RT with external auth (was Re: [rt-users] HTTP_Auth with rt?)
D. Joe Anderson
deejoe at iastate.edu
Wed Feb 14 18:25:35 EST 2001
On Wed, 14 Feb 2001, Eric Goodman wrote:
> Date: Wed, 14 Feb 2001 13:54:47 -0800
> From: Eric Goodman <ericg at cats.ucsc.edu>
> To: rt-users at fsck.com
> Subject: Re: RT with external auth (was Re: [rt-users] HTTP_Auth with rt?)
>
> > # if the user's submitted password is his MSOE NT domain password, then
> > # update the rt db to have his nt password
> > sub msoe_authenticate {
> >     my ($username, $password) = @_;
> >     my ($user_id, $pass) = ($dbh->quote("$username"),
> >                             $dbh->quote("$password"));
> >
> >     use Authen::Smb;
> >     my $authResult = Authen::Smb::authen($username,
> >         $password, 'yamato', 'hood', 'MSOE');
> >     if ( $authResult == Authen::Smb::NO_ERROR ) {
> >         # user submitted a valid password. Let's put it into RT
> >         my $sql = qq[UPDATE users SET password = $pass WHERE user_id = $user_id];
> >         $dbh->Query($sql) or
> >             warn "[msoe_authenticate] Sql had some problems: $Mysql::db_errstr\n$sql";
> >     }
> > }
>
> Hmm. Doesn't this stick the user's password into the DB in cleartext?
>
> Seems like you might do better to add a one-time password into the
> mix. You could essentially call your msoe_authenticate() function
> passing in the one-time password. If the MSOE authentication
> succeeds, the onetime password could get stored in the database (in
> place of the domain password).
>
> Still, a very nifty hack/patch!

Yes, pretty nifty. That helps me fill out what I might try if I ever get
my head around Authen::Krb5-1.2, which is what I'll use in place of the
recent mod_auth_pam that's been giving me trouble in RedHat 7.0/Mandrake
7.2 environments. Would have the advantage of being more portable too,
since Apache+Perl is more widely available than Apache+PAM+Perl.

I'd probably want to at least work off of some kind of one-way hash of the
passwords themselves, rather than use them unencrypted. But, I don't have
any working code, either now, do I? ;-)

--Joe
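
Added example, not part of the original messages or of RT: one way to act on the one-way-hash idea in the reply above, storing a salted PBKDF2-HMAC-SHA256 verifier in place of the cleartext password and updating the row through placeholders. The `users`, `password` and `user_id` names come from the quoted code; the DBI handle, the `$`-separated storage format, the iteration count and all function names are assumptions, and RT's own login check would have to verify against the same format.

```perl
use strict;
use warnings;
use Digest::SHA  qw(hmac_sha256);
use MIME::Base64 qw(encode_base64 decode_base64);

my $ITERATIONS = 100_000;    # assumed work factor, tune for your hardware

sub pbkdf2_sha256 {    # PBKDF2-HMAC-SHA256 (RFC 8018), one 32-byte block, core modules only
    my ($password, $salt, $iterations) = @_;
    my $u = hmac_sha256($salt . pack('N', 1), $password);    # arguments are (data, key)
    my $t = $u;
    for (2 .. $iterations) {
        $u = hmac_sha256($u, $password);
        $t ^= $u;                                            # bytewise string XOR
    }
    return $t;
}

sub make_verifier {    # value to store in users.password instead of the password itself
    my ($password) = @_;
    open(my $rng, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    my $salt = '';
    read($rng, $salt, 16) == 16 or die "short read from /dev/urandom";
    my $hash = pbkdf2_sha256($password, $salt, $ITERATIONS);
    return join '$', 'pbkdf2-sha256', $ITERATIONS,
        encode_base64($salt, ''), encode_base64($hash, '');
}

sub check_verifier {    # recompute with the stored salt and count, compare without early exit
    my ($password, $stored) = @_;
    my ($scheme, $iter, $salt_b64, $hash_b64) = split /\$/, $stored;
    return 0 unless defined $hash_b64 && $scheme eq 'pbkdf2-sha256' && $iter =~ /^[1-9]\d*$/;
    my $want = decode_base64($hash_b64);
    my $got  = pbkdf2_sha256($password, decode_base64($salt_b64), $iter);
    return 0 unless length($got) == length($want);
    my $diff = 0;
    $diff |= ord(substr($got, $_, 1)) ^ ord(substr($want, $_, 1)) for 0 .. length($got) - 1;
    return $diff == 0 ? 1 : 0;
}

sub store_verifier {    # call only after the external check succeeded; $dbh is an assumed DBI handle
    my ($dbh, $username, $password) = @_;
    return $dbh->do('UPDATE users SET password = ? WHERE user_id = ?',
        undef, make_verifier($password), $username);
}

my $stored = make_verifier('correct horse');    # constructed sample password
print "stored: $stored\n";
print "right: ", check_verifier('correct horse', $stored),
    " wrong: ", check_verifier('wrong horse', $stored), "\n";
```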