[mod_python] PythonAuthenHandler Question SOLVED

Al Pacifico pacifico at drizzle.com
Sun Jun 5 13:32:10 EDT 2005

I answered my question posed yesterday moments after submitting it. The idea
of subclassing a handler occurred to me, but I realized it was inflexible
(if there were five groups and there were various required combinations I'd
need 5! handlers). The PythonOption directive was what I needed (rather than
the require method) and not thinking of it was a novice move!

I'm posting the handler and the corresponding httpd.conf section in case it
helps anyone. If you look it over and have any input, please post it. To
those who responded to my posts, thanks for your input.


<--- authenticate.py --->

from mod_python import apache
import ldap,ldap.sasl
import example_Config
import re

# this dictionary "client_group_match" contains keys that should match the
first argument to
# PythonOption directives in the httpd.conf file. The values are python
regular expression object
# that determine if the argument to the method (a single string which
represents the distinguished
# methods name of the client) matches the corresponding directive. Calls to
these methods return a
# match object if there is a match and None if there is not.
client_group_match['clientadministrator'] = \
client_group_match['clientagent'] = \
client_group_match['exampleadministrator'] = \

def authenhandler(req):

	# import our configuration file to find our LDAP server
	config = Config.Config()

	# show the password dialog, retrieve password and user
	pw = req.get_basic_auth_pw()
	email = req.user

	# get a sasl authentication object
	sasl_auth =
	# open a connection to our LDAP server
	# initialize LDAPObject with domain name / ip of our sever
	l = ldap.open(config["LDAP:server"])

	# attempt to bind to the LDAP server
			# retrieve client's distinguished name (dn), remove
the prepended dn: that the
			# LDAPObject.whomai_s() method returns, and
normalize it to lower case
			client_dn = l.whoami_s().lower()[3:]
			# Access to this page is restricted to whom?
			restricted_to =

			if restricted_to:
				# process arguments to the 'permitted'
PythonOption : split on commas, remove whitespace
				# at end and beginning, condense whitespace
between the words to a single space, and
				# normalize to all lower case
'.join(perm_args.split(None)).lower() for perm_args in
				# determine which groups the client belongs
to by searching all the groups in the LDAP tree
				# the following code is dependent on the
ldap directory structure
				for (group_dn,group_attr) in groups:
					# lower case the distinguished names
of the members of the group to permit string
					# equality comparison with the
distinguished name returned by the LDAPObject.whoami_s()
					# method
					group_attr['member'] = [s.lower()
for s in group_attr['member']]
					# debugging
					req.log_error('%s contains %s' %
					# if the client's dn is a member of
the group, add the group to our list
					if client_dn in
group_attr['member']: client_groups.append(group_dn.lower())

				# test if the dn of any member of client's
groups matches the dn's of the groups which are
				# permitted to access this request At this
point, client is authenticated and only possible
				# results are HTTP_FORBIDDEN and OK
				result = apache.HTTP_FORBIDDEN
				for client_role in client_groups:
					if result == apache.HTTP_FORBIDDEN:
						for role_permitted in
client_group_match.has_key(role_permitted) and \
								result =
								# require
directive contains bad arguments - log this to the  error log
req.log_error('Bad arguments to require directive at %s.' % req.filename)
					else: break

				return result
				# restricted_to was None, so there are no
				return apache.OK
	except ldap.SERVER_DOWN,e:
		# can't contact the LDAP server
	except ldap.LDAPError,e:
		# client couldn't authenticate. Returning HTTP_UNAUTHORIZED
gives him an opportunity to try again
		return apache.HTTP_UNAUTHORIZED

httpd.conf section follows:

PythonPath "sys.path+['/usr/var/www/lib']"
# Following did not work as expected
# PythonImport PMHx_Config powell
<Directory />
    Options FollowSymLinks
    AllowOverride None
<Directory "/usr/var/www/htdocs">
    AddHandler mod_python .psp
    PythonHandler mod_python.psp
    PythonDebug On
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
<Directory "/usr/var/www/htdocs/administration">
    AddHandler mod_python .psp
    PythonHandler mod_python.psp
	PythonAuthenHandler authenticate
	PythonOption permitted ExampleAdministrator
	PythonDebug On
	AuthType Basic
	AuthName "Example Administration"
	require valid-user

Al Pacifico
Seattle, WA

More information about the Mod_python mailing list