Apache2::AuthzNIS - mod_perl2 NIS Group Authorization module


Apache2-AuthzNIS documentation Contained in the Apache2-AuthzNIS distribution.


NAME

Apache2::AuthzNIS - mod_perl2 NIS Group Authorization module

SYNOPSIS

    <Directory /foo/bar>
    # This is the standard authentication stuff
    AuthName "Foo Bar Authentication"
    AuthType Basic

    # The following is actually only needed when you will authenticate
    # via NIS passwd as well as authorize via NIS group.
    # Apache2::AuthenNIS is a separate module.
    PerlAuthenHandler Apache2::AuthenNIS

    # Standard require stuff, NIS users or groups, and
    # "valid-user" all work OK
    require user username1 username2 ...
    require group groupname1 groupname2 ...
    require valid-user

    PerlAuthzHandler Apache2::AuthzNIS

    </Directory>

These directives can also be used in the <Location> directive or in an .htaccess file.

DESCRIPTION

This Perl module is designed to work with mod_perl, the Net::NIS module by Rik Harris (rik.harris@fulcrum.com.au), and the Apache2::AuthenNIS module. Version 0.11 of Apache::AuthzNIS was renamed and modified to use mod_perl2. That module was a direct adaptation of Michael Parker's (parker@austx.tandem.com) Apache::AuthenSmb module (which also included an authorization routine).

The module calls Net::NIS::yp_match using each of the require group elements as keys to the group.byname map, until a match with the (already authenticated) user is found.

For completeness, the module also handles require user and require valid-user directives.
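The lookup and matching described above, as a stand-alone added example (not code from the Apache2-AuthzNIS distribution). A hash of constructed group.byname values stands in for Net::NIS::yp_match so it runs without a NIS domain; group_members and decide are hypothetical names.

```perl
#!/usr/bin/perl
# Added example, not part of the Apache2-AuthzNIS distribution.
use strict;
use warnings;

# Constructed group.byname values (name:passwd:gid:member,member,...).
# This hash stands in for Net::NIS::yp_match on the group.byname map.
my %group_byname = (
    staff  => 'staff:*:50:alice,bob',
    admins => 'admins:*:60:carol',
    empty  => 'empty:*:70:',
);

# Return the member names listed in one group entry (possibly none).
sub group_members {
    my ($entry) = @_;
    chomp $entry;
    my @fields = split /:/, $entry, 4;    # member list is the 4th field
    return () unless @fields == 4 && length $fields[3];
    return split /,/, $fields[3];
}

# Mirror the handler's decision for a list of "require" lines.
# Returns 'OK', 'UNAUTHORIZED', or 'ERROR' (lookup failed, fail closed).
sub decide {
    my ($user, @requires) = @_;
    for my $req (@requires) {
        my ($kind, @list) = split /\s+/, $req;
        if ($kind eq 'valid-user') { return 'OK' }
        if ($kind eq 'user') { return 'OK' if grep { $_ eq $user } @list }
        if ($kind eq 'group') {
            for my $group (@list) {
                my $entry = $group_byname{$group};
                return 'ERROR' unless defined $entry;    # handler returns 500
                return 'OK' if grep { $_ eq $user } group_members($entry);
            }
        }
    }
    return 'UNAUTHORIZED';
}

printf "%-6s %-22s %s\n", @$_, decide(@$_) for (
    [ 'bob',   'group admins staff' ],     # listed in the second group
    [ 'bob',   'group empty' ],            # group with no listed members
    [ 'ali',   'group staff' ],            # prefix of "alice" must not match
    [ 'carol', 'group nosuch admins' ],    # failed lookup ends the check
);
```

Only names listed in the member field are matched, so a user who belongs to a group solely through the primary GID in the passwd map is not authorized by a require group line. The last case shows that a group name that fails to resolve stops the check with an error before later groups on the same line are tried.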

Apache2::AuthenNIS vs. Apache2::AuthzNIS

The following comments are from Apache::AuthzNIS.

I've taken "authentication" to be meaningful only in terms of a user and password combination, not group membership. This means that you can use Apache::AuthenNIS with the require user and require valid-user directives. In the NIS context I consider require group to be an "authorization" concern. I.e., group authorization consists of establishing whether the already authenticated user is a member of one of the indicated groups in the require group directive. This process may be handled by Apache::AuthzNIS.

Functions

handler

This is the mod_perl2 handler function.

INSTALLATION

To install this module, run the following commands:

    perl Build.PL
    ./Build
    ./Build test
    ./Build install




AUTHOR

Demetrios E. Paneras <dep at media.mit.edu>

Ported to mod_perl by Shannon Eric Peevey <speeves at unt.edu>

Ported to mod_perl2 by Nguon Hao Ching <hao at iteaha.us>

BUGS

Please report any bugs or feature requests to bug-apache2-authznis at rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Apache2-AuthzNIS. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.

SUPPORT & DOCUMENTATION

You can find documentation for this module with the perldoc command.

    perldoc Apache2::AuthzNIS




You can also look for information at:

* RT: CPAN's request tracker

http://rt.cpan.org/NoAuth/Bugs.html?Dist=Apache2-AuthzNIS

* AnnoCPAN: Annotated CPAN documentation

http://annocpan.org/dist/Apache2-AuthzNIS

* CPAN Ratings

http://cpanratings.perl.org/d/Apache2-AuthzNIS

* Search CPAN

http://search.cpan.org/dist/Apache2-AuthzNIS

COPYRIGHT & LICENSE

package Apache2::AuthzNIS;

use warnings;
use strict;
use Net::NIS;
use mod_perl2;

BEGIN {
    require Apache2::Const;
    require Apache2::Access;
    require Apache2::Connection;
    require Apache2::Log;
    require Apache2::RequestRec;
    require Apache2::RequestUtil;
    Apache2::Const->import(
        '-compile' => 'HTTP_UNAUTHORIZED',
                      'OK', 'HTTP_INTERNAL_SERVER_ERROR'
    );
}

our $VERSION = '0.13';


sub handler {
    my $r = shift;
    my $requires = $r->requires;
    return Apache2::Const::OK unless $requires;

    my $name = $r->user;

    for my $req ( @$requires ) {
        my( $require, @list ) = split /\s+/, $req->{'requirement'};

        #ok if user is one of these users
        if ( $require eq 'user' ) {
            return Apache2::Const::OK if grep $name eq $_, @list;
        }
        #ok if user is simply authenticated
        elsif ( $require eq 'valid-user' ) {
            return Apache2::Const::OK;
        }
        elsif ( $require eq 'group' ) {
            my $domain = Net::NIS::yp_get_default_domain();
            unless ( $domain ) {
                $r->note_basic_auth_failure;
                $r->log_error( __PACKAGE__, " - cannot obtain NIS domain ", $r->uri );
                return Apache2::Const::HTTP_INTERNAL_SERVER_ERROR;
            }
            foreach my $thisgroup ( @list ) {
                my( $status, $entry )
                    = Net::NIS::yp_match( $domain, "group.byname", $thisgroup );
                if ( $status ) {
                    my $error_msg = Net::NIS::yperr_string( $status );
                    $r->note_basic_auth_failure;
                    $r->log_error( __PACKAGE__,
                        " - group: $thisgroup: yp_match status $status, ",
                        $error_msg, " ", $r->uri
                    );
                    return Apache2::Const::HTTP_INTERNAL_SERVER_ERROR;
                }
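                # Entry format is "name:passwd:gid:member1,member2,...".
                # Split on commas, then strip the three leading fields from
                # the first element so only member names remain.
                my @names = split /\,/, $entry;
                $names[0] =~ s/^.*:.*:.*://;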
                foreach my $oneuser ( @names ) {
                    if ( $oneuser eq $name ) {
                        return Apache2::Const::OK;
                    }
                }
            }
        }
    }

    $r->note_basic_auth_failure;
    $r->log_error( __PACKAGE__, " - user $name: not authorized ", $r->uri );
    return Apache2::Const::HTTP_UNAUTHORIZED;
}

1; # End of Apache2::AuthzNIS