Beefy Boxes and Bandwidth Generously Provided by pair Networks
No such thing as a small change

Cross-Platform Pluggable Authentication & Authorization

by flyingmoose (Priest)
on Mar 11, 2004 at 17:51 UTC ( #335898=perlquestion: print w/replies, xml ) Need Help??
flyingmoose has asked for the wisdom of the Perl Monks concerning the following question:


Does anyone know of any Perl-mechanisms for doing relatively cross platform (and somewhat pluggable) authentication? Admittedly, this is a pipe dream, but it would be gold if it exists. I see tools such as some starting with Authen and some plugins from OpenThought (but those appear to be only partially completed).

Example API's I would like to call from a daemon running as root:

validateUser($user,$pass) -> 1 or 0 validateUserInGroup($user,$pass,$group) -> 1 or 0

Ideally I would like to support ActiveDirectory, LDAP, and so on... but at a bare minimum support for local Windows passwords and local Linux passwords (/etc/passwd) would be a start. I don't need to use foreign authentication systems (aka Unix boxen don't need to know how to check ActiveDirectory), I just need to authenticate with whatever mechanisms are available on the box. Unfortunately, we aren't only supporting Linux, so I can't use PAM and be done with it. Ah, wouldn't THAT be nice :)

Why I'm asking -- well, I need to retrofit some authentication into a Java (ack! run away!) app. Hand-rolled authentication systems are not acceptable per requirements. The logical choice (just using JAAS -- since this is a Java daemon) does not support anything but checking the current user's permissions, so that doesn't meet my requirements of logging in with a username and password for any user. The JAAS folks did a good job of making a tool that doesn't do much, essentially.

Calling out to Perl on the server-side is an admitted hack, but it seems to be a good short-term solution. Writing tons of C++ code and calling JNI (the endorsed way) isn't *that* much better that shelling out to Perl, given logins will not be attempted often. Overhead will be minimal. Plus, if this bails us out, it's bonus points for Perl in the organization.

Any ideas?

Replies are listed 'Best First'.
Re: Cross-Platform Pluggable Authentication & Authorization
by chip (Curate) on Mar 11, 2004 at 17:56 UTC
    I believe that Authen::PAM, combined with the underlying PAM (pluggable authentication modules) system, will solve your problem for Unix-like systems. If PAM hasn't yet been ported to Windows, well, somebody's gotta go first. :-)

        -- Chip Salzenberg, Free-Floating Agent of Chaos

      No kidding.... Looking at the POD, I think the PAM module on one side and Win32::NetAdmin might work (maybe). If someone can point me towards any favorite Win32 authentication modules, that would be a great help. update: NetAdmin must be run on the PDC, no good for directory authentication there. Darn :)

      I think due to work agreements I wouldn't be able to submit my cross-platform GLUE back to CPAN, but I suppose I could re-invent it on my own time if it ended up working out. Or I could ask my dog to do it -- I'd have to get a dog first though :)

Re: Cross-Platform Pluggable Authentication & Authorization
by lachoy (Parson) on Mar 11, 2004 at 18:05 UTC
      Looks awesome -- do you know right-offhand whether it will play nice in a non-web application? It seems to, I'm exploring it now... the end goal pretty much will be a single-standalone exe/a.out executable, compiled with PAR.

      Update: does not appear to be Win32 friendly. Is there anything in PPM that does the job? (i.e. directory authentication) -- doesn't appear to be. It appears these OpenPlugin guys are supporting SMB from the Linux/Unix side only (or something -- I can't say I blame them), given that even with VC++, etc, the makefiles still don't work. I seem to be cursed here :)

      I appreciate the help -- 'moose

        A few things --

        While it is OpenPlugin's written goal to be a plugin manager for web applications, that description is a bit inaccurate. Perhaps it should just be "A plugin manager for applications". But that sounds a little silly :-) It's just a plugin framework, trying to make it so that both framework developers, and individual application developers, rewrite as little code as possible.

        It takes common things, such as Sessions, Logging, Exceptions, and Authentication, and attempts to provide a single API for each, yet allowing you to use any number of backends. It does the same thing for mod_perl, mod_perl2, and CGI, allowing you to switch from one environment to the other by simply changing the driver name. All the above are plugins, and you can enable and disable them as you see fit.

        I use it every day in a production environment, mostly in web applications, but I have few non-web apps. However, one plugin that goes nearly unused, and is a bit incomplete, is the Authentication plugin. Why? I just really haven't gotten around to it :-) My efforts have gone into other parts of that framework, along with OpenThought. You're the first one to ask about it :-) I'd love to see it have a complete and robust Authentication API and drivers.

        As far as Windows goes, it doesn't surprise me that OpenPlugin doesn't work there. All my development is generally done on Linux and BSD boxes, I don't have an opportunity to test there much.

        Your initial question of seeking a cross-platform authentication mechanism is something I'd like to see in OpenPlugin. As you also saw, it's not there yet. I'd be happy to work with you to help make it meet your needs.

        You said you had some trouble during the install -- the version on CPAN now, because of it's Log::Log4perl dependency, requires a boatload of modules. Newer versions of Log::Log4perl moved some functionality "in-house", significantly reducing it's dependencies. I've put code into CVS taking advantage of that, and could send you a working snapshot if you like.

        If you wish, feel free to msg me, we could take this discussion to email where we could go over the parts that aren't working for you.

        Have fun!


        Lucy: "What happens if you practice the piano for 20 years and then end up not being rich and famous?"
        Schroeder: "The joy is in the playing."

        I've exhausted my knowledge in this area. My only thought is: if Win32 authen/authz is easy enough to do you should be able to create a plugin to OpenPlugin for it. Kind of a cop-out ("see if you can do it yourself") but at least some of the plumbing is done for you.

        Good luck!

        M-x auto-bs-mode

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://335898]
Approved by kvale
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others chanting in the Monastery: (3)
As of 2018-01-22 05:08 GMT
Find Nodes?
    Voting Booth?
    How did you see in the new year?

    Results (231 votes). Check out past polls.