# Inherit from Exporter (symbol export) and DynaLoader. No XS code is
# actually bootstrapped here: the bootstrap call further down is commented out.
@ISA = qw(Exporter DynaLoader);
# Items to export into callers namespace by default. Note: do not export
# names by default without a very good reason. Use EXPORT_OK instead.
# Do not simply export all your public functions/methods/constants.
# Nothing is exported by default; the module is used through its handler sub.
@EXPORT = qw(
);
$VERSION = '0.07';
#bootstrap Apache::AuthzNetLDAP $VERSION;
# setting the constants to help identify which version of mod_perl
# is installed
# MP2 is true for mod_perl 2.x (version 1.99 and later). It is evaluated once,
# at compile time, so $mod_perl::VERSION must already be set when this file is
# compiled; if it is not, the comparison is false (and warns under 'use warnings').
use constant MP2 => ($mod_perl::VERSION >= 1.99);
# test for the version of mod_perl, and use the appropriate libraries
# This runs at compile time so that HTTP_UNAUTHORIZED/OK/DECLINED exist before
# the handler below is compiled. Under MP2 they are compiled into the Apache::
# namespace (Apache::OK); under MP1 they live in Apache::Constants
# (Apache::Constants::OK). The handler spells out both forms at each return.
BEGIN {
if (MP2) {
require Apache::Const;
require Apache::Access;
require Apache::Connection;
require Apache::Log;
require Apache::RequestRec;
require Apache::RequestUtil;
require URI;
# NOTE(review): URI::ldap is required only on the MP2 branch. If the ldap-url
# requirement handling also needs it under MP1, the else branch should require
# it as well -- confirm against _checkURL.
require URI::ldap;
Apache::Const->import(-compile => 'HTTP_UNAUTHORIZED','OK', 'DECLINED');
} else {
require Apache::Constants;
require URI;
Apache::Constants->import('HTTP_UNAUTHORIZED','OK', 'DECLINED');
}
}
# Preloaded methods go here.
#will determine if an entry in the LDAP server is a member of a given group
#will handle groupofmembers, groupofuniquemembers, or Netscape's dynamic group
#eventually will handle an LDAP URL to add support for LDAP servers that don't
#support dynamic groups
#in future we should store user's DN in global cache to reduce searches on LDAP server
#also share LDAP connