
# Must return DECLINED so that user has a chance to put in
# no password
return DONE;
}
# If nopasswd is off, reject user
unless (length($passwd_sent) and length($passwd)) {
$r->log->debug("handler: user $user_sent: empty password(s) rejected" .
$r->uri);
# Must return DECLINED so that user has a chance to put in a
# new password
return DECLINED;
}
# Is crypt is needed
if ($encrypted eq 'on') {
AuthenCache.pm view on Meta::CPAN
$passwd_sent = crypt($passwd_sent, $salt);
}
unless ($passwd_sent eq $passwd) {
$r->log->debug("AuthenCache::handler: user $user_sent: " .
"password mismatch" . $r->uri);
# Must return DECLINED so that user has a chance to put in a
# new password
return DECLINED;
}
# Password matches so end stage
# The required patch was not introduced in 1.26. It is no longer
AuthenCache.pm view on Meta::CPAN
# (according to Doug MacEachern) I have to work around it by
# cobbling together cheat sheets for the subsequent handlers
# in this phase. I get the willies about the security implications
# in a general environment where you might be using someone else's
# handlers upstream or downstream...
$r->log->debug("handler: user in cache and password matches; ",
"returning OK and clearing authen handler stack");
$r->set_handlers(PerlAuthenHandler => undef);
# } else {
# $r->log->debug("handler: user in cache and password matches; ",
# "returning OK and setting notes");
# $r->notes('AuthenCache' => 'hit');
#}
return OK;
} # End if()
AuthenCache.pm view on Meta::CPAN
###############################################################################
sub manage_cache {
my $r = shift;
return OK unless $r->is_initial_req; # only the first internal request
# Get response and password
my ($res, $passwd_sent) = $r->get_basic_auth_pw;
return $res if $res; # e.g. HTTP_UNAUTHORIZED
# Get username
my $user_sent = $r->connection->user;
AuthenCache.pm view on Meta::CPAN
if ($casesensitive eq 'off') {
$user_sent = lc($user_sent);
$passwd_sent = lc($passwd_sent);
}
# Do we need to crypt the password?
if ($encrypted eq 'on') {
my @alphabet = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');
my $salt = join ('', @alphabet[rand (64), rand (64)]);
$passwd_sent = crypt($passwd_sent, $salt);
}
AuthenCache.pm view on Meta::CPAN
http://www.cpan.org/modules/by-module/Apache/apache-modlist.html
When a request that requires authorization is received,
AuthenCache::handler looks up the REMOTE_USER in a perl-realm shared-memory
cache (using IPC::Cache) and compares the cached password to the
sent password. A new cache is created for the first request in a realm or if
the realm's cache has expired. If the passwords match, the handler
returns OK and clears the downstream Authen handlers from the
stack. Otherwise, it returns DECLINED and allows the next
PerlAuthenHandler in the chain to be called.
After the primary authentication handler completes with an OK,
AuthenCache.pm view on Meta::CPAN
=over 4
=item B<AuthenCache_Encrypted>
If this directive is set to 'Off', passwords are not encrypted.
Default is 'On', ie passwords use standard Unix crypt.
=back
=over 4
=item B<AuthenCache_NoPasswd>
If this directive is set to 'On', passwords must be blank.
Default is 'Off'.
