The monitoring server described in these articles uses an Apache 2.0 web server loaded with mod_perl and a page templating language based on Mason. I'll put up on this site the other pages I have, but for the moment I just wanted to get the authentication stuff documented.
Authentication starts in /etc/apache2/sites-available/default with the following configuration:
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
PerlAuthenHandler OneUnified::AuthNTLM
AuthType ntlm,basic
AuthName domainname
require valid-user
PerlAddVar ntdomain "domainname globalcat1 globalcat2"
PerlSetVar defaultdomain domainname
PerlSetVar splitdomainprefix 1
PerlSetVar ntlmdebug 0
PerlSetVar ntlmauthoritative 0
# PerlSetVar fallbackdomain fallbackdomain
In this configuration, replace 'domainname' with your NetBIOS domain name and 'globalcat1'/'globalcat2' with the DNS names of your global catalog servers (the ntdomain line lists the domain followed by its global catalog servers).
When running this security configuration, a web browser's security settings may need to be changed to make this a trusted site, so that the user's NTLM security information is exchanged with the server.
AuthNTLM.pm is a wrapper around the CPAN Perl module Apache2::AuthenNTLM. It pulls the username and domain information out of the authenticated request and passes it along, via the request object's pnotes() method, to the actual Mason processing.
autohandler is Mason's root file, executed for every page served by a web site. As such, it can be used to perform page initialization, authentication, and authorization. It also holds the defaults for the pages of the site, and is used in an object-oriented fashion to let other pages override those defaults. This particular one maintains session and user variables and, with some upcoming additions, will help to maintain session state. (You may need to use Firefox to download the file, as Internet Explorer interprets the file as something it isn't.)
The autohandler file calls isADGroupMember.pm to perform the actual user and group authentication and authorization against Active Directory. The routine knows how to recursively search groups nested within groups.
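As an added illustration (not the page's isADGroupMember.pm, which does this over LDAP against Active Directory), the nested-group walk in Python over a constructed in-memory directory; the DNs and the cycle between 'Ops Team' and 'Night Shift' are made up:

```python
# Added example, not the page's isADGroupMember.pm (which searches AD over LDAP):
# the same nested-group walk over a constructed in-memory directory of
# group DN -> member DNs (AD's 'member' attribute), so it runs offline.

# Constructed sample data. 'Night Shift' nests 'Ops Team' back, a cycle that
# naive recursion would loop on forever.
DIRECTORY = {
    "CN=Monitoring Admins,OU=Groups,DC=example,DC=local": {
        "CN=Ops Team,OU=Groups,DC=example,DC=local",
        "CN=alice,OU=Users,DC=example,DC=local",
    },
    "CN=Ops Team,OU=Groups,DC=example,DC=local": {
        "CN=Night Shift,OU=Groups,DC=example,DC=local",
        "CN=bob,OU=Users,DC=example,DC=local",
    },
    "CN=Night Shift,OU=Groups,DC=example,DC=local": {
        "CN=Ops Team,OU=Groups,DC=example,DC=local",
        "CN=carol,OU=Users,DC=example,DC=local",
    },
    "CN=Guests,OU=Groups,DC=example,DC=local": {
        "CN=dave,OU=Users,DC=example,DC=local",
    },
}

def members_of(group_dn, directory=DIRECTORY):
    """Stand-in for the LDAP search returning a group's 'member' values."""
    return directory.get(group_dn, set())

def is_group_member(user_dn, group_dn, directory=DIRECTORY, max_depth=32):
    """True if user_dn is a direct or nested member of group_dn.
    'visited' stops cyclic nesting from looping; max_depth bounds the walk so
    one page request cannot turn into unbounded directory work."""
    visited = set()
    stack = [(group_dn, 0)]
    while stack:
        current, depth = stack.pop()
        if current in visited or depth > max_depth:
            continue
        visited.add(current)
        members = members_of(current, directory)
        if user_dn in members:
            return True
        # Only descend into members that are themselves groups.
        stack.extend((m, depth + 1) for m in members if m in directory)
    return False

def transitive_groups(user_dn, directory=DIRECTORY):
    """All groups the user is in, directly or via nesting."""
    return sorted(g for g in directory if is_group_member(user_dn, g, directory))
```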
The autohandler stores session variables in a PostgreSQL database with the following schema:
-- Table: users
-- DROP TABLE users;
CREATE TABLE users
(
  pkuserid character(36) NOT NULL,              -- guid of user
  userdomain character varying(100) NOT NULL,
  authtype character varying(10) NOT NULL,      -- ntlm, basic, ldap, db, builtin
  pwdclear character varying(20),               -- cleartext password (used by the builtin entries inserted below)
  pwdmd5 character varying(50),                 -- md5 hash of the password
  CONSTRAINT pk_users_pkuserid PRIMARY KEY (pkuserid)
)
WITHOUT OIDS;
ALTER TABLE users OWNER TO oneunified;
COMMENT ON TABLE users IS 'User list';
COMMENT ON COLUMN users.pkuserid IS 'guid of user';
COMMENT ON COLUMN users.authtype IS 'ntlm, basic, ldap, db, builtin';

-- Table: sessions
-- DROP TABLE sessions;
CREATE TABLE sessions
(
  pksessionid character(36) NOT NULL,           -- session identifier
  fkuserid character(36) NOT NULL,              -- references users.pkuserid
  ts timestamp without time zone NOT NULL,      -- session timestamp
  groupname character varying(50),              -- session variables: group name and its permission flag
  grouppermission boolean,
  CONSTRAINT pk_sessions_pksessionid PRIMARY KEY (pksessionid),
  CONSTRAINT fk_users_pkuserid FOREIGN KEY (fkuserid)
    REFERENCES users (pkuserid) MATCH SIMPLE
    ON UPDATE NO ACTION ON DELETE NO ACTION
)
WITHOUT OIDS;
ALTER TABLE sessions OWNER TO oneunified;
COMMENT ON TABLE sessions IS 'Contains active web sessions.';

-- Insert these default entries (builtin accounts with cleartext passwords)
insert into users ( pkuserid, userdomain, authtype, pwdclear )
  values ( 'admin', 'local', 'builtin', 'admin' );
insert into users ( pkuserid, userdomain, authtype, pwdclear )
  values ( 'guest', 'local', 'builtin', 'guest' );