Posted to users@httpd.apache.org by Dmitri Colebatch <di...@colebatch.com> on 2007/04/26 06:08:10 UTC

[users@httpd] hack to provide "single username/password store" appearance to another app

Hi all,

I've been asked to provide a proxy that authenticates users against
our LDAP tree, and then proxies their requests to an external system
that requires a different password (for the same user).  I can do this
with a hardcoded username/password for the external system like this:

                AuthType Basic
                AuthName "LDAP Authentication"
                AuthLDAPURL ldap://ldap/o=users?cn?sub?(objectclass=Person)
                AuthLDAPBindDN ldap-admin-user
                AuthLDAPBindPassword ldap-admin-pass
                require valid-user

                SetEnv OurAuthHeader "Basic VDEyNjcwOnM5MzdDMQ=="

                RequestHeader set Authorization "%{OurAuthHeader}e"

                ProxyPass http://other-system/
                ProxyPassReverse http://other-system/

But what I would like to do is write something to set the value of
OurAuthHeader based on the currently logged-in user (i.e. look up the
current user's password for the external system and generate an auth
header based on that).

I've tried doing this with a filter, but can't even get a basic filter working:

        PerlModule Apache::AuthFilter
        PerlInputFilterHandler Apache::AuthFilter

with the AuthFilter.pm:

        sub handler : FilterConnectionHandler {
                print STDERR "test\n";
                Apache::Const::OK;
        }
        1;

This just drops the connection as soon as I make the request.
Obviously the above does nothing, I would like to change it to replace
the hardcoded "OurAuthHeader" value.

I've been looking at http://modperlbook.org/html/ch25_03.html and
trying to learn what I can, but am not having much luck.  I'm also
restricted to mod_perl 1.99 which rules out a couple of other options
I've found.  Does anyone have any suggestions for me?

cheers,
dim

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Re: hack to provide "single username/password store" appearance to another app

Posted by Dmitri Colebatch <di...@colebatch.com>.
Sorry - I'd been experimenting, my filter isn't:

On 4/26/07, Dmitri Colebatch <di...@colebatch.com> wrote:
>        sub handler : FilterConnectionHandler {
>                print STDERR "test\n";
>                Apache::Const::OK;
>        }
>        1;

but is:

        sub handler : FilterConnectionHandler {
                print STDERR "test\n";
                return Apache2::Const::DECLINED;
        }
        1;

which on my limited understanding is what I should be doing to have a
no-op filter.  Please correct me if this is wrong.

cheers,
dim

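One way to do the per-user lookup the first message asks for, as an added example that is not code from this thread: a helper for mod_rewrite's `RewriteMap prg:` mechanism that turns the authenticated username into the backend's Basic header value. The map name `backendauth`, the script path, the wiring in the docstring and the sample store are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""RewriteMap prg: helper mapping an LDAP-authenticated user to the
external system's Basic Authorization value. Assumed wiring (hypothetical
names, not from the thread), in server context:

    RewriteEngine On
    RewriteMap backendauth prg:/usr/local/bin/backend_auth.py
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule .* - [E=OurAuthHeader:${backendauth:%1}]
"""
import base64
import re
import sys

# Constructed sample store; a real one would be loaded from a file readable
# only by the account the helper runs as.
SAMPLE_STORE = {"alice": "backend-pw-1", "bob": "p:w with colon"}

# Conservative allow-list: no colon (it separates user from password in
# Basic auth), no whitespace or control characters (CR/LF would split the
# header line).
_USER_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")

MISS = "NULL"  # mod_rewrite's token for "no value for this key"


def backend_auth_header(user, store):
    """Return 'Basic <b64>' for a known, well-formed user, else MISS."""
    if not _USER_RE.fullmatch(user):
        return MISS
    password = store.get(user)
    if password is None or any(ord(c) < 0x20 or ord(c) == 0x7F for c in password):
        return MISS
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def serve(lines, out, store):
    """prg: protocol: one key per input line, one answer line per key."""
    for line in lines:
        out.write(backend_auth_header(line.rstrip("\r\n"), store) + "\n")
        out.flush()  # reply immediately; httpd waits on each answer


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout, SAMPLE_STORE)
```
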