Al Pacifico
pacifico at drizzle.com
Fri Jun 3 16:09:10 EDT 2005
Apologies in advance because I come from an Apache 1.3 / mod_perl background
and am rusty at that to boot.
I'm wondering how to use PythonAuthenHandler to set my client's directory
viewing permissions. I'm authenticating against an openLDAP server and the
basic authentication works.
Depending on the identity of the client, some directories should be
accessible and some should not. With a little additional code, I can assign
the client a category. I figure that I should be using a require <usertype>
directive within my httpd.conf and setting a variable in the request object
to describe the category. Alternatively, I might need to write a
PythonAuthzHandler, but the documentation on this is sparse and I'd rather
not bind to the LDAP server twice if I can avoid it.
I thought about using mod_auth_ldap instead, but a review of the documentation
suggests that it doesn't know how to bind to openLDAP using SASL
authentication, and I cannot change to another authentication scheme.
Could someone provide an example or suggest changes to my handler and
corresponding changes to httpd.conf?
On a side note, will a 'finally:' clause be executed even if the 'except:'
clause contains 'return'? Or should I have result = apache.<whatever> and
place return result in the finally clause?
Here is my authentication handler:
from mod_python import apache
import ldap
import ldap.sasl
import MyConfig


def authenhandler(req):
    # import our configuration file to find our LDAP server
    config = MyConfig.Config()
    # show the password dialog, retrieve password and user
    pw = req.get_basic_auth_pw()
    email = req.user
    if pw is None or not email:
        # no credentials sent yet: ask the browser for them
        return apache.HTTP_UNAUTHORIZED
    # get a sasl authentication object
    sasl_auth = ldap.sasl.sasl({ldap.sasl.CB_AUTHNAME: email,
                                ldap.sasl.CB_PASS: pw},
                               'DIGEST-MD5')
    # open a connection to our LDAP server
    try:
        l = ldap.open(config["LDAP:server"])
    except ldap.LDAPError:
        # no connection was made, so there is nothing to unbind
        return apache.HTTP_UNAUTHORIZED
    # attempt to bind to the LDAP server
    try:
        l.sasl_interactive_bind_s("", sasl_auth)
        dn = l.whoami_s()
    except ldap.LDAPError:
        l.unbind()
        return apache.HTTP_UNAUTHORIZED
    l.unbind()
    return apache.OK
and my httpd.conf contains:
<snip>
User apache
Group apache
ServerAdmin root@localhost
ServerName powell:80
UseCanonicalName Off
DocumentRoot "/usr/var/www/htdocs"
PythonPath "sys.path+['/usr/var/www/lib']"
# Following did not work as expected
# PythonImport PMHx_Config powell
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/usr/var/www/htdocs">
    AddHandler mod_python .psp
    PythonHandler mod_python.psp
    PythonDebug On
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory "/usr/var/www/htdocs/administration">
    AddHandler mod_python .psp
    PythonHandler mod_python.psp
    PythonAuthenHandler authenticate
    PythonDebug On
    AuthType Basic
    AuthName "Restricted Area"
    require valid-user
</Directory>
<snip>
Thanks
-al
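An added example, not part of the original post, of the PythonAuthzHandler approach the message asks about: the authentication handler records the category it derives after its single LDAP bind in req.notes['usertype'] (an assumption for this example, as is the 'require usertype ...' spelling of the directive), and a separate authorization handler compares that category against the require lines Apache exposes through req.requires(). The mod_python import is guarded so the policy function can be exercised outside Apache.

```python
# Added example, not code from the original post. Assumed conventions:
# the authen handler puts the client's category into req.notes['usertype']
# and httpd.conf carries 'require usertype admin staff' style lines.
try:
    from mod_python import apache
except ImportError:          # lets the policy logic run outside Apache
    apache = None

REQUIRE_KEYWORD = "usertype"   # assumed keyword for the require directive


def parse_requires(requires):
    """Parse the tuple returned by req.requires(), e.g.
    ('valid-user', 'usertype admin staff'), into {keyword: [args]}."""
    rules = {}
    for line in requires:
        parts = line.split()
        if parts:
            rules.setdefault(parts[0], []).extend(parts[1:])
    return rules


def is_authorized(requires, usertype):
    """Deny by default: grant only for 'require valid-user' or when the
    client's category is listed on a 'require usertype ...' line."""
    rules = parse_requires(requires)
    if "valid-user" in rules:
        return True
    return usertype is not None and usertype in rules.get(REQUIRE_KEYWORD, [])


def record_usertype(req, category):
    """Call from authenhandler after the successful SASL bind, so the
    category decided there is reused and the LDAP server is bound once."""
    req.notes["usertype"] = category


def authzhandler(req):
    """PythonAuthzHandler: runs after PythonAuthenHandler in the same request."""
    try:
        usertype = req.notes["usertype"]
    except KeyError:
        usertype = None
    if is_authorized(req.requires(), usertype):
        return apache.OK
    # authenticated but not in an allowed category: forbid rather than re-prompt
    req.log_error("usertype %r not allowed by %r" % (usertype, req.requires()))
    return apache.HTTP_FORBIDDEN
```

In httpd.conf the administration Directory would then carry a PythonAuthzHandler line alongside PythonAuthenHandler, with the require line naming the permitted categories instead of valid-user.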