Apache Auth

Steve smorrey at gmail.com
Sun Dec 30 13:17:30 MST 2007


I had to do something similar recently and found that all the webapps
we have installed on the server supported LDAP.
Now obviously it's not exactly the same since you still need to log in
to each app individually, but at least moving to LDAP unified the
logins across the board.
Anyways if you are able to pull this off please let me know how you
did it, I am always interested in making things easier around here.
However like I said, to the best of my knowledge what you propose
cannot be done very easily, if at all.
Wouldn't be the first time I'm wrong though, so give it a go and let
me know what you find.

Sincerely,
Steve



On Dec 30, 2007 12:45 PM, Jeff Anderson <jefferya at programmerq.net> wrote:
> Apache can do simpleauth, but it can also authenticate against other
> sources. You can authenticate against an ldap, pam users, kerberos, etc...
> Apache authentication is really very very nice. It is also a lowest
> common denominator between web apps. Many web apps can be configured (or
> very easily modified) to honor the current apache user instead of its
> own authentication mechanism. That way, if I present the ugly box, all
> the web apps that are protected are now all available to the user, so
> they can click back and forth between apps without having to log in
> multiple times.
> If I can make any app log in to this common authentication system
> through its own interface, it will be completely transparent to the user.
> This is easier than writing extensions for each web app that I want to
> use to allow authentication from other web apps.
> Also, I can create a database-driven session database, so if someone
> logs into a web app via server A, when they click a link to server B, I
> can have the web app there make a call that checks the database to see
> if the user authenticated against server A, and then automatically
> authenticate them on server B.
> So there you have the boring 'why' that I avoided earlier.
>
> The reason I am interested in doing this is at work, there are some
> rather silly hoops you have to jump through to get to certain features--
> 1) login on server A, get a menu of features/items
> 2) click a link to open a ticket, ticket system is a different web app
> on server B.
> 3) login again on server B for ticket system
> 4) go back to server A, click on another link on server C
> 5) the link is for a feature embedded deep inside another web app that
> forces a screen to be shown before prompting for username and password
> 6) move past forced-screen
> 7) login again
> 8) click on the link to take you to where you wanted to go in the first
> place
>
> All these apps and servers are maintained by different people. It would
> be much nicer to just give everyone a bit of code for their web app (be
> it a joomla app, custom site, django, drupal, mediawiki, trac, etc...)
> and have all the apps on all the servers play nicely together. The end
> result would be a cleaner, more professional system. The apache
> authentication from the server side is the lowest common denominator,
> and would make it the easiest to integrate as many web apps as possible.
>
> Jeff Anderson
>
> Steve wrote:
> > I could be wrong here, but I think simpleauth is the only
> > authentication apache directly supports.
> > There might be a way to pull it off using server side includes, but I
> > highly doubt it.
> > Someone care to correct me if I'm wrong here?
> >
> >
> > On Dec 30, 2007 12:25 PM, Jeff Anderson <jefferya at programmerq.net> wrote:
> >
> >> Steve wrote:
> >>
> >>> You are going to need to use PHP or PERL and create a login box, tie
> >>> it into a backend DB such as MySQL or PostGRES or even just a flat
> >>> file.
> >>> A ton of examples can be found here...
> >>> http://www.hotscripts.com/search?q=authentication&cat=All
> >>>
> >>> The easiest way is probably a simple PHP script that checks for the
> >>> presence of an authentication cookie, and if not present then it will
> >>> direct the user to a login box for the pages being viewed.
> >>> Something along the lines of
> >>>
> >>> <?php
> >>> $auth  = $_COOKIE['auth'];
> >>> if(!$auth){
> >>>     die("You must login to view this page!");
> >>> }else{
> >>>    ShowPage();
> >>> }
> >>> ?>
> >>>
> >>> Sincerely,
> >>> Steve Morrey
> >>>
> >>> On Dec 30, 2007 12:08 PM, Jeff Anderson <jefferya at programmerq.net> wrote:
> >>>
> >>>
> >>>> Hello,
> >>>>
> >>>> I am not going to bore you with 'why' but this is what I want to do:
> >>>> Authenticate a user behind the apache authentication from the server-side.
> >>>> Basically I want to get rid of the box if I have a password area on apache.
> >>>>
> >>>> The user would provide their credentials in the login form of <insert
> >>>> your web app or framework here> and the web app would make a call or run
> >>>> a command that tells apache that the current user is trying to
> >>>> authenticate. Apache processes the request just like it had come from
> >>>> the http request packet in the user agent.
> >>>>
> >>>> I am not interested in alternatives to this, as I have thought of many
> >>>> of them already, and rejected them.
> >>>> Any and all insight is appreciated, even if you don't have a solution.
> >>>>
> >>>> Thanks!
> >>>>
> >>>> Jeff Anderson
> >>>>
> >>>>
> >>>>
> >>>> /*
> >>>> PLUG: http://plug.org, #utah on irc.freenode.net
> >>>> Unsubscribe: http://plug.org/mailman/options/plug
> >>>> Don't fear the penguin.
> >>>> */
> >>>>
> >>>>
> >>>>
> >>> /*
> >>> PLUG: http://plug.org, #utah on irc.freenode.net
> >>> Unsubscribe: http://plug.org/mailman/options/plug
> >>> Don't fear the penguin.
> >>> */
> >>>
> >>>
> >>>
> >> Hello,
> >>
> >> This is a nice alternative, but I still want it to be apache
> >> authentication. I've done the alternative authentications plenty of
> >> times, but it still isn't apache authentication. I want the same
> >> authentication to happen, so if I have the apache mod_kerberos
> >> installed, I want to be able to have that handle the authentication
> >> without presenting the ugly box to my users.
> >> Thanks for the reply!
> >>
> >> Jeff Anderson
> >>
> >>
> >>
> >> /*
> >> PLUG: http://plug.org, #utah on irc.freenode.net
> >> Unsubscribe: http://plug.org/mailman/options/plug
> >> Don't fear the penguin.
> >> */
> >>
> >>
> >
> > /*
> > PLUG: http://plug.org, #utah on irc.freenode.net
> > Unsubscribe: http://plug.org/mailman/options/plug
> > Don't fear the penguin.
> > */
> >
> >
>
>
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>



More information about the PLUG mailing list