Oops, I sent the wrong diff. I also updated the module on my site.
http://www.quantumfx.com/software/modules/Apache-AuthenSmb.pm

-Carlos

Carlos Ramirez wrote:

Included is the diff of the current 0.71 version and my mods.

The mods include the following mods:
* Allows user to use Domain\Username to authenticate. Actually, I'm also allowing Domain/Username. This eliminates a lot of the problems experienced by our users not remembering to use the 'back slash' instead of the 'forward slash'.


* Allows 'require group groupname1 groupname2 ... groupnameN'. This feature requires Apache::Htgroup, but in order to avoid problems, I only 'use' this module whenever 'require group' is present, instead of loading it at the beginning. Is this okay?

* Adds a 'PerlSetVar authzUsername' configuration parameter that allows you to configure the format of the "username" for the authorization phase (the name of this variable is up for suggestions). The value can be one of two values: userid or domain\userid. The default value is set to 'userid', which is the current implementation.

If you allow users to authenticate with domain\userid but do not want to update your current configuration 'require user' statements from 'require user username' to 'require user domain\username' then leave as is.

If you want to enforce 'domain\username' style matching in your 'require user' statements, then set 'PerlSetVar authzUsername domain\userid'. When this is turned on, users that authenticate using just their username will have the 'myDomain' prepended to their username like so: myDOMAIN\username.

In our group we have multiple domains in which there can be two accounts with the same username. For instance, domain1\ramirezc and domain2\ramirezc. So we have to use 'require user domain1\ramirezc'. Make sense?

* Updated documentation

The modified module is available in its entirety at:
http://www.quantumfx.com/software/modules/Apache-AuthenSmb.pm

Hope this is not too confusing.

-Carlos


Shannon Eric Peevey wrote:


Lehman, Jason (Registrar's Office) wrote:

If Carlos hasn't gotten back to you I wanted to send you a link to his
referenced mail to the group originally.

http://marc.theaimsgroup.com/?l=apache-modperl&m=106809701925690&w=2

And do you think you are going to try to incorporate these changes?
Because I will hold off adding them if you think they are going to make
it in to a release soon.



I have just uploaded:

Apache-AuthenSmb-0.71

This fixes the $r->log_reason/$r->log_error problem in version 0.70. Thanks for the thread, but I feel that it would be more appropriate to use Apache::AuthenCache for the purposes stated in the thread.

http://search.cpan.org/~cgilmore/Apache-AuthenCache-1.00/AuthenCache.pm

Carlos, if you have a different patch for the domain issue, please, send that on.

thanks,
speeves
cws




------------------------------------------------------------------------


59,63d58
< ## Parse $name's with Domain\Username < if ($name =~ /(\w+)[\\\/](.+)/) {
< ($domain,$name) = ($1,$2);
< }
< 88,99c83
< my $name = MP2 ? $r->user : $r->connection->user;
< my $error = ""; # Holds error message
< my $authz_username = $r->dir_config('authzUsername') || 'userid';
< < #Convert 'domain/userid' to 'domain\userid'
< $name =~ s/\//\\/ if $name =~ /\//;
< < if ($authz_username eq 'domain\userid' && $name !~ /\//) {
< #If we authzUsername is set to 'domain\userid' and $name
< #is not of the form domain\userid, then we prepend the domain < $name = $r->dir_config('myDOMAIN').'\\'.$name;
< }
---


my $name = MP2 ? $r->user : $r->connection->user;


112,141d95
< #ok if user is in the < elsif ($require eq 'group') {
< unless ($r->dir_config('groupFile')) {
< $error = 'Apache::AuthenSmb - Configuration error: '.
< 'no groupFile'. $r->uri;
< < $r->note_basic_auth_failure;
< MP2 ? $r->log_error($error) : $r->log_reason($error);
< < return MP2 ? Apache::HTTP_UNAUTHORIZED : < Apache::Constants::HTTP_UNAUTHORIZED;
< }
< unless (-e $r->dir_config('groupFile')) {
< $error = 'Apache::AuthenSmb - groupFile: '.
< $r->dir_config('groupFile').' does not exist!';
< < MP2 ? $r->log_error($error) : $r->log_reason($error);
< < return MP2 ? Apache::HTTP_UNAUTHORIZED : < Apache::Constants::HTTP_UNAUTHORIZED;
< }
< < use Apache::Htgroup;
< my $htgrp = Apache::Htgroup->load($r->dir_config('groupFile'));
< < foreach my $group (@rest) {
< return (MP2 ? Apache::OK : Apache::Constants::OK) < if $htgrp->ismember($name,$group);
< }
< }
171,176d124
< < # Optional Variables
< PerlSetVar groupFile /path/to/htgroups
< # Set the format of the username to check against
< # defaults to userid
< PerlSetVar authzUsername userid or domain\userid
183,185d130
< < # Optional, reqires that you have Apache::Htgroup
< # require group groupname
193c138
< =head1 DESCRIPTION
---


= head1 DESCRIPTION


201,215d145
< Users can also specify the Windows Domain name along with the username
< when authenticating using the format: C<Domain\Username>. The Domain < specified will override the domain name set in the myDOMAIN < configuration setting.
< < =head2 Note
< < If you allow users to use B<Domain\Username> and restrict access
< using the C<require user username> or C<require group groupname> make
< sure to set the username with the domain included. The authorization < phase will be looking for C<Domain\Username> string.
< < Example: require user mydomain\ramirezc
< <





*** AuthenSmb.pm        2004-03-18 20:01:16.000000000 -0800
--- /tmp/Apache-AuthenSmb-0.71/AuthenSmb.pm     2004-03-17 07:39:20.000000000 -0800
***************
*** 56,66 ****
           return MP2 ? Apache::HTTP_UNAUTHORIZED : 
Apache::Constants::HTTP_UNAUTHORIZED;
      }
  
-     ## Parse $name's with Domain\Username 
-     if ($name =~ /(\w+)[\\\/](.+)/) {
-         ($domain,$name) = ($1,$2);
-     }
- 
      my $return = Authen::Smb::authen($name,
                             $sent_pwd,
                             $pdc,
--- 56,61 ----
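
Review bot: The domain-parsing pattern on the first side of this hunk, `if ($name =~ /(\w+)[\\\/](.+)/)`, is unanchored and `\w+` does not cover hyphens, so for an input such as `my-domain\user` the match starts at `domain` and `$domain` is set to `domain` without any error. Anchor the pattern and widen the domain class, for example `/^([^\\\/]+)[\\\/](.+)$/`, and reject a name that contains a separator but does not match. The diff is also in reverse direction: the header lists the modified `AuthenSmb.pm` as the old file and `/tmp/Apache-AuthenSmb-0.71/AuthenSmb.pm` as the new one, so the `-` lines and the first-side `!` lines are the proposed additions. Regenerating it with the 0.71 file first would let it apply as submitted.
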
***************
*** 85,109 ****
      my $requires = $r->requires;
      return (MP2 ? Apache::OK : Apache::Constants::OK) unless $requires;
  
!     my $name  = MP2 ? $r->user : $r->connection->user;
!     my $error = ""; # Holds error message
!     my $authz_username = $r->dir_config('authzUsername') || 'userid';
! 
!     #Convert 'domain/userid' to 'domain\userid'
!     $name =~ s/\//\\/ if $name =~ /\//;
! 
!     if ($authz_username eq 'domain\userid') {
!         if ($name !~ /\//) {
!             #If we authzUsername is set to 'domain\userid' and $name
!             #is not of the form domain\userid, then we prepend the domain 
!             $name = $r->dir_config('myDOMAIN').'\\'.$name;
!         }
!     }
!     else {
!        #If authzUsername is set to 'userid' and $name has if the
!        #form Domain\Userid, then set $name = 'userid'
!        $name = $1 if $name =~ /\w+[\/\\](.+)/;
!     }
  
      for my $req (@$requires) {
          my($require, @rest) = split /\s+/, $req->{requirement};
--- 80,86 ----
      my $requires = $r->requires;
      return (MP2 ? Apache::OK : Apache::Constants::OK) unless $requires;
  
!     my $name = MP2 ? $r->user : $r->connection->user;
  
      for my $req (@$requires) {
          my($require, @rest) = split /\s+/, $req->{requirement};
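
Review bot: In the first-side block, `$name =~ s/\//\\/` has already replaced the forward slash with a backslash by the time `if ($name !~ /\//)` runs, and a name typed with a backslash never had a forward slash, so the test is true for a name that already carries a domain and `myDOMAIN` gets prepended a second time, giving `myDOMAIN\domain\userid`. Test for the backslash instead: `$name !~ /\\/`. The `else` branch also reduces `Domain\Userid` to `userid`, so under the default `authzUsername` a `require user ramirezc` line matches that userid whichever domain the user supplied at login; the documentation should state that.
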
***************
*** 116,151 ****
        elsif ($require eq "valid-user") {
            return MP2 ? Apache::OK : Apache::Constants::OK;
        }
-         #ok if user is in the 
-         elsif ($require eq 'group') {
-            unless ($r->dir_config('groupFile')) {
-               $error = 'Apache::AuthenSmb - Configuration error: '.
-                        'no groupFile'. $r->uri;
- 
-             $r->note_basic_auth_failure;
-               MP2 ? $r->log_error($error) : $r->log_reason($error);
- 
-               return MP2 ? Apache::HTTP_UNAUTHORIZED : 
-                            Apache::Constants::HTTP_UNAUTHORIZED;
-            }
-            unless (-e $r->dir_config('groupFile')) {
-               $error = 'Apache::AuthenSmb - groupFile: '.
-                        $r->dir_config('groupFile').' does not exist!';
- 
-               MP2 ? $r->log_error($error) : $r->log_reason($error);
- 
-               return MP2 ? Apache::HTTP_UNAUTHORIZED : 
-                            Apache::Constants::HTTP_UNAUTHORIZED;
-            }
- 
-            use Apache::Htgroup;
-            my $htgrp = Apache::Htgroup->load($r->dir_config('groupFile'));
- 
-            foreach my $group (@rest) {
-                return (MP2 ? Apache::OK : Apache::Constants::OK) 
-                       if $htgrp->ismember($name,$group);
-            }
-         }
      }
      
      $r->note_basic_auth_failure;
--- 93,98 ----
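
Review bot: `use Apache::Htgroup;` inside the `elsif ($require eq 'group')` branch still runs at compile time, so the module is loaded, and the handler fails to compile if it is missing, whether or not `require group` is configured. Use `require Apache::Htgroup;` at that point, wrapped in `eval` if a missing module should be logged rather than fatal. In the same branch, the missing-`groupFile` case calls `$r->note_basic_auth_failure` but the does-not-exist case does not, and both report a configuration error as `HTTP_UNAUTHORIZED`; a server-error status would point the administrator at the real cause. The comment `#ok if user is in the` is cut off.
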
***************
*** 175,195 ****
      PerlSetVar myPDC workgroup-pdc
      PerlSetVar myBDC workgroup-bdc
      PerlSetVar myDOMAIN WORKGROUP
-    
-     # Optional Variables
-     PerlSetVar groupFile /path/to/htgroups
-     # Set the format of the username to check against
-     # defaults to userid
-     PerlSetVar authzUsername userid or domain\userid
  
      PerlAuthenHandler Apache::AuthenSmb
  
      # Standard require stuff, only user and 
      # valid-user work currently
      require valid-user
- 
-     # Optional, reqires that you have Apache::Htgroup
-     # require group groupname
      </Directory>
  
      These directives can be used in a .htaccess file as well.
--- 122,133 ----
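
Review bot: The sample line `PerlSetVar authzUsername userid or domain\userid` reads as a literal directive but cannot be pasted as written. Show a single value, `PerlSetVar authzUsername userid`, and name the alternative `domain\userid` in the comment above it. `reqires` in the `require group` comment should be `requires`.
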
***************
*** 197,203 ****
      If you wish to use your own PerlAuthzHandler then the require 
      directive should follow whatever handler you use.
  
! =head1 DESCRIPTION
  
  This perl module is designed to work with mod_perl and the Authen::Smb
  module by Patrick Michael Kane (See CPAN).  You need to set your PDC,
--- 135,141 ----
      If you wish to use your own PerlAuthzHandler then the require 
      directive should follow whatever handler you use.
  
! = head1 DESCRIPTION
  
  This perl module is designed to work with mod_perl and the Authen::Smb
  module by Patrick Michael Kane (See CPAN).  You need to set your PDC,
***************
*** 205,225 ****
  set a PDC, if no BDC is set it defaults to the PDC, if no DOMAIN is
  set it defaults to WORKGROUP.
  
- Users can also specify the Windows Domain name along with the username
- when authenticating using the format: C<Domain\Username>. The Domain 
- specified will override the domain name set in the myDOMAIN 
- configuration setting.
- 
- =head2 Note
- 
- If you allow users to use B<Domain\Username> and restrict access
- using the C<require user username> or C<require group groupname> make
- sure to set the username with the domain included. The authorization 
- phase will be looking for C<Domain\Username> string.
- 
- Example: require user mydomain\ramirezc
-   
- 
  If you are using this module please let me know, I'm curious how many
  people there are that need this type of functionality.
  
--- 143,148 ----
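
Review bot: The `=head2 Note` text says the authorization phase will be looking for the `Domain\Username` string, but the handler change defaults `authzUsername` to `userid` and strips the domain in that mode, so the note holds only when `authzUsername` is set to `domain\userid`. Reword it to describe both modes, and mention that `Domain/Username` is accepted too, since this POD text documents only the backslash form.
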

-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html
