Here's the latest 'diff -u' ;) (Thanks for the tip Stas)

Diff includes:
* Fixes in authz() as suggested by Jason Lehman.
* Apache::Htgroup is optional. I'm eval'in 'require Apache::Htgroup' as shown in the links provided by Eric.


Full source:
http://www.quantumfx.com/software/modules/Apache-AuthenSmb.pm

-Carlos


Shannon Eric Peevey wrote:


Carlos Ramirez wrote:

Oops, I sent the wrong diff. I also updated the module on my site.
http://www.quantumfx.com/software/modules/Apache-AuthenSmb.pm

-Carlos

Carlos Ramirez wrote:

Included is the diff of the current 0.71 version and my mods.

The mods include the following mods:
* Allows user to use Domain\Username to authenticate. Actually, I'm also allowing Domain/Username. This eliminates a lot of the problems experienced by our users not remembering to use the 'back slash' instead of the 'forward slash'.


This is fantastic, and should probably be added to the other authen/authz mods, as well!

* Allows 'require group groupname1 groupname2 ... groupnameN'. This feature requires Apache::Htgroup, but in order to avoid problems, I only 'use' this module whenever 'require group' is present, instead of loading it at the beginning. Is this okay?

'use' tries to load the module at compile time, and therefore would fail the make test, as well as fail with an "internal server error" when any call to the module is made. Therefore, in keeping with making the function optional, we need to 'require' the module. More specific information can be found at:

http://perl.apache.org/docs/general/perl_reference/perl_reference.html#use__

http://perl.apache.org/docs/general/perl_reference/perl_reference.html#require__


Now, that being said, I am not sure that we need this functionality built into the authz function here. (This is a question that I am bringing up for debate). If we want to use a groupfile, etc. for authorizing a user, shouldn't we just let apache take care of it? (By adding a PerlSetVar to make the authz function in this module optional, as well). Then we just bypass the authz function, and apache grabs the group file, etc. by allowing us to specify this in the conf/htaccess file. (Using AuthGroupFile, etc.)
What do you think?


* Adds a 'PerlSetVar authzUsername' configuration parameter that allows you to configure the format of the "username" for the authorization phase (the name of this variable is up for suggestions). The value can be one of two values: userid or domain\userid. The default value is set to 'userid', which is the current implementation.

I think this is a good idea, based on what we decide above. (And, we could actually use this in other modules that need this same functionality)



Hope this is not too confusing.

This is a great explanation!
thanks,


--- /Apache-AuthenSmb-0.71/AuthenSmb.pm 2004-03-17 07:39:20.000000000 -0800
+++ /dev/Apache-AuthenSmb/AuthenSmb.pm  2004-03-23 20:43:36.000000000 -0800
@@ -56,6 +56,11 @@
          return MP2 ? Apache::HTTP_UNAUTHORIZED : 
Apache::Constants::HTTP_UNAUTHORIZED;
     }
 
+    ## Parse $name's with Domain\Username 
+    if ($name =~ /(\w+)[\\\/](.+)/) {
+        ($domain,$name) = ($1,$2);
+    }
+
     my $return = Authen::Smb::authen($name,
                             $sent_pwd,
                             $pdc,
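Review bot: The pattern in `if ($name =~ /(\w+)[\\\/](.+)/)` is unanchored, so a login such as `my-dom\user` matches from the middle and yields the domain `dom`; anchor it with `^` and `$` and decide explicitly which characters a domain name may contain. Because `$domain` now comes from the client rather than from `myDOMAIN`, consider checking it against a configured list of accepted domains before it is used for authentication.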
@@ -80,7 +85,25 @@
     my $requires = $r->requires;
     return (MP2 ? Apache::OK : Apache::Constants::OK) unless $requires;
 
-    my $name = MP2 ? $r->user : $r->connection->user;
+    my $name  = MP2 ? $r->user : $r->connection->user;
+    my $error = ""; # Holds error message
+    my $authz_username = $r->dir_config('authzUsername') || 'userid';
+
+    #Convert 'domain/userid' to 'domain\userid'
+    $name =~ s/\//\\/ if $name =~ /\//;
+
+    if ($authz_username eq 'domain\userid') {
+        if ($name !~ /\\/) {
+            #If we authzUsername is set to 'domain\userid' and $name
+            #is not of the form domain\userid, then we prepend the domain 
+            $name = $r->dir_config('myDOMAIN').'\\'.$name;
+        }
+    }
+    else {
+       #If authzUsername is set to 'userid' and $name has if the
+       #form Domain\Userid, then set $name = 'userid'
+       $name = $1 if $name =~ /\w+\\(.+)/;
+    }
 
     for my $req (@$requires) {
         my($require, @rest) = split /\s+/, $req->{requirement};
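Review bot: In the `else` branch, `$name = $1 if $name =~ /\w+\\(.+)/;` discards the domain, and `authzUsername` defaults to `'userid'`, so `require user alice` is satisfied by an `alice` from whichever domain was typed at login. Either keep the domain whenever the login carried one, or document that `userid` mode is only appropriate with a single trusted domain. Also, `$r->dir_config('myDOMAIN')` has no fallback here, so with `myDOMAIN` unset the name becomes `\userid`, and the comments "If we authzUsername" and "has if the form" need rewording.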
@@ -93,6 +116,46 @@
        elsif ($require eq "valid-user") {
            return MP2 ? Apache::OK : Apache::Constants::OK;
        }
+        #ok if user is in the 
+        elsif ($require eq 'group') {
+           unless ($r->dir_config('groupFile')) {
+              $error = 'Apache::AuthenSmb - Configuration error: '.
+                       'no groupFile'. $r->uri;
+
+             $r->note_basic_auth_failure;
+              MP2 ? $r->log_error($error) : $r->log_reason($error);
+
+              return MP2 ? Apache::HTTP_UNAUTHORIZED : 
+                           Apache::Constants::HTTP_UNAUTHORIZED;
+           }
+           unless (-e $r->dir_config('groupFile')) {
+              $error = 'Apache::AuthenSmb - groupFile: '.
+                       $r->dir_config('groupFile').' does not exist!';
+
+              MP2 ? $r->log_error($error) : $r->log_reason($error);
+
+              return MP2 ? Apache::HTTP_UNAUTHORIZED : 
+                           Apache::Constants::HTTP_UNAUTHORIZED;
+           }
+
+           eval { require "Apache::Htgroup"};
+           if ($@) {
+              $error = 'Apache::AuthenSmb - Unable to load '.
+                       'Apache::Htgroup: '. @$;
+              MP2 ? $r->log_error($error) : $r->log_reason($error);
+
+              return MP2 ? Apache::HTTP_UNAUTHORIZED: 
+                           Apache::Constants::HTTP_UNAUTHORIZED;
+              
+           }
+
+           my $htgrp = Apache::Htgroup->load($r->dir_config('groupFile'));
+
+           foreach my $group (@rest) {
+               return (MP2 ? Apache::OK : Apache::Constants::OK) 
+                      if $htgrp->ismember($name,$group);
+           }
+        }
     }
     
     $r->note_basic_auth_failure;
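Review bot: `eval { require "Apache::Htgroup"};` passes a quoted string, which `require` treats as a file name rather than a module name, so the load fails even when Apache::Htgroup is installed; use the bareword form `require Apache::Htgroup`. In the error message that follows, `@$` should be `$@`. The configuration-error branches return HTTP_UNAUTHORIZED, which re-prompts the user for a problem they cannot fix, so a server error status would be clearer, and only the first branch calls `note_basic_auth_failure`. The string `'no groupFile'. $r->uri` needs a separator, and the comment `#ok if user is in the` is unfinished.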
@@ -122,12 +185,21 @@
     PerlSetVar myPDC workgroup-pdc
     PerlSetVar myBDC workgroup-bdc
     PerlSetVar myDOMAIN WORKGROUP
+   
+    # Optional Variables
+    PerlSetVar groupFile /path/to/htgroups
+    # Set the format of the username to check against
+    # defaults to userid
+    PerlSetVar authzUsername userid or domain\userid
 
     PerlAuthenHandler Apache::AuthenSmb
 
     # Standard require stuff, only user and 
     # valid-user work currently
     require valid-user
+
+    # Optional, reqires that you have Apache::Htgroup
+    # require group groupname
     </Directory>
 
     These directives can be used in a .htaccess file as well.
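Review bot: `PerlSetVar authzUsername userid or domain\userid` sits in the sample configuration as if it were a usable directive; show a single value (for example `PerlSetVar authzUsername userid`) and name the alternative in the comment above it. The unchanged comment "only user and valid-user work currently" is out of date now that `require group` is added, and "reqires" should be "requires".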
@@ -135,7 +207,7 @@
     If you wish to use your own PerlAuthzHandler then the require 
     directive should follow whatever handler you use.
 
-= head1 DESCRIPTION
+=head1 DESCRIPTION
 
 This perl module is designed to work with mod_perl and the Authen::Smb
 module by Patrick Michael Kane (See CPAN).  You need to set your PDC,
@@ -143,6 +215,21 @@
 set a PDC, if no BDC is set it defaults to the PDC, if no DOMAIN is
 set it defaults to WORKGROUP.
 
+Users can also specify the Windows Domain name along with the username
+when authenticating using the format: C<Domain\Username>. The Domain 
+specified will override the domain name set in the myDOMAIN 
+configuration setting.
+
+=head2 Note
+
+If you allow users to use B<Domain\Username> and restrict access
+using the C<require user username> or C<require group groupname> make
+sure to set the username with the domain included. The authorization 
+phase will be looking for C<Domain\Username> string.
+
+Example: require user mydomain\ramirezc
+  
+
 If you are using this module please let me know, I'm curious how many
 people there are that need this type of functionality.
 
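Review bot: The Note says the authorization phase will be looking for the `Domain\Username` string, but that holds only when `authzUsername` is set to `domain\userid`; with the default `userid` the domain is stripped before the comparison, so `require user mydomain\ramirezc` would not match. State the dependency on `authzUsername` in this note. The `Example:` line should also be indented so that POD renders it verbatim.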

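The difference between `use`, bareword `require` and quoted-string `require` discussed in the thread above, as an added example that is not part of the original messages or of Apache::AuthenSmb. `My::Optional::Missing` is a constructed module name assumed not to be installed, and `try_load` is a hypothetical helper.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for an optional dependency that is not installed.
my $missing = 'My::Optional::Missing';

# Hypothetical helper: load a module by name at run time.
# Returns (1, '') on success or (0, error text) on failure.
sub try_load {
    my ($module) = @_;
    # require EXPR expects a file name, so map Foo::Bar to Foo/Bar.pm.
    (my $file = "$module.pm") =~ s{::}{/}g;
    my $ok = eval { require $file; 1 };
    return $ok ? (1, '') : (0, "$@");
}

# 1. 'use' inside a branch that never runs is still executed at compile
#    time. String eval is used only so the compile failure can be caught.
my $compiled = eval "if (0) { use $missing; } 1";
printf "use in dead branch         : %s\n",
    $compiled ? 'compiled' : 'compile failed';

# 2. require is deferred to run time, so eval can trap the failure and
#    the caller can carry on without the optional feature.
my ($ok, $err) = try_load($missing);
printf "require at run time        : %s\n",
    $ok ? 'loaded' : 'unavailable, caller continues';

# 3. A quoted string is taken as a literal file name, so this looks for
#    a file called "File::Basename" in \@INC instead of File/Basename.pm.
my $quoted = eval { require "File::Basename"; 1 };
printf "require \"File::Basename\"   : %s\n", $quoted ? 'loaded' : 'failed';

# 4. The bareword form is translated to File/Basename.pm by perl itself.
my $bare = eval { require File::Basename; 1 };
printf "require File::Basename     : %s\n", $bare ? 'loaded' : 'failed';
```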