[mod_python] PythonAuthenHandler Question

Al Pacifico pacifico at drizzle.com
Sat Jun 4 19:54:47 EDT 2005


So, I'm perhaps partly able to answer my previous question(s) and will post
some code once I get it working perfectly. At present, I've gotten much
closer using the requires() method of request object.

My error log is cropping up with:
    'access to <page> failed, reason unknown require directive: "administrator"'
    'access to <page> failed, reason user <user name> not allowed access'

My authentication handler seems to execute correctly, but then a core apache
handler is picking up the request and canning it.
I've been using the require directive as "require administrator" and therein
lies the problem. But I wish to allocate access on a per-directory basis to
members of the administrator group.

Two questions:
1. How do I remove the core handler from my request's authentication phase
handler chain on a per-directory basis, so that my handler is the only one
registered to authenticate?
2. If I can't do that, how do I pass information on a per-directory basis
from httpd.conf to my handler? If I can do that by some technique, then I
can change 'require administrator' to 'require valid-user' (simply to
trigger the authentication handler) and call it good.

I can think of lots of ugly solutions. One is to place a file in each
directory encoding which groups are able to access that directory and have
my handler read it in (and probably cache it in a dictionary to speed future
authentications), but I prefer the elegance of the httpd.conf solution.

Again, mod_auth_ldap probably will not work with ldap sasl queries, which I
am compelled to use. Grepping the source code for 'sasl' comes up empty.
 
Now my httpd.conf contains:

	<snip>
User apache
Group apache
ServerAdmin root@localhost
ServerName powell:80
UseCanonicalName Off
DocumentRoot "/usr/var/www/htdocs"
PythonPath "sys.path+['/usr/var/www/lib']"
# Following did not work as expected
# PythonImport PMHx_Config powell
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/usr/var/www/htdocs">
    AddHandler mod_python .psp
    PythonHandler mod_python.psp
    PythonDebug On
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory "/usr/var/www/htdocs/administration">
    AddHandler mod_python .psp
    PythonHandler mod_python.psp
    PythonAuthenHandler authenticate
    PythonDebug On
    AuthType Basic
    AuthName "Restricted Area"
    require administrator
</Directory>
	<snip>
Al Pacifico
Seattle, WA

Apologies in advance because I come from an Apache 1.3 / mod_perl background
and am rusty at that to boot.

I'm wondering how to use PythonAuthenHandler to set my client's directory
viewing permissions. I'm authenticating against an openLDAP server and the
basic authentication works.

Depending on the identity of the client, some directories should be
accessible and some should not. With a little additional code, I can assign
the client a category. I figure that I should be using a require <usertype>
directive within my httpd.conf and setting a variable in the request object
to describe the category. Alternatively, I might need to write a
PythonAuthzHandler, but the documentation on this is sparse and I'd rather
not bind to the LDAP server twice if I can avoid it.

I thought about using mod_auth_ldap instead, but review of documentation
suggest that it doesn't know how to bind to openLDAP using SASL
authentication, and I cannot change to another authentication scheme.

Could someone provide an example or suggest changes to my handler and
corresponding changes to httpd.conf?

On a side note, will a 'finally:' clause be executed even if the 'except:'
clause contains 'return'? Or should I have result = apache.<whatever> and
place return result in the finally clause?

Here is my authentication handler:

from mod_python import apache
import ldap, ldap.sasl
import MyConfig

def authenhandler(req):

    # import our configuration file to find our LDAP server
    config = MyConfig.Config()

    # show the password dialog, retrieve password and user
    pw = req.get_basic_auth_pw()
    email = req.user

    # get a SASL authentication object
    sasl_auth = ldap.sasl.sasl({ldap.sasl.CB_AUTHNAME: email,
                                ldap.sasl.CB_PASS: pw},
                               'DIGEST-MD5')

    # open a connection to our LDAP server; if this fails there is no
    # connection object yet, so there is nothing to unbind
    try:
        l = ldap.open(config["LDAP:server"])
    except ldap.LDAPError, e:
        req.log_error("LDAP open failed: %s" % e)
        return apache.HTTP_UNAUTHORIZED

    # attempt to bind to the LDAP server; the finally clause runs the
    # unbind on both the success and the failure path
    try:
        try:
            l.sasl_interactive_bind_s("", sasl_auth)
            dn = l.whoami_s()   # authorization identity of the bound user
            return apache.OK
        except ldap.LDAPError, e:
            req.log_error("LDAP bind failed for %s: %s" % (email, e))
            return apache.HTTP_UNAUTHORIZED
    finally:
        l.unbind()

and my httpd.conf contains:

	<snip>
User apache
Group apache
ServerAdmin root@localhost
ServerName powell:80
UseCanonicalName Off
DocumentRoot "/usr/var/www/htdocs"
PythonPath "sys.path+['/usr/var/www/lib']"
# Following did not work as expected
# PythonImport PMHx_Config powell
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/usr/var/www/htdocs">
    AddHandler mod_python .psp
    PythonHandler mod_python.psp
    PythonDebug On
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory "/usr/var/www/htdocs/administration">
    AddHandler mod_python .psp
    PythonHandler mod_python.psp
    PythonAuthenHandler authenticate
    PythonDebug On
    AuthType Basic
    AuthName "Restricted Area"
    require valid-user
</Directory>
	<snip>

Thanks
-al
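An added example, not code from the post or from mod_python itself, of the per-directory check the message is after: it evaluates the strings that req.requires() hands back for the current directory against the groups an authenticated user belongs to, and shows why a bare "require administrator" (a kind Apache has no evaluator for) ends in a denial. The group table, the lookup function and the FakeRequest object are constructed stand-ins for the LDAP query and the real request object.

```python
import shlex

# Constructed stand-in for the group lookup the poster's handler would do
# after the LDAP bind: authenticated user name -> groups it belongs to.
SAMPLE_GROUPS = {
    "al@example.invalid": ["administrator", "staff"],
    "bob@example.invalid": ["staff"],
}

def lookup_groups(user):
    # hypothetical; a real handler would query the directory here
    return SAMPLE_GROUPS.get(user, [])

def parse_requires(requires):
    # req.requires() yields strings such as 'group administrator',
    # 'user al mary' or 'valid-user'; split each into (kind, names)
    parsed = []
    for line in requires:
        words = shlex.split(line)
        if words:
            parsed.append((words[0].lower(), set(words[1:])))
    return parsed

def authorize(user, groups, requires):
    # any matching require line admits the user; a kind Apache does not
    # know (a bare 'require administrator') matches nothing and so denies
    for kind, names in parse_requires(requires):
        if kind == "valid-user":
            return True
        if kind == "user" and user in names:
            return True
        if kind == "group" and names.intersection(groups):
            return True
    return False  # also covers "no require directive at all": fail closed

class FakeRequest(object):
    # minimal stand-in for the mod_python request object (assumed shape)
    def __init__(self, user, requires):
        self.user = user
        self._requires = requires

    def requires(self):
        return self._requires

def check_request(req, lookup=lookup_groups):
    # name of the status a handler would return for this request
    if authorize(req.user, lookup(req.user), req.requires()):
        return "OK"              # apache.OK in the real handler
    return "HTTP_UNAUTHORIZED"   # apache.HTTP_UNAUTHORIZED in the real one
```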



_______________________________________________
Mod_python mailing list
Mod_python at modpython.org
http://mailman.modpython.org/mailman/listinfo/mod_python