Apache::AuthDBI Extension

2003-01-15 Thread Hann, Brian




At our company we're looking at making an extension on top of AuthDBI that
would allow us to make mandatory password changes, match new passwords
against dictionaries and other security changes.

Has anyone done something similar already?

Thanks,

Brian Hann



PATCH: Apache::AuthDBI

2002-11-21 Thread mod_perl_users
I have been having trouble connecting to my user database, according to the logs, 
there was never any password returned.

After browsing through the code, I found the following:
---start code---
undef $passwd if 0 == $sth->rows; # so we can distinguish later on between no password and empty password
---end code---

According to the DBI documentation here:
http://search.cpan.org/author/TIMB/DBI-1.30/DBI.pm#rows
---start quote---
So use of the rows method or $DBI::rows with SELECT statements is not recommended.
---end quote---

It seems my particular driver (PgPP) is returning a 0 to $sth->rows, which undefs
$passwd, even if there was a password returned.

So I cooked up a patch to fix it.  (Attached)

It simply increments a counter while looping through the recordsets and checks that
counter instead of $sth->rows.

My Configuration:
Apache 1.3.26
Apache::AuthDBI 0.88
PostgreSQL 7.2.1
Perl 5.6.1
DBD::PgPP 0.04




--- AuthDBI.pm  Wed Nov 20 06:04:19 2002
+++ old/AuthDBI.pm  Wed Nov 20 05:30:25 2002
@@ -273,10 +273,9 @@
 $dbh-disconnect;
 return SERVER_ERROR;
 }
-   my $password_count = 0;
+
 # fetch result
 while ($_ = $sth-fetchrow_array) {
-   $password_count++;
 # strip trailing blanks for fixed-length data-type
 $_ =~ s/ +$// if $_;
 # consider the case with many users sharing the same userid
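Review bot: the patch direction is reversed. The headers read `--- AuthDBI.pm` / `+++ old/AuthDBI.pm` and the two `$password_count` lines in this hunk carry `-`, so applying it as posted removes the counter instead of adding it. Regenerate it with the original file first, e.g. `diff -u old/AuthDBI.pm AuthDBI.pm`.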
@@ -284,7 +283,7 @@
 }
 
 chop  $passwd if $passwd;
-undef $passwd if 0 == $password_count; # so we can distinguish later on 
between no password and empty password
+undef $passwd if 0 == $sth-rows; # so we can distinguish later on between no 
+password and empty password
 
 if ($sth-err) {
 $dbh-disconnect;
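Review bot: the `0 == $password_count` check on the changed line still cannot tell an empty password from no row, which is what its comment promises. The counter is only incremented inside the `while ($_ = $sth-fetchrow_array)` loop shown in the previous hunk, and that scalar assignment is false for a row whose password is '' or '0', so the loop body never runs for such a row and the count stays 0. Fetching in list context, for example `while (my ($pw) = $sth->fetchrow_array)`, counts every returned row. The changed comment lines are also wrapped by the mailer (the continuation has no diff prefix), so the patch will not apply cleanly as posted.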
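The row-counting approach described in the message above, as an added example that is not part of the original post or of Apache::AuthDBI. It fetches in list context so that a row with an empty password still counts as a row; it assumes DBI and DBD::SQLite are installed, and the table, columns and `lookup_passwd()` are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not AuthDBI's code. Assumes DBI and DBD::SQLite are installed;
# the table, columns and lookup_passwd() are hypothetical.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE users (username TEXT, passwd TEXT)');
# Constructed rows: one padded password, one empty password.
$dbh->do('INSERT INTO users VALUES (?, ?)', undef, @$_)
    for ['alice', 'secret  '], ['blank', ''];

# Returns undef when no row matched, otherwise the (possibly empty) password.
sub lookup_passwd {
    my ($dbh, $user) = @_;
    my $sth = $dbh->prepare('SELECT passwd FROM users WHERE username = ?');
    $sth->execute($user);

    my ($found, $passwd) = (0, undef);
    # List assignment in the condition: true for every fetched row, even when
    # the column is '' or '0'; false only when the result set is exhausted.
    while (my ($value) = $sth->fetchrow_array) {
        $found++;                            # count rows ourselves, not $sth->rows
        $value = '' unless defined $value;   # SQL NULL
        $value =~ s/ +$//;                   # strip padding of fixed-length types
        $passwd = $value;
    }
    return $found ? $passwd : undef;
}

for my $user (qw(alice blank nobody)) {
    my $pw = lookup_passwd($dbh, $user);
    printf "%-6s => %s\n", $user,
        defined $pw ? "row found, password '$pw'" : 'no row';
}
$dbh->disconnect;
```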






PATCH Apache::AuthDBI

2002-10-07 Thread Marcos Ramirez A.

This patch makes Apache::AuthDBI work under mod_perl 1.99 as well as under
mod_perl 1.X

It works fine at least with mysql and Oracle

Regards
-- 
-Why do you hold back? Why do you take pity?
  Why, hated by the gods, do you not hate a god?
  Why do you not betray him if he betrayed your honor?
- We are alike, our lives are bound together.


diff -ru Apache-DBI-0.89.old/AuthDBI.pm Apache-DBI-0.89/AuthDBI.pm
--- Apache-DBI-0.89.old/AuthDBI.pm	2002-06-18 01:49:39.0 -0400
+++ Apache-DBI-0.89/AuthDBI.pm	2002-10-07 21:29:52.0 -0400
 -174,7 +174,7 
 return $res if $res; # e.g. HTTP_UNAUTHORIZED
 
 # get username
-my ($user_sent) = $r-connection-user;
+my ($user_sent) = $r-user;
 print STDERR $prefix user sent = $user_sent\n if $Apache::AuthDBI::DEBUG  1;
 
 # do we use shared memory for the global cache ?
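Review bot: the replacement of `$r->connection->user` with `$r->user` at the username lookup is unconditional, while the message says the module should keep working under mod_perl 1.X. Nothing here states which 1.x releases provide `$r->user`; either document the minimum mod_perl version or fall back to `$r->connection->user` when `$r->can('user')` is false.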
 -426,7 +426,7 
 my ($group_result) = DECLINED;
 
 # get username
-my ($user_sent) = $r-connection-user;
+my ($user_sent) = $r-user;
 print STDERR $prefix user sent = $user_sent\n if $Apache::AuthDBI::DEBUG  1 ;
 
 # here we could read the configuration, but we re-use the configuration from the authentication
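Review bot: the username lookup changed here in the group/authorization path is a verbatim copy of the one changed in the previous hunk. A small shared helper that returns the user name would keep the two handlers from diverging the next time the request API changes.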



Apache::AuthDBI problem

2002-10-03 Thread Robert Boone

I'm having trouble with the AuthDBI module. It works fine if I use require
valid-user or require user. But when I try to require group I get this
error: couldn't check access.  No groups file?: /test/

What am I doing wrong? This is my .htaccess file.

AuthName DBI
AuthType Basic

PerlAuthenHandler Apache::AuthDBI::authen
PerlAuthenHandler Apache::AuthDBI::authz

PerlSetVar Auth_DBI_encrypted off
PerlSetVar Auth_DBI_data_source   dbi:mysql:database=auth;host=localhost
PerlSetVar Auth_DBI_username username
PerlSetVar Auth_DBI_password password

PerlSetVar Auth_DBI_pwd_table passwd
PerlSetVar Auth_DBI_uid_field username
PerlSetVar Auth_DBI_pwd_field password


PerlSetVar Auth_DBI_grp_table   passwd
PerlSetVar Auth_DBI_grp_field grp


require group test1


Any help would be great.

Robert




Need help with Apache::AuthDBI

2001-08-27 Thread Medi Montaseri



Hi, 

I am having a problem getting Apache::AuthDBI working. It seems like it's
allowing user access anyways... i.e. I have tried it with valid user and
invalid username, valid password and invalid password, and in all cases it
lets you in... here is some supporting data

I have the following Apache and mod_perl version...

[Sun Aug 26 19:56:44 2001] [notice] Apache/1.3.12 (Unix)  (Red Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5a mod_perl/1.24 configured -- resuming normal operations

I also have the following virtual host definition in my httpd.conf. Note
I'm simply requiring a startup.pl file.


<VirtualHost xx.xx.xx.xx>
ServerName www.joe.com
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /web/joe
ErrorLog /etc/httpd/logs/joe/error_log
TransferLog /etc/httpd/logs/joe/access_log
<Directory /web/joe>
PerlRequire /web/joe/mod_perl/startup.pl
Options Indexes Includes FollowSymLinks ExecCGI
AddHandler cgi-script .cgi
AllowOverride All
</Directory>
ScriptAlias /cgi-bin/ /web/joe/cgi-bin/
</VirtualHost>

I also have a startup.pl file that reads

#!/usr/bin/perl
use Apache::DBI;
use Apache::AuthDBI;
use Carp;

warn("in startup");
$Apache::DBI::DEBUG = 2;
$Apache::AuthDBI::DEBUG = 2;

And finally I have a .htaccess that reads 


AuthName DBI 
AuthType Basic 

PerlAuthenHandler Apache::AuthDBI::authen 
PerlAuthzHandler Apache::AuthDBI::authz 

PerlSetVar Auth_DBI_data_source  dbi:informix:joe@docware 
PerlSetVar Auth_DBI_username  
PerlSetVar Auth_DBI_password  
PerlSetVar Auth_DBI_pwd_table users 
PerlSetVar Auth_DBI_uid_field user_name 
PerlSetVar Auth_DBI_grp_whereclause  and user_passwd = $ENV{REMOTE_PASSWD}
PerlSetVar Auth_DBI_pwd_field user_passwd 
PerlSetVar Auth_DBI_grp_field user_name 

PerlSetVar Auth_DBI_encrypted off 
PerlSetVar Auth_DBI_uidcasesensitive  off 
PerlSetVar Auth_DBI_authoritative on 

require valid-user 

And the error log shows 

 31496 Apache::AuthDBI::authen passwd not found in cache 
== 
31496 Apache::AuthDBI::authz  request type = initial main 
31496 Apache::AuthDBI::authz  user sent = medi 
31496 Apache::AuthDBI::authz  requirements: valid-user=1 user= group=
31496 Apache::AuthDBI::authz  user_result = OK: valid-user 
31496 Apache::AuthDBI::authz  return OK 
  

I have followed step by step instructions of Apache::AuthDBI and I can not
get this thing to work... perhaps I'm overlooking something

From my understanding of Authentication and Authorization, it looks like
in spite of Auth_DBI_authoritative being set, the authorization (or
authentication) is not doing its job of rejecting and returning an OK

Can someone help please... 

-- 
-
Medi Montaseri   [EMAIL PROTECTED]
Unix Distributed Systems Engineer    HTTP://www.CyberShell.com
CyberShell Engineering
-




Re: Apache::AuthDBI

2001-06-21 Thread will trillich

On Tue, Jun 19, 2001 at 10:38:01AM -0700, Alan E. Derhaag wrote:
> Christian Heiss [EMAIL PROTECTED] writes:
>
> > Hi,
> >
> > I'm using Apache::AuthDBI to verify the users on my web site.
>
> > then I put it in the database with:
> >
> > my $sql = "INSERT INTO table name VALUES($userid, $groupid, $pass, ...)";
> > of course, before I'm using the quote function ($dbh->quote($userid)...)...

maybe do this instead:

my @vars = ($alpha, $bravo, $charlie, $delta);
# one "?" placeholder per value; DBI binds the values at execute time
my $sql = "insert into sometable values(" . (join ',', ('?') x @vars) . ")";
my $sth = $dbh->prepare($sql);
$sth->execute(@vars);
$sth->finish();

just a suggestion...

-- 
I figure: if a man's gonna gamble, may as well do it
without plowing.   -- Bama Dillert, Some Came Running

[EMAIL PROTECTED]
http://sourceforge.net/projects/newbiedoc -- we need your brain!
http://www.dontUthink.com/ -- your brain needs us!
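The placeholder approach suggested above, with the column names spelled out as the later reply in this thread prefers; this is an added example, not code from the thread. It assumes DBI and DBD::SQLite are installed, and the table name, column names and sample values are made up.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Assumes DBI and DBD::SQLite are installed;
# the table and column names are hypothetical.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE users (userid TEXT, groupid TEXT, passwd TEXT)');

# Constructed sample input; the userid contains a quote on purpose.
my %row = (
    userid  => "o'brien",
    groupid => 'admin',
    passwd  => 'HASHED-PASSWORD-PLACEHOLDER',
);

# Column names come from a fixed list in the program, never from the request.
my @cols = qw(userid groupid passwd);
my $sql  = sprintf 'INSERT INTO users (%s) VALUES (%s)',
                   join(', ', @cols),
                   join(', ', ('?') x @cols);

my $sth = $dbh->prepare($sql);
$sth->execute(@row{@cols});   # values are bound, not pasted into the SQL text

# Read the row back, again with a bound parameter.
my ($stored) = $dbh->selectrow_array(
    'SELECT userid FROM users WHERE userid = ?', undef, $row{userid});

print "sql:    $sql\n";
print "stored: $stored\n";
$dbh->disconnect;
```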



Re: Apache::AuthDBI

2001-06-19 Thread Douglas Leonard

Standard SQL allows for inserts without specifying field names.
Personally, I think that it is more readable to specify the field names
but it is quite common to not bother doing so.

-- 
Douglas Leonard
[EMAIL PROTECTED]

On 19 Jun 2001, Alan E. Derhaag wrote:

> Christian Heiss [EMAIL PROTECTED] writes:
>
> > Hi,
> >
> > I'm using Apache::AuthDBI to verify the users on my web site.
> >
> > I can connect to the protected site, but there is an output in the error log:
> >
> > Use of uninitialized value at /usr/lib/perl5/site_perl/5.005/Apache/AuthDBI.pm line 450
> > Use of uninitialized value at /usr/lib/perl5/site_perl/5.005/Apache/AuthDBI.pm line 480
> > Use of uninitialized value at /usr/lib/perl5/site_perl/5.005/Apache/AuthDBI.pm line 481
>
> [...]
>
> > then I put it in the database with:
> >
> > my $sql = "INSERT INTO table name VALUES($userid, $groupid, $pass, ...)";
> > of course, before I'm using the quote function ($dbh->quote($userid)...)...
>
> What database manager allows SQL without supplying the fields the
> values go into?





Apache::AuthDBI

2001-04-22 Thread Christian Heiss




Hi,


I'm using Apache::AuthDBI to verify the users on my web site.

I can connect to the protected site, but there is an output in the error log:

Use of uninitialized value at /usr/lib/perl5/site_perl/5.005/Apache/AuthDBI.pm line 450
Use of uninitialized value at /usr/lib/perl5/site_perl/5.005/Apache/AuthDBI.pm line 480
Use of uninitialized value at /usr/lib/perl5/site_perl/5.005/Apache/AuthDBI.pm line 481


To crypt the passwords I'm using something like this:

my $userid = $query->param('userid');
my $pass = $query->param('pass');
my $groupid = $query->param('groupid');
my $fullname = $query->param('fullname');
$pass = crypt("$pass", "$userid");


then I put it in the database with:

my $sql = "INSERT INTO table name VALUES($userid, $groupid, $pass, ...)";
of course, before I'm using the quote function ($dbh->quote($userid)...)...


and my .htaccess is:

PerlModule Apache::AuthDBI
AuthName "something else"
AuthType Basic
PerlAuthenHandler Apache::AuthDBI::authen
PerlAuthzHandler Apache::AuthDBI::authz
PerlSetVar Auth_DBI_encrypted on
PerlSetVar Auth_DBI_data_source dbi:mysql:database
PerlSetVar Auth_DBI_username user name
PerlSetVar Auth_DBI_password password
PerlSetVar Auth_DBI_pwd_table table name
PerlSetVar Auth_DBI_uid_field userid field
PerlSetVar Auth_DBI_grp_field groupid field
PerlSetVar Auth_DBI_pwd_field password field

require valid-user

allow from all


Anybody knows how to stop this error output?

Thanks a lot

Christian Heiß


Re: Apache::AuthDBI

2001-04-22 Thread Edmund Mergl

Christian Heiss wrote:

> and my .htaccess is:
> ---
> PerlModule Apache::AuthDBI
> AuthName "something else"
> ...


What does your startup.pl look like?
The configuration 'PerlModule Apache::AuthDBI'
is not supposed to be in .htaccess. Also it
would be helpful to know the version of ApacheDBI.


Edmund

-- 
http://www.edmund-mergl.de
fon: +49 700 edemergl



Apache::AuthDBI not setting $ENV{REMOTE_GROUP}

2000-05-18 Thread Rob Fugina

I've been using Apache::AuthDBI (and earlier, Apache::AuthenDBI) for a
while, but never before have I used groups.

I recently started trying to use groups, and with Apache::AuthDBI::DEBUG
set to 2, I can get something like this in my error_log...

22310 Apache::AuthDBI::authz  request type = initial main 
22310 Apache::AuthDBI::authz  user sent = robf
22310 Apache::AuthDBI::authz  requirements: valid-user=1 user= group=admin 
22310 Apache::AuthDBI::authz  user_result = OK: valid-user
22310 Apache::AuthDBI::authz  return OK

As you can see, Apache::AuthDBI::authz is getting the group name 'admin'
from the database, but the group name isn't passed in to my CGI script
(I'm using Apache::Registry) at all.  Any hints where the problem
might be?  Is it a bug in Apache::AuthDBI?

Thanx,
Rob

-- 
Rob Fugina, Systems Guy
[EMAIL PROTECTED] -- http://www.geekthing.com
EA CF 09 1B AF 76 A9 D8  75 FE 26 6A E4 14 0A 3C
   Prenatal discretion is advised.



Apache::AuthCookie or Apache::AuthDBI or Apache::???

2000-04-17 Thread Kenneth Frankel

What's the best way to authenticate users?  I have a site where the entire 
site is to be protected. I want to log users in at the front of the web 
site, and keep them logged in as they travel around.   I was trying to get 
AuthCookie to work but haven't been successful so far.  Should I continue 
down this route?  Is Apache::Session + AuthBasic better?  Or is AuthDBI?  I 
have a mysql database handy.  What's the most popular Auth method 
nowadays?  Is there a popularity/usage chart compiled anywhere?

Thanks in advance!

Kenneth




Re: Apache::AuthCookie or Apache::AuthDBI or Apache::???

2000-04-17 Thread Vivek Khera

 "KF" == Kenneth Frankel [EMAIL PROTECTED] writes:

KF> What's the best way to authenticate users?  I have a site where the entire 
KF> site is to be protected. I want to log users in at the front of the web 

For a site whose contents are entirely protected, I'd use basic auth
with a cookie override.  That's what I've done in the past.  Neither
of these require perl or mod_perl, though.

See the apache module registry at www.apache.org for references to my
mod_auth_cookie which tricks Apache into converting a cookie into a
basic auth header.  How you set the cookie is up to you...

How you authenticate depends mostly on your needs of maintaining the
database.  I've used flat files with htpasswd, dbm files with htpasswd
and my own home brew scripts, and MySQL tables with my own scripts.

None of these require mod_perl, either, but you can use mod_perl based
versions of the necessary authentication modules.



Apache::AuthDBI example wanted

2000-04-03 Thread Adam Gotheridge

Can someone please post an example of how to use Apache::AuthDBI? The perldoc for it
is vague to me. It says to put all this stuff in httpd.conf and it just generates
errors, i.e. it doesn't have one little working example.

thanks