You are viewing a plain text version of this content. The canonical link for it is here.

Posted to modperl@perl.apache.org by Krist van Besien <kr...@gmail.com> on 2007/09/18 14:53:02 UTC

Checking for group membership in a mod perl handler.

Hello,

I've implemented authentication in my web server using a mod_perl
authentication handler.
I now have the following in my httpd.conf:

PerlAuthenHandler Apache2::AuthenDBMCache Apache2::AuthenMSAD
        PerlSetVar MSADDomain mydomain
Require valid-user

(The two modules I found on CPAN, and they're just right for what I needed)

This works perfectly. The authentication handler checks the username
and password, and allows or denies access.

Require user user1 user2

works fine too.

Now I want to do a bit more. I want to use:

Require group department1 department2

The problem is that I don't want to use a group file. I want to use a
perl module to check group membership. Specifically I want to check
the "department" property in our active directory, and use this to
allow or deny access.

Writing Perl code that gets this info from the AD is not the problem.
My problem is that its not clear to me how to tie this code in the
whole apache processing.

Do I need to write a PerlAuthzHandler? Or something else?

apache is 2.0.59, mod_perl is 2.0

Thanks in advance,

Krist van Besien

-- 
krist.vanbesien@gmail.com
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

RE: Checking for group membership in a mod perl handler.

Posted by "Dami Laurent (PJ)" <la...@justice.ge.ch>.

 

>.... I want to use a
>perl module to check group membership. Specifically I want to check
>the "department" property in our active directory, and use this to
>allow or deny access.
>
>Writing Perl code that gets this info from the AD is not the problem.
>My problem is that its not clear to me how to tie this code in the
>whole apache processing.
>
>Do I need to write a PerlAuthzHandler? Or something else?
>

Hi Krist,

You already have the answer : what you need is a PerlAuthzHandler. 
See the example in
http://perl.apache.org/docs/2.0/user/handlers/http.html#PerlAuthzHandler
.

Your handler code can use Apache2::Access::requires to find out about
require directives for this request, and then use that info to ask your
AD server.

Best regards, Laurent Dami