Hi Everyone,

after some reading on the Everything Engine and successfully doing a test install on a Win2k Server with IIS (following Everything on IIS), it came to my mind that this could be a perfect solution for our team's intranet site.

But since new logins and passwords seem to pose a real hurdle on user acceptance, it would be nice to use NT authentication against our Active Directory.

Here's the quick hack I've come up with so far:

All code modifications need to be done in the Everything::HTML module.
This paragraph in sub loginUser:
    if (my $oldcookie = $query->cookie("userpass")) {
        $USER_HASH = confirmUser (split (/\|/, Everything::Util::unescape($oldcookie)));
    }
change to
    # IIS will set $ENV{AUTH_USER} to "domain\Username", if NT
    # authentication was successful. As I am not 100% certain
    # if it always translates a UPN (user@domain.dnsname.com)
    # to the backslashed version, I check for that case too.
    #
    # Please note that this chops off the domain, so there will be no
    # distinction between same usernames on different domains!
    # You can secure that using file permissions.
    if (my $ntuser = lc($ENV{AUTH_USER})) {
        if ($ntuser =~ /^([a-zA-Z0-9.]+)(\\|\@)([a-zA-Z0-9.]+)/) {
            if ($2 eq '@') {
                $ntuser = $1;
            } elsif ($2 eq '\\') {
                $ntuser = $3;
            }
        }
        # since authentication already happened, we don't need a password
        $USER_HASH = confirmUser ($ntuser, undef);
    } elsif (my $oldcookie = $query->cookie("userpass")) {
        $USER_HASH = confirmUser (split (/\|/, Everything::Util::unescape($oldcookie)));
    }

and this line in sub confirmUser
if ($genCrypt eq $crpasswd)
change to
if (($genCrypt eq $crpasswd) or $ENV{AUTH_USER})

To allow anonymous access as well as the normal login and cookies, the index.pl needs to be duplicated (in this example: ntauth.pl). Then anonymous access gets disabled on ntauth.pl and its file permissions are set to the groups which shall be granted use of the NT login.

When creating a new user, the username needs to match the NT username. For NT authentication, simply ignore the supplied password and use ntauth.pl instead of index.pl (the other password will work as well).

I decided to ignore the domain for two reasons, first being that it looks ugly in the username and second that we have an upcoming migration to a new domain (with a new name) which would render all accounts created before useless.

The above changes are kind of dirty, but it seems to work well and maybe some Monk has a great idea on how to improve that?
Greets,
Golo

P.S. I was not really sure on where to post it, since it's about perl but also about Everything. Also I wasn't really sure on where to post it on pm. So please accept my apologies, if it went to the wrong place.
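
Added example, not part of Golo's post or of the Everything code base: the test `or $ENV{AUTH_USER}` in confirmUser is true for whatever user name is being confirmed once IIS has authenticated anyone, and the regex drops the domain and does not match names containing `-` or `_`. The sketch below parses AUTH_USER strictly, checks the domain against an allow-list, and waives the password only when the name being confirmed equals the authenticated one. The names `nt_identity`, `nt_login_ok` and `%ALLOWED_DOMAIN`, and all sample values, are assumptions.

```perl
use strict;
use warnings;

# Hypothetical allow-list: NT domains (NetBIOS or DNS form, lowercase) whose
# users may be mapped to Everything accounts. Constructed sample values.
my %ALLOWED_DOMAIN = map { $_ => 1 } qw(corp corp.example.com);

# Parse IIS's AUTH_USER ("DOMAIN\user" or "user@domain") and return the
# lowercased user name, or undef if the value is malformed or the domain
# is not on the allow-list.
sub nt_identity {
    my ($auth_user) = @_;
    return unless defined $auth_user && length $auth_user;
    my ($domain, $user);
    if ($auth_user =~ /\A([A-Za-z0-9._-]+)\\([A-Za-z0-9._-]+)\z/) {
        ($domain, $user) = (lc $1, lc $2);
    }
    elsif ($auth_user =~ /\A([A-Za-z0-9._-]+)\@([A-Za-z0-9.-]+)\z/) {
        ($user, $domain) = (lc $1, lc $2);
    }
    else {
        return;    # no domain part, or unexpected characters
    }
    return $ALLOWED_DOMAIN{$domain} ? $user : undef;
}

# Decide whether the password check may be skipped for $name: only when
# the web server authenticated exactly that user.
sub nt_login_ok {
    my ($name, $auth_user) = @_;
    my $nt = nt_identity($auth_user);
    return (defined $nt && defined $name && lc($name) eq $nt) ? 1 : 0;
}

# Constructed sample values, not taken from a real server.
for my $case (
    [ 'alice', 'CORP\\Alice' ],               # backslash form
    [ 'alice', 'alice@corp.example.com' ],    # UPN form
    [ 'alice', 'OTHER\\alice' ],              # same name, foreign domain
    [ 'admin', 'CORP\\alice' ],               # authenticated as someone else
    [ 'j_doe', 'CORP\\j_doe' ],               # underscore in the name
) {
    printf "%-6s %-24s => %s\n", @$case,
        nt_login_ok(@$case) ? 'accept' : 'reject';
}
```

Run as a script, it prints accept for the first, second and fifth cases and reject for the foreign-domain and mismatched-name cases.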

In reply to Everything on NT with NT authentication by Golo
