Advice: "The Right" authentication method

Al Johnson ajhonson3391 at tampabay.rr.com
Fri Sep 24 18:22:28 PDT 2004


On Thu, Sep 23, 2004 at 12:37:09PM +0100, Matthew Seaman wrote:
> On Thu, Sep 23, 2004 at 11:53:40AM +0100, Andy Holyer wrote:
> > I'm working on writing the "Control Panel" scripts which subscribers to 
> > our ISP will use to set up their eMail accounts and web space.
> > 
> > Here's the Server spec:
> > 
> > FreeBSD-Current;
> > Perl 5.6.1, no problem installing any needed modules;
> > Apache 2;
> > I'm keeping ordinary customers off the machine, so I run Postfix and 
> > Cyrus and use sasl2 for customer passwords. I'd like to use these IDs to 
> > arrange access to the control panel system.
> > 
> > I'm stuck at the very start of my design process. I have two tasks to 
> > do:
> > 
> > Verify that users have supplied the correct password; and let the perl 
> > scripts know who that visitor is, so that we can select the correct 
> > accounts to show.
> > 
> > Do I use SASL directly? or LDAP? or do I implement an Apache module to 
> > handle access and let Apache do the work?
> > 
> > I want to do "The right thing" - that is, the most general and correct 
> > thing possible, I've got years of experience in perl scripting, but at 
> > the moment I'm wandering around in a twisty little maze of standards, all 
> > different.
> > 
> > Clue, please?
> 
> You're basically writing a web application.  For which you need access
> control.  You've got two choices: either use the HTTP basic or HTTP
> digest auth mechanisms built into HTTP, and supported by Apache, or
> (and this is by far the most popular choice) write your own
> authentication mechanism as part of your application[1].
> 
> The second choice gives you a lot more flexibility about how you
> customise things and how you make the login screen look, which is
> probably why it's more popular.  You can also arrange things to avoid
> sending passwords across the net in cleartext if you're cunning
> enough.
> 
> However you do it, the authentication process is essentially that the
> client sends you two pieces of information: their username (i.e. who
> they claim to be) and some form of secret.  The secret is usually a
> password, but it can be something more complicated like an Opie
> one-time password or whatever.  Then in your application you compare
> the secret to your stored version of it, and if they match you believe
> that the client is who they say they are and that they should have
> access.  Of course, you don't want to keep the secret values lying
> around in plain text: the standard Unix response to all that is to
> generate a password hash using DES or MD5 to store, and to try and
> recreate that hash using the password supplied by the user.
> 
> That's where SASL comes in: instead of having to code up all that
> stuff yourself, SASL is a library of authentication methods that you
> can just plug into your application.
> 
> Yes, you will need some sort of user account database -- often
> implemented using an RDBMS, but could with little extra effort be made
> to operate against an LDAP or RADIUS server.  Or whatever the database
> type you're already using for your Postfix+Cyrus setup.
> 
> There are several examples of doing this sort of thing within the
> ports system -- most are written in PHP, but check out devel/bugzilla
> and www/rt3 for perl based examples.
> 
> 	Cheers,
> 
> 	Matthew

I'd be grateful if someone would point out some examples of SASL
authentication using PHP in the ports.

I've searched through the ports, but had no luck finding any.

-- 
Wager at the Golden Plate Casino!
http://www.landoverbaptist.org/news0502/goldenplate.html
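The "recreate the stored hash from the supplied password" check that Matthew describes above, written out as an added Perl example (not code from anyone in this thread): the account table, usernames and passwords are constructed here in place of the real Postfix/Cyrus database, and the script assumes a Unix crypt(3) that accepts a traditional two-character DES salt.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Assumes a crypt(3) that accepts a
# two-character DES salt; the account table below is constructed.
use strict;
use warnings;

my @salt_chars = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Make a new stored hash when a subscriber sets or changes a password.
# Caveat: traditional DES crypt uses only the first 8 password characters;
# the $1$ MD5 scheme (where libc supports it) does not have that limit.
sub new_hash {
    my ($password) = @_;
    my $salt = join '', map { $salt_chars[int rand @salt_chars] } 1 .. 2;
    return crypt($password, $salt);
}

# Compare two strings without stopping at the first differing byte, so the
# time taken does not leak how much of the hash matched.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Constructed account table: username => stored hash. In the control panel
# this lookup would go to the same database Postfix and Cyrus authenticate against.
my %accounts = (
    alice => new_hash('correct horse'),
    bob   => new_hash('battery staple'),
);

# Returns the verified username (who the visitor is) or undef on failure.
# Passing the stored hash back to crypt() as the salt lets crypt() extract
# the salt itself, so the same call handles DES and $1$ MD5 hashes.
sub authenticate {
    my ($user, $password) = @_;
    my $stored = $accounts{$user};
    # Hash against a dummy salt for unknown users too, so response time
    # does not reveal which usernames exist.
    my $check = crypt($password, defined $stored ? $stored : 'xx');
    return undef unless defined $stored && same_string($check, $stored);
    return $user;
}

for my $try (['alice', 'correct horse'], ['alice', 'wrong'], ['mallory', 'x']) {
    my $who = authenticate(@$try);
    printf "%-8s %-15s => %s\n", @$try, (defined $who ? "logged in as $who" : 'denied');
}
```

If Apache is left to do the HTTP basic/digest authentication instead, the script skips this step and reads the already-verified name from $ENV{REMOTE_USER}.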