=back
=head1 PREREQUISITES
AuthenCache.pm view on Meta::CPAN
#
# Revision 1.4 2000/10/18 16:31:12 cgilmore
# removed note_basic_auth_failure lines
#
# Revision 1.3 2000/08/03 21:12:07 cgilmore
# changed from AUTH_REQUIRED to DECLINED to allow for new passwords
# to enter the cache
#
# Revision 1.2 2000/07/18 18:58:05 cgilmore
# corrected mis-use of log (commas instead of periods)
#
Apache-AuthenLDAP
view release on metacpan or search on metacpan
AuthenLDAP.pm view on Meta::CPAN
my $ldapport = $r->dir_config('AuthenLDAPPort') || 389;
my $uidattrtype = $r->dir_config('AuthenUidAttrType') || "uid";
my $expire = lc($r->dir_config('AuthenExpire')) || 'false';
my $exp_attrtype = $r->dir_config('AuthenExpireAttrType') ||
'passwordIsExpired';
my $exp_lastmodattrtype =
$r->dir_config('AuthenExpireLastModAttrType') ||
'passwordModifyTimestamp';
my $exp_time = $r->dir_config('AuthenExpireTime') ||
186;
my $exp_redirect = $r->dir_config('AuthenExpireRedirect') || '';
$r->log->debug("handler: ",
AuthenLDAP.pm view on Meta::CPAN
"ExpireLastModAttrType - $exp_lastmodattrtype; ",
"ExpireTime - $exp_time; ExpireRedirect - $exp_redirect");
if ($sent_pwd eq "") {
$r->note_basic_auth_failure;
$r->log_reason("user $name: no password supplied", $r->uri);
return AUTH_REQUIRED;
}
# Connect to the server
my $ld;
AuthenLDAP.pm view on Meta::CPAN
# Only want the first if we've received more than one
my $entry = $msg->first_entry;
my $dn = $entry->dn;
# Bind as the user we're authenticating
$msg = $ld->bind($dn, password => $sent_pwd);
unless ($msg->code == LDAP_SUCCESS) {
$r->note_basic_auth_failure;
$r->log_reason("user $name: password mismatch", $r->uri);
return AUTH_REQUIRED;
}
$ld->unbind;
if ($expire eq 'true') {
# Is the password set to expired in LDAP?
if (($entry->get($exp_attrtype))[0] eq 'true') {
$r->log->debug("handler: password flag expired");
$r->custom_response(FORBIDDEN, "$exp_redirect");
return FORBIDDEN;
}
# Has the password passed the age limit?
my ($modyear, $modmonth, $modday) =
(($entry->get($exp_lastmodattrtype))[0] =~ /(\d{4})(\d{2})(\d{2})/);
my ($year, $month, $day) = Today([time]);
if (Date_to_Days($year, $month, $day) -
Date_to_Days($modyear, $modmonth, $modday) > $exp_time) {
$r->log->debug("handler: password age expired");
$r->custom_response(FORBIDDEN, "$exp_redirect");
return FORBIDDEN;
}
}
AuthenLDAP.pm view on Meta::CPAN
=over 4
=item B<AuthenExpireAttrType>
The attribute type name that contains whether or not the password is
expired. By default, AuthenExpireAttrType is passwordIsExpired.
=back
=over 4
=item B<AuthenExpireLastModAttrType>
The attribute type name that contains the password last modified
timestamp in YYYYMMDD format. By default AuthenExpireLastModAttrType
is set to passwordModifyTimestamp.
=back
=over 4
=item B<AuthenExpireTime>
The time in days at which a password expires. By default,
AuthenExpireTime is set to 186.
=back
=over 4
=item B<AuthenExpireRedirect>
The location to which you wish to redirect users whose passwords are
expired. If this value is left blank, the server will respond with a
401 error.
=back
Apache-AuthenMSAD
view release on metacpan or search on metacpan
lib/Apache/AuthenMSAD.pm view on Meta::CPAN
my $r = shift;
# Continue only if the first request.
# return OK unless $r->is_initial_req;
# Grab the password, or return in HTTP_UNAUTHORIZED
my ($res, $pass) = $r->get_basic_auth_pw;
return $res if $res;
my $user = $r->user;
lib/Apache/AuthenMSAD.pm view on Meta::CPAN
my $domain = $r->dir_config('MSADDomain') || "no-domain";
my $server = $r->dir_config('MSADServer') || $domain;
if ($pass eq "") {
$r->note_basic_auth_failure;
$r->log_reason("user - no password supplied",$r->uri);
return Apache::Constants::HTTP_UNAUTHORIZED;
}
if ($user eq "") {
$r->note_basic_auth_failure;
lib/Apache/AuthenMSAD.pm view on Meta::CPAN
$r->note_basic_auth_failure;
$r->log_reason("user - MSAD LDAP Connect Failed",$r->uri);
return Apache::Constants::HTTP_UNAUTHORIZED;
}
my $result= $ldap->bind (dn => "$user\@$domain", password => $pass);
if (!$result || ($result && $result->code)) {
$r->note_basic_auth_failure;
$r->log_reason("user - Active Directory Authen Failed",$r->uri);
return Apache::Constants::HTTP_UNAUTHORIZED;
}
lib/Apache/AuthenMSAD.pm view on Meta::CPAN
It was tested in an production environment to work perfectly.
=head1 BEWARE
This builds on the Net::LDAP interface and as such passes the userid
and password in the clear. We've not been able to get Net::LDAPS to
work with Microsoft Active Directory. If anyone else has we'd dearly
love to hear from them.
=head1 AUTHOR
Apache-AuthenMT
view release on metacpan or search on metacpan
AuthenMT.pm view on Meta::CPAN
my $app = MT::App->new(
Config => $MT_DIR . 'mt.cfg',
Directory => $MT_DIR
) or $reason = MT::App::->errstr;
# check password
$reason = authenticate($r, $user, $sent_pw) unless ($reason);
# reason for failure
if ($reason) {
#$r->note_basic_auth_failure;
AuthenMT.pm view on Meta::CPAN
# authenticated
return OK;
}
# check user and password against Movable Type's database
sub authenticate {
my $r = shift;
my $user = shift;
my $sent_pw = shift;
my $crypted = 0;
# print STDERR "authmt: $user $sent_pw\n";
if (my $author = MT::Author->load({ name => $user })) {
if ($author->is_valid_password($sent_pw, $crypted)) {
return "";
} else {
return "invalid pass";
}
} else {
AuthenMT.pm view on Meta::CPAN
mod_perl auth handler
=item authenticate
This checks the user and password against database.
=back
=head1 VARIABLES
Apache-AuthenN2
view release on metacpan or search on metacpan
AuthenN2.pm view on Meta::CPAN
my $r = shift;
# service only the first internal request
return OK unless $r->is_initial_req;
# get password user entered in browser
my($res, $sent_pwd) = $r->get_basic_auth_pw;
# decline if not basic
return $res if $res;
AuthenN2.pm view on Meta::CPAN
}
# try nis+
# get passwd table name
my $passwd_table = $dir_config->get('NISPlus_Passwd_Table');
# get user password entry
my $pwd_table = Net::NISPlus::Table->new($passwd_table);
unless ($pwd_table){
$r->note_basic_auth_failure;
$r->log_reason($self . ': cannot get nis+ passwd table', $r->uri);
return AUTH_REQUIRED;
AuthenN2.pm view on Meta::CPAN
order of checking.
Note that this scheme is quite permissive. Valid nt credentials
against any of the controllers or domains, or valid nis+ credentials
will allow access. This multiplies exposure to poorly selected
passwords.
<Files *challenge*> is just a way of specifying which files should be
protected by this authenticator. In this example, a script named
newbug-challenge.pl would be protected, regardless of where it is
located in the apache htdocs or cgi directories. If you prefer, you
AuthenN2.pm view on Meta::CPAN
require group eng
require user john larry
</Files>
A couple of tips about AuthenCache: 1 comment out the $r->warn lines
that echo the password to the apache error log (they are fine for
debugging but not good for production), and 2 keep in mind that the
cache has to be established separately in each current httpd child
process, so it does not appear to be working consistently until all
the children know about the user. This is nothing to panic about; we
are just playing the odds: the more active the user is, the more they
Apache-AuthenNIS
view release on metacpan or search on metacpan
AuthenNIS.pm view on Meta::CPAN
return MP2 ? Apache::DECLINED : Apache::Constants::DECLINED;
}
else
{
$r->note_basic_auth_failure;
MP2 ? $r->log_error("Apache::AuthenNIS - user $name: bad password", $r->uri) : $r->log_reason("Apache::AuthenNIS - user $name: bad password", $r->uri);
return MP2 ? Apache::HTTP_UNAUTHORIZED : Apache::Constants::HTTP_UNAUTHORIZED;
}
}
return MP2 ? Apache::OK : Apache::Constants::OK;
AuthenNIS.pm view on Meta::CPAN
adaptation (i.e. I modified the code) of Michael Parker's
(B<parker@austx.tandem.com>) Apache::AuthenSmb module.
The module uses Net::NIS::yp_match to retrieve the "passwd" entry from the
passwd.byname map, using the supplied username as the search key. It then
uses crypt() to verify that the supplied password matches the retrieved
hashed password.
= head2 Apache::AuthenNIS vs. Apache::AuthzNIS
I've taken "authentication" to be meaningful only in terms of a user and
password combination, not group membership. This means that you can use
Apache::AuthenNIS with the B<require user> and B<require valid-user>
directives. In the NIS context I consider B<require group> to be an
"authorization" concern. I.e., Group authorization consists of
establishing whether the already authenticated user is a member of one of
the indicated groups in the B<require group> directive. This process may
( run in 1.214 second using v1.01-cache-2.11-cpan-49f99fa48dc )