# Inherit from Exporter (symbol export) and AutoLoader (on-demand sub loading).
our @ISA = ('Exporter', 'AutoLoader');
# Nothing is exported by default. Any public symbol should be offered via
# @EXPORT_OK so callers opt in explicitly rather than having it forced into
# their namespace.
our @EXPORT = ();
our $VERSION = '0.01';
# mod_perl 2 request/response API modules used by handler().
# NOTE(review): the previous comment here spoke of selecting libraries by
# mod_perl version, but only the mod_perl 2 modules are loaded, unconditionally.
require Apache2::Access;
require Apache2::Connection;
require Apache2::Log;
require Apache2::RequestRec;
require Apache2::RequestUtil;
# HTTP status constants returned by handler(); `-compile` defines them as
# Apache2::Const::NAME subs instead of importing bare names into this package.
use Apache2::Const -compile => qw(HTTP_UNAUTHORIZED OK DECLINED);
# Preloaded methods go here.
# Apache authentication handler: checks the request's HTTP Basic credentials against LDAP
sub handler
{
my $r = shift;
my ($result, $password) = $r->get_basic_auth_pw;
return $result if $result;
# change based on version of mod_perl
my $user = $r->user;
my $binddn = $r->dir_config('BindDN') || "";
my $bindpwd = $r->dir_config('BindPWD') || "";
my $basedn = $r->dir_config('BaseDN') || "";
my $ldapserver = $r->dir_config('LDAPServer') || "localhost";
my $ldapport = $r->dir_config('LDAPPort') || 389;
my $uidattr = $r->dir_config('UIDAttr') || "uid";
my $allowaltauth = $r->dir_config('AllowAlternateAuth') || "no";
my $ldapfilter = $r->dir_config('LDAPFilter') || "";
my $start_TLS = $r->dir_config('UseStartTLS') || "no";
my $scope = $r->dir_config('SearchScope') || "sub";
my $pwattr = $r->dir_config('AlternatePWAttribute') || "";
my $domain = "";
# remove the domainname if logging in from winxp
## Parse $name's with Domain\Username
if ($user =~ m|(\w+)[\\/](.+)|) {
($domain,$user) = ($1,$2);
}
if ($password eq "") {
$r->note_basic_auth_failure;
$r->log_error("user $user: no password supplied",$r->uri);
return Apache2::Const::HTTP_UNAUTHORIZED;
}
my $ldap = new Net::LDAP($ldapserver, port => $ldapport);
if (lc $start_TLS eq 'yes')
{
$ldap->start_tls(verify => 'none')
or $r->log_error( "Unable to start_tls", $r->uri);
}
my $mesg;
#initial bind as user in Apache config
if ($bindpwd ne "")
{
$mesg = $ldap->bind($binddn, password=>$bindpwd);
}
else
{
$mesg = $ldap->bind();
}
#each error message has an LDAP error code
if (my $error = $mesg->code())
{
$r->note_basic_auth_failure;
$r->log_error("user $user: LDAP Connection Failed: $error",$r->uri);
}
#Look for user based on UIDAttr
my $attrs = [];
if ($pwattr ne "")
{
$attrs = ['dn',$pwattr];
}
else
{
$attrs = ['dn'];
}
my $filter = $ldapfilter
? "(&$ldapfilter($uidattr=$user))"
: "($uidattr=$user)";
$mesg = $ldap->search(
base => $basedn,
scope => $scope,
filter => $filter,
attrs => $attrs
);
if (my $error = $mesg->code())
{
$r->note_basic_auth_failure;
$r->log_error("user $user: LDAP Connection Failed: $error",$r->uri);
return Apache2::Const::HTTP_UNAUTHORIZED;
}
unless ($mesg->count())
{
$r->note_basic_auth_failure;
$r->log_error("user $user: user entry not found for filter: $uidattr=$user",$r->uri);
# If user is not found in ldap database, check for the next auth handler before failing
if (lc($allowaltauth) eq "yes")
{
return Apache2::Const::DECLINED;
}
else