2007 Mar 29 - Thu

Web Page Authorization with Perl and Mason

The monitoring server described in these various articles uses an Apache 2.0 based web server loaded with mod_perl and a page templating language based on Mason. I'll put the other pages I have up on this site, but for the moment I just wanted to get the authentication stuff documented.

Authentication starts in /etc/apache2/sites-available/default with the following configuration:

        
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all

    PerlAuthenHandler OneUnified::AuthNTLM
    AuthType ntlm,basic
    AuthName domainname
    require valid-user

    PerlAddVar ntdomain "domainname globalcat1 globalcat2"

    PerlSetVar defaultdomain domainname
    PerlSetVar splitdomainprefix 1
    PerlSetVar ntlmdebug 0
    PerlSetVar ntlmauthoritative 0
    # PerlSetVar fallbackdomain fallbackdomain
        

In this configuration, you'll need to replace 'domainname' and 'globalcatx' with your NetBIOS domain name and the DNS names of your global catalog servers.

When running this security configuration, a web browser's security settings may need to be changed to make this a trusted site so that the user's NTLM security information will be exchanged.

AuthNTLM.pm is a wrapper around the CPAN Perl module Apache2::AuthenNTLM. It pulls the username and domain information out and passes it along via the request object's pnotes() method to the actual Mason processing.

autohandler is Mason's root file that is executed for every page serviced in a web site. As such, it can be used to perform page initialization, authentication, and authorization. It also holds the defaults for the pages of the site, and is used in an object-oriented fashion to let other pages override the defaults. This particular one maintains session and user variables, and with some upcoming additions, will help to maintain session state. (You may need to use Firefox to download the file, as Internet Explorer interprets the file for what it isn't.)

The autohandler file calls isADGroupMember.pm to perform the actual user and group authentication and authorization in Active Directory. The routine knows how to recursively search groups within groups.
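The nested-group search that isADGroupMember.pm performs, as an added example that is not the article's Perl module: it walks a constructed in-memory snapshot of AD group objects instead of a live LDAP connection, guards against group cycles, and maps the (username, domain) pair that AuthNTLM.pm hands over through pnotes() to the (groupname, grouppermission) pair the sessions table records. All DNs and the OU layout are assumptions.

```python
# Added example (not the article's isADGroupMember.pm): a recursive group-
# membership check over a constructed in-memory snapshot of AD group objects,
# so it runs without a live LDAP connection. All DNs are constructed values.

# Constructed snapshot: group DN -> DNs in its 'member' attribute. Admins and
# Ops contain each other on purpose, so the search must not loop forever.
AD_GROUPS = {
    "CN=WebUsers,OU=Groups,DC=example,DC=local": [
        "CN=Staff,OU=Groups,DC=example,DC=local",
        "CN=guest,OU=Users,DC=example,DC=local",
    ],
    "CN=Staff,OU=Groups,DC=example,DC=local": [
        "CN=Admins,OU=Groups,DC=example,DC=local",
        "CN=alice,OU=Users,DC=example,DC=local",
    ],
    "CN=Admins,OU=Groups,DC=example,DC=local": [
        "CN=Ops,OU=Groups,DC=example,DC=local",
        "CN=bob,OU=Users,DC=example,DC=local",
    ],
    "CN=Ops,OU=Groups,DC=example,DC=local": [
        "CN=Admins,OU=Groups,DC=example,DC=local",  # cycle back to Admins
        "CN=carol,OU=Users,DC=example,DC=local",
    ],
}

def is_group_member(user_dn, group_dn, groups=AD_GROUPS, _seen=None):
    """True if user_dn is a direct or nested member of group_dn. _seen holds
    groups already expanded so a cycle is never re-entered; an unknown group
    DN has no members and so denies."""
    _seen = set() if _seen is None else _seen
    if group_dn in _seen:
        return False
    _seen.add(group_dn)
    for member in groups.get(group_dn, []):
        if member == user_dn:
            return True
        # Only entries that are themselves groups get expanded.
        if member in groups and is_group_member(user_dn, member, groups, _seen):
            return True
    return False

def authorize(username, domain, group_cn, groups=AD_GROUPS):
    """Map the (username, domain) pair passed via pnotes() to a DN and test it
    against one group; returns the (groupname, grouppermission) pair the
    sessions table stores. The OU layout is an assumption."""
    dc = ",".join("DC=" + p for p in domain.lower().split("."))
    user_dn = "CN=%s,OU=Users,%s" % (username, dc)
    group_dn = "CN=%s,OU=Groups,%s" % (group_cn, dc)
    return group_cn, is_group_member(user_dn, group_dn, groups)
```

The deny-on-unknown-group default and the cycle guard are the two cases a real directory walk has to get right; a cycle in the data above would otherwise recurse until the stack overflows.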

The autohandler stores session variables in a PostgreSQL database with the following schema:

-- Table: users

-- DROP TABLE users;

CREATE TABLE users
(
  pkuserid character(36) NOT NULL, -- guid of user
  userdomain character varying(100) NOT NULL,
  authtype character varying(10) NOT NULL, -- ntlm, basic, ldap, db, builtin
  pwdclear character varying(20),
  pwdmd5 character varying(50),
  CONSTRAINT pk_users_pkuserid PRIMARY KEY (pkuserid)
)
WITHOUT OIDS;
ALTER TABLE users OWNER TO oneunified;
COMMENT ON TABLE users IS 'User list';
COMMENT ON COLUMN users.pkuserid IS 'guid of user';
COMMENT ON COLUMN users.authtype IS 'ntlm, basic, ldap, db, builtin';

-- Table: sessions

-- DROP TABLE sessions;

CREATE TABLE sessions
(
  pksessionid character(36) NOT NULL,
  fkuserid character(36) NOT NULL,
  ts timestamp without time zone NOT NULL,
  groupname character varying(50),
  grouppermission boolean,
  CONSTRAINT pk_sessions_pksessionid PRIMARY KEY (pksessionid),
  CONSTRAINT fk_users_pkuserid FOREIGN KEY (fkuserid)
      REFERENCES users (pkuserid) MATCH SIMPLE
      ON UPDATE NO ACTION ON DELETE NO ACTION
)
WITHOUT OIDS;
ALTER TABLE sessions OWNER TO oneunified;
COMMENT ON TABLE sessions IS 'Contains active web sessions.';

-- Insert these default entries
insert into users ( pkuserid, userdomain, authtype, pwdclear )
  values ( 'admin', 'local', 'builtin', 'admin' );
insert into users ( pkuserid, userdomain, authtype, pwdclear )
  values ( 'guest', 'local', 'builtin', 'guest' );



Blog Content ©2012
Ray Burkholder
All Rights Reserved