Authentication Plugin Script

You can also specify a script, program or batch file to use for authentication. When Traverse runs the program, the user's login name and password are passed as arguments. Following the convention that a zero return code means successful program execution, your script must return zero to indicate that authentication was successful. You can specify the format of the arguments passed to your program.

Here's an example Perl script (auth.pl) that only lets a user named jane log in, and only if she gives the password secret.

Sample Login Authentication Script

#!/usr/bin/perl
use strict;
use warnings;
# expect exactly two arguments: username and password
if($#ARGV != 1) {
 print STDERR "not enough arguments!\n";
 # exit with a non-zero code
 exit 2;
}
# get the username and password from the arguments
#
# we've set up our parameter string so that username
# is the first argument, and password is the second
#
my $username = $ARGV[0];
my $password = $ARGV[1];
if($username eq "jane" && $password eq "secret") {
 # return 0 so that jane can log in to Traverse
 exit 0;
} else {
 # return a non-zero failure code, since the username
 # and/or password was wrong.
 exit 1;
}

Once you're done with your script, place it in the Traverse plugin authentication directory ($TRAVERSE_HOME/plugin/auth). To instruct Traverse to use your script for authentication, you'll need to modify $TRAVERSE_HOME/etc/emerald.xml. Update the authentication element, which initially may look like this:

<authentication
 method="des"
 class=""
 execute=""
 parameters=""
/>

Change this so that the method attribute is script. This tells Traverse that you want to do authentication with a script. Leave the class attribute empty, since it is only used for plugin authentication with a Java class, described in Authentication Plugin Java Class. Place the name of your script in the execute attribute. Use the parameters attribute to specify the order in which the username and password are passed to your script, along with any other flags you want passed. You can use the special variables ${username} and ${password} as placeholders for the username and password respectively. For example, you may want your script to take GNU-style long parameters, so you could set the parameters attribute to something like this:

  --username=${username} --password=${password}

Since our example script doesn't use any flags for the username and password, we'll use ${username} and ${password} for the parameters. The authentication section of emerald.xml would look like this after we're done:

<authentication
 method="script"
 class=""
 execute="auth.pl"
 parameters="${username} ${password}"
/>

Note that any existing Traverse users still continue to be authenticated using the older authentication method, since the authentication method is stored with each user entry in the database. To switch them to the new scheme, simply change their password once. This allows you to keep the password for superuser tied to the local authentication scheme and not dependent on an external resource or database.

Warning: Any parameters passed on the command line to the plugin script you specify may be viewed by anyone on your system with the ps command during the time it takes the script to execute.
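A variant of the sample script, as an added example that is not part of the Traverse documentation or the product's own code: it accepts the GNU-style long parameters shown above and checks the password against a stored PBKDF2 hash with a constant-time comparison instead of a hard-coded plaintext string. The file name auth.py, the user table, the salt and the iteration count are assumptions constructed for illustration.

```python
#!/usr/bin/env python3
"""Authentication plugin sketch (hypothetical auth.py): exit 0 accepts, non-zero rejects."""
import argparse
import hashlib
import hmac
import sys

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example


def hash_password(password, salt):
    """Derive a key from the password so no plaintext is stored in the script."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed sample user table: username -> (salt, derived key).
# A real deployment would load precomputed hashes from a protected file.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"jane": (_SALT, hash_password("secret", _SALT))}

# Dummy record so an unknown username costs the same work as a known one.
_DUMMY = (b"\x00" * 16, hash_password("", b"\x00" * 16))


def authenticate(argv):
    """Return the exit code for one login attempt (0 = success)."""
    parser = argparse.ArgumentParser(add_help=False, allow_abbrev=False)
    parser.add_argument("--username", required=True)
    parser.add_argument("--password", required=True)
    try:
        args = parser.parse_args(argv)
    except SystemExit:
        return 2  # malformed or missing arguments
    known = args.username in USERS
    salt, expected = USERS.get(args.username, _DUMMY)
    candidate = hash_password(args.password, salt)
    # compare_digest avoids leaking how many leading bytes matched
    matches = hmac.compare_digest(candidate, expected)
    return 0 if (known and matches) else 1


if __name__ == "__main__":
    sys.exit(authenticate(sys.argv[1:]))
```

The password still arrives on the command line, so the ps exposure described in the warning above applies to this script as well.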

Samples for Windows AD, Radius

Sample scripts for authentication using Windows Active Directory, Radius, etc. have been contributed by Traverse users and are available on the Kaseya Community web site by searching for the keywords authenticate against active directory.