Apache2-AuthTicketLDAP


AuthTicketLDAP.pm

     PerlAuthenHandler Apache2::AuthTicketLDAP->authenticate
     PerlAuthzHandler Apache2::AuthTicketLDAP->authorize
     require ldap_attribute allowedFoo=Yes
     require valid-user
 </Location>
 
 <Location /foologinform>
     AuthType Apache2::AuthTicketLDAP
     AuthName Foo
     SetHandler perl-script
     PerlResponseHandler Apache2::AuthTicketLDAP->login_screen
 </Location>

 # Or for a mod_perl script to handle logins, store /foologinform in here and 
 # change:  PerlSetVar FooLoginScript /my/path/cgi-bin/foologinform
 <Directory /my/path/cgi-bin>
     Options ExecCGI
     SetHandler perl-script
     PerlResponseHandler ModPerl::Registry
     PerlOptions +ParseHeaders
     AllowOverride none
     Order allow,deny
     Allow from all
 </Directory>
 
 <Location /foologin>
     AuthType Apache2::AuthTicketLDAP
     AuthName Foo
     SetHandler perl-script
     PerlResponseHandler Apache2::AuthTicketLDAP->login
 </Location>
 
 <Location /foo/logout>
     AuthType Apache2::AuthTicketLDAP
     AuthName Foo
     SetHandler perl-script
     PerlResponseHandler Apache2::AuthTicketLDAP->logout
 </Location>

=head1 DESCRIPTION

This module builds upon the I<Apache2::AuthTicket> database-backed, cookie 
ticketing system for websites. It provides for authentication and authorization
against an LDAP database. It also implements I<CHI>-based, mmap'd file caching
of LDAP entries and SELECT queries.

Further differences between the two modules include:
 1) Custom dbi_connect, supporting:
    a) passwordless local connections
    b) AutoCommit via TicketDBAutoCommit option
    c) a couple of Informix-specific options (ISOLATION and LOCK MODE)
 2) Use SHA512 instead of MD5 for digests
 3) Support "require ldap_attribute myAttrib=Foo"
 4) TicketThreshold: Only update database when a ticket timestamp is at least
    X seconds old. Reduces database updates.

Keep in mind that the mmap caching will make apache processes look huge. It is 
an illusion -- cached files are only mapped into memory once.

LDAP authentication processing works similarly to mod_ldap/mod_authnz_ldap.
 1) An anonymous search looks up the user on the LDAP server. Returns 403 if
    unsuccessful. Otherwise, the entry is cached.
 2) The DN of that user's LDAP entry and the supplied password are used to bind
    to the server. Returns 403 if unsuccessful, OK if successful.

On the database side, everything works the same as I<Apache2::AuthTicket> except
that users are authenticated and authorized with LDAP instead.

Authorization works similarly to mod_ldap/mod_authnz_ldap.
 1) B<require valid-user> works as usual.
 2) B<require ldap-attribute> was changed to B<require ldap_attribute> (note
    the underscore).
    a) The cache is checked for an LDAP entry for the user.
    b) If it exists and is not expired, that entry is used.
    c) Otherwise, a new anonymous search is performed and cached.
    d) If the attribute value does not match, return 403. Otherwise, OK.
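The two-step search-then-bind authentication above and the C<require ldap_attribute> check, as an added stand-alone Perl illustration written with Net::LDAP; this is not the module's own code. It assumes a reachable LDAP server; the URL, base DN, filter template, attribute name and the user/password taken from C<@ARGV> are constructed sample values. It also shows two defensive details worth having in any such handler: the login name is escaped before it replaces MYUSER in the filter, and an empty password is refused before the bind.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Settings mirroring the SEULDAP* PerlSetVars (constructed sample values).
my %cfg = (url => 'ldap://ldap.foo.com:389', base => 'dc=foo,dc=com',
           scope => 'one', filter => 'uid=MYUSER');   # MYUSER = login name

# Returns (ok, reason, entry); ok is 1 only when search and bind both succeed.
sub ldap_authenticate {
    my ($cfg, $user, $password) = @_;
    # An empty password turns the user bind into an unauthenticated bind that
    # many servers accept, so refuse it before talking to the server.
    return (0, 'empty password') unless defined $password && length $password;

    # Escape the login name before splicing it into the filter template so
    # that '*', '(', ')' or '\' in it cannot change the filter's meaning.
    my $safe_user = escape_filter_value($user);
    (my $filter = $cfg->{filter}) =~ s/MYUSER/$safe_user/g;
    $filter = "($filter)" unless $filter =~ /^\(/;

    my $ldap = Net::LDAP->new($cfg->{url}) or return (0, "connect: $@");

    # Step 1: anonymous search for the user's entry (403 on any failure).
    my $mesg = $ldap->bind;
    return (0, 'anonymous bind: ' . $mesg->error) if $mesg->code;
    $mesg = $ldap->search(base => $cfg->{base}, scope => $cfg->{scope},
                          filter => $filter);
    return (0, 'search: ' . $mesg->error) if $mesg->code;
    # Exactly one match: zero is an unknown user, more than one is ambiguous.
    return (0, 'user not found or not unique') unless $mesg->count == 1;
    my $entry = $mesg->entry(0);

    # Step 2: bind as the located DN with the supplied password (403 on failure).
    $mesg = $ldap->bind($entry->dn, password => $password);
    $ldap->unbind;
    return $mesg->code ? (0, 'bind: ' . $mesg->error) : (1, 'ok', $entry);
}

# "require ldap_attribute allowedFoo=Yes": true if any value of the attribute matches.
sub ldap_attribute_allows {
    my ($entry, $attr, $wanted) = @_;
    return scalar grep { $_ eq $wanted } $entry->get_value($attr);
}

my ($ok, $why, $entry) = ldap_authenticate(\%cfg, $ARGV[0], $ARGV[1]);
die "403 ($why)\n" unless $ok;
die "403 (allowedFoo != Yes)\n" unless ldap_attribute_allows($entry, 'allowedFoo', 'Yes');
print 'OK ', $entry->dn, "\n";
```

Run it as C<perl check.pl USERNAME PASSWORD>; inside the real handler the same two results map to FORBIDDEN and OK, and the entry from step 1 is what the module caches for later C<ldap_attribute> checks.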

=head1 CONFIGURATION

These are the things you must do in order to configure this module: 

 1) Configure your mod_perl apache server.
 2) Create the necessary database tables.
 3) Add a secret to the secrets table.
 4) Ensure the cache directory exists and is read/write for the forked apache 
    user or group.

=head2 Apache Configuration - httpd.conf

There are a number of additional configuration variables required by this
module. Otherwise, configuration is largely the same as with
I<Apache2::AuthTicket>.

Additional per-AuthName variables supported by the I<Apache2::AuthTicket>
configuration mechanism:
  * PerlSetVar SEULDAPURL "ldap://ldap.foo.com:389"
  * PerlSetVar SEULDAPDN "dc=foo,dc=com"
  * PerlSetVar SEULDAPScope "one"
  * PerlSetVar SEULDAPFilter "uid=MYUSER"
  * PerlSetVar SEUTicketDBAutoCommit 0

Additional variables that are defined once in httpd.conf and are global for all
AuthNames and are not configurable through configure():
  * PerlSetVar AuthTicketLDAPCacheDir "/var/cache/apache"
  * PerlSetVar AuthTicketLDAPCacheSize "4m"
  * PerlSetVar AuthTicketLDAPCachePageSize "4096"
  * PerlSetVar AuthTicketLDAPCacheTTL "10m"
  * PerlSetVar AuthTicketLDAPStmtCacheSize "4m"
  * PerlSetVar AuthTicketLDAPStmtCachePageSize "4096"
  * PerlSetVar AuthTicketLDAPStmtCacheTTL "1m"

There are four blocks that need to be entered into httpd.conf.  The first of
these is the block specifying your access restrictions.  This block should look
something like this:

 <Location /foo>
     AuthType Apache2::AuthTicketLDAP
     AuthName Foo
     PerlAuthenHandler Apache2::AuthTicketLDAP->authenticate
     PerlAuthzHandler Apache2::AuthTicketLDAP->authorize