Re: logging out

2000-08-04 Thread Simon_Wilcox


I used Net::LDAP, a pure Perl implementation, against a Novell eDirectory LDAP
server.

  You can find it at CPAN or at
  http://sourceforge.net/project/?group_id=5050

  I coded the authen_cred method to authenticate against LDAP and then store
  the username in the session hash.

  The authen_ses_key method then recovers the username from the session
  hash.

  I created a custom require method to check group membership so I can
  include something like this in httpd.conf :

  require LDAPGroup cn=administrators,ou=groups,o=wl

  I want to extend it to check for container membership too but I don't need
  that just now.

  I could send you the code if it would be of interest.

  Simon Wilcox
  Intranet Development Manager



From   Drew Taylor [EMAIL PROTECTED]   Date  23:18:04   3 August
   2000

To:   Simon Wilcox/BASE/WilliamsLea@WilliamsLea
cc:   [EMAIL PROTECTED]
Fax to:
Subject:  Re: logging out



[EMAIL PROTECTED] wrote:

 I recommend Apache::AuthCookie. This has worked really well for me, and
 allows me to use an HTML form which is much nicer for my users than the
 default dialog box.

 FWIW - I sub-classed AuthCookie to authenticate against an LDAP directory
 (using Net::LDAP) but you can use a RDBMS just as easily.

I have used Apache::AuthCookie also and liked it. What module did you
use to authenticate against the LDAP server? We are setting one up here
for internal use and I am still trying to find the best (read easiest)
way to authenticate against it.

--
Drew Taylor
Vialogix Communications, Inc.
501 N. College Street
Charlotte, NC 28202
704 370 0550
http://www.vialogix.com/







Re: logging out

2000-08-04 Thread darren chamberlain

Angel R. Rivera ([EMAIL PROTECTED]) said something to this effect:
 I authenticate against a database but need to carry more information than
 just their name so if I have read the readme at CPAN correctly, this just
 may do the trick.  Thanks to all who have written me.  -ar
 
 depending on how you're handling the session information you may be able
 to just delete it in an appropriate action (/...etcetc/logout.html or
 whatever).  In my case I'm using Apache::Session so deleting the session
 means the next time the user accesses a page they're assigned a new
 session which starts at ground zero.

If that is too heavy weight for you (sometimes all you need is one or two
bits of info and they're relatively static), you can put that info into
pnotes immediately after you authenticate. That makes it available for the
duration of the request, with a minimum of fuss.

(darren)

--
He who would trade liberty for safety deserves neither.



Re: logging out

2000-08-04 Thread Drew Taylor

[EMAIL PROTECTED] wrote:
 
 I used Net::LDAP, a pure Perl implementation, against a Novell eDirectory LDAP
 server.
 
 You can find it at CPAN or at
 http://sourceforge.net/project/?group_id=5050
 
 I coded the authen_cred method to authenticate against LDAP and then store
 the username in the session hash.
 
 The authen_ses_key method then recovers the username from the session
 hash.

I remember writing those methods long ago... :-)

 I created a custom require method to check group membership so I can
 include something like this in httpd.conf :
 
 require LDAPGroup cn=administrators,ou=groups,o=wl
 
 I want to extend it to check for container membership too but I don't need
 that just now.
 
 I could send you the code if it would be of interest.
That would be great if you don't mind. At least then I would have a
starting point. My biggest decision right now is whether to use
something like mod_auth_ldap compiled into Apache or to use
Apache::AuthCookie with LDAP authentication like you used. Does anyone
have experience with either situation?

-- 
Drew Taylor
Vialogix Communications, Inc.
501 N. College Street
Charlotte, NC 28202
704 370 0550
http://www.vialogix.com/



logging out

2000-08-03 Thread Angel R. Rivera

Ok folks, I am stumped.

I am writing an authentication handler for our site and so far so good-it is
coming on line.  It makes sense.  What does not make sense is how can
I log myself off without having to exit the browser?  If someone can point me
in the right direction I shall be in your debt.  TIA, -ar

Angel R. Rivera, [EMAIL PROTECTED]
--
  Website: http://www.wolf.com
Our Wolf:  http://www.wolf.com/Ookami.html
--
"The Quality of a person's life is in direct proportion to their commitment
   to excellence, regardless of their chosen field of endeavor."

 Vincent T. Lombardi




Re: logging out

2000-08-03 Thread Angel R. Rivera

I authenticate against a database but need to carry more information than
just their name so if I have read the readme at CPAN correctly, this just
may do the trick.  Thanks to all who have written me.  -ar

depending on how you're handling the session information you may be able
to just delete it in an appropriate action (/...etcetc/logout.html or
whatever).  In my case I'm using Apache::Session so deleting the session
means the next time the user accesses a page they're assigned a new
session which starts at ground zero.


Angel R. Rivera, [EMAIL PROTECTED]
--
  Website: http://www.wolf.com
Our Wolf:  http://www.wolf.com/Ookami.html
--
"The Quality of a person's life is in direct proportion to their commitment
   to excellence, regardless of their chosen field of endeavor."

 Vincent T. Lombardi




Re: logging out

2000-08-03 Thread Simon_Wilcox


Angel,

  I recommend Apache::AuthCookie. This has worked really well for me, and
  allows me to use an HTML form which is much nicer for my users than the
  default dialog box.

  FWIW - I sub-classed AuthCookie to authenticate against an LDAP directory
  (using Net::LDAP) but you can use a RDBMS just as easily.

  You might also argue that it's more secure as you don't have to keep
  passing the username/password combination as you do with basic
  authentication but you should use SSL for the authentication to be really
  secure.

  If you need to store session data, you can hook it up to Apache::Session.
  A combination which works superbly in my experience.

  Simon Wilcox.



From   "Angel R. Rivera" [EMAIL PROTECTED]   Date  19:55:51   3 August
   2000

To:   [EMAIL PROTECTED]
cc:(bcc: Simon Wilcox/BASE/WilliamsLea)
Fax to:
Subject:  logging out



Ok folks, I am stumped.

I am writing an authentication handler for our site and so far so good-it is
coming on line.  It makes sense.  What does not make sense is how can
I log myself off without having to exit the browser?  If someone can point me
in the right direction I shall be in your debt.  TIA, -ar

Angel R. Rivera, [EMAIL PROTECTED]
--
  Website: http://www.wolf.com
Our Wolf:  http://www.wolf.com/Ookami.html
--
"The Quality of a person's life is in direct proportion to their commitment
   to excellence, regardless of their chosen field of endeavor."

 Vincent T. Lombardi








Re: logging out

2000-08-03 Thread Drew Taylor

[EMAIL PROTECTED] wrote:
 
 I recommend Apache::AuthCookie. This has worked really well for me, and
 allows me to use an HTML form which is much nicer for my users than the
 default dialog box.
 
 FWIW - I sub-classed AuthCookie to authenticate against an LDAP directory
 (using Net::LDAP) but you can use a RDBMS just as easily.

I have used Apache::AuthCookie also and liked it. What module did you
use to authenticate against the LDAP server? We are setting one up here
for internal use and I am still trying to find the best (read easiest)
way to authenticate against it.

-- 
Drew Taylor
Vialogix Communications, Inc.
501 N. College Street
Charlotte, NC 28202
704 370 0550
http://www.vialogix.com/



Re: logging out

2000-08-03 Thread darren chamberlain

Angel R. Rivera ([EMAIL PROTECTED]) said something to this effect:
 Ok folks, I am stumped.
 
 I am writing an authentication handler for our site and so far so good-it is
 coming on line.  It makes sense.  What does not make sense is how can
 I log myself off without having to exit the browser?  If someone can point me
 in the right direction I shall be in your debt.  TIA, -ar

If you are using Apache's authentication (i.e., having Apache send an Auth
Required header), then the only way is to close the browser.

The approach I like is something like this:

It requires two AuthHandlers, and cookies.

Set up a Location that doesn't exist, like /some/where/that/doesnt/exist,
and set your first AuthHandler to work on that uri. In this auth handler,
do the password checks and set a cookie if the checks pass (i.e., return OK),
or return AUTH_REQUIRED.

For every page you want protected, create a second AuthHandler that checks
for this cookie. If it exists, then the user has visited your first handler
(the one on the non-existent location) and has authenticated there.

Why 2 handlers, and why a non-existent location? If you use a real location,
then the browser will send its own Auth headers, which is precisely what you
want to avoid (this is what can't be logged out). The second handler merely
checks for the existence of that cookie, no other checks are necessary. If
it is missing, then redirect to the login Location, possibly with some 
redirect info back to the current URI.

(darren)

-- 
Cole's Law: Thinly sliced cabbage.
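
An added sketch of the cookie step in the two-handler scheme described above, not code from the thread. It goes one step beyond the post by signing the cookie with an HMAC and giving it an expiry, because a handler that only tests for the cookie's presence accepts whatever value the client sends. The cookie name, secret, lifetime and function names are assumptions; the functions are plain Perl meant to be called from the login, protected-page and logout handlers.

```perl
# Added example (not from the thread). Names and values marked below are assumptions.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
my $SECRET   = 'constructed-demo-secret';  # assumption: random value kept server-side
my $COOKIE   = 'AuthTicket';               # hypothetical cookie name
my $LIFETIME = 1800;                       # assumption: ticket lifetime in seconds

# Login handler: call after the password check passes; returns a Set-Cookie value.
sub issue_ticket {
    my ($user, $now) = @_;
    die "unexpected characters in username\n" unless $user =~ /\A[\w.\-]+\z/;
    my $expires = $now + $LIFETIME;
    my $mac = hmac_sha256_hex("$user:$expires", $SECRET);
    return "$COOKIE=$user:$expires:$mac; Path=/; Secure; HttpOnly";
}

# Compare two strings without stopping at the first differing byte.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Protected-page handler: returns the username, or undef (redirect to the login Location).
sub check_ticket {
    my ($cookie_header, $now) = @_;
    return undef unless defined $cookie_header;
    my ($value) = $cookie_header =~ /(?:^|;\s*)\Q$COOKIE\E=([^;]*)/ or return undef;
    my ($user, $expires, $mac) = $value =~ /\A([\w.\-]+):(\d+):([0-9a-f]{64})\z/ or return undef;
    return undef unless same_string($mac, hmac_sha256_hex("$user:$expires", $SECRET));
    return undef if $expires <= $now;      # signed but past its lifetime
    return $user;
}

# Logout action: Set-Cookie value that makes the browser drop the ticket.
sub logout_cookie { return "$COOKIE=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT" }

# Constructed demo input: one login, then requests to a protected page.
my $t0 = 965_347_200;                      # constructed timestamp
my ($ticket) = issue_ticket('angel', $t0) =~ /\A([^;]+)/;
(my $forged = $ticket) =~ s/angel/admin/;  # value edited on the client side
my %seen = (valid => $ticket, forged => $forged, presence_only => "$COOKIE=1");
for my $name (sort keys %seen) {
    printf "%-14s %s\n", $name, check_ticket($seen{$name}, $t0 + 60) // 'redirect to login';
}
printf "%-14s %s\n", 'expired', check_ticket($ticket, $t0 + $LIFETIME + 1) // 'redirect to login';
print "logout:        Set-Cookie: ", logout_cookie(), "\n";
```

Expiring the cookie only clears the browser's copy: a ticket copied before logout still verifies until its expiry time. Keep the lifetime short, or tie the ticket to a server-side session (such as the Apache::Session record mentioned in the thread) that the logout action deletes.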