Apache2-AuthCookieLDAP


lib/Apache2/AuthCookieLDAP.pm  view on Meta::CPAN

    my $binddn = $self->config( $r, C_BINDDN );
    my $bindpw = $self->config( $r, C_BINDPW ) || '';
 
    my $ldap_handler = Net::LDAP->new($uri)
      or $self->fatal( $r, "Cannot connect to the LDAP server: $!" );
    unless ($ldap_handler) {
        $ldap_handler = NULL;
        return $ldap_handler;
    }
    if ($binddn) {    # bind with a dn/pass
        my $msg = $ldap_handler->bind( $binddn, password => $bindpw );
        $msg->code && $self->fatal( $r, $msg->error );
    }
    else {            # anonymous bind
        my $msg = $ldap_handler->bind();
        $msg->code && $self->fatal( $r, $msg->error );
    }
 
    return $ldap_handler;
}

lib/Apache2/AuthCookieLDAP.pm  view on Meta::CPAN

    my $mesg = $self->ldap($r)->search(
        base   => $base,
        scope  => 'base',
        filter => $filter
    );
 
    return $mesg->code ? 0 : $mesg->count;
}
 
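sub ldap_check_user {
    my ( $self, $r, $user, $password ) = @_;

    # Verify $user's credentials by binding to the LDAP server as the DN
    # obtained from the C_BASE setting with %USER% replaced by $user.
    # Returns 1 when the bind succeeds, 0 when it fails or $password is
    # empty, and NULL when no LDAP connection could be established.
    my $ldap = $self->ldap($r);
    return NULL unless $ldap;

    # A simple bind with an empty password is an "unauthenticated" bind
    # (RFC 4513 section 5.1.2) that many servers accept; it must never be
    # treated as a successful login for $user.
    return 0 unless defined $password && length $password;

    # $user originates from the HTTP request. Escape it (RFC 4514) so DN
    # metacharacters such as ',' '+' '=' cannot change the structure of
    # the bind DN built from the configured template.
    require Net::LDAP::Util;
    my $dn_user = Net::LDAP::Util::escape_dn_value($user);

    my $base = $self->config( $r, C_BASE );
    $base =~ s/%USER%/$dn_user/;

    my $mesg = $ldap->bind( $base, password => $password );

    return $mesg->is_error ? 0 : 1;
}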
 
sub rlog {
    my ( $self, $r, $msg ) = @_;
 
    $r->log_rerror( Apache2::Log::LOG_MARK(),
        LOG_LEVELS->{ $self->config( $r, C_DEBUG_LOGLEVEL ) },
        APR::Const::SUCCESS, ${self} . ": " . $msg );

lib/Apache2/AuthCookieLDAP.pm  view on Meta::CPAN

        return 1;
    }
 
    my ( $d, $h, $m, $s ) = split '-', $lifetime;
    my $expire_time = $session_time + $d * 86400 + $h * 3600 + $m * 60 + $s;
 
    return $expire_time < time ? 1 : 0;
}
 
sub authen_cred {
    my ( $self, $r, $user, $password, @extra_data ) = @_;
 
    my $auth_name = $r->auth_name;
    my $remote_ip = $r->connection->remote_ip;
 
    unless ($user) {
        $DEBUG && $self->rlog( $r, "No username specified" );
        return;
    }
 
    unless ($password) {
        $DEBUG
          && $self->rlog( $r, "No password specified for user '$user'" );
        return;
    }
 
    unless ( $self->ldap_search( $r, $user ) ) {
        $DEBUG
          && $self->rlog( $r, "User '$user' is not found" );
        return;
    }
 
    unless ( $self->ldap_check_user( $r, $user, $password ) ) {
        $DEBUG
          && $self->rlog( $r, "Incorrect password for '$user'" );
        return;
    }
    else {
        $DEBUG
          && $self->rlog( $r, "Successful login for '$user' ($remote_ip)" );
    }
 
    my $session_data = $self->encode_string( $r, $user ) . ':' . time;
 
    return $self->encrypt_session( $r, $session_data );

lib/Apache2/AuthCookieLDAP.pm  view on Meta::CPAN

        return Apache2::Const::REDIRECT;
    }
   
Apache2::AuthCookieLDAP config
 
    PerlSetVar MyAuth_SecretKey OGheSWkT1ixd4V0DydSarLVevF77sSibMIoUaIYuQUqp2zvZIwbS4lyWhRTFUcHE
    PerlSetVar MyAuth_SessionLifetime 00-24-00-00
    PerlSetVar MyAuth_LDAPURI ldap://127.0.0.1
    PerlSetVar MyAuth_Base uid=%USER%,ou=staff,dc=company,dc=com
    PerlSetVar MyAuth_BindDN cn=ldap,dc=company,dc=com
    PerlSetVar MyAuth_BindPW somepassword
    PerlSetVar MyAuth_Filter (uid=%USER%)
 
    <Directory /var/www/mysite/protected>
        AuthType Apache2::AuthCookieLDAP
        AuthName MyAuth
        PerlAuthenHandler Apache2::AuthCookieLDAP->authenticate
        PerlAuthzHandler Apache2::AuthCookieLDAP->authorize
        require valid-user
    </Directory>

lib/Apache2/AuthCookieLDAP.pm  view on Meta::CPAN

This module acts as an authentication handler under Apache2 environment.
It uses Apache2::AuthCookie as the base class and serves as a backend to
provide user authentication against an LDAP server.
 
Make sure that you have got a reachable LDAP server and credentials to access it
(ldapuri, base, binddn/bindpw or anonymous bind).
 
When there is an attempt to access a "protected" directory or location
that has 'require valid-user' option included Apache2::AuthCookieLDAP is used
as the authentication and the authorization handler. It takes a pair of
provided username/password and tries to search the username in the LDAP directory
(it also applies the filter MyAuth_Filter, for cases where you want to restrict access
to the resource to only a specific group). If the user is found then it tries
to bind with the provided username/password.  Once authorized a session key
is generated by taking into account the provided username, authorization time
and a hash generated by including a specific logic plus the user's IP address.
Upon completion the session data is encrypted with the secret key (MyAuth_SecretKey)
and the corresponding cookie is generated by Apache2::AuthCookie.
All subsequent requests to the protected resource carry the cookie (if it exists)
and the encrypted session key is validated (decrypted, the user is checked,
the session time is checked for expiration and the hash is regenerated
and compared with the provided one).
Upon success the user is authorized to access the protected resource.

lib/Apache2/AuthCookieLDAP.pm  view on Meta::CPAN

=item C<MyAuth_BindDN> [optional]
 
Use the option if your LDAP does not accept anonymous bind
for search.
 
Example: cn=ldap,dc=company,dc=com
 
=item C<MyAuth_BindPW> [optional]
 
If you set BindDN then you most likely want to specify
a password here to bind with.
 
=item C<MyAuth_Cipher> [optional, default: 'des']
 
An encryption method used for the session key.
 
Supported methods: 'des', 'idea', 'blowfish', 'blowfish_pp'
 
=item C<MyAuth_Filter> [optional, default: '(uid=%USER%)']
 
You can additionally check if a user belongs to a specific group or has

lib/Apache2/AuthCookieLDAP.pm  view on Meta::CPAN

=head2 ldap($r)
 
Returns Net::LDAP handler or NULL if there were errors.
 
=head2 ldap_search($r, $user)
 
Performs Net::LDAP->search(base => $base, scope => 'base', filter => $filter)
and returns '1' if the specified $user is found or otherwise '0'.
 
=head2 ldap_check_user($r, $user, $password)
 
Performs Net::LDAP->bind($base, password => $password).
 
(%USER% is replaced by $user in $base)
 
=head2 rlog($r, $msg)
 
Logs $msg using $r->log_rerror and the current debug log level.
 
=head2 fatal($r, $msg)
 
Logs $msg using $r->log_rerror and the current error log level.

lib/Apache2/AuthCookieLDAP.pm  view on Meta::CPAN

=head2 decrypt_session($r, $str)
 
Decrypts $str and returns the provided encrypted session string.
 
=head2 check_expire_time($r, $session_time)
 
Checks the provided session time (unixtime) with the current time
and returns '0' if the session time is still valid or '1' if passed.
 
=head2 authen_cred($r, $user, $password, @extra_data)
 
This is the overridden method of Apache::AuthCookie and is used to
authenticate $user with the provided $password.
 
Returns the encrypted session key in case of successful authentication.
 
Please refer to Apache2::AuthCookie if you need more information about the method.
 
=head2 authen_ses_key($r, $session_key)
 
This is the overridden method of Apache::AuthCookie and is used to
validate the provided $session_key.


