Apache::AuthDBI Extension
At our company we're looking at making an extension on top of AuthDBI that would allow us to make mandatory password changes, match new passwords against dictionaries and other security changes. Has anyone done something similar already?

Thanks,
Brian Hann
PATCH: Apache::AuthDBI
I have been having trouble connecting to my user database; according to the logs, there was never any password returned. After browsing through the code, I found the following:

---start code---
undef $passwd if 0 == $sth->rows; # so we can distinguish later on between no password and empty password
---end code---

According to the DBI documentation here: http://search.cpan.org/author/TIMB/DBI-1.30/DBI.pm#rows

---start quote---
So use of the rows method or $DBI::rows with SELECT statements is not recommended.
---end quote---

It seems my particular driver (PgPP) is returning a 0 to $sth->rows, which undefs $passwd, even if there was a password returned. So I cooked up a patch to fix it. (Attached) It simply increments a counter while looping through the recordsets and checks that counter instead of $sth->rows.

My Configuration:
Apache 1.3.26
Apache::AuthDBI 0.88
PostgreSQL 7.2.1
Perl 5.6.1
DBD::PgPP 0.04

--- AuthDBI.pm Wed Nov 20 06:04:19 2002 +++ old/AuthDBI.pm Wed Nov 20 05:30:25 2002 @@ -273,10 +273,9 @@ $dbh-disconnect; return SERVER_ERROR; } - my $password_count = 0; + # fetch result while ($_ = $sth-fetchrow_array) { - $password_count++; # strip trailing blanks for fixed-length data-type $_ =~ s/ +$// if $_; # consider the case with many users sharing the same userid @@ -284,7 +283,7 @@ } chop $passwd if $passwd; -undef $passwd if 0 == $password_count; # so we can distinguish later on between no password and empty password +undef $passwd if 0 == $sth-rows; # so we can distinguish later on between no +password and empty password if ($sth-err) { $dbh-disconnect;
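Review bot: In the first hunk (@@ -273) the counter is incremented inside `while ($_ = $sth-fetchrow_array)`, whose test is the truth of the fetched value, so a row whose password is empty or "0" ends the loop before `$password_count++` runs. The counter then stays at 0 and `$passwd` is still undef'ed, which is the exact case the "no password and empty password" comment wants to tell apart. Fetch into a list (for example `my @row`) and test that a row came back, then count and read the password from it.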
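Review bot: The second hunk (@@ -284) shows the diff was generated in the wrong direction: the `-` line carries the new `$password_count` test and the `+` line carries the old `$sth-rows` test, with `old/AuthDBI.pm` on the `+++` side. Applied as posted it would remove the fix rather than add it. Regenerate it with the original file first so it applies without a reverse flag, and keep the trailing comment on one line so the wrapped `+password and empty password` fragment does not end up as code.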
PATCH Apache::AuthDBI
This patch makes Apache::AuthDBI work under mod_perl 1.99 as well as under mod_perl 1.X. It works fine at least with mysql and Oracle.

Regards

--
-Why do you hold back? Why do you take pity? Why -hated by the gods- do you not hate a god? Why do you not betray him if he betrayed your honor?
- We are alike, our lives are bound together.

diff -ru Apache-DBI-0.89.old/AuthDBI.pm Apache-DBI-0.89/AuthDBI.pm --- Apache-DBI-0.89.old/AuthDBI.pm 2002-06-18 01:49:39.0 -0400 +++ Apache-DBI-0.89/AuthDBI.pm 2002-10-07 21:29:52.0 -0400 -174,7 +174,7 return $res if $res; # e.g. HTTP_UNAUTHORIZED # get username -my ($user_sent) = $r-connection-user; +my ($user_sent) = $r-user; print STDERR $prefix user sent = $user_sent\n if $Apache::AuthDBI::DEBUG 1; # do we use shared memory for the global cache ? -426,7 +426,7 my ($group_result) = DECLINED; # get username -my ($user_sent) = $r-connection-user; +my ($user_sent) = $r-user; print STDERR $prefix user sent = $user_sent\n if $Apache::AuthDBI::DEBUG 1 ; # here we could read the configuration, but we re-use the configuration from the authentication
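Review bot: The first hunk (line 174, the authen handler) drops `$r-connection-user` with no fallback, and neither the hunk nor the message names the oldest mod_perl 1.X release on which `$r-user` is available. State the minimum supported mod_perl version in the module documentation, or keep the old call behind a capability check such as `$r->can('user')` so older 1.X installs do not end up with an undefined user name in the authentication path.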
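Review bot: The second hunk (line 426, the authz handler) repeats the same one-line change made in the authen handler, so the user-name lookup now has to be kept in step in two places. Move it into one small helper that both handlers call, so that any later API difference between mod_perl versions is handled once and authen and authz cannot disagree about which user they are checking.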
Apache::AuthDBI problem
I'm having trouble with the AuthDBI module. It works fine if I use require valid-user or require user. But when I try to require group I get this error:

couldn't check access. No groups file?: /test/

What am I doing wrong? This is my .htaccess file.

AuthName DBI
AuthType Basic
PerlAuthenHandler Apache::AuthDBI::authen
PerlAuthenHandler Apache::AuthDBI::authz
PerlSetVar Auth_DBI_encrypted off
PerlSetVar Auth_DBI_data_source dbi:mysql:database=auth;host=localhost
PerlSetVar Auth_DBI_username username
PerlSetVar Auth_DBI_password password
PerlSetVar Auth_DBI_pwd_table passwd
PerlSetVar Auth_DBI_uid_field username
PerlSetVar Auth_DBI_pwd_field password
PerlSetVar Auth_DBI_grp_table passwd
PerlSetVar Auth_DBI_grp_field grp
require group test1

Any help would be great.

Robert
Need help with Apache::AuthDBI
Hi,

I am having problem getting Apache::AuthDBI working. It seems like it's allowing user access anyways... i.e. I have tried it with valid user and invalid username, valid password and invalid password and in all cases it lets you in... here is some supporting data.

I have the following Apache and mod_perl version...

[Sun Aug 26 19:56:44 2001] [notice] Apache/1.3.12 (Unix) (Red Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5a mod_perl/1.24 configured -- resuming normal operations

I also have the following virtual host definition in my httpd.conf. Note I'm simply requiring a startup.pl file.

<VirtualHost xx.xx.xx.xx>
    ServerName www.joe.com
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /web/joe
    ErrorLog /etc/httpd/logs/joe/error_log
    TransferLog /etc/httpd/logs/joe/access_log
    <Directory /web/joe>
        PerlRequire /web/joe/mod_perl/startup.pl
        Options Indexes Includes FollowSymLinks ExecCGI
        AddHandler cgi-script .cgi
        AllowOverride All
    </Directory>
    ScriptAlias /cgi-bin/ /web/joe/cgi-bin/
</VirtualHost>

I also have a startup.pl file that reads

#!/usr/bin/perl
use Apache::DBI;
use Apache::AuthDBI;
use Carp;
warn("in startup");
$Apache::DBI::DEBUG = 2;
$Apache::AuthDBI::DEBUG = 2;

And finally I have a .htaccess that reads

AuthName DBI
AuthType Basic
PerlAuthenHandler Apache::AuthDBI::authen
PerlAuthzHandler Apache::AuthDBI::authz
PerlSetVar Auth_DBI_data_source dbi:informix:joe@docware
PerlSetVar Auth_DBI_username
PerlSetVar Auth_DBI_password
PerlSetVar Auth_DBI_pwd_table users
PerlSetVar Auth_DBI_uid_field user_name
PerlSetVar Auth_DBI_grp_whereclause and user_passwd = $ENV{REMOTE_PASSWD}
PerlSetVar Auth_DBI_pwd_field user_passwd
PerlSetVar Auth_DBI_grp_field user_name
PerlSetVar Auth_DBI_encrypted off
PerlSetVar Auth_DBI_uidcasesensitive off
PerlSetVar Auth_DBI_authoritative on
require valid-user

And the error log shows

31496 Apache::AuthDBI::authen passwd not found in cache
==
31496 Apache::AuthDBI::authz request type = initial main
31496 Apache::AuthDBI::authz user sent = medi
31496 Apache::AuthDBI::authz requirements: valid-user=1 user= group=
31496 Apache::AuthDBI::authz user_result = OK: valid-user
31496 Apache::AuthDBI::authz return OK

I have followed step by step instructions of Apache::AuthDBI and I can not get this thing to work... perhaps I'm overlooking something.

From my understanding of Authentication and Authorization, it looks like in spite of Auth_DBI_authoritative being set, the authorization (or authentication) is not doing its job of rejecting and returning an OK.

Can someone help please...

--
Medi Montaseri [EMAIL PROTECTED]
Unix Distributed Systems Engineer HTTP://www.CyberShell.com
CyberShell Engineering
Re: Apache::AuthDBI
On Tue, Jun 19, 2001 at 10:38:01AM -0700, Alan E. Derhaag wrote:
Christian Heiss [EMAIL PROTECTED] writes:

Hi, I'm using Apache::AuthDBI to verifying the users on my web site.

then I put it in the database with:

my $sql = INSERT INTO table name VALUES($userid, $groupid, $pass, ...);

of course, before I'm using the quote function ($dbh->quote($userid)...)...

maybe do this instead:

@vars = ($alpha,$bravo,$charlie,$delta);
# one "?" placeholder per value, separated by commas
my $sql = "insert into sometable values(" . (join ',', ('?') x @vars) . ")";
$sth = $dbh->prepare($sql);
$sth->execute(@vars);
$sth->finish();

just a suggestion...

--
I figure: if a man's gonna gamble, may as well do it without plowing. -- Bama Dillert, Some Came Running
[EMAIL PROTECTED]
http://sourceforge.net/projects/newbiedoc -- we need your brain!
http://www.dontUthink.com/ -- your brain needs us!
Re: Apache::AuthDBI
Standard SQL allows for inserts without specifying field names. Personally, I think that it is more readable to specify the field names but it is quite common to not bother doing so.

--
Douglas Leonard [EMAIL PROTECTED]

On 19 Jun 2001, Alan E. Derhaag wrote:
Christian Heiss [EMAIL PROTECTED] writes:

Hi, I'm using Apache::AuthDBI to verifying the users on my web site. I can connect to the protected site, but there is a output in the error log:

Use of uninitialized value at /usr/lib/perl5/site_perl/5.005/Apache/AuthDBI.pm line 450
Use of uninitialized value at /usr/lib/perl5/site_perl/5.005/Apache/AuthDBI.pm line 480
Use of uninitialized value at /usr/lib/perl5/site_perl/5.005/Apache/AuthDBI.pm line 481

[...]

then I put it in the database with:

my $sql = INSERT INTO table name VALUES($userid, $groupid, $pass, ...);

of course, before I'm using the quote function ($dbh->quote($userid)...)...

What database manager allows SQL without supplying the fields the values go into?
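The placeholder approach suggested in the previous reply, combined with the explicit field list discussed in this one, as an added example (not code from the thread or from Apache::AuthDBI). It assumes DBD::SQLite is installed; the users table, its columns and the insert_user helper are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available. The in-memory database stands in for
# the MySQL table from the thread; table and column names are made up.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE users (userid TEXT PRIMARY KEY, groupid TEXT, passwd TEXT)');

# Column names cannot be bound as placeholders, so they are checked
# against a fixed allowlist instead of being taken from the request.
my %ALLOWED = map { $_ => 1 } qw(userid groupid passwd);

# Hypothetical helper: insert one row given column => value pairs.
sub insert_user {
    my ($dbh, %row) = @_;
    my @cols = sort keys %row;
    for my $col (@cols) {
        die "unexpected column '$col'\n" unless $ALLOWED{$col};
    }
    # Explicit field list plus one "?" per value.
    my $sql = sprintf 'INSERT INTO users (%s) VALUES (%s)',
        join(', ', map { $dbh->quote_identifier($_) } @cols),
        join(', ', ('?') x @cols);
    my $sth = $dbh->prepare($sql);
    $sth->execute(@row{@cols});   # values travel separately from the SQL text
    return $sql;
}

# Constructed sample input: a userid containing quote characters.
my $odd_userid = q{O'Brien "test"; --};
my $sql = insert_user($dbh,
    userid  => $odd_userid,
    groupid => 'staff',
    passwd  => 'HASH-PLACEHOLDER',   # the stored hash goes here
);
print "statement: $sql\n";

# Read the row back and compare it with the input.
my ($stored) = $dbh->selectrow_array(
    'SELECT userid FROM users WHERE groupid = ?', undef, 'staff');
print $stored eq $odd_userid ? "stored verbatim\n" : "MISMATCH\n";

# A column name outside the allowlist is rejected before any SQL is built.
my $ok = eval { insert_user($dbh, 'passwd) --' => 'x'); 1 };
print "rejected: $@" unless $ok;
```

Because the values are passed to execute rather than pasted into the statement, no call to $dbh->quote is needed for them, and naming the columns keeps the insert correct if the table later gains or reorders fields.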
Apache::AuthDBI
Hi,

I'm using Apache::AuthDBI to verifying the users on my web site. I can connect to the protected site, but there is a output in the error log:

Use of uninitialized value at /usr/lib/perl5/site_perl/5.005/Apache/AuthDBI.pm line 450
Use of uninitialized value at /usr/lib/perl5/site_perl/5.005/Apache/AuthDBI.pm line 480
Use of uninitialized value at /usr/lib/perl5/site_perl/5.005/Apache/AuthDBI.pm line 481

To crypt the passwords I'm using something like this:

my $userid = $query->param('userid');
my $pass = $query->param('pass');
my $groupid = $query->param('groupid');
my $fullname = $query->param('fullname');
$pass = crypt("$pass", "$userid");

then I put it in the database with:

my $sql = "INSERT INTO table name VALUES($userid, $groupid, $pass, ...);

of course, before I'm using the quote function ($dbh->quote($userid)...)...

and my .htaccess is:

PerlModule Apache::AuthDBI
AuthName "something else"
AuthType Basic
PerlAuthenHandler Apache::AuthDBI::authen
PerlAuthzHandler Apache::AuthDBI::authz
PerlSetVar Auth_DBI_encrypted on
PerlSetVar Auth_DBI_data_source dbi:mysql:database
PerlSetVar Auth_DBI_username user name
PerlSetVar Auth_DBI_password password
PerlSetVar Auth_DBI_pwd_table table name
PerlSetVar Auth_DBI_uid_field userid field
PerlSetVar Auth_DBI_grp_field groupid field
PerlSetVar Auth_DBI_pwd_field password field
require valid-user
allow from all

Does anybody know how to stop this error output?

Thanks a lot
Christian Heiß
Re: Apache::AuthDBI
Christian Heiss wrote:

and my .htaccess is:
---
PerlModule Apache::AuthDBI
AuthName "something else"
...

What does your startup.pl look like? The configuration 'PerlModule Apache::AuthDBI' is not supposed to be in .htaccess. Also it would be helpful to know the version of ApacheDBI.

Edmund

--
http://www.edmund-mergl.de
fon: +49 700 edemergl
Apache::AuthDBI not setting $ENV{REMOTE_GROUP}
I've been using Apache::AuthDBI (and earlier, Apache::AuthenDBI) for a while, but never before have I used groups. I recently started trying to use groups, and with Apache::AuthDBI::DEBUG set to 2, I can get something like this in my error_log...

22310 Apache::AuthDBI::authz request type = initial main
22310 Apache::AuthDBI::authz user sent = robf
22310 Apache::AuthDBI::authz requirements: valid-user=1 user= group=admin
22310 Apache::AuthDBI::authz user_result = OK: valid-user
22310 Apache::AuthDBI::authz return OK

As you can see, Apache::AuthDBI::authz is getting the group name 'admin' from the database, but the group name isn't passed in to my CGI script (I'm using Apache::Registry) at all. Any hints where the problem might be? Is it a bug in Apache::AuthDBI?

Thanx,
Rob

--
Rob Fugina, Systems Guy [EMAIL PROTECTED] -- http://www.geekthing.com
EA CF 09 1B AF 76 A9 D8 75 FE 26 6A E4 14 0A 3C
Prenatal discretion is advised.
Apache::AuthCookie or Apache::AuthDBI or Apache::???
What's the best way to authenticate users? I have a site where the entire site is to be protected. I want to log users in at the front of the web site, and keep them logged in as they travel around. I was trying to get AuthCookie to work but haven't been successful so far. Should I continue down this route? Is Apache::Session + AuthBasic better? Or is AuthDBI? I have a mysql database handy. What's the most popular Auth method nowadays? Is there a popularity/usage chart compiled anywhere? Thanks in advance! Kenneth
Re: Apache::AuthCookie or Apache::AuthDBI or Apache::???
"KF" == Kenneth Frankel [EMAIL PROTECTED] writes: KF What's the best way to authenticate users? I have a site where the entire KF site is to be protected. I want to log users in at the front of the web For a site whose contents are entirely protected, I'd use basic auth with a cookie override. That's what I've done in the past. Neither of these require perl or mod_perl, though. See the apache module registry at www.apache.org for references to my mod_auth_cookie which tricks Apache into converting a cookie into a basic auth header. How you set the cookie is up to you... How you authenticate depends mostly on your needs of maintaining the database. I've used flat files with htpasswd, dbm files with htpasswd and my own home brew scripts, and MySQL tables with my own scripts. None of these require mod_perl, either, but you can use mod_perl based versions of the necessary authentication modules.
Apache::AuthDBI example wanted
Can someone please post an example of how to use Apache::AuthDBI? The perldoc for it is vague to me. It says to put all this stuff in httpd.conf and it just generates errors, i.e. it doesn't have one little working example.

thanks