I've been trying to figure out how Apache authentication interacts with web2py's built-in Auth - in order to fulfil my objectives described below. I've ended up modifying tools.auth.login_bare() - and that does not feel quite right. Comments on my approach are most welcome.

My setup: Apache 2.2, AuthType Basic, mod_wsgi, authentication backend: LDAP via the Apache configuration directive AuthBasicProvider "ldap".

My objective: have Apache handle all authentication and thus all LDAP awareness and communication, for the following reasons:

1) In the long term, I want to deploy Apache's "seamless authentication" against Active Directory so that Windows domain users are not at all required to enter their credentials when accessing internal web sites.
2) My unfortunate end users are tied to IE7 (possibly 8). Compared to Firefox, IE is rather incapable of remembering users' credentials pertaining to specific web sites - when using form-based authentication, that is. When using Basic authentication, Windows happens to remember the credentials, thus the situation is reasonably comfortable to end users as long as they do not change their passwords too often.
3) To stay in line with other internal web applications.

I have set auth.settings.allow_basic_login = True and WSGIPassAuthorization On, and I have modified auth.table_user to have a 'username' field. However, in all cases, a user is redirected to the default login form. Which - in my setup - is erroneous, because the user has already entered her credentials during the basic authentication phase.

Analysis:

1) login_bare() insists on validating the password retrieved from http_authorization against the contents of auth.table_user. I think that is meaningless because the password already *has been validated* by Apache. Moreover, you'll get into trouble when LDAP expires your password.
2) Offering users the option of altering passwords in the present context seems meaningless too: credentials are managed through LDAP management applications and web2py cannot be involved in this process.

My workaround: I took the easy route and changed login_bare() from

    if not user.registration_key and \
       user[passfield] == password:

to

    if not user.registration_key and \
       (self.settings.allow_basic_login or user[passfield] == password):

... and something similar could be done with change_password(). However, a cleaner (but more complex) approach could be to allow auth.settings.password_field = None ... and then have the diverse functions behave accordingly. Given a bit of authoritative guidance on which way to go, I'd be happy to submit a patch on the latter approach.

We should try to make it work with https as well - I believe that SSLOptions +FakeBasicAuth will do the trick...

While at it: I would also like to add a hook to Auth.register() enabling it - given http_authorization - to call an application-defined function retrieving the user's detail information from an external source (LDAP or other) - so that users need not type in what is already known to other IT systems.

Regards
Theodor Norup
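As an added illustration that is not part of the original post and not web2py's own code: the snippet below is a constructed, stand-alone mirror of the two behaviours the post contrasts. login_basic() with trust_proxy_auth=False behaves like the unmodified login_bare() (password from the Authorization header must match the stored record, so an LDAP password change breaks login), while trust_proxy_auth=True is the poster's bypass (the registration_key check still applies, but the password comparison is skipped because Apache already verified it). A third function, login_from_remote_user(), shows the alternative of reading the REMOTE_USER variable that Apache sets in the WSGI environ after authenticating, so the application never handles the password at all. The user table, names and helper functions are all assumptions made for this example.

```python
import base64
from typing import Optional, Tuple

# Constructed in-memory stand-in for auth.table_user (not web2py's real table).
# A non-empty registration_key means the account is pending/blocked, as in web2py.
USERS = {
    "alice": {"username": "alice", "password": "app-stored-secret", "registration_key": ""},
    "bob":   {"username": "bob",   "password": "old-password",      "registration_key": "pending"},
}


def basic_header(username: str, password: str) -> str:
    """Build an 'Authorization: Basic ...' header value (test helper, constructed)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from a Basic header, or None if it is absent or malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad base64 or bad UTF-8
        return None
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")
    return username, password


def login_basic(environ: dict, allow_basic_login: bool, trust_proxy_auth: bool):
    """Mirror of login_bare() before/after the poster's change.

    allow_basic_login: accept credentials from the Authorization header at all
                       (web2py's auth.settings.allow_basic_login).
    trust_proxy_auth:  the poster's bypass: skip the password comparison because
                       the Apache front end (with its LDAP backend) already verified it.
    Returns the user record on success, None otherwise.
    """
    if not allow_basic_login:
        return None
    creds = parse_basic_auth(environ.get("HTTP_AUTHORIZATION"))
    if creds is None:
        return None
    username, password = creds
    user = USERS.get(username)
    if user is None or user["registration_key"]:
        return None  # unknown or not-yet-approved account, same as login_bare()
    if trust_proxy_auth or user["password"] == password:
        return user
    return None


def login_from_remote_user(environ: dict):
    """Alternative: trust the REMOTE_USER variable Apache sets after authenticating.

    The application never sees the password, so the stored password field is irrelevant
    and an LDAP password change cannot desynchronise anything.
    """
    username = environ.get("REMOTE_USER")
    if not username:
        return None
    user = USERS.get(username)
    if user is None or user["registration_key"]:
        return None
    return user


if __name__ == "__main__":
    # Constructed requests: the stored app password and a newer LDAP password for the same user.
    env_stored = {"HTTP_AUTHORIZATION": basic_header("alice", "app-stored-secret")}
    env_ldap = {"HTTP_AUTHORIZATION": basic_header("alice", "new-ldap-password")}
    print("unmodified, stored password:", login_basic(env_stored, True, False) is not None)
    print("unmodified, LDAP password:  ", login_basic(env_ldap, True, False) is not None)
    print("bypass, LDAP password:      ", login_basic(env_ldap, True, True) is not None)
    print("REMOTE_USER path:           ", login_from_remote_user({"REMOTE_USER": "alice"}) is not None)
```

Both trusting paths accept whatever identity the front end forwards, so they are only sound when every request reaches the application through the authenticating Apache instance; if the WSGI process is reachable directly, the header or variable carries no proof at all. Of the two, the REMOTE_USER variant is the smaller trust surface, since the password never enters the application and nothing needs to be stored in the password field.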