
Single sign on with AD

by newbie200 (Initiate)
on Dec 07, 2017 at 15:45 UTC (#1205099=perlquestion)
newbie200 has asked for the wisdom of the Perl Monks concerning the following question:

Hello, I am currently new to Perl. I am trying to implement SSO on a Perl web app but don't seem to get my head round it. Here are the technical details:

On Apache I downloaded, installed and configured the module. This allowed me to detect a user logged on a computer; I was able to know if the user was in a local domain or global domain. Now comes the tricky part: I have to program in my web app an SSO which sees the person logged on from Apache. I also have LDAP configured. It just seems so confusing to me.

I would be glad if someone can explain more on this. Do I need an SSO server? How do I connect my Perl web app to read my Apache and get the information required?

Re: Single sign on with AD
by rdfield (Priest) on Dec 07, 2017 at 19:06 UTC
    So what you want is a Perl version of mod_auth_sspi? Have a search on CPAN for SSPI or NTLM; there look to be some useful modules there.

    If you want to do full SSO (i.e. not Microsoft specific), then you're looking at something like OpenID or SAML2.


Re: Single sign on with AD
by Arif (Acolyte) on Dec 09, 2017 at 23:52 UTC

    If you are running as a CGI script within an Apache web server then you can look for the environment variable REMOTE_USER (i.e. $ENV{REMOTE_USER}). If it is set then that's the user name as authenticated with Apache. With that you can use LDAP modules to extract extra information about the user from the AD.

    To enable user authentication within Apache you could use mod_auth_kerb to allow Kerberos tickets or passwords to authenticate a user:

        AuthType Kerberos
        AuthName "Kerberos Login"
        SSLRequireSSL
        KrbAuthRealms DOMAIN
        KrbServiceName http
        Krb5Keytab /etc/krb5.keytab
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        require valid-user

    It's a little tricky to get right and your server needs to be joined to the AD domain, but it works wonderfully. I assume that mod_auth_sspi works similarly.

      I used mod_auth_sspi and was able to see my REMOTE_USER via a script I wrote to check it. What I still don't understand is how do I use LDAP to extract this information about the user from the AD and have it working on my web app.
      ... and be very sure that your software is actually looking at the right thing. I have literally been able to white-hat an internal website by adding &REMOTE_USER=admin to the URL-string, because the (old, PHP) program or its non-tester was not paying attention.
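The two points made above (read the identity from $ENV{REMOTE_USER} that Apache set, then look the user up in AD with an LDAP module; and never take REMOTE_USER from anything the client can supply, such as the query string) put together as a CGI script. This is an added example, not code from the thread or from any of the modules mentioned; the domain controller, base DN, service account DN and the WEBAPP_LDAP_PASSWORD environment variable are all hypothetical and need replacing.

```perl
#!/usr/bin/perl
# Added example: trust only the REMOTE_USER that Apache set after
# mod_auth_kerb / mod_auth_sspi authenticated the browser, then fetch the
# user's attributes and group membership from AD with Net::LDAP.
use strict;
use warnings;
use CGI qw(header);
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Hypothetical settings; replace with your own domain controller and
# service account. The password is read from the environment so it never
# sits in the script.
my $LDAP_HOST = 'ldaps://dc01.example.local';
my $BASE_DN   = 'DC=example,DC=local';
my $BIND_DN   = 'CN=svc-web,OU=Service Accounts,DC=example,DC=local';
my $BIND_PW   = $ENV{WEBAPP_LDAP_PASSWORD};   # hypothetical variable

# The identity comes from the server environment only. A query-string or
# form parameter called REMOTE_USER is client-controlled and is ignored;
# CGI.pm does not copy request parameters into %ENV, so this is safe.
my $remote = $ENV{REMOTE_USER};
unless (defined $remote && length $remote) {
    print header(-status => '401 Unauthorized', -type => 'text/plain');
    print "Not authenticated by the web server.\n";
    exit;
}

# mod_auth_kerb reports "user@REALM", mod_auth_sspi "DOMAIN\user";
# AD's sAMAccountName is the bare user part.
my $sam = sam_account_name($remote);

my $ldap = Net::LDAP->new($LDAP_HOST, version => 3)
    or die "Cannot connect to $LDAP_HOST: $@";
my $mesg = $ldap->bind($BIND_DN, password => $BIND_PW);
die 'LDAP bind failed: ' . $mesg->error if $mesg->code;

# Escape the value before interpolating it into the filter so that a
# user name containing *, ( or ) cannot change the query's meaning.
my $filter = sprintf '(&(objectClass=user)(sAMAccountName=%s))',
    escape_filter_value($sam);
$mesg = $ldap->search(
    base   => $BASE_DN,
    scope  => 'sub',
    filter => $filter,
    attrs  => [qw(displayName mail memberOf)],
);
die 'LDAP search failed: ' . $mesg->error if $mesg->code;

print header(-type => 'text/plain');
if ($mesg->count == 0) {
    print "Authenticated as '$remote' but no matching AD account found.\n";
}
else {
    my $entry  = $mesg->entry(0);
    my @groups = $entry->get_value('memberOf');
    # Authorisation decision example: membership of one hypothetical group.
    my $is_admin = grep { /\ACN=WebApp Admins,/i } @groups;

    printf "User:   %s\n", $sam;
    printf "Name:   %s\n", $entry->get_value('displayName') // '';
    printf "Mail:   %s\n", $entry->get_value('mail')        // '';
    printf "Groups: %d\n", scalar @groups;
    printf "Role:   %s\n", $is_admin ? 'admin' : 'user';
}
$ldap->unbind;

# Strip the Kerberos realm suffix or the NetBIOS domain prefix.
sub sam_account_name {
    my ($name) = @_;
    $name =~ s/\@.*\z//;    # user@REALM  -> user
    $name =~ s/\A.*\\//;    # DOMAIN\user -> user
    return $name;
}
```

Because the realm or domain part is discarded here, the lookup assumes one domain. In a forest with several domains (the "local domain or global domain" case in the question) keep that part and use it to pick the base DN or the domain controller, since sAMAccountName is only unique within one domain.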

Node Type: perlquestion [id://1205099]
Front-paged by Corion