Apache2-AuthNetLDAP
2 results

 view release on metacpan or  search on metacpan

AuthNetLDAP.pm  view on Meta::CPAN 

require Apache2::RequestUtil;
use Apache2::Const -compile => qw(HTTP_UNAUTHORIZED OK DECLINED);

# Preloaded methods go here.

#handles Apache requests
sub handler
{
   my $r = shift; 

   my ($result, $password) = $r->get_basic_auth_pw;
    return $result if $result; 
 
   # change based on version of mod_perl 
   my $user = $r->user;

   my $binddn = $r->dir_config('BindDN') || "";
   my $bindpwd = $r->dir_config('BindPWD') || "";
   my $basedn = $r->dir_config('BaseDN') || "";
   my $ldapserver = $r->dir_config('LDAPServer') || "localhost";
   my $ldapport = $r->dir_config('LDAPPort') || 389;

AuthNetLDAP.pm  view on Meta::CPAN 

   my $scope = $r->dir_config('SearchScope') || "sub";
   my $pwattr = $r->dir_config('AlternatePWAttribute') || "";
   my $domain = "";

   # remove the domainname if logging in from winxp
   ## Parse $name's with Domain\Username 
   if ($user =~ m|(\w+)[\\/](.+)|) {
       ($domain,$user) = ($1,$2);
   }
   
   if ($password eq "") {
        $r->note_basic_auth_failure;
	$r->log_error("user $user: no password supplied",$r->uri);
        return Apache2::Const::HTTP_UNAUTHORIZED;
   }
 
  
   my $ldap = new Net::LDAP($ldapserver, port => $ldapport);
   if (lc $start_TLS eq 'yes')
   {
       $ldap->start_tls(verify => 'none')
           or $r->log_error( "Unable to start_tls", $r->uri);
   }

   my $mesg;
   #initial bind as user in Apache config
   if ($bindpwd ne "")
   {
       $mesg = $ldap->bind($binddn, password=>$bindpwd);
   }
   else
   {
       $mesg = $ldap->bind();
   }
  
   #each error message has an LDAP error code
   if (my $error = $mesg->code())
   {
        $r->note_basic_auth_failure;

AuthNetLDAP.pm  view on Meta::CPAN 

   }
 
   #now try to authenticate as user
   my $entry = $mesg->shift_entry;

   if ( $pwattr ne "" )
   {
       my $altfieldvalue = $entry->get_value ( $pwattr );
       $altfieldvalue =~ s/^\s+//;
       $altfieldvalue =~ s/\s+$//;
       if ($altfieldvalue eq $password)
       {
	   return Apache2::Const::OK;
       }
       else
       {
	# If user is not found in ldap database, check for the next auth handler before failing 
	if (lc($allowaltauth) eq "yes")
	{
	    return Apache2::Const::DECLINED;
        }
        else
        {
	    return Apache2::Const::HTTP_UNAUTHORIZED;
        }
       }
   }
   else
   {
       $mesg = $ldap->bind($entry->dn(),password=>$password);
   }
 
  if (my $error = $mesg->code())
  {
        $r->note_basic_auth_failure;
        $r->log_error("user $user: failed bind: $error",$r->uri);
        return Apache2::Const::HTTP_UNAUTHORIZED;
   }
        my $error = $mesg->code();
        my $dn = $entry->dn();
        # $r->log_error("AUTHDEBUG user $dn:$password bind: $error",$r->uri);

   return Apache2::Const::OK;
}
# Autoload methods go after =cut, and are processed by the autosplit program.

# Below is the stub of documentation for your module. You better edit it!

=head1 NAME

Apache2::AuthNetLDAP - mod_perl module that uses the Net::LDAP module for user authentication for Apache 

=head1 SYNOPSIS

 AuthName "LDAP Test Auth"
 AuthType Basic

 #only set the next two if you need to bind as a user for searching
 #PerlSetVar BindDN "uid=user1,ou=people,o=acme.com" #optional
 #PerlSetVar BindPWD "password" #optional
 PerlSetVar BaseDN "ou=people,o=acme.com"
 PerlSetVar LDAPServer ldap.acme.com
 PerlSetVar LDAPPort 389
 #PerlSetVar UIDAttr uid
 PerlSetVar UIDAttr mail
 #PerlSetVar AlternatePWAttribute alternateAttribute
 #PerlSetVar SearchScope base | one | sub # default is sub
 #PerlSetVar LDAPFilter "(&(course=CSA)(class=A))" #optional

 # Set if you want to encrypt communication with LDAP server
 # and avoid sending clear text passwords over the network
 PerlSetVar UseStartTLS yes | no
 
 # Set if you want to allow an alternate method of authentication
 PerlSetVar AllowAlternateAuth yes | no

 require valid-user

 PerlAuthenHandler Apache2::AuthNetLDAP

=head1 DESCRIPTION

AuthNetLDAP.pm  view on Meta::CPAN 

The parameters are:

=over 4

=item PerlSetVar BindDN

Used to set initial LDAP user.

=item PerlSetVar BindPWD

Used to set initial LDAP password.

=item PerlSetVar BaseDN

This sets the search base used when looking up a user in an LDAP server.

=item PerlSetVar LDAPServer 

This is the hostname of the LDAP server you wish to use.

=item PerlSetVar LDAPPort 

This is the port the LDAP server is listening on.

=item PerlSetVar UIDAttr

The attribute used to lookup the user.

=item PerlSetVar AlternatePWAttribute

The an alternate attribute with which the $password will be tested.  
This allows you to test with another attribute, instead of just
trying to bind the userdn and password to the ldap server.

If this option is used, then a BindDN and BindPWD must be used for the
initial bind.

=item PerlSetVar AllowAlternateAuth

This attribute allows you to set an alternative method of authentication
(Basically, this allows you to mix authentication methods, if you don't have
 all users in the LDAP database). It does this by returning a DECLINE and checking 
 for the next handler, which could be another authentication, such as

AuthNetLDAP.pm  view on Meta::CPAN 

 PerlSetVar UIDAttr uid
 PerlSetVar LDAPFilter "(&(course=41300)(year=3)(classCode=Y))"

and a user authenticates with the username "nicku" then the following
filter will be generated to search for the entry to authenticate against:

 (&(&(course=41300)(year=3)(classCode=Y))(uid=nicku))

This will then allow nicku access only if nicku's LDAP entry has the
attribute course equal to 41300, the attribute year equal to 3, and
attribute classCode equal to Y.  And of course, if the password is
correct.  This may be useful for restricting access to a group of
users in a large directory, e.g., at a university.

=item PerlSetVar UseStartTLS

Optional; can be yes or no.  If yes, will fail unless can start a TLS
encrypted connection to the LDAP server before sending passwords over
the network.  Note that this requires that the optional module
IO::Socket::SSL is installed; this depends on Net::SSLeay, which
depends on openssl.  Of course, the LDAP server must support Start TLS
also.

=back

=head2 Uses for UIDAttr

For example if you set the UIDAttr to uid, and a user enters the UID

AuthNetLDAP.pm  view on Meta::CPAN 

 make test 
 make install

Then in your httpd.conf file or .htaccess file, in either a <Directory> or <Location> section put:

 AuthName "LDAP Test Auth"
 AuthType Basic

 #only set the next two if you need to bind as a user for searching
 #PerlSetVar BindDN "uid=user1,ou=people,o=acme.com" #optional
 #PerlSetVar BindPWD "password" #optional
 PerlSetVar BaseDN "ou=people,o=acme.com"
 PerlSetVar LDAPServer ldap.acme.com
 PerlSetVar LDAPPort 389
 PerlSetVar UIDAttr uid
 PerlSetVar UseStartTLS yes # Assuming you installed IO::Socket::SSL, etc.
 
 # Set if you want base or one level scope for search:
 PerlSetVar SearchScope one # default is sub

 # Set if you want to limit access to a subset of users:

Changes  view on Meta::CPAN 


0.27  Mon Mar 22 2004
	- Added LDAPFilter, SearchScope and TLS connections to module (Thanks to Nick Urbanik!)
	- Added documentation for LDAPFilter, SearchScope and TLS connections to module 
	  (Also, thanks to Nick Urbanik)

0.28  Wed Mar 24 2004
	- Split domain\username as seen coming from winxp (Based on code from Carlos Ramirez)

0.29  Sat May 01 2004
	- add ability to test $password against an alternate password attribute.
  	  The alt attribute is signified by PerlSetVar PWAttr.

Split Apache::AuthNetLDAP into Apache2::AuthNetLDAP

0.01  Wed May 04 2005
	- Remove Apache mp1 code and prepare package for life >= mp2-rc5 renaming
	- Push into Apache2::AuthNetLDAP namespace



( run in 0.541 second using v1.01-cache-2.11-cpan-49f99fa48dc )