[mod_python] PythonAuthenHandler Question

Al Pacifico pacifico at drizzle.com
Fri Jun 3 16:09:10 EDT 2005


Apologies in advance because I come from an Apache 1.3 / mod_perl background
and am rusty at that to boot.

I'm wondering how to use PythonAuthenHandler to set my client's directory
viewing permissions. I'm authenticating against an openLDAP server and the
basic authentication works.

Depending on the identity of the client, some directories should be
accessible and some should not. With a little additional code, I can assign
the client a category. I figure that I should be using a require <usertype>
directive within my httpd.conf and setting a variable in the request object
to describe the category. Alternatively, I might need to write a
PythonAuthzHandler, but the documentation on this is sparse and I'd rather
not bind to the LDAP server twice if I can avoid it.

I thought about using mod_auth_ldap instead, but review of documentation
suggests that it doesn't know how to bind to openLDAP using SASL
authentication, and I cannot change to another authentication scheme.

Could someone provide an example or suggest changes to my handler and
corresponding changes to httpd.conf?

On a side note, will a 'finally:' clause be executed even if the 'except:'
clause contains 'return' ? Or should I have result = apache.<whatever> and
place return result in the finally clause ?

Here is my authentication handler:

from mod_python import apache
import ldap,ldap.sasl
import MyConfig

def authenhandler(req):

	# import our configuration file to find our LDAP server
	config = MyConfig.Config()

	# show the password dialog, retrieve password and user
	pw = req.get_basic_auth_pw()
	email = req.user

	# get a sasl authentication object
	sasl_auth = ldap.sasl.sasl(
		{ldap.sasl.CB_AUTHNAME:email, ldap.sasl.CB_PASS:pw},
		'DIGEST-MD5')

	# open a connection to our LDAP server
	try:
		l = ldap.open(config["LDAP:server"])

		# attempt to bind to the LDAP server
		try:
			l.sasl_interactive_bind_s("",sasl_auth)
			dn = l.whoami_s()
			l.unbind()
			return apache.OK
		except ldap.LDAPError:
			# bind failed: release the connection and deny access
			l.unbind()
			return apache.HTTP_UNAUTHORIZED
	except ldap.LDAPError:
		# l may not exist here (ldap.open itself failed), so calling
		# l.unbind() would raise NameError; just deny access
		return apache.HTTP_UNAUTHORIZED

and my httpd.conf contains:

	<snip>
User apache
Group apache
ServerAdmin root at localhost
ServerName powell:80
UseCanonicalName Off
DocumentRoot "/usr/var/www/htdocs"
PythonPath "sys.path+['/usr/var/www/lib']"
# Following did not work as expected
# PythonImport PMHx_Config powell
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/usr/var/www/htdocs">
    AddHandler mod_python .psp
    PythonHandler mod_python.psp
    PythonDebug On
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory "/usr/var/www/htdocs/administration">
    AddHandler mod_python .psp
    PythonHandler mod_python.psp
    PythonAuthenHandler authenticate
    PythonDebug On
    AuthType Basic
    AuthName "Restricted Area"
    require valid-user
</Directory>
	<snip>

Thanks
-al
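
Added example, not part of the original post and not mod_python or python-ldap code: it shows that a 'finally:' clause still runs when the 'except:' clause returns, and that a failed connect must not reach the unbind call. OK, HTTP_UNAUTHORIZED, BindError, FakeConnection and check_credentials are hypothetical stand-ins for apache.OK, apache.HTTP_UNAUTHORIZED, ldap.LDAPError and the LDAP connection; the try blocks are nested so the same shape also works on Python versions before 2.5, which do not allow except and finally on one try.

```python
# Stand-ins (assumptions) for mod_python's apache.OK / apache.HTTP_UNAUTHORIZED.
OK = 0
HTTP_UNAUTHORIZED = 401

class BindError(Exception):
    """Stand-in for ldap.LDAPError."""

class FakeConnection(object):
    """Constructed stub for an LDAP connection; counts unbind() calls."""
    def __init__(self, good_password):
        self.good_password = good_password
        self.unbind_calls = 0

    def bind(self, user, password):
        if password != self.good_password:
            raise BindError("invalid credentials")

    def unbind(self):
        self.unbind_calls += 1

def check_credentials(connect, user, password):
    """Return OK or HTTP_UNAUTHORIZED; unbind exactly once if connected."""
    try:
        conn = connect()
    except BindError:
        # No connection object exists yet, so there is nothing to unbind.
        return HTTP_UNAUTHORIZED
    try:
        try:
            conn.bind(user, password)
            return OK
        except BindError:
            return HTTP_UNAUTHORIZED  # the finally clause below still runs
    finally:
        conn.unbind()  # single cleanup path for success and failure

def run_scenarios():
    """Run three constructed cases; return {name: (status, unbind_calls)}."""
    def unreachable():
        raise BindError("server down")
    results = {}
    for name, password in (("success", "s3cret"), ("bad_password", "wrong")):
        conn = FakeConnection("s3cret")
        status = check_credentials(lambda: conn, "al", password)
        results[name] = (status, conn.unbind_calls)
    results["unreachable"] = (check_credentials(unreachable, "al", "s3cret"), 0)
    return results
```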




