package Apache2::AuthenSmb;
use strict;
use Authen::Smb;
use Apache::Htgroup;
$Apache2::AuthenSmb::VERSION = '0.01';
use mod_perl2 ;
use Apache2::Access;
use Apache2::Connection;
use Apache2::Log;
use Apache2::RequestRec;
use Apache2::RequestUtil;
use Apache2::Const -compile => qw(HTTP_UNAUTHORIZED OK);
sub handler {
my $r = shift;
my($res, $sent_pwd) = $r->get_basic_auth_pw;
return $res if $res; #decline if not Basic
my $name = $r->user;
my $pdc = $r->dir_config('myPDC');
my $bdc = $r->dir_config('myBDC') || $pdc;
my $domain = $r->dir_config('myDOMAIN') || "WORKGROUP";
if ($name eq "") {
$r->note_basic_auth_failure;
$r->log_error("Apache2::AuthenSmb - No Username Given", $r->uri);
return Apache2::Const::HTTP_UNAUTHORIZED;
}
if (!$pdc) {
$r->note_basic_auth_failure;
$r->log_error("Apache2::AuthenSmb - Configuration error, no PDC", $r->uri);
return Apache2::Const::HTTP_UNAUTHORIZED;
}
## Parse $name's with Domain\Username
if ($name =~ m|(\w+)[\\/](.+)|) {
($domain,$name) = ($1,$2);
}
my $return = Authen::Smb::authen($name,
$sent_pwd,
$pdc,
$bdc,
$domain);
unless($return == 0) {
$r->note_basic_auth_failure;
$r->log_error("user $name: password mismatch", $r->uri);
return Apache2::Const::HTTP_UNAUTHORIZED;
}
unless (@{ $r->get_handlers("PerlAuthzHandler") || []}) {
$r->push_handlers(PerlAuthzHandler => \&authz);
}
return Apache2::Const::OK;
}
sub authz {
my $r = shift;
my $requires = $r->requires;
return Apache2::Const::OK unless $requires;
my $name = $r->user;
my $error = ""; # Holds error message
my $authz_username = $r->dir_config('authzUsername') || 'username';
# Convert 'domain/username' to 'domain\username'
$name =~ s|/|\\| if $name =~ m|/|;
if ($authz_username eq 'domain\username') {
if ($name !~ m/\\/) {
#If we authzUsername is set to 'domain\username' and $name
#is not of the form domain\username, then we prepend the domain
$name = $r->dir_config('myDOMAIN') . '\\' . $name;
}
}
else {
#If authzUsername is set to 'username' and $name has if the
#form domain\username, then set $name = 'username'
$name = $1 if $name =~ m/\w+\\(.+)/;
}
for my $req (@$requires) {
my($require, @rest) = split /\s+/, $req->{requirement};
#ok if user is one of these users
if ($require eq "user") {
return Apache2::Const::OK if grep $name eq $_, @rest;
}
#ok if user is simply authenticated
elsif ($require eq "valid-user") {
return Apache2::Const::OK;
}
#ok if user is in the
elsif ($require eq 'group') {
unless ($r->dir_config('groupFile')) {
$error = 'Apache2::AuthenSmb - Configuration error: no groupFile' . $r->uri;
$r->note_basic_auth_failure;
$r->log_error($error);
return Apache2::Const::HTTP_UNAUTHORIZED;
}
unless (-e $r->dir_config('groupFile')) {
$error = 'Apache2::AuthenSmb - groupFile: ' . $r->dir_config('groupFile') . ' does not exist!';
$r->log_error($error);
return Apache2::Const::HTTP_UNAUTHORIZED;
}
if ($@) {
$error = 'Apache2::AuthenSmb - Unable to load Apache::Htgroup: ' . @$;
$r->log_error($error);
return Apache2::Const::HTTP_UNAUTHORIZED;
}
my $htgrp = Apache::Htgroup->load($r->dir_config('groupFile'));
foreach my $group (@rest) {
return Apache2::Const::OK if $htgrp->ismember($name,$group);
}
}
}
$r->note_basic_auth_failure;
$r->log_error("user $name: not authorized", $r->uri);
return Apache2::Const::HTTP_UNAUTHORIZED;
}
1;
__END__
=head1 NAME
Apache2::AuthenSMB - mod_perl NT Authentication module
=head1 SYNOPSIS
<Directory /foo/bar>
# This is the standard authentication stuff
AuthName "Foo Bar Authentication"
AuthType Basic
# Variables you need to set, you must set at least
# the myPDC variable, the DOMAIN defaults to WORKGROUP
PerlSetVar myPDC workgroup-pdc
PerlSetVar myBDC workgroup-bdc
PerlSetVar myDOMAIN WORKGROUP
# Optional Variables
PerlSetVar groupFile /path/to/htgroups
# Set the format of the username to check against
# defaults to username
PerlSetVar authzUsername username or domain\username
PerlAuthenHandler Apache2::AuthenSmb
# Standard require stuff, only user and
# valid-user work currently
require valid-user
# Optional, reqires that you have Apache::Htgroup
# require group groupname
</Directory>
These directives can be used in a .htaccess file as well.
If you wish to use your own PerlAuthzHandler then the require
directive should follow whatever handler you use.
=head1 DESCRIPTION
This perl module is designed to work with mod_perl and the Authen::Smb
module by Patrick Michael Kane (See CPAN). You need to set your PDC,
BDC, and NT domain name for the script to function properly. You MUST
set a PDC, if no BDC is set it defaults to the PDC, if no DOMAIN is
set it defaults to WORKGROUP.
Users can also specify the Windows Domain name along with the username
when authenticating using the format: C<Domain\Username>. The Domain
specified will override the domain name set in the myDOMAIN
configuration setting.
= item PerlSetVar myPDC
Set to the FQDN or IP Address of your Primary Domain Controller
= item PerlSetVar my BDC
Set to the FQDN or IP Address of your Backup Domain Controller
= item PerlSetVar myDOMAIN
Set this to the Domain Name you want to authenticate against
= item PerlSetVar groupFile
Set this to the path of the htgroup file you wish this module
to check in. It allows you to specify your users in groups
found on the web server, as opposed to groups within Active
Directory, etc.
= item PerlSetVar authzUsername
Set this to "username" or "domain\username" depending on your preference.
(This simply formats the input username to allowing checking the username
as "domain\username" or "username".) For example:
# speeves is a DOMAIN user of DOMAIN
domain\username => DOMAIN\speeves
# speeves is a DOMAIN user of DOMAIN,
# but the server administrator wants to
# check this user against groups in the
# htgroup file as:
# groupname: speeves userA userB
username => speeves
If you allow users to use B<Domain\Username> and restrict access
using the C<require user username> or C<require group groupname> make
sure to set the username with the domain included. The authorization
phase will be looking for C<Domain\Username> string.
Example: require user mydomain\ramirezc
=head2 Note
If you are using this module please let me know, I'm curious how many
people there are that need this type of functionality.
=head1 AUTHOR
Michael Parker <parkerm@pobox.com>
Ported by Shannon Eric Peevey <speeves@erikin.com>
=head1 COPYRIGHT
Copyright (c) 1998 Michael Parker, Tandem Computers.
This library is free software; you can redistribute it and/or
modify it under the same terms as Perl itself.
=cut