"Fossies" - the Fresh Open Source Software Archive

Member "Apache2-AuthenMSAD-0.02/AuthenMSAD.pm" (29 Nov 2005, 4256 Bytes) of package /linux/www/apache_httpd_modules/old/Apache2-AuthenMSAD-0.02.tar.gz:

package Apache2::AuthenMSAD;

use strict;
use warnings;

use mod_perl2;
use Apache2::Access;
use Apache2::Log;
use Apache2::RequestRec;
use Apache2::RequestUtil;
use Apache2::Const -compile => qw(HTTP_UNAUTHORIZED HTTP_INTERNAL_SERVER_ERROR DECLINED HTTP_FORBIDDEN OK);
use Net::LDAP;

$Apache2::AuthenMSAD::VERSION = '0.02';

# $Id: AuthenMSAD.pm,v 1.7 2005/11/29 13:46:04 reggers Exp $

sub handler
{
   my $r = shift;

   # Continue only if this is the initial request. Left disabled: with the
   # line commented out, subrequests and internal redirects are authenticated
   # against the directory again. (The constant must be fully qualified,
   # since Apache2::Const was loaded with -compile.)
   #  return Apache2::Const::OK unless $r->is_initial_req;

   # Grab the password, or return whatever status get_basic_auth_pw reports
   # (HTTP_UNAUTHORIZED when no Authorization header was sent).
   my ($res, $pass) = $r->get_basic_auth_pw;
   return $res if $res;

   my $user = $r->user;

   # MSADDomain is mandatory; the "no-domain" fallback only makes a missing
   # setting fail visibly at bind time. MSADServer defaults to the domain name.
   my $domain = $r->dir_config('MSADDomain') || "no-domain";
   my $server = $r->dir_config('MSADServer') || $domain;

   # An LDAP simple bind with a name but an empty password is an
   # "unauthenticated" bind (RFC 4513, section 5.1.2). Active Directory
   # accepts it as anonymous, so an empty password MUST be rejected here,
   # before the bind, or any valid userid would log in without a password.
   if (!defined $pass || $pass eq "") {
      $r->note_basic_auth_failure;
      $r->log_reason("user - no password supplied", $r->uri);
      return Apache2::Const::HTTP_UNAUTHORIZED;
   }

   if (!defined $user || $user eq "") {
      $r->note_basic_auth_failure;
      $r->log_reason("user - no userid supplied", $r->uri);
      return Apache2::Const::HTTP_UNAUTHORIZED;
   }

   # Plain ldap:// (port 389, no TLS): the bind below sends the password
   # across the network in the clear -- see BEWARE.
   my $ldap = Net::LDAP->new($server, version => 3);
   unless ($ldap) {
      $r->note_basic_auth_failure;
      $r->log_reason("user - MSAD LDAP Connect Failed", $r->uri);
      return Apache2::Const::HTTP_UNAUTHORIZED;
   }

   # Simple bind using the userPrincipalName "user@domain" as the bind name.
   # A non-zero result code means the directory rejected the credentials
   # (wrong password, unknown user, disabled or locked account, ...).
   my $result = $ldap->bind(dn => "$user\@$domain", password => $pass);
   if (!$result || $result->code) {
      $ldap->unbind;
      $r->note_basic_auth_failure;
      $r->log_reason("user - Active Directory Authen Failed", $r->uri);
      return Apache2::Const::HTTP_UNAUTHORIZED;
   }

   # Close the connection; the bind succeeded, nothing else is needed from AD.
   $ldap->unbind;
   return Apache2::Const::OK;
}

1;
__END__
   65 
   66 =head1 NAME
   67 
   68 Apache2::AuthenMSAD - Microsoft Active Directory authentication for Apache
   69 
   70 =head1 SYNOPSIS
   71 
   72     <Directory /foo/bar>
   73     # Authentication Realm and Type (only Basic supported)
   74 
   75     AuthName "Microsoft Active Directory Authentication"
   76     AuthType Basic
   77 
   78     # Authentication  method/handler
   79 
   80     PerlAuthenHandler Apache2::AuthenMSAD
   81 
   82     # The Microsoft Active Directory Domain Name must be set
   83     # The Active Directory Server Name will default to the domain.
   84 
   85     PerlSetVar MSADDomain ads.foo.com
   86     PerlSetVar MSADServer dc.ads.foo.com
   87 
   88     # Require lines can be any of the following -- any user, one of a list
   89 
   90     require valid-user
   91     require user joe mary tom
   92     </Directory>
   93 
   94     These directives can also be used in a .htaccess file.
   95 
   96 =head1 DESCRIPTION
   97 
   98 This perl module is designed to work with mod_perl2 and Net::LDAP. It
   99 will authenticate users in a Windows 2000 or later Microsoft Active
  100 Directory -- hence the acronym MSAD. Configuration parameters give the
  101 DNS name used for the cluster of Microsoft Domain Controllers and the
  102 Microsoft Domain name used within the Active Directory.
  103 
This relies on a surprising feature first brought to our attention by
Yvan Rodrigues here at the University of Waterloo. Active Directory
accepts a simple bind whose bind name is a userPrincipalName such as
"reggers@ads.foo.com" (note that this is not a Distinguished Name), so
you don't need to resort to the account's X.500 Distinguished Name.
Most LDAP authentication methods require a search account that you log
in with first to look up the user's Distinguished Name, after which you
bind again as that name. Active Directory's extra feature removes the
second account and the second bind, which makes life much simpler.
  112 
At our site the domain mentioned in the userPrincipalName is
"ads.uwaterloo.ca" -- that is also the DNS name we use for our collection
of Domain Controllers. You might not implement that convention. If you
do, the MSADServer parameter is optional -- it defaults to the
MSADDomain. This version is patched to use mod_perl2 (>=2.0x) and
Apache 2. It was tested in a production environment, where it worked
perfectly.
  119 
  120 =head1 BEWARE
  121 
This builds on the Net::LDAP interface over plain ldap:// (no TLS), and
as such the simple bind passes the userid and password across the
network in the clear. We've not been able to get Net::LDAPS to work
with Microsoft Active Directory. If anyone else has we'd dearly love
to hear from them. Note also that HTTP Basic authentication only
base64-encodes the credentials, so the browser-to-Apache leg needs TLS
as well (for example SSLRequireSSL on the protected location).
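
The following is an added example, not code from the module on this
page or from its authors. It is a variant of the handler above that does
the same userPrincipalName simple bind described in DESCRIPTION, but
over TLS, so that the cleartext caveat in BEWARE no longer applies on
the LDAP leg. The package name Apache2::AuthenMSADTLS and the PerlSetVar
names MSADUseSSL and MSADCAFile are hypothetical, invented for this
example; MSADDomain and MSADServer are the module's own; the Net::LDAP
options (scheme => 'ldaps', verify => 'require', cafile, start_tls) are
the real Net::LDAP API. It assumes the CA that issued the Domain
Controller certificates is available as a PEM file.

```perl
package Apache2::AuthenMSADTLS;   # hypothetical name for this added example

use strict;
use warnings;

use mod_perl2;
use Apache2::Access;
use Apache2::Log;
use Apache2::RequestRec;
use Apache2::RequestUtil;
use Apache2::Const -compile => qw(HTTP_UNAUTHORIZED HTTP_INTERNAL_SERVER_ERROR OK);
use Net::LDAP;

# Apache configuration for this example (MSADUseSSL / MSADCAFile are
# hypothetical additions; MSADDomain / MSADServer come from the module):
#
#   SSLRequireSSL                        # Basic auth is only base64 over HTTP
#   PerlAuthenHandler Apache2::AuthenMSADTLS
#   PerlSetVar MSADDomain ads.foo.com
#   PerlSetVar MSADServer dc.ads.foo.com
#   PerlSetVar MSADUseSSL on             # ldaps://:636; anything else => StartTLS
#   PerlSetVar MSADCAFile /etc/ssl/certs/ads-root-ca.pem

# Record the failure (401 triggers the WWW-Authenticate challenge) and log
# the reason. The password is never part of the message.
sub fail {
   my ($r, $status, $why) = @_;
   $r->note_basic_auth_failure if $status == Apache2::Const::HTTP_UNAUTHORIZED;
   $r->log_reason($why, $r->uri);
   return $status;
}

sub handler {
   my $r = shift;

   my ($res, $pass) = $r->get_basic_auth_pw;
   return $res if $res;
   my $user = $r->user;

   # Misconfiguration is a server error, not a user error: fail loudly.
   my $domain = $r->dir_config('MSADDomain')
      or return fail($r, Apache2::Const::HTTP_INTERNAL_SERVER_ERROR, "MSADDomain not set");
   my $server = $r->dir_config('MSADServer') || $domain;
   my $use_ssl = lc($r->dir_config('MSADUseSSL') || '') eq 'on';
   my $cafile = $r->dir_config('MSADCAFile')
      or return fail($r, Apache2::Const::HTTP_INTERNAL_SERVER_ERROR, "MSADCAFile not set");

   # Empty password => unauthenticated simple bind (RFC 4513 s5.1.2), which
   # AD accepts as anonymous. Reject it before touching the directory.
   return fail($r, Apache2::Const::HTTP_UNAUTHORIZED, "no password supplied")
      unless defined $pass && $pass ne "";

   # Accept only a bare account name: the bind name is built as "$user\@$domain",
   # and a client-supplied '@', '\' or whitespace would change which name is
   # bound and what $r->user later means to "require user ...".
   return fail($r, Apache2::Const::HTTP_UNAUTHORIZED, "bad or missing userid")
      unless defined $user && $user =~ /\A[^@\\\s]+\z/;

   # Always verify the DC's certificate chain against our CA file.
   my %tls = (verify => 'require', cafile => $cafile);
   my $ldap = Net::LDAP->new($server, version => 3, timeout => 10,
                             $use_ssl ? (scheme => 'ldaps', port => 636, %tls) : ())
      or return fail($r, Apache2::Const::HTTP_UNAUTHORIZED, "MSAD LDAP Connect Failed: $@");

   unless ($use_ssl) {
      # Upgrade the ldap:// connection; fail closed rather than bind in the clear.
      my $tls = $ldap->start_tls(%tls);
      if ($tls->code) {
         $ldap->unbind;
         return fail($r, Apache2::Const::HTTP_UNAUTHORIZED, "StartTLS failed: " . $tls->error);
      }
   }

   # Same UPN simple bind as the module, now inside TLS.
   my $bind = $ldap->bind("$user\@$domain", password => $pass);
   my $ok = $bind && !$bind->code;
   $ldap->unbind;

   return fail($r, Apache2::Const::HTTP_UNAUTHORIZED, "Active Directory Authen Failed for $user")
      unless $ok;
   return Apache2::Const::OK;
}

1;
```

With MSADUseSSL off the handler still refuses to bind unless StartTLS
succeeds, so a DC that does not offer TLS, or presents a certificate
not chained to MSADCAFile, results in a 401 rather than a cleartext
bind; the userid filter keeps $r->user equal to the bare account name
the "require user" lines in SYNOPSIS refer to.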
  126 
  127 =head1 AUTHOR
  128 
  129 Yvan Rodrigues <yrodrigu@uwaterloo.ca>
  130 Reg Quinton <reggers@ist.uwaterloo.ca>
  131 Franz Skale <franz.skale@cubit.at>
  132 
  133 =head1 COPYRIGHT
  134 
  135 Copyright (c) 2005 by the authors.
  136 
  137 This library is free software; you can redistribute it and/or modify
  138 it under the same terms as Perl itself.
  139 
  140 =cut
  141