Hi Everyone,
after some reading on the Everything Engine and successfully doing a test install on a Win2k Server with IIS (following Everything on IIS), it came to my mind that this could be a perfect solution for our team's intranet site.
But since new logins and passwords seem to pose a real hurdle on user acceptance, it would be nice to use NT authentication against our Active Directory.
Here's the quick hack I've come up with so far:
All code modifications need to be done in the Everything::HTML module.
This paragraph in sub loginUser:
    if (my $oldcookie = $query->cookie("userpass")) {
        $USER_HASH = confirmUser(split(/\|/,
            Everything::Util::unescape($oldcookie)));
    }
change to
    # IIS will set $ENV{AUTH_USER} to "domain\Username", if NT
    # authentication was successful. As I am not 100% certain
    # if it always translates a UPN (user@domain.dnsname.com)
    # to the backslashed version, I check for that case too.
    #
    # Please note that this chops off the domain, so there will be no
    # distinction between same usernames on different domains!
    # You can secure that using file permissions.
    #
    # The "|| ''" avoids an "uninitialized value" warning on the
    # anonymous index.pl, where IIS does not set AUTH_USER at all.
    if (my $ntuser = lc($ENV{AUTH_USER} || '')) {
        if ($ntuser =~ /^([a-zA-Z0-9.]+)(\\|\@)([a-zA-Z0-9.]+)/) {
            if ($2 eq '@') {
                $ntuser = $1;       # UPN form: keep the part before the '@'
            } elsif ($2 eq '\\') {
                $ntuser = $3;       # domain\user form: keep the part after the '\'
            }
        }
        # since authentication already happened, we don't need a password
        $USER_HASH = confirmUser($ntuser, undef);
    } elsif (my $oldcookie = $query->cookie("userpass")) {
        $USER_HASH = confirmUser(split(/\|/,
            Everything::Util::unescape($oldcookie)));
    }
and this line in sub confirmUser:
if ($genCrypt eq $crpasswd)
change to
if (($genCrypt eq $crpasswd) or $ENV{AUTH_USER})
To allow anonymous access as well as the normal login and cookies, the index.pl needs to be duplicated (in this example: ntauth.pl). Then anonymous access gets disabled on ntauth.pl and its file permissions are set for the groups which shall be granted NT login.
When creating a new user, the username needs to match the NT username; for NT authentication, simply ignore the supplied password and use ntauth.pl instead of index.pl (the other password will work as well).
I decided to ignore the domain for two reasons: first, that it looks ugly in the username, and second, that we have an upcoming migration to a new domain (with a new name), which would render all accounts created before useless.
The above changes are kind of dirty, but it seems to work well and maybe some Monk has a great idea on how to improve that?
Greets,
Golo
P.S. I was not really sure on where to post it, since it's about perl but also about Everything. Also I wasn't really sure on where to post it on pm. So please accept my apologies, if it went to the wrong place.
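As an added example (not Golo's code and not part of the Everything engine), here is a stand-alone Perl sketch of the two places a reviewer would tighten: a stricter AUTH_USER parser, and a password check that skips the password only for the very account IIS authenticated, since a bare "or $ENV{AUTH_USER}" in confirmUser would also wave through any password for any other username if confirmUser is reached from the login form on ntauth.pl. The names parse_nt_user and password_ok are hypothetical, the sample AUTH_USER values are constructed, and how the requested username reaches confirmUser is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Split IIS's AUTH_USER into (domain, user). Accepts "DOMAIN\user" and the
# UPN form "user@domain.example.com"; returns an empty list for anything
# else so the caller can fall back to the cookie/form login. Compared with
# the regex in the post, this also allows '-' and '_' in names and anchors
# the whole string so trailing characters cannot be silently ignored.
sub parse_nt_user {
    my ($auth_user) = @_;
    return () unless defined $auth_user && length $auth_user;
    my $s = lc $auth_user;
    return ($1, $2) if $s =~ /^([a-z0-9._-]+)\\([a-z0-9._-]+)$/;  # domain\user
    return ($2, $1) if $s =~ /^([a-z0-9._-]+)\@([a-z0-9._-]+)$/;  # user@domain
    return ();
}

# Replacement for the "or $ENV{AUTH_USER}" clause in confirmUser: the
# password check is skipped only when the account being logged in is the
# one IIS authenticated (domain still ignored, as in the post). Any other
# username must still present the matching crypt()ed password.
sub password_ok {
    my ($wanted_user, $gen_crypt, $cr_passwd, $auth_user) = @_;
    my (undef, $nt_user) = parse_nt_user($auth_user);
    return 1 if defined $nt_user && defined $wanted_user
                && $nt_user eq lc $wanted_user;
    return (defined $gen_crypt && defined $cr_passwd
            && $gen_crypt eq $cr_passwd) ? 1 : 0;
}

# Constructed sample values (no real accounts), run when executed directly.
unless (caller) {
    for my $raw ('CORP\\golo', 'golo@corp.example.com', 'golo', 'CORP\\golo; x') {
        my ($dom, $usr) = parse_nt_user($raw);
        printf "%-24s -> %s\n", $raw,
            defined $usr ? "domain=$dom user=$usr" : 'rejected';
    }
    # NT-authenticated as golo: logging in as golo needs no password,
    # logging in as admin with a wrong password is still refused.
    print 'golo: ',  (password_ok('golo',  'a', 'b', 'CORP\\golo') ? "ok\n" : "denied\n");
    print 'admin: ', (password_ok('admin', 'a', 'b', 'CORP\\golo') ? "ok\n" : "denied\n");
}
```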