I am trying to use Apache to replace a commercial authentication front end for a legacy application server that needs to be supported for another year. I need to authenticate a user to the corporate LDAP, then get a PIN stored as another LDAP attribute and build a new credentials string. I have this part working. Now I need to proxy a connection to the app server using the new credentials. Some advice on how to do this would be greatly appreciated. I have tried several methods with little success.
Here's what I have so far trying to use mod_proxy to forward the connection.

From Apache2 httpd.conf:

    <Location /oncall>
        AuthType basic
        AuthBasicProvider ldap
        AuthName "OnCall"
        require ldap-user username
        PerlAccessHandler MyApache2::AppGate
        ProxyPass http://appserver/it/oncall1.nsf
        ProxyPassReverse http://apserver/it/oncall1.nsf
    </Location>

The AppGate handler script decodes the authentication header, looks up the PIN for the username and re-encodes the credentials with username:pin, then writes the authentication header back out. Like so:

Tail end of the AppGate script that looks up info in LDAP and modifies the authentication header:

    my $newcredentials = MIME::Base64::encode(join(':',$username,$seqeq->{'vals'}->[0]));
    chomp $newcredentials;
    $r->headers_in->set(Authorization => "Basic $newcredentials");

If I remark out the handler and the proxy directives, the LDAP authentication on the directory works fine. If I add in the handler, debugging code in the script shows things happening as expected, and upon exiting, the authentication fails, which is what one would expect because the authentication header has changed. I figured forwarding via the proxy directives would still work though, but apparently not: I get an 'Internal Server Error' but nothing shows up in the Apache error-log or system logs.

What would be a workable way to proxy this connection to the appserver but providing the modified credentials? Any advice would be greatly appreciated as I have to get this done asap.
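
The credential rewrite described in the post, as an added example that is not the poster's AppGate code. The function name `rewrite_basic_auth` and the `%pin_for` table (a constructed stand-in for the LDAP PIN lookup) are assumptions; the example passes an empty line ending to `encode_base64` so that a long user:pin string is not wrapped at 76 characters, which `chomp` alone would not undo.

```perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);

# Constructed sample data standing in for the LDAP PIN attribute lookup.
my %pin_for = (jdoe => '4711');

# Take the incoming Authorization header value and return the value to
# send upstream, or undef if the header is not usable Basic credentials.
sub rewrite_basic_auth {
    my ($header, $lookup_pin) = @_;
    return unless defined $header;

    # The scheme name is case-insensitive; the token must be plain base64.
    my ($b64) = $header =~ m{\A\s*Basic\s+([A-Za-z0-9+/]+=*)\s*\z}i
        or return;

    # Split on the first colon only: the password may contain colons,
    # the user name may not.
    my ($user, $password) = split /:/, decode_base64($b64), 2;
    return unless defined $password && length $user;

    # No PIN on record means no upstream credentials at all, rather than
    # forwarding the user's LDAP password to the application server.
    my $pin = $lookup_pin->($user);
    return unless defined $pin;

    # The empty second argument suppresses the newline that encode_base64
    # otherwise inserts every 76 characters and at the end of the output.
    return 'Basic ' . encode_base64("$user:$pin", '');
}

# Constructed request header: user jdoe with the LDAP password "s3cr:et".
my $incoming = 'Basic ' . encode_base64('jdoe:s3cr:et', '');
my $outgoing = rewrite_basic_auth($incoming, sub { $pin_for{ $_[0] } });
print defined $outgoing ? "$outgoing\n" : "rejected\n";
```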