From: Clifton W. <cli...@gm...> - 2006-10-08 00:49:43
That's a bit tricky. Someone would need to look at how mod_auth_mysql works
and see about adding a custom directive to do that. It wouldn't be wise to
add it to mod_auth_mysql because it isn't portable, and I don't know if it
is possible to link a custom perl module into mod_auth_mysql's validation
chain.

Best way I could think to do it would be to use a custom PerlAccessHandler
to do the ACL checking in addition to the mod_auth_mysql directives.

So, something like this *MIGHT* work:

Require Slash::ACL
<Location /stats>
    AuthName "Admin"
    AuthType Basic
    AuthGroupFile /dev/null
    AuthMySQLHost localhost
    AuthMySQLDB database
    AuthMySQLUser user
    AuthMySQLPassword pass
    AuthMySQLUserTable users
    AuthMySQLNameField nickname
    AuthMySQLPasswordField passwd
    AuthMySQLMD5Passwords On
    AuthMySQLUserCondition seclev>=10000
    PerlAccessHandler Slash::ACLCheck::verify
    PerlSetVar ReqACL statsaccess
    require valid-user
</Location>

Where Slash::ACLCheck uses $ENV{REMOTE_USER} (hopefully it's even set by
this point) to do the check.

I'm sure there are problems that would need to be worked out (if
$ENV{REMOTE_USER} isn't available, how can we find out the proper username).
Other than that, I don't see any real showstoppers. Slash::ACLCheck would be
fairly easy to write, otherwise.

Would be a nice addition.
- Cliff
On 10/7/06, shane <sh...@lo...> wrote:
>
> Anyone know if you can base the UserCondition off the results from a
> stored procedure or function?
> I hate basing anything in slashcode on seclev, because it's limiting. But
> ACLs, ah, you can do so much with them.
>
> What I was thinking was something like
>
> AuthMySQLUserCondition CALL hasACL('statsaccess')
>
> where the function hasACL would look at the users_acl table and return
> 1/0.
>
> Shane
>
>
> On 3/19/06, Alessio Bragadini <al...@se... > wrote:
> >
> > On 17/mar/06, at 02:02, George Clark wrote:
> >
> > Has anyone out there looked into using Apache authentication for
> > userid/password validation? Or using mod_auth_mysql against the Slash
> > database? Any other approaches?
> >
> > Our organization has several web applications. I really need to figure
> > out a single signon capability.
> >
> >
> > I have a system working more or less this way, using mod_auth_mysql to
> > read the Slash database. The directory containing the site statistics
> > (managed by webalizer) is only accessible to administrators, i.e. Slash
> > users with a seclev >= 10000.
> >
> > <Location /stats>
> >     AuthName "Admin"
> >     AuthType Basic
> >     AuthGroupFile /dev/null
> >     AuthMySQLHost localhost
> >     AuthMySQLDB database
> >     AuthMySQLUser user
> >     AuthMySQLPassword pass
> >     AuthMySQLUserTable users
> >     AuthMySQLNameField nickname
> >     AuthMySQLPasswordField passwd
> >     AuthMySQLMD5Passwords On
> >     AuthMySQLUserCondition seclev>=10000
> >     require valid-user
> > </Location>
> >
> > --
> > Alessio F. Bragadini al...@se...
> >
> >
> _______________________________________________
> Slashcode-general mailing list
> Sla...@li...
> https://lists.sourceforge.net/lists/listinfo/slashcode-general
>
>
>
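One way the Slash::ACLCheck handler discussed in this message could look, as an added example that is not code from the thread or from Slash. It assumes mod_perl 1.x, registration at a phase that runs after authentication (PerlFixupHandler here, because the access phase runs before the user name is known), and users_acl columns named uid and acl; the connection settings are the placeholders from the quoted configuration.

```perl
package Slash::ACLCheck;    # module name taken from the thread; this code is hypothetical

use strict;
use warnings;
use Apache::Constants qw(OK FORBIDDEN SERVER_ERROR);    # mod_perl 1.x API
use DBI;

# Assumed registration inside the <Location /stats> block:
#   PerlFixupHandler Slash::ACLCheck::verify
#   PerlSetVar       ReqACL statsaccess

# Assumed schema: users(uid, nickname), users_acl(uid, acl).
my $SQL = 'SELECT COUNT(*) FROM users u JOIN users_acl a ON a.uid = u.uid '
        . 'WHERE u.nickname = ? AND a.acl = ?';

sub verify {
    my $r = shift;

    my $acl  = $r->dir_config('ReqACL');    # ACL name required for this location
    my $user = $r->connection->user;        # set once Basic authentication succeeded

    # Fail closed: a missing ACL name or an unauthenticated request is denied.
    unless (defined $acl && length $acl && defined $user && length $user) {
        $r->log_error('Slash::ACLCheck: no ReqACL or no authenticated user for ' . $r->uri);
        return FORBIDDEN;
    }

    my $count = eval {
        # Placeholder DSN and credentials, same as the AuthMySQL* lines above.
        my $dbh = DBI->connect('dbi:mysql:database=database;host=localhost',
                               'user', 'pass',
                               { RaiseError => 1, PrintError => 0 });
        # Bound parameters keep the user-supplied nickname out of the SQL text.
        my ($n) = $dbh->selectrow_array($SQL, undef, $user, $acl);
        $dbh->disconnect;
        $n;
    };
    if ($@) {
        # A database failure must not turn into access being granted.
        $r->log_error("Slash::ACLCheck: ACL lookup failed: $@");
        return SERVER_ERROR;
    }

    return $count ? OK : FORBIDDEN;
}

1;
```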