Shannon Eric Peevey wrote:

Carlos Ramirez wrote:

Oops, I sent the wrong diff. I also updated the module on my site.
http://www.quantumfx.com/software/modules/Apache-AuthenSmb.pm

-Carlos

Carlos Ramirez wrote:

Included is the diff of the current 0.71 version with my mods.

The mods include the following mods:
* Allows user to use Domain\Username to authenticate. Actually, I'm also allowing Domain/Username. This eliminates a lot of the problems experienced by our users not remembering to use the 'back slash' instead of the 'forward slash'.


This is fantastic, and should probably be added to the other authen/authz mods, as well!

* Allows 'require group groupname1 groupname2 ... groupnameN'. This feature requires Apache::Htgroup, but in order to avoid problems, I only 'use' this module whenever 'require group' is present, instead of loading it at the beginning. Is this okay?

'use' tries to load the module at compile time, and therefore would fail the make test, as well as fail with an "internal server error" when any call to the module is made. Therefore, in keeping with making the function optional, we need to 'require' the module. More specific information can be found at:

http://perl.apache.org/docs/general/perl_reference/perl_reference.html#use__

http://perl.apache.org/docs/general/perl_reference/perl_reference.html#require__


Now, that being said, I am not sure that we need this functionality built into the authz function here. (This is a question that I am bringing up for debate). If we want to use a groupfile, etc. for authorizing a user, shouldn't we just let apache take care of it? (By adding a PerlSetVar to make the authz function in this module optional, as well). Then we just bypass the authz function, and apache grabs the group file, etc. by allowing us to specify this in the conf/htaccess file. (Using AuthGroupFile, etc.)
What do you think?

The only problem with letting Apache handle the authz for 'require group' is that it won't know to check for 'Domain\Username' if the user does not enter 'Domain\Username' as the username. That is, if the username entered is 'Username', $r->connection_user is 'Username' and not 'Domain\Username', especially if authzUsername is set to 'Domain\Username'. Even if you set $r->connection_user to 'Domain\Username', returning a DECLINE will erase everything, since it kicks you from mod_perl space to Apache space. Right?


As you pointed out, we can eval the 'require Apache::Htgroup' when 'require group' is present.

* Adds a 'PerlSetVar authzUsername' configuration parameter that allows you to configure the format of the "username" for the authorization phase (the name of this variable is up for suggestions). The value can be one of two values: userid or domain\userid. The default value is set to 'userid', which is the current implementation.

I think this is a good idea, based on what we decide above. (And, we could actually use this in other modules that need this same functionality)



Hope this is not too confusing.

This is a great explanation!
thanks,



--
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html
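
The following sketch is an added illustration, not part of the thread and not the Apache::AuthenSmb code. It shows the two points discussed above: accepting both Domain\Username and Domain/Username, and loading Apache::Htgroup at run time with an eval'd 'require' so the module still works when it is not installed. The function names and sample logins are hypothetical and constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: split a login typed as Domain\User or Domain/User.
# Returns (domain, user); domain is undef when no separator was typed,
# and an empty list when the login is malformed (e.g. "\user", "a\b\c").
sub split_login {
    my ($login) = @_;
    return () unless defined $login && length $login;
    return (undef, $login) unless $login =~ m{[\\/]};
    return $login =~ m{^([^\\/]+)[\\/]([^\\/]+)$} ? ($1, $2) : ();
}

# Build the name used in the authorization phase, following the two
# authzUsername values named in the thread: userid (default) or domain\userid.
sub authz_name {
    my ($domain, $user, $format) = @_;
    $format = 'userid' unless defined $format;
    return $user unless lc($format) eq 'domain\\userid' && defined $domain;
    return "$domain\\$user";
}

# Load an optional module at run time. Unlike 'use', a failed 'require'
# inside eval does not abort compilation; it just returns false here.
sub load_optional {
    my ($module) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    return eval { require $file; 1 } ? 1 : 0;
}

# Constructed sample logins, including one malformed entry.
for my $typed ('ENG\\alice', 'ENG/alice', 'alice', '\\alice') {
    my ($domain, $user) = split_login($typed);
    unless (defined $user) {
        print "$typed -> rejected (malformed)\n";
        next;
    }
    printf "%-10s -> domain=%s user=%s authz=%s\n",
        $typed, $domain // '(none)', $user,
        authz_name($domain, $user, 'domain\\userid');
}

print load_optional('Apache::Htgroup')
    ? "require group: Apache::Htgroup loaded\n"
    : "require group: Apache::Htgroup not installed, feature disabled\n";
```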


