PerlMonks  

NT Authentication - CGI as valid NT domain account

by emilford (Friar)
on Aug 06, 2004 at 15:17 UTC ( [id://380591]=perlquestion )

emilford has asked for the wisdom of the Perl Monks concerning the following question:

I have been tasked to create a web-based account creation tool for one of our customers. I have been provided w/ a Win2k box with an IBM HTTPServer version of Apache and ActiveState Perl installed. My question pertains to user authentication. The CGI script will need to run external commands (Tivoli CLI - for the curious) to create the user account. The external commands require appropriate permissions themselves to be executed, based on who the command is being run as. I need to be able to do the following:
  1. Authenticate the user as being a valid user in the NT domain
  2. Run all subsequent commands as that authenticated user
I've looked around the monastery and found information on setuid, suidperl, etc., but these won't work properly on an NT box. Does anyone have experience along these lines? Any help or guidance would be appreciated.

Replies are listed 'Best First'.
Re: NT Authentication - CGI as valid NT domain account
by allyc (Scribe) on Aug 06, 2004 at 15:45 UTC
    One way to achieve this is to use a module for Apache, so each time Apache receives a request it will authenticate the user with the Domain and then make the user’s name available to your script in the $ENV{REMOTE_USER} variable.

    There are 2 modules that I know of. One is for Apache 1 (mod_ntlm) and the other is for Apache 2 (mod_sspi).

    I have never used mod_ntlm; however, I use mod_sspi and Apache 2 in many cases with great success.

    I believe that there are also some perl modules that you can use under mod_perl but I have never used any of them.

    Hope this gives you some pointers.

    Alistair

      We're running Apache 2, so I've found mod_sspi. A few more tweaks need to be made so everything is configured correctly, but I'm fairly confident this will work fine. My problem now is getting the CGI script to run as the logged-in user. On an NT box, under which user will the script run? If it is not as the logged-in user, how would I go about changing this? I've seen many options for Unix, but Windows is a different beast. Thanks for your suggestions.
        I have never needed to get the scripts executed as the logged on user. I tend to run apache with an account that has the correct permissions for what I require. If I need the scripts to access more resources, I then grant it to the account.

        You might be able to use suEXEC but I have never used it, and I believe that it can cause security issues.

        Alistair
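
Added example, not code from any poster in this thread: when Apache runs under one service account that holds the needed permissions, as described above, the decision about who may create accounts has to be made in the CGI script from `$ENV{REMOTE_USER}`. The operator names, the account-name pattern and the CLI path below are assumptions, and the real account-creation command is left as a placeholder.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: domain users allowed to create accounts (constructed names).
my %OPERATORS = map { lc($_) => 1 } ('EXAMPLE\\alice', 'EXAMPLE\\bob');

# Placeholder for the real account-creation CLI; path and option are hypothetical.
my @CREATE_CMD = ('C:\\path\\to\\create-account.exe', '--name');

# Return the normalised DOMAIN\user set by the auth module, or undef.
sub authenticated_operator {
    my ($env) = @_;
    my $user = $env->{REMOTE_USER};
    return undef unless defined $user
        && $user =~ /\A[A-Za-z0-9_.-]+\\[A-Za-z0-9_.-]+\z/;
    $user = lc $user;                       # NT account names are case-insensitive
    return $OPERATORS{$user} ? $user : undef;
}

# Accept only a conservative account-name pattern; anything else is refused.
sub valid_account_name {
    my ($name) = @_;
    return undef unless defined $name && $name =~ /\A([a-z][a-z0-9_]{2,19})\z/;
    return $1;                              # the capture is untainted under -T
}

# Build the argument list for the external command, or explain the refusal.
# The result is meant to be handed to system() as a list, never as one string.
sub build_command {
    my ($env, $requested) = @_;
    my $operator = authenticated_operator($env) or return (undef, 'forbidden');
    my $account  = valid_account_name($requested)
        or return (undef, "bad account name (operator=$operator)");
    return ([@CREATE_CMD, $account], "operator=$operator account=$account");
}

# Constructed requests: allowed, unknown user, no authentication, bad input.
my @cases = (
    [ { REMOTE_USER => 'EXAMPLE\\Alice'   }, 'jsmith' ],
    [ { REMOTE_USER => 'EXAMPLE\\mallory' }, 'jsmith' ],
    [ {},                                    'jsmith' ],
    [ { REMOTE_USER => 'EXAMPLE\\bob'     }, 'jsmith --admin' ],
);
for my $case (@cases) {
    my ($argv, $note) = build_command(@$case);
    print $argv ? "RUN  @$argv  ($note)\n" : "DENY $note\n";
}
```

The note string returned with each decision is suitable for an audit log, since the external command itself will only ever record the service account.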

Re: NT Authentication - CGI as valid NT domain account
by inman (Curate) on Aug 06, 2004 at 17:05 UTC
    You may be better off under IIS as a web server since what you are describing is its default authentication behaviour (Integrated Windows Authentication). You can create a script directory, set the NTFS permissions on the files so that only the selected Domain users can run the script (presumably an admin team). The script then runs using their account i.e. with their permissions.

Node Type: perlquestion [id://380591]
Approved by gellyfish