External authentication in Manila

We’re about to embark on an effort to add external authentication to Manila. We have a Win32 DLL with a single function call, check_password, that takes a username and password and returns an integer. Here is an outline of the tasks as best I can tell. If you know how to do any of these, or if I’m missing something important, please post a comment!

1. Locate the code that runs the login page.
2. Modify the password checking call in one Manila site so that it runs against our DLL instead of against Manila’s object database.
3. Modify password checking in all Manila sites to use the new code.

Once we’ve got the basics working, we can consider bloating it out…

4. Modify the user table giving it a “remote” flag so that we can distinguish between local vs. externally authenticated users.
5. Modify the code in #2 so that it checks the flag and makes the appropriate function call.
6. (Short-term optional) Modify or add a prefs page which lets the user toggle between local and remote authentication. This is to handle the case where we want to preserve the person’s weblog upon leaving or joining the organization running the external authenticator.

10 thoughts on “External authentication in Manila”

  1. Thanks David and Sam. I’m looking at David’s LDAP stuff now. I’m fairly new to Manila and Frontier so there are some basics which I’m still figuring out. Such as, “how do I change #newsSite.membersBoxTemplates.signInBox?” I assume it’s somewhere in the object database but I don’t know where. Reading http://frontier.userland.com/tutorial/ now but feel free to chime in.


  2. Summary of what I think I know so far

    a) The code that handles login lives at manilaSuite.members.login in manila.root.
    b) The careful way to make changes is to place your hacked version of the call in a separate database.
    c) Introduce your changes into the web site by editing member.login in your site, which probably lives in manilaWebsites.root.

    Open questions:

    d) What should I do if I expect to have a lot of sites and want all of them to use the new login scheme? Is there a best way to set this behavior centrally?

    e) How do I call out to a Win32 DLL?


  3. Andrew,

    Another option for you is to look at using an Apache reverse proxy for your authentication. That’s what commercial products like Netegrity’s Siteminder do. There are many existing Apache authentication handlers you could slightly customize (NTLM, LDAP, etc.) to suit your needs, or you could call your DLL from mod_perl using the .NET COM wrapper.

    I’ve implemented these in the past, and tried to hack Manila, and I would much recommend the former.


  4. Thanks for the suggestion, John. Manila hacking has been pretty easy so far, helped by great support from David and Dave. I’m going to stick with it. But I want to quiz you further about reverse proxy auth, just somewhere else (email or offline or whatever).


  5. Figured out the resource file stuff. Running into data marshalling issues. I think it has something to do with proper string termination. Hope to have this figured out by later in the day.


  6. Yes, it appears that you have to copy the strings out of data->paramdata and terminate each with a null (”) before sending them on to C routines that expect strings. One more hurdle cleared.

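The marshalling hurdle described in the comment above, as an added illustration in C; this is not code from the post, from Manila, or from Frontier. It assumes the external DLL exposes `check_password(username, password)` returning an integer (the only contract the post states) and stands in for it with a constructed credential check; the parameter buffers are modelled as pointer-plus-length with no terminator, which is how the comment describes `data->paramdata`. The check it adds that a practitioner would want: a length bound on the copy, and rejection of an embedded NUL byte, since an embedded NUL would make the C side see a shorter password than the one the user typed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the external DLL's check_password.
   Returns 1 on success, 0 on failure. The real DLL's behaviour is
   not described on the page beyond "takes a username and password
   and returns an integer". */
static const char *DEMO_USER = "alice";          /* constructed sample */
static const char *DEMO_PASS = "correct horse";  /* constructed sample */

/* Compare two NUL-terminated strings without early exit on mismatch,
   so the comparison time does not leak where the first difference is. */
static int consttime_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la < lb ? la : lb;
    unsigned char diff = (unsigned char)(la ^ lb);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

int check_password(const char *username, const char *password)
{
    return consttime_equal(username, DEMO_USER) &&
           consttime_equal(password, DEMO_PASS);
}

/* Copy a length-delimited buffer (no terminator, like data->paramdata)
   into a bounded, NUL-terminated C string.
   Returns 1 on success, 0 if the value does not fit or contains an
   embedded NUL (which would silently truncate what the C side sees). */
int marshal_cstring(const char *src, size_t len, char *dst, size_t dstsize)
{
    if (src == NULL || dst == NULL || dstsize == 0) return 0;
    if (len >= dstsize) return 0;                 /* leave room for the NUL */
    if (memchr(src, '\0', len) != NULL) return 0; /* embedded NUL: reject */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 1;
}

#define MAX_CRED 256

/* Marshal both parameters, then call the DLL entry point.
   Returns 1 = authenticated, 0 = rejected, -1 = malformed input. */
int authenticate_external(const char *user, size_t ulen,
                          const char *pass, size_t plen)
{
    char ubuf[MAX_CRED], pbuf[MAX_CRED];
    int ok;

    if (!marshal_cstring(user, ulen, ubuf, sizeof ubuf)) return -1;
    if (!marshal_cstring(pass, plen, pbuf, sizeof pbuf)) return -1;

    ok = check_password(ubuf, pbuf);
    memset(pbuf, 0, sizeof pbuf); /* best-effort: don't leave the password on the stack */
    return ok ? 1 : 0;
}

int main(void)
{
    /* Constructed sample: real bytes followed by garbage, mimicking a
       parameter block that is not NUL-terminated. */
    char raw[] = "correct horseXXXX";
    char embedded[] = "correct\0horse";

    printf("%d\n", authenticate_external("alice", 5, raw, 13));      /* 1: exact bytes */
    printf("%d\n", authenticate_external("alice", 5, raw, 17));      /* 0: garbage included */
    printf("%d\n", authenticate_external("alice", 5, embedded, 13)); /* -1: embedded NUL */
    return 0;
}
```

Passing the declared length, rather than relying on whatever byte happens to follow the buffer, is the whole point: without the explicit terminator the C routine reads on until it finds a NUL, which is the marshalling failure the comment reports.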
