User authentication for some Perl CGI scripts

Hi,

I am trying to create a web interface with Perl CGI with 2 pages. The content of these pages is dependent on the user accessing it. Thus, I need some kind of authentication to identify WHO is logging in but I DO NOT WANT to be restricting the pages to a few.

What is the best way to prompt for a username/password from within the Perl CGI code (without building one more form)? Also, once authenticated, how can I make sure the username/password box is not prompted on moving to the other page.

Appreciate any help in this regard. I can explain in more detail if required :)

Regards,
garric

See if HTTP authorization is what you want. Your browser will show a standard popup requesting a username and password. You can set up HTTP authorization in Apache. From what I found, it's not possible to do so with Perl CGI (with mod_perl it would be OK). It seems like the entered password will not be passed via the CGI mechanism.

For the Apache-based configuration, say if you apply the authorization on the URL /somedir, then everything inside this path will be protected. You will only be prompted for authentication the first time you enter. Once you are in, browsing pages inside requires no further authentication. That does not require any Perl code changes.

Basic access authentication - Wikipedia, the free encyclopedia
core - Apache HTTP Server

Thanks for this info. But I have one problem with this method which I am not sure how I can address. I do not want to restrict the page to a few. Will this method not require me to explicitly add usernames of who can access?

I want users to be authenticated so that I can track who is logging in and what they run.

Regards,
garric

I'm not exactly sure what you meant by "I do not want to restrict the page to a few. Will this method not require me to explicitly add usernames of who can access". Well, there must be a list of users defined with passwords (a password store) with any kind of authentication system. However, you can choose a format that allows you to more easily update who can have access (i.e. update the access list). You can also choose between an allow-by-default policy or a deny-by-default policy. That is, if you don't want to have everybody authenticate, you can use an allow-by-default policy to define those that explicitly require authentication, while the unstated ones can enter without authentication. This is all possible with easy Apache config.

The default password store is a text file. But Apache contains additional modules that allow you to put the authentication info in an SQL database or DBM files that you can choose from. You can modify data stored in them from Perl.

I suggest you build yourself a simple test environment and see if that fits your use case because I'm not exactly sure what you meant.

Sorry, my bad. I have to authenticate the user using LDAP and once I get a username/password, I can do that. But my problem is, in the configurations, I do not want to put a list of users like this

require user <user1> <user2> ...

Any user who tries logging in will be authenticated with LDAP. Once validated, the web tool will be displayed in a way dependent on the user. I hope I was clearer this time :)

Hey! Apache allows you to authenticate with an LDAP backend.

mod_authnz_ldap - Apache HTTP Server

And you don't need an explicit user specified at all. If you need to, "Require valid-user" will match any users defined in the configuration. Also check that page for information about this and some examples. It seems to me a rather flexible one, in that the module does not mandate a specific LDAP schema.

If you insist you need to do it the Perl way, or you think you can't live with this method, you'll be required to deploy your Web application on mod_perl instead of Perl CGI because someone at other sites said Apache would not pass the password to the CGI process. I haven't verified this claim so I can't confirm. Upon HTTP authentication, the username+password will always be available in the HTTP header (that's why it works for Apache), but Apache may filter some of them before making them available to the CGI process (as HTTP_* envvars). But it seems that Apache *will* pass the username, which your CGI process can retrieve via an envvar and use to implement your business logic.

Or you deploy it on your own perl-based Web server daemon without Apache. Of course, I don't think it is too practical although theoretically you can do that. It's just the same line of thought as you can write a new OS from scratch but no one will casually do that.

Cool, I guess the first option here will do. The 'require valid-user' is probably what I was looking for. But what should I put into the config file to be able to enable this?

Directory -> "/abc/def"
Module : mod_authnz_ldap

I'll not give you concrete Apache config because

(1) I cannot test it from my environment
(2) I do not wish to encourage excessive spoon-feeding

Using authentication is a pretty basic area of Apache administration. You should be able to dig it up from other resources for exact details. I'll just give you pointers.

The main idea is, you first need to select the authentication mechanism - basic or digest authentication.

If your pages are served over HTTPS, so that a password sent essentially unencrypted will not be captured by eavesdropping, you can probably get by using basic authentication:
mod_auth_basic - Apache HTTP Server

If you need a bit more security, at the cost of a setup that is a bit more tedious, use digest authentication:
mod_auth_digest - Apache HTTP Server

Then you just plug one of the password stores for use with the authentication, in your case the LDAP one. You will then need configuration specific to LDAP.

This page essentially covers most of what you should know (concepts - you will need to find LDAP-specific info in other pages):
Authentication, Authorization and Access Control - Apache HTTP Server

Finally, in your Perl pages, check the REMOTE_USER environment variable. According to the CGI Specification, Apache should pass this username to you in case the user has been authenticated successfully. Do confirm this yourself.

If you use a CGI object, you may retrieve it by $cgi->remote_user().

Just to give you a bit more supplement in case you still need some, although I think these should be really basic stuff a person who ever runs and uses an Apache should know already.

To apply the access restriction to a physical directory, use <Directory> and put all the access stuff inside the block. If you are referring to URL paths instead, use <Location>.

Configuration Sections - Apache HTTP Server

Depending on how your Apache is compiled, mod_authnz_ldap may be compiled as a module (.so), compiled into the main Apache binary, or simply not compiled/installed on your system. You have to make sure it is usable (no one else can help you with this), and if it is a .so, use a "LoadModule" in the Apache config to load it. There are plenty of examples if you open the Apache config file.

At the end you can use the "apachectl configtest" command to check your Apache configuration for correctness.
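
An Apache 2.4 configuration along the lines discussed in this thread, as an added example that is not part of any post above. The LDAP host, base DN, bind account and realm name are placeholders (assumptions), and mod_ssl is assumed to be enabled; only the directory path and "Require valid-user" come from the thread.

```apache
# Added example. Every hostname, DN and password below is a placeholder.

# Needed only if the modules were built as shared objects (.so) and are
# not already loaded elsewhere in the configuration.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

<Directory "/abc/def">
    # Basic authentication sends the password base64-encoded, not encrypted,
    # on every request: refuse any request that did not arrive over HTTPS.
    # (SSLRequireSSL is provided by mod_ssl.)
    SSLRequireSSL

    AuthType Basic
    AuthName "Web tool"
    AuthBasicProvider ldap

    # Format: scheme://host/basedn?attribute?scope
    # ldaps:// also protects the password on the Apache-to-LDAP hop.
    # "uid" is the attribute matched against the name typed by the user.
    AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub"

    # Account used to search for the user's DN before binding as that user.
    # Leave both lines out if the directory permits anonymous searches.
    # Keep this file readable by root only, since it holds a credential.
    AuthLDAPBindDN       "cn=apache-bind,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "CHANGE_ME"

    # Replaces a per-user list such as "require user <user1> <user2> ...":
    # anyone who authenticates successfully against LDAP is admitted.
    Require valid-user
</Directory>

# After a successful login Apache exports the authenticated name to CGI
# scripts under this directory as REMOTE_USER; the password is not passed.
```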