Archive for September 6th, 2017

Mangling Apache2 usernames with mod_perl

No Comments »

I have a Kerberos-authenticated network connected to Active Directory as the KDC. AD is case-insensitive but case-preserving, so clients might log in to my web server using principals in any number of cases; they might be danny or DANNY or Danny. So, to make applications on my sane Linux platform – where differnet characters are actually different – I wrote a quick mod_perl authorization module to force the case down.

The module – at /srv/www/html/test_auth/perl/Danny/loweruser.pm – looks like:

package Danny::loweruser;

use strict;
use warnings;

#use Apache2::Access;
use Apache2::RequestRec;

use Apache2::Const -compile => qw(OK HTTP_UNAUTHORIZED);

sub handler {
my $r = shift;
$r->user( lc $r->user() );
return Apache2::Const::OK;
}

1;

And the Apache config looks vaguely like this:

PerlSwitches -I/srv/www/html/test_auth/perl


#PerlResponseHandler ModPerl::Registry
PerlAuthzHandler Danny::loweruser

AuthType basic
AuthName "Auth test"
AuthBasicProvider file
AuthUserFile "/srv/www/html/test_auth/userdb"
Require valid-user

Yeah, everything is in one directory. That’s not a secure way to do things; it’s a way to quickly test and easily clean up later. :)

I was testing with a PHP page that printes $_SERVER[“PHP_AUTH_USER”], so I’ve consequently pulled out most of my hair, because that stupid variable pulls from the HTTP headers instead of what the web server actually provides; it stays upper-case. The REMOTE_USER key is what I really wanted from the array. What I get from that is that PHP documentation is evil and anyone who uses PHP_AUTH_USER should be banned from writing code.

Actually, I’m not entirely clear on how PHP_AUTH_USER is getting set, and it’s late enough that I’m not going to dig in to it. This will work properly with anything that actually uses REMOTE_USER, per “everything since the 90’s except for PHP”, so it’ll be fine for what I actually needed.