Posted to modperl@perl.apache.org by Steve Ensley <st...@gmail.com> on 2007/02/16 22:23:12 UTC

mod_proxy post authentication with modified credentials

I am trying to use Apache to replace a commercial authentication front
end for a legacy application server that needs to be supported for
another year. I need to authenticate a user to the corporate LDAP, then
get a PIN stored as another LDAP attribute and build a new
credentials string. I have this part working. Now I need to proxy a
connection to the app server using the new credentials. Some advice
on how to do this would be greatly appreciated. I have tried several
methods with little success.

Here's what I have so far trying to use mod_proxy to forward the connection:

from Apache2 httpd.conf:
<Location /oncall>
	AuthType basic
	AuthBasicProvider ldap
	AuthName "OnCall"
	require ldap-user username
	PerlAccessHandler MyApache2::AppGate
	ProxyPass http://appserver/it/oncall1.nsf
	ProxyPassReverse http://apserver/it/oncall1.nsf
</Location>

The AppGate handler script decodes the authentication header, looks
up the pin for the username and re-encodes the credentials with
username:pin, then writes the authentication header back out. Like so:

Tail end of appgate script that looks up info in ldap and modifies
authentication header:

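# Re-encode as username:pin. The empty second argument stops MIME::Base64
# from inserting line breaks, so no chomp is needed.
my $newcredentials =
      MIME::Base64::encode(join(':',$username,$seqeq->{'vals'}->[0]), '');
# Overwrite the client's Authorization header for the rest of the request.
$r->headers_in->set(Authorization => "Basic $newcredentials");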

If I remark out the handler and the proxy directives, the ldap
authentication on the directory works fine. If I add in the handler,
debugging code in the script shows things happening as expected, and
upon exiting, the authentication fails, which is what one would
expect because the authentication header has changed. I figured
forwarding via the proxy directives would still work though, but
apparently not; I get an 'Internal Server Error' but nothing shows up
in the apache error-log or system logs.

What would be a workable way to proxy this connection to the appserver
but providing the modified credentials? Any advice would be greatly
appreciated as I have to get this done asap.

Re: mod_proxy post authentication with modified credentials

Posted by Perrin Harkins <ph...@gmail.com>.
On 2/16/07, Steve Ensley <st...@gmail.com> wrote:
> What would be a workable way to proxy this connection to the appserver
> but providing the modified credentials?

I can think of a few things that would probably work.  You could make
the proxy requests yourself, with LWP.  You could hack the source of
mod_proxy.  You could run your auth translation code on the appserver,
if it's an apache server that you have access to.  You could also
write your code as an input filter, changing the auth credentials
before mod_proxy sees them.

- Perrin
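
The first suggestion above (making the backend request yourself with LWP) could look like the following. This is an added example, not code from either poster: the module name, LDAP URI, base DN, uid filter and PIN attribute are assumptions, and it handles only GET requests without query strings.

```perl
package MyApache2::AppGateProxy;    # hypothetical module name
use strict;
use warnings;
use Apache2::RequestRec ();
use Apache2::RequestIO ();
use Apache2::Const -compile => qw(OK FORBIDDEN HTTP_BAD_GATEWAY);
use LWP::UserAgent ();
use HTTP::Request ();
use Net::LDAP ();
use Net::LDAP::Util qw(escape_filter_value);

# Assumed values; only the backend URL comes from the thread.
my $LDAP_URI = 'ldaps://ldap.example.com';
my $BASE_DN  = 'ou=people,dc=example,dc=com';
my $PIN_ATTR = 'appPin';
my $BACKEND  = 'http://appserver/it/oncall1.nsf';

# Fetch the PIN attribute for an already-authenticated user name.
sub lookup_pin {
    my ($user) = @_;
    my $ldap = Net::LDAP->new($LDAP_URI) or return;
    $ldap->bind;    # anonymous bind is an assumption
    my $res = $ldap->search(
        base   => $BASE_DN,
        filter => '(uid=' . escape_filter_value($user) . ')',
        attrs  => [$PIN_ATTR],
    );
    my $entry = $res->code ? undef : $res->entry(0);
    $ldap->unbind;
    return $entry ? $entry->get_value($PIN_ATTR) : undef;
}

# Response phase: Apache's LDAP check has passed, so $r->user is set.
sub handler {
    my $r   = shift;
    my $pin = lookup_pin($r->user);
    return Apache2::Const::FORBIDDEN unless defined $pin;
    (my $path = $r->uri) =~ s{^/oncall}{};    # strip the <Location> prefix
    my $req = HTTP::Request->new(GET => $BACKEND . $path);
    $req->authorization_basic($r->user, $pin);    # username:pin, backend only

    # simple_request() does not follow redirects; anything but 2xx is a 502.
    my $res = LWP::UserAgent->new(timeout => 15)->simple_request($req);
    return Apache2::Const::HTTP_BAD_GATEWAY unless $res->is_success;
    $r->content_type($res->header('Content-Type') || 'text/html');
    $r->print($res->content);
    return Apache2::Const::OK;
}
1;
```

It would be enabled with "SetHandler modperl" and "PerlResponseHandler MyApache2::AppGateProxy" inside the <Location /oncall> block, in place of the two ProxyPass lines. Because the client's Authorization header is never rewritten, the LDAP authentication sees the original password and the PIN is sent only to the backend.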