One Unified Global Perspective
2007 Mar 08 - Thu

Perl Based Active Directory Authentication and Authorization

Most of the customers for whom I install the monitoring server have an Active Directory based organization. As such, the best mechanism for authenticating users onto the web pages of the monitoring server is to check that they are valid members of an Active Directory domain. Access to specific pages of the monitoring server can then be authorized through group membership.

isADGroupMember.pm is a Perl module designed to authorize a user through Active Directory group membership. It performs a recursive group lookup to check whether the user is somewhere in the group hierarchy. It returns 1 if the user is found in a group, and 0 if no match is found.

You'll need to update four search parameters at the top of the module to work with your Active Directory organization. There is a base search path, which acts as the root of the search. A user name and password are required for gaining access to Active Directory; this account needs appropriate rights to perform its search. There is also a bind address used for connecting to a global catalog server, which can be an IP address or an FQDN.

The user name is supplied as a SAMAccount formatted name, as is the group name. Each is expanded to its respective DistinguishedName, and the DistinguishedNames are then used for matching.

The AuthNTLM module can be used for automatically supplying the user name used in the lookup. In the solution I'm building, AuthNTLM will take the user name it automatically obtained from the browser session and place it into a session record in a database. Mason's autohandler will then pull out the username when it pulls session information and then use isADGroupMember to authorize access to any given web page.
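A sketch of the recursive lookup described above, added here as an example and not the code of isADGroupMember.pm. The two lookup callbacks, the constructed in-memory directory and the name allowlist are assumptions; the traversal tracks visited DistinguishedNames so circular group nesting terminates, and it denies on any unknown or malformed name, which matters when the user name arrives from the browser session.

```perl
use strict;
use warnings;

# Constructed sample directory (not real data): SAMAccount name => DN, and
# DN => memberOf DNs. NetOps and MonitoringAdmins contain each other on purpose.
my $base  = 'DC=example,DC=test';
my %dn_of = (
    alice            => "CN=Alice,OU=Staff,$base",
    bob              => "CN=Bob,OU=Staff,$base",
    NetOps           => "CN=NetOps,OU=Groups,$base",
    MonitoringAdmins => "CN=MonitoringAdmins,OU=Groups,$base",
    Finance          => "CN=Finance,OU=Groups,$base",
);
my %member_of = (
    $dn_of{alice}            => [ $dn_of{NetOps} ],
    $dn_of{NetOps}           => [ $dn_of{MonitoringAdmins} ],
    $dn_of{MonitoringAdmins} => [ $dn_of{NetOps} ],    # circular nesting
);
# Hypothetical lookup callbacks; against AD each would be one directory search.
my $resolve = sub { $dn_of{ $_[0] } };
my $parents = sub { @{ $member_of{ $_[0] } || [] } };

# Returns 1 if $user is in $group directly or through nesting, otherwise 0.
sub is_ad_group_member {
    my ($user, $group, $resolve, $parents) = @_;
    # Allowlist names before they can reach an LDAP filter (assumed policy).
    for my $name ($user, $group) {
        return 0 unless defined $name && $name =~ /\A[A-Za-z0-9._-]{1,64}\z/;
    }
    my $user_dn  = $resolve->($user)  or return 0;    # unknown user: deny
    my $group_dn = $resolve->($group) or return 0;    # unknown group: deny
    my (%seen, @queue);
    @queue = ($user_dn);
    while (defined(my $dn = shift @queue)) {
        next if $seen{ lc $dn }++;                    # already expanded: skip
        for my $parent ($parents->($dn)) {
            return 1 if lc $parent eq lc $group_dn;   # case-insensitive DN match
            push @queue, $parent;
        }
    }
    return 0;
}

# Nested member, non-member, unreachable group behind a loop, filter metacharacters.
for my $case ([alice => 'MonitoringAdmins'], [bob => 'MonitoringAdmins'],
              [alice => 'Finance'], ['alice)(objectClass=*' => 'MonitoringAdmins']) {
    printf "%-22s %-18s -> %d\n", @$case, is_ad_group_member(@$case, $resolve, $parents);
}
```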



Blog Content ©2008
Ray Burkholder
All Rights Reserved
ray@oneunified.net