
[Fwd: AuthenNTLM and slow web server]

  • Shannon Eric Peevey
    Message 1 of 27 , Oct 30, 2003
      -------- Original Message --------
      Subject: AuthenNTLM and slow web server
      Date: Thu, 30 Oct 2003 17:59:49 +0100
      From: Stefano Ciancio <s.ciancio@...>
      Organization: Italia On Line
      To: speeves@...



      Hi,

      I am using the apache module Apache-AuthenNTLM-2.04 with apache 1.3, but I am
      having some problem with it.

      I view some time_wait session to windows pdc and many error in apache's
      error.log.
      Moreover this also seems to cause the web server to go _very_ slow.

      My httpd.conf configuration is standard

      <Location />
      PerlAuthenHandler Apache::AuthenNTLM
      AuthType ntlm,basic
      AuthName test
      require valid-user

      PerlAddVar ntdomain "name_domain1 name_of_pdc1"
      PerlAddVar ntdomain "other_domain pdc_for_domain bdc_for_domain"

      PerlSetVar defaultdomain wingr1
      PerlSetVar ntlmdebug 0
      </Location>

      with keepAlive set to On.

      Have you an idea why this is happening?

      Thanks,
      Stefano
    • Shannon Eric Peevey
      Message 2 of 27 , Oct 31, 2003
        Shannon Eric Peevey wrote:

        >
        >
        > -------- Original Message --------
        > Subject: AuthenNTLM and slow web server
        > Date: Thu, 30 Oct 2003 17:59:49 +0100
        > From: Stefano Ciancio <s.ciancio@...>
        > Organization: Italia On Line
        > To: speeves@...
        >
        >
        >
        > Hi,
        >
        > I am using the apache module Apache-AuthenNTLM-2.04 with apache 1.3,
        > but I am
        > having some problem with it.
        >
        > I view some time_wait session to windows pdc and many error in apache's
        > error.log.
        > Moreover this also seems to cause the web server to go _very_ slow.
        >
        > My httpd.conf configuration is standard
        > <Location />
        > PerlAuthenHandler Apache::AuthenNTLM AuthType ntlm,basic
        > AuthName test
        > require valid-user
        >
        > PerlAddVar ntdomain "name_domain1 name_of_pdc1"
        > PerlAddVar ntdomain "other_domain pdc_for_domain
        > bdc_for_domain"
        >
        > PerlSetVar defaultdomain wingr1
        > PerlSetVar ntlmdebug 0
        > </Location>
        >
        > with keepAlive setted to On.
        >
        > Have you an an idea why this is happening?
        >
        > Thanks,
        > Stefano
        >
        Hi!

        Can you set "ntlmdebug" = 2 and send me the sections of the error_log
        that you are talking about?

        thanks,
        speeves
        cws

        BTW, did you have this working correctly with any other version
        Apache-AuthenNTLM?
      • Stefano Ciancio
        Message 3 of 27 , Oct 31, 2003
          Hi,

          I have seen better the log and the error in apache's error.log was about some
          gif that the web server not found.
          But the big problem with this module is that seem for each object it require an
          authentication from pdc/bdc. This behaviour causes the web server to go _very_
          slow. The user must wait ten of seconds to load a single web page.

          I want use this module to obtain a single sign on in the Intranet of my company
          that have thousands of users in some trusted NT pdc/bdc.
          Do you think that this module could working fine? Exists some other mechanism to
          obtain the single sign on with ntlm?

          Thanks
          Stefano

          P.S. this is the first version of AuthenNTLM that I have tried.

          On Fri, 31 Oct 2003 08:41:39 -0600
          Shannon Eric Peevey <speeves@...> wrote:

          > Shannon Eric Peevey wrote:
          >
          > >
          > >
          > > -------- Original Message --------
          > > Subject: AuthenNTLM and slow web server
          > > Date: Thu, 30 Oct 2003 17:59:49 +0100
          > > From: Stefano Ciancio <s.ciancio@...>
          > > Organization: Italia On Line
          > > To: speeves@...
          > >
          > >
          > >
          > > Hi,
          > >
          > > I am using the apache module Apache-AuthenNTLM-2.04 with apache 1.3,
          > > but I am
          > > having some problem with it.
          > >
          > > I view some time_wait session to windows pdc and many error in apache's
          > > error.log.
          > > Moreover this also seems to cause the web server to go _very_ slow.
          > >
          > > My httpd.conf configuration is standard
          > > <Location />
          > > PerlAuthenHandler Apache::AuthenNTLM AuthType ntlm,basic
          > > AuthName test
          > > require valid-user
          > >
          > > PerlAddVar ntdomain "name_domain1 name_of_pdc1"
          > > PerlAddVar ntdomain "other_domain pdc_for_domain
          > > bdc_for_domain"
          > >
          > > PerlSetVar defaultdomain wingr1
          > > PerlSetVar ntlmdebug 0
          > > </Location>
          > >
          > > with keepAlive setted to On.
          > >
          > > Have you an an idea why this is happening?
          > >
          > > Thanks,
          > > Stefano
          > >
          > Hi!
          >
          > Can you set "ntlmdebug" = 2 and send me the sections of the error_log
          > that you are talking about?
          >
          > thanks,
          > speeves
          > cws
          >
          > BTW, did you have this working correctly with any other version
          > Apache-AuthenNTLM?
          >
        • Leo Lapworth
          Message 4 of 27 , Nov 1, 2003
            On Fri, Oct 31, 2003 at 08:08:02PM +0100, Stefano Ciancio wrote:
            > But the big problem with this module is that seem for each object it require an
            > authentication from pdc/bdc. This behaviour causes the web server to go _very_
            > slow. The user must wait ten of seconds to load a single web page.

            We are working on something similar at the moment, we are planning
            on creating a wrapper module which checks for a cookie, if that is
            not set then it used AuthenNTML and sets the cookie (just for
            the browser session), but if it is set we know that the user
            has been authenticated and therefore only have to check authentication
            once per user per session.

            Once we get it working I'll post it on the net somewhere and
            a message here.

            Leo
          • Michael Parker
            Message 5 of 27 , Nov 2, 2003
              On Fri, Oct 31, 2003 at 08:08:02PM +0100, Stefano Ciancio wrote:
              >
              > Hi,
              >
              > I have seen better the log and the error in apache's error.log was about some
              > gif that the web server not found.
              > But the big problem with this module is that seem for each object it require an
              > authentication from pdc/bdc. This behaviour causes the web server to go _very_
              > slow. The user must wait ten of seconds to load a single web page.
              >
              > I want use this module to obtain a single sign on in the Intranet of my company
              > that have thousands of users in some trusted NT pdc/bdc.
              > Do you think that this module could working fine? Exists some other mechanism to
              > obtain the single sign on with ntlm?
              >

              It's fairly easy to knock a PDC/BDC over if you throw enough
              authentication requests at it. The key is to do everything possible
              to limit the number of authentication requests it has to make.
              Someone mentioned using cookies, which is one way. There have been
              several discussed over the years on this list. You should check the
              archives to give you some ideas on how to solve the problem. I found
              the most success using one of the authentication caching modules.

              Michael
            • Stefano Ciancio
              Message 6 of 27 , Nov 3, 2003
                Hi Shannon Eric,

                I have set "ntlmdebug" = 2 and produced an error.log that I have attached.

                It seems that the error is:

                [9100] AuthenNTLM: Authorization Header <not given>

                I don't know what it means ...

                Can you help me?

                Stefano



                On Fri, 31 Oct 2003 08:41:39 -0600
                Shannon Eric Peevey <speeves@...> wrote:

                > Shannon Eric Peevey wrote:
                >
                > >
                > >
                > > -------- Original Message --------
                > > Subject: AuthenNTLM and slow web server
                > > Date: Thu, 30 Oct 2003 17:59:49 +0100
                > > From: Stefano Ciancio <s.ciancio@...>
                > > Organization: Italia On Line
                > > To: speeves@...
                > >
                > >
                > >
                > > Hi,
                > >
                > > I am using the apache module Apache-AuthenNTLM-2.04 with apache 1.3,
                > > but I am
                > > having some problem with it.
                > >
                > > I view some time_wait session to windows pdc and many error in apache's
                > > error.log.
                > > Moreover this also seems to cause the web server to go _very_ slow.
                > >
                > > My httpd.conf configuration is standard
                > > <Location />
                > > PerlAuthenHandler Apache::AuthenNTLM AuthType ntlm,basic
                > > AuthName test
                > > require valid-user
                > >
                > > PerlAddVar ntdomain "name_domain1 name_of_pdc1"
                > > PerlAddVar ntdomain "other_domain pdc_for_domain
                > > bdc_for_domain"
                > >
                > > PerlSetVar defaultdomain wingr1
                > > PerlSetVar ntlmdebug 0
                > > </Location>
                > >
                > > with keepAlive setted to On.
                > >
                > > Have you an an idea why this is happening?
                > >
                > > Thanks,
                > > Stefano
                > >
                > Hi!
                >
                > Can you set "ntlmdebug" = 2 and send me the sections of the error_log
                > that you are talking about?
                >
                > thanks,
                > speeves
                > cws
                >
                > BTW, did you have this working correctly with any other version
                > Apache-AuthenNTLM?
              • Shannon Eric Peevey
                Message 7 of 27 , Nov 3, 2003
                  Leo Lapworth wrote:

                  >On Fri, Oct 31, 2003 at 08:08:02PM +0100, Stefano Ciancio wrote:
                  >
                  >
                  >>But the big problem with this module is that seem for each object it require an
                  >>authentication from pdc/bdc. This behaviour causes the web server to go _very_
                  >>slow. The user must wait ten of seconds to load a single web page.
                  >>
                  >>
                  >
                  >We are working on something similar at the moment, we are planning
                  >on creating a wrapper module which checks for a cookie, if that is
                  >not set then it used AuthenNTML and sets the cookie (just for
                  >the browser session), but if it is set we know that the user
                  >has been authenticated and therefor only have to check authentication
                  >once per user per session.
                  >
                  >Once we get it working I'll post it on the net somewhere and
                  >a message here.
                  >
                  >Leo
                  >
                  >
                  Are you creating something along the lines of a:

                  Apache-AuthCookieNTML ?

                  It seems that a lot of these questions would be resolved by a module
                  that would check for a cookie first, and then throw the auth box when
                  the user hasn't been authenticated. Then you could just continue to
                  check for a cookie, instead of querying the samba server for every
                  image, etc. on the page.

                  Could I recommend writing this module, (instead of a work-around piece
                  of code)? I think that an Apache-AuthCookieNTLM would benefit a lot of
                  people.

                  If no one is up to it, let me know and I will start working on one when
                  I have the time.

                  thanks,
                  speeves
                  cws


                  --
                  Reporting bugs: http://perl.apache.org/bugs/
                  Mail list info: http://perl.apache.org/maillist/modperl.html
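
Added example, not part of the original thread and not code from Apache::AuthenNTLM or the planned AuthCookieNTLM module: the check-the-cookie-first flow discussed above, as stand-alone Perl. The cookie must be a server-signed, expiring ticket, otherwise any client could simply claim to be authenticated; the secret, the 15-minute lifetime, the sample user and the `ntlm_authenticate` stub (standing in for the round-trip to the PDC/BDC) are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumed values for this example; none of these names come from Apache::AuthenNTLM.
my $SECRET = 'constructed-secret-load-a-random-one-from-server-config';
my $TTL    = 900;    # ticket lifetime in seconds

my $dc_calls = 0;    # counts simulated round-trips to the PDC/BDC

# Stub for the expensive step: the NTLM handshake validated by the domain controller.
sub ntlm_authenticate {
    $dc_calls++;
    return 'WINGR1\\stefano';    # constructed sample user
}

# Ticket format: hex(user)|expiry|HMAC-SHA256(hex(user)|expiry).
# The user name is hex-encoded so it can never contain the '|' separator.
sub mint_ticket {
    my ($user, $now) = @_;
    my $payload = join '|', unpack('H*', $user), $now + $TTL;
    return $payload . '|' . hmac_sha256_hex($payload, $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the user name for a valid, unexpired ticket, otherwise undef.
sub verify_ticket {
    my ($ticket, $now) = @_;
    return unless defined $ticket;
    my ($hex_user, $expires, $mac) =
        $ticket =~ /\A([0-9a-f]+)\|(\d{1,12})\|([0-9a-f]{64})\z/
        or return;
    my $expected = hmac_sha256_hex("$hex_user|$expires", $SECRET);
    return unless constant_time_eq($mac, $expected);    # forged or altered
    return if $now >= $expires;                         # too old: re-authenticate
    return pack 'H*', $hex_user;
}

# Per-request decision: trust a valid ticket, otherwise fall back to NTLM and
# hand back a fresh ticket to set as a session cookie (HttpOnly; Secure under TLS).
sub handle_request {
    my ($cookie, $now) = @_;
    my $cached = verify_ticket($cookie, $now);
    return ($cached, undef) if defined $cached;
    my $user = ntlm_authenticate() or return;
    return ($user, mint_ticket($user, $now));
}

# --- constructed walk-through -------------------------------------------------
my $now = 1_067_882_873;    # constructed timestamp
my $cookie;

# One page made of 20 objects (HTML plus images) requested by the same browser.
for my $object (1 .. 20) {
    my ($user, $set_cookie) = handle_request($cookie, $now + $object);
    $cookie = $set_cookie if defined $set_cookie;
}
printf "20 objects fetched, domain controller round-trips: %d\n", $dc_calls;

# A client that rewrites the user field cannot produce a matching MAC,
# so the ticket is ignored and the request goes through NTLM again.
my $admin_hex = unpack 'H*', 'WINGR1\\administrator';
(my $forged = $cookie) =~ s/\A[0-9a-f]+/$admin_hex/;
my ($user_after_forgery) = handle_request($forged, $now + 30);
printf "forged ticket: identity comes from NTLM (%s), round-trips: %d\n",
    $user_after_forgery, $dc_calls;

# After the lifetime has passed, the ticket no longer short-circuits authentication.
handle_request($cookie, $now + $TTL + 60);
printf "expired ticket: round-trips: %d\n", $dc_calls;
```

The ticket is a bearer token: whoever holds it is treated as that user until it expires, so the lifetime bounds how long a disabled domain account keeps access.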
                • Shannon Eric Peevey
                  Message 8 of 27 , Nov 3, 2003
                    Stefano Ciancio wrote:

                    >Hi Shannon Eric,
                    >
                    >I have set "ntlmdebug" = 2 and produced an error.log that I have attached.
                    >
                    >It seems that the error is:
                    >
                    >[9100] AuthenNTLM: Authorization Header <not given>
                    >
                    >I don't know its means ...
                    >
                    >Can you help me?
                    >
                    > Stefano
                    >
                    >
                    >
                    >
                    Hi!

                    I'm sorry, but I have become foggy on the problem here... Are you
                    talking about problems logging in, or web server performance?

                    [9100] AuthenNTLM: Authorization Header <not given>

                    This is telling us that the browser is not including an "Authorization" header, which is normal on the initial request from the browser. (The server throws a 401 Authorization Required, which tells the browser that it needs to include an Authorization header.)

                    There is no error here.

                    speeves
                    cws




                  • Shannon Eric Peevey
                    Message 9 of 27 , Nov 3, 2003
                      Stefano Ciancio wrote:

                      >Hi,
                      >
                      >I have seen better the log and the error in apache's error.log was about some
                      >gif that the web server not found.
                      >But the big problem with this module is that seem for each object it require an
                      >authentication from pdc/bdc. This behaviour causes the web server to go _very_
                      >slow. The user must wait ten of seconds to load a single web page.
                      >
                      Unfortunately, I don't use this module in a production environment, so
                      cannot comment here. Is anyone else seeing this in a live environment?

                      >
                      >I want use this module to obtain a single sign on in the Intranet of my company
                      >that have thousands of users in some trusted NT pdc/bdc.
                      >Do you think that this module could working fine?
                      >
                      I don't really think that this module was created with this purpose in
                      mind.

                      >Exists some other mechanism to
                      >obtain the single sign on with ntlm?
                      >
                      >
                      Check out my message to Mr. Lapworth at:

                      http://marc.theaimsgroup.com/?l=apache-modperl&m=106788287330640&w=2

                      If he doesn't have the time to create this module, maybe one of you
                      will? If not, I can put it on my to-do list, and could probably have
                      something by late January...

                      speeves
                      cws



                    • Leo Lapworth
                      Message 10 of 27 , Nov 4, 2003
                        On Mon, Nov 03, 2003 at 11:55:28AM -0600, Shannon Eric Peevey wrote:
                        > Are you creating something along the lines of a:
                        >
                        > Apache-AuthCookieNTML ?
                        >
                        > It seems that a lot of these questions would be resolved by a module
                        > that would check for a cookie first, and then throw the auth box when
                        > the user hasn't been authenticated.

                        This is the general plan - we've just got Apache::AuthNTML working
                        properly, so going to work on Apache::AuthCookieNTML this week,
                        I'll report back when we've got something up and running.

                        Cheers

                        Leo

                      • Stefano Ciancio
                        Message 11 of 27 , Nov 4, 2003
                          On Mon, 03 Nov 2003 15:39:14 -0600
                          Shannon Eric Peevey <speeves@...> wrote:

                          > Stefano Ciancio wrote:
                          >
                          > >Hi Shannon Eric,
                          > >
                          > >I have set "ntlmdebug" = 2 and produced an error.log that I have attached.
                          > >
                          > >It seems that the error is:
                          > >
                          > >[9100] AuthenNTLM: Authorization Header <not given>
                          > >
                          > >I don't know its means ...
                          > >
                          > >Can you help me?
                          > >
                          > > Stefano
                          > >
                          > >
                          > >
                          > >
                          > Hi!
                          >
                          > I'm sorry, but I have become foggy on the problem here... Are you
                          > talking about problems logging in, or web server performance?
                          >
                          > [9100] AuthenNTLM: Authorization Header <not given>
                          >
                          > This is telling us that the browser is not including an "Authorization"
                          > header, which is normal on the initial request from the browser. (The server
                          > throws a 401 Authorization Required, which tells the browser that it needs to
                          > include an Authorization header.
                          >
                          > There is no error here.
                          >
                          > speeves
                          > cws
                          >

                          Yes, you are right!! My problem is about web server performance and I thought
                          that it depended on some error of the module.


                          Stefano


                        • Shannon Eric Peevey
                          Message 12 of 27 , Nov 4, 2003
                            Leo Lapworth wrote:

                            >On Mon, Nov 03, 2003 at 11:55:28AM -0600, Shannon Eric Peevey wrote:
                            >
                            >
                            >>Are you creating something along the lines of a:
                            >>
                            >>Apache-AuthCookieNTML ?
                            >>
                            >>It seems that a lot of these questions would be resolved by a module
                            >>that would check for a cookie first, and then throw the auth box when
                            >>the user hasn't been authenticated.
                            >>
                            >>
                            >
                            >This is the general plan - we've just got Apache::AuthNTML working
                            >properly, so going to work on Apache::AuthCookieNTML this week,
                            >I'll report back when we've got something up and running.
                            >
                            >Cheers
                            >
                            >Leo
                            >
                            >
                            Great!! Keep us posted, and don't forget to request a PAUSE account on
                            CPAN so that you can upload your module there :)

                            speeves
                            cws

                            PS Sorry bout the typo in the previous message :P It's really
                            Apache-AuthCookieNTLM...


                          • Shannon Eric Peevey
                            Message 13 of 27 , Nov 4, 2003
                              Stefano Ciancio wrote:

                              >On Mon, 03 Nov 2003 15:39:14 -0600
                              >Shannon Eric Peevey <speeves@...> wrote:
                              >
                              >
                              >
                              >>Stefano Ciancio wrote:
                              >>
                              >>
                              >>
                              >>>Hi Shannon Eric,
                              >>>
                              >>>I have set "ntlmdebug" = 2 and produced an error.log that I have attached.
                              >>>
                              >>>It seems that the error is:
                              >>>
                              >>>[9100] AuthenNTLM: Authorization Header <not given>
                              >>>
                              >>>I don't know its means ...
                              >>>
                              >>>Can you help me?
                              >>>
                              >>> Stefano
                              >>>
                              >>>
                              >>>
                              >>>
                              >>>
                              >>>
                              >>Hi!
                              >>
                              >>I'm sorry, but I have become foggy on the problem here... Are you
                              >>talking about problems logging in, or web server performance?
                              >>
                              >>[9100] AuthenNTLM: Authorization Header <not given>
                              >>
                              >>This is telling us that the browser is not including an "Authorization"
                              >>header, which is normal on the initial request from the browser. (The server
                              >>throws a 401 Authorization Required, which tells the browser that it needs to
                              >>include an Authorization header.
                              >>
                              >>There is no error here.
                              >>
                              >>speeves
                              >>cws
                              >>
                              >>
                              >>
                              >
                              >Yes, have you right!! My problem is about web server performance and I thought
                              >that it depended from some error of the module.
                              >
                              >
                              > Stefano
                              >
                              >
                              I don't think that you are getting any errors in what I see (on your
                              end). So I guess my question still stands, is anyone else seeing slow
                              performance in a production site with this module?

                              BTW, I don't see the module asking for authorization for every object,
                              only when the client asks for something in a new directory. (It's a
                              little hard to tell from the debug log if the calls to the samba server
                              are made for every object, I need a little more time to follow its logic
                              through. But, on the client side, I am not seeing the 401 returned for
                              every object.)

                              thanks,
                              speeves
                              cws


                            • Shannon Eric Peevey
                              Message 14 of 27 , Nov 4, 2003
                                Enrico Sorcinelli wrote:

                                >On Tue, 04 Nov 2003 09:13:34 -0600
                                >Shannon Eric Peevey <speeves@...> wrote:
                                >
                                >
                                >
                                >
                                >>BTW, I don't see the module asking for authorization for every object,
                                >>only when the client asks for something in a new directory. (It's a
                                >>little hard to tell from the debug log if the calls to the samba server
                                >>are made for every object, I need a little more time to follow its logic
                                >>through. But, on the client side, I am not seeing the 401 returned for
                                >>every object.)
                                >>
                                >>
                                >
                                >How about improving the module by adding some caching mechanism for
                                >authenticated users?
                                >Moreover it could be nice to control it with PerlSetVar directives
                                >(ttl and so on)
                                >
                                >by
                                >
                                > - Enrico
                                >
                                >
                                Hi!

                                I think that is probably a great idea. I don't have time to add it in
                                now, but if you send me a patch, I will be happy to add it into the next
                                release.

                                thanks,
                                speeves
                                cws


                              • Enrico Sorcinelli
                                Message 15 of 27 , Nov 4, 2003
                                  On Tue, 04 Nov 2003 09:13:34 -0600
                                  Shannon Eric Peevey <speeves@...> wrote:


                                  > BTW, I don't see the module asking for authorization for every object,
                                  > only when the client asks for something in a new directory. (It's a
                                  > little hard to tell from the debug log if the calls to the samba server
                                  > are made for every object, I need a little more time to follow its logic
                                  > through. But, on the client side, I am not seeing the 401 returned for
                                  > every object.)

                                  How about improving the module by adding some caching mechanism for
                                  authenticated users?
                                  Moreover it could be nice to control it with PerlSetVar directives
                                  (ttl and so on)

                                  by

                                  - Enrico

                                • Shannon Eric Peevey
                                  Message 16 of 27 , Nov 4, 2003
                                    Enrico Sorcinelli wrote:

                                    >On Tue, 04 Nov 2003 09:13:34 -0600
                                    >Shannon Eric Peevey <speeves@...> wrote:
                                    >
                                    >
                                    >
                                    >
                                    >>BTW, I don't see the module asking for authorization for every object,
                                    >>only when the client asks for something in a new directory. (It's a
                                    >>little hard to tell from the debug log if the calls to the samba server
                                    >>are made for every object, I need a little more time to follow its logic
                                    >>through. But, on the client side, I am not seeing the 401 returned for
                                    >>every object.)
                                    >>
                                    >>
                                    >
                                    >How about improving the module by adding some caching mechanism for
                                    >authenticated users?
                                    >Moreover it could be nice to control it with PerlSetVar directives
                                    >(ttl and so on)
                                    >
                                    >by
                                    >
                                    > - Enrico
                                    >
                                    >
                                    >
                                    BTW, has anyone read the documentation in AuthenNTLM.pm? Here is an
                                    example on how to only call AuthenNTLM if a precondition is met...

                                    =head2 Example for overriding

                                    The following code shows a basic example for creating a module which
                                    overrides the map_user method and calls AuthenNTLM's handler only if a
                                    precondition is met. Note: The functions precondition_met and lookup_user
                                    do the real work and are not shown here.

                                        package Apache::MyAuthenNTLM ;

                                        use Apache::AuthenNTLM ;
                                        use Apache::Constants qw(DECLINED) ;   # mod_perl 1 constants, needed for DECLINED

                                        @ISA = ('Apache::AuthenNTLM') ;

                                        # Method handler: run the NTLM handler only when the
                                        # precondition holds, otherwise decline the request.
                                        sub handler ($$)
                                        {
                                            my ($self, $r) = @_ ;

                                            return Apache::AuthenNTLM::handler ($self, $r) if (precondition_met()) ;
                                            return DECLINED ;
                                        }

                                        # Map the NT domain and user name to the user name used by Apache.
                                        sub map_user
                                        {
                                            my ($self, $r) = @_ ;

                                            return lookup_user ($self->{userdomain}, $self->{username}) ;
                                        }

                                    This should work for now, and I will bang around and see how much work
                                    it will take to add in a caching feature directly into the module.
                                    Seems that it would be useful for a lot of people, right?

                                    speeves
                                    cws


                                  • Shannon Eric Peevey
                                    Message 17 of 27 , Nov 4, 2003
                                      Shannon Eric Peevey wrote:

                                      > Enrico Sorcinelli wrote:
                                      >
                                      >> On Tue, 04 Nov 2003 09:13:34 -0600
                                      >> Shannon Eric Peevey <speeves@...> wrote:
                                      >>
                                      >>
                                      >>
                                      >>
                                      >>> BTW, I don't see the module asking for authorization for every
                                      >>> object, only when the client asks for something in a new directory.
                                      >>> (It's a little hard to tell from the debug log if the calls to the
                                      >>> samba server are made for every object, I need a little more time to
                                      >>> follow its logic through. But, on the client side, I am not seeing
                                      >>> the 401 returned for every object.)
                                      >>>
                                      >>
                                      >>
                                      >> How about improving the module by adding some caching mechanism for
                                      >> authenticated users?
                                      >> Moreover it could be nice to control it with PerlSetVar directives
                                      >> (ttl and so on)
                                      >>
                                      >> by
                                      >>
                                      >> - Enrico
                                      >>
                                      >>
                                      >>
                                      > BTW, has anyone read the documentation in AuthenNTLM.pm? Here is an
                                      > example on how to only call AuthenNTLM if a precondition is met...
                                      >
                                      > =head2 Example for overriding
                                      >
                                      >
                                      > The following code shows a basic example for creating a module which
                                      > overrides the map_user method and calls AuthenNTLM's handler only if a
                                      > precondition is met. Note: The functions precondition_met and lookup_user
                                      > do the real work and are not shown here.
                                      >
                                      >
                                      >
                                      >
                                      > package Apache::MyAuthenNTLM ;
                                      >
                                      >
                                      > use Apache::AuthenNTLM ;
                                      >
                                      >
                                      > @ISA = ('Apache::AuthenNTLM') ;
                                      >
                                      >
                                      >
                                      >
                                      > sub handler ($$)
                                      > {
                                      > my ($self, $r) = @_ ;
                                      >
                                      >
                                      > return Apache::AuthenNTLM::handler ($self, $r) if
                                      > (precondition_met()) ;
                                      > return DECLINED ;
                                      > }
                                      >
                                      >
                                      > sub map_user
                                      >
                                      >
                                      > {
                                      > my ($self, $r) = @_ ;
                                      >
                                      >
                                      > return lookup_user ($self->{userdomain}, $self->{username}) ;
                                      > }
                                      >
                                      > This should work for now, and I will bang around and see how much work
                                      > it will take to add in a caching feature directly into the module.
                                      > Seems that it would be useful for a lot of people, right?
                                      >
                                      > speeves
                                      > cws
                                      >
                                      >
                                      OK, final questions for the day...

                                      1. Apache-AuthenNTLM already caches the connections to the samba
                                      server. I am assuming that we are having a problem with queries passing
                                      through this connection, and not a "too many connections" problem on the
                                      samba server end, right?

                                      (NOTE: (Mathias) Apache-AuthenSMB does not cache the connections, so
                                      what are we seeing with it exactly? )

                                      2. Do we really need to handle caching within this module? Might it
                                      not be handled by one of the Caching modules that Michael Parker
                                      mentioned in an earlier email?
                                      (http://marc.theaimsgroup.com/?l=apache-modperl&m=106780304521226&w=2)

                                      3. If we do add caching into the Apache-AuthenNTLM mod, where do we
                                      cache the yes/no variable, and when do we destroy it?

                                      thanks for your input,
                                      speeves
                                      cws


                                    • Leo Lapworth
                                      Message 18 of 27 , Nov 5, 2003
                                        Hi All,

                                        The first version is available at:

                                        http://leo.cuckoo.org/projects/AuthCookieNTLM/

                                        I'll tidy up the docs and add a bit more functionality tomorrow,
                                        debugging for example! - before uploading to CPAN.

                                        We decided against using Apache::AuthCookie in the end,
                                        it just seemed overkill.

                                        By default the user's login and a test value are set in the
                                        cookie, there is the choose_cookie_values() so you can
                                        inherit Apache::AuthCookieNTLM and override this and
                                        therefore add any additional information you want to the
                                        cookie at this stage. For example we want to look up
                                        people's email addresses and other info we have in a
                                        DB to personalise other pages on the intranet.

                                        Feedback welcome.

                                        Cheers

                                        Leo
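
One way to answer "where do we cache the yes/no variable, and when do we destroy it?" with the cookie approach from this message, as an added example that is not code from Apache::AuthCookieNTLM or Apache::AuthenNTLM: the cached "yes" is a cookie value carrying domain, login and an expiry time, authenticated with a server-side HMAC so the client cannot alter it, and it is destroyed by the expiry check. The function names, `$SECRET`, `$TTL` and the token layout are assumptions for illustration; the thread does not say how the module protects its cookie.

```perl
#!/usr/bin/perl
# Added example: a tamper-evident, expiring "already authenticated" token.
# Hypothetical names throughout (issue_token, check_token, ct_eq, $SECRET, $TTL).
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a secret known only to the web server(s), never sent to the client.
my $SECRET = 'constructed-demo-key-replace-in-real-use';
# Assumption: how long a cached "yes" is honoured, in seconds (the "ttl" knob
# suggested earlier in the thread, e.g. read from a PerlSetVar).
my $TTL = 300;

# Called once after the NTLM handshake has succeeded.
# Token layout: domain|user|expiry|hmac(domain|user|expiry)
sub issue_token {
    my ($domain, $user, $now) = @_;
    for ($domain, $user) {
        # Refuse separator and cookie/header metacharacters in names.
        die "unsafe name\n" if !defined($_) || /[|;\r\n]/;
    }
    my $payload = join '|', $domain, $user, $now + $TTL;
    return join '|', $payload, hmac_sha256_hex($payload, $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Called on every later request. Returns "domain\user" if the cached decision
# can be trusted, or nothing if the full NTLM handshake must be repeated.
sub check_token {
    my ($token, $now) = @_;
    return unless defined $token;
    my @f = split /\|/, $token, -1;
    return unless @f == 4;
    my ($domain, $user, $expires, $mac) = @f;
    return unless $expires =~ /\A[0-9]+\z/;

    # Integrity first: never act on fields the server did not sign.
    my $expected = hmac_sha256_hex(join('|', $domain, $user, $expires), $SECRET);
    return unless ct_eq($mac, $expected);

    # Destruction of the cached "yes": it simply stops being valid.
    return if $now >= $expires;
    return "$domain\\$user";
}

# --- constructed sample data, not taken from the thread ---
my $t0    = 1_068_000_000;
my $token = issue_token('WINGR1', 'jdoe', $t0);

(my $renamed  = $token) =~ s/\|jdoe\|/|other|/;          # login edited client-side
(my $extended = $token) =~ s/\|(\d+)\|/'|'.($1+86400).'|'/e;  # expiry edited client-side

my @cases = (
    [ 'fresh token',              $token,      $t0 + 10   ],
    [ 'same token after the TTL', $token,      $t0 + $TTL ],
    [ 'login changed by client',  $renamed,    $t0 + 10   ],
    [ 'expiry changed by client', $extended,   $t0 + 10   ],
    [ 'no cookie sent',           undef,       $t0 + 10   ],
);

for my $case (@cases) {
    my ($label, $tok, $now) = @$case;
    my $who = check_token($tok, $now);
    printf "%-26s => %s\n", $label,
        defined $who ? "accept as $who" : 'reject, run NTLM handshake';
}
```

Only the first case is accepted; every rejection falls back to the normal NTLM exchange, so the cache can only save round trips to the domain controller, never grant access on its own.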

                                      • Shannon Eric Peevey
                                        Message 19 of 27 , Nov 5, 2003
                                          Leo Lapworth wrote:

                                          >Hi All,
                                          >
                                          >The first version is available at:
                                          >
                                          >http://leo.cuckoo.org/projects/AuthCookieNTLM/
                                          >
                                          >I'll tidy up the docs and add a bit more functionality tomorrow,
                                          >debugging for example! - before uploading to CPAN.
                                          >
                                          >We decided against using Apache::AuthCookie in the end,
                                          >it just seemed overkill.
                                          >
                                          >By default the user's login and a test value are set in the
                                          >cookie, there is the choose_cookie_values() so you can
                                          >inherit Apache::AuthCookieNTLM and override this and
                                          >therefore add any additional information you want to the
                                          >cookie at this stage. For example we want to look up
                                          >people's email addresses and other info we have in a
                                          >DB to personalise other pages on the intranet.
                                          >
                                          >Feedback welcome.
                                          >
                                          >Cheers
                                          >
                                          >Leo
                                          >
                                          >
                                          Bravo!! Way to get on the ball :) I will see if I get a chance to
                                          check it out tomorrow.

                                          thanks,
                                          speeves
                                          cws


                                        • Leo Lapworth
                                          Message 20 of 27 , Nov 7, 2003
                                            I've just uploaded Apache::AuthCookieNTLM 0.04 to
                                            CPAN, it's available from http://leo.cuckoo.org/projects/
                                            if you can't wait for it to be processed.

                                            I'll consider it finished (ie. working) unless
                                            I hear from anyone :)

                                            Cheers

                                            Leo

                                          • Shannon Eric Peevey
                                            Message 21 of 27 , Nov 7, 2003
                                              >Fraid I haven't a clue, not used mod_perl2 yet, it requires
                                              >Apache::Request and Apache::Cookie, can't remember if they are
                                              >available yet.
                                              >
                                              >Leo
                                              >
                                              >
                                              Actually, I am looking into it now. (I know that your module as it
                                              stands only works with mp1). But, I am going to download the libapreq 2
                                              release and see how it plays with your module. (It is still in beta,
                                              and I don't know how far they are in the process of porting to mp2, so
                                              you might be nervous about using it... OTOH, if you are using mp2, who
                                              cares right?! Cause it's still in beta too ;) ) BTW, any and all
                                              installs of the new libapreq2 will be helping in the dev process, so it
                                              would be great if we all mess with it, and give them a heads-up on bugs
                                              and stuff :)

                                              thanks,
                                              speeves
                                              cws

                                              BTW, can you include the list in your replies? thanks :)


                                            • Stefano Ciancio
                                              Message 22 of 27 , Nov 7, 2003
                                                Hi Leo,

                                                I have downloaded your module and am testing it.

                                                First of all a question. The AuthenNTLM module set an env variable
                                                REMOTE_USER to the domain\\username value.
                                                Does the new module set this variable?

                                                Thanks,
                                                Stefano



                                                On Fri, 7 Nov 2003 14:01:13 +0000
                                                Leo Lapworth <leo@...> wrote:

                                                > I've just uploaded Apache::AuthCookieNTLM 0.04 to
                                                > CPAN, it's available from http://leo.cuckoo.org/projects/
                                                > if you can't wait for it to be processed.
                                                >
                                                > I'll consider it finished (ie. working) unless
                                                > I hear from anyone :)
                                                >
                                                > Cheers
                                                >
                                                > Leo

                                              • Leo Lapworth
                                                Message 23 of 27 , Nov 7, 2003
                                                  Hi Stefano,

                                                  On Fri, Nov 07, 2003 at 06:11:48PM +0100, Stefano Ciancio wrote:
                                                  > I have downloaded your module and am testing it.
                                                  >
                                                  > First of all a question. The AuthenNTLM module set an env variable
                                                  > REMOTE_USER to the domain\\username value.
                                                  > Does the new module set this variable?

                                                  Ahh, this wasn't something I was checking for - I'll have a look
                                                  at how / if it can be implemented next week (don't have a windowz
                                                  machine at home to test it all on).

                                                  Patch welcome if you figure it out before then.

                                                  Cheers

                                                  Leo

                                                • John Day
                                                  Message 24 of 27 , Nov 7, 2003
                                                    I have been trying to install Apache::Test which is a pre-requisite for something else. But I get this message:

                                                    *** result: NOK
                                                    !!! You are running the test suite under user 'root'.
                                                    Apache cannot spawn child processes as 'root', therefore
                                                    we attempt to run the test suite with user 'nobody' (99:99).
                                                    The problem is that the path:
                                                    /root/.cpan/build/Apache-Test-1.05/t
                                                    must be 'rwx' by user 'nobody', so Apache can read and write under that
                                                    path.

                                                    Yet the directory is chmod=777 for nobody.

                                                    Anybody got any clues where I go from here?

                                                    John


                                                  • Geoffrey Young
                                                    Message 25 of 27 , Nov 7, 2003
                                                      John Day wrote:
                                                      > I have been trying to install Apache::Test which is a pre-requisite for something else. But I get this message:
                                                      >
                                                      > *** result: NOK
                                                      > !!! You are running the test suite under user 'root'.
                                                      > Apache cannot spawn child processes as 'root', therefore
                                                      > we attempt to run the test suite with user 'nobody' (99:99).
                                                      > The problem is that the path:
                                                      > /root/.cpan/build/Apache-Test-1.05/t
                                                      > must be 'rwx' by user 'nobody', so Apache can read and write under that
                                                      > path.
                                                      >
                                                      > Yet the directory is chmod=777 for nobody.
                                                      >
                                                      > Anybody got any clues where I go from here?

                                                      well, first try installing as somebody other than root, perhaps not using
                                                      the CPAN.pm shell. try just grabbing the tarball from

                                                      http://search.cpan.org/CPAN/authors/id/G/GE/GEOFF/Apache-Test-1.05.tar.gz

                                                      unzip to your personal (non-root) home directory or something and then just

                                                      $ perl Makefile.PL
                                                      $ make && make test
                                                      $ su
                                                      # make install

                                                      HTH

                                                      --Geoff


                                                    • Stas Bekman
                                                      Message 26 of 27 , Nov 7, 2003
                                                        Geoffrey Young wrote:
                                                        >
                                                        >
                                                        > John Day wrote:
                                                        >
                                                        >> I have been trying to install Apache::Test which is a pre-requisite
                                                        >> for something else. But I get this message:
                                                        >>
                                                        >> *** result: NOK
                                                        >> !!! You are running the test suite under user 'root'.
                                                        >> Apache cannot spawn child processes as 'root', therefore
                                                        >> we attempt to run the test suite with user 'nobody' (99:99).
                                                        >> The problem is that the path:
                                                        >> /root/.cpan/build/Apache-Test-1.05/t
                                                        >> must be 'rwx' by user 'nobody', so Apache can read and write under that
                                                        >> path.
                                                        >>
                                                        >> Yet the directory is chmod=777 for nobody.
                                                        >>
                                                        >> Anybody got any clues where I go from here?
                                                        >
                                                        >
                                                        > well, first try installing as somebody other than root, perhaps not
                                                        > using the CPAN.pm shell. try just grabbing the tarball from
                                                        >
                                                        > http://search.cpan.org/CPAN/authors/id/G/GE/GEOFF/Apache-Test-1.05.tar.gz
                                                        >
                                                        > unzip to your personal (non-root) home directory or something and then just
                                                        >
                                                        > $ perl Makefile.PL
                                                        > $ make && make test
                                                        > $ su
                                                        > # make install

                                                        Or change your /root/.cpan to be /tmp/cpan or be under some other dir which is
                                                        accessible (rwx) under 'nobody' or your normal username.


                                                        __________________________________________________________________
                                                        Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
                                                        http://stason.org/ mod_perl Guide ---> http://perl.apache.org
                                                        mailto:stas@... http://use.perl.org http://apacheweek.com
                                                        http://modperlbook.org http://apache.org http://ticketmaster.com


                                                        --
                                                        Reporting bugs: http://perl.apache.org/bugs/
                                                        Mail list info: http://perl.apache.org/maillist/modperl.html
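The report quoted above has a build directory that is mode 777 yet unusable by 'nobody', and the replies suggest building outside /root. The added shell example below (not part of the original messages) shows the underlying check: every parent directory must be searchable by that user, not just the leaf. The function names, the constructed temporary tree and the "other bits only" simplification are assumptions of this example.

```shell
#!/bin/sh
# Added example: find the directory that stops an unprivileged user (such as
# 'nobody') from reaching a path, even when the final directory is mode 777.
# Assumption: the user is neither owner nor group member of any directory on
# the way, so only the "other" permission bits apply. ACLs are not considered.

# first_blocked PATH [STOP]
# Walk from PATH up to STOP (default /) and print the topmost directory whose
# "other" execute (search) bit is missing. Prints nothing if all are open.
first_blocked() {
    dir=$1
    stop=${2:-/}
    blocked=
    while :; do
        # First 10 characters of the ls mode string, e.g. drwx------
        mode=$(ls -ldL "$dir" | cut -c1-10)
        case $mode in
            d????????[xt]) ;;            # "other" may traverse this one
            *) blocked=$dir ;;           # remember it and keep climbing
        esac
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    printf '%s' "$blocked"
}

# Constructed tree that mirrors the report: a 0700 parent (standing in for
# /root) holding a build directory that is itself 0777.
demo() {
    top=$(mktemp -d) || return 1
    chmod 755 "$top"
    mkdir -p "$top/root/.cpan/build/t"
    chmod 777 "$top/root/.cpan/build/t"
    chmod 700 "$top/root"
    result=$(first_blocked "$top/root/.cpan/build/t" "$top")
    rm -rf "$top"
    printf '%s' "${result#"$top"}"   # path relative to the temp tree
}

echo "blocked at: $(demo)"
```

Run against a real path, `first_blocked /some/build/dir` names the parent whose permissions block access, which argues for moving the build to a directory meant for unprivileged use rather than loosening the permissions of root's home.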
                                                      • Leo Lapworth
                                                        Message 27 of 27 , Nov 10, 2003
                                                          > On Fri, Nov 07, 2003 at 06:11:48PM +0100, Stefano Ciancio wrote:
                                                          > > First of all a question. The AuthenNTLM module set an env variable
                                                          > > REMOTE_USER to domain\\username value.

                                                          The uploaded file

                                                          Apache-AuthCookieNTLM-0.05.tar.gz

                                                          has entered CPAN as

                                                          file: $CPAN/authors/id/L/LL/LLAP/Apache-AuthCookieNTLM-0.05.tar.gz
                                                          size: 4590 bytes
                                                          md5: e902cc73ff25c384fd3e8e1b11d96702

                                                          Available NOW from:

                                                          http://leo.cuckoo.org/projects/

                                                          This version now defaults to setting the REMOTE_USER value as
                                                          userdomain\\username; this will be the case as long as
                                                          'username' and 'userdomain' are set in choose_cookie_values().

                                                          Enjoy.

                                                          Leo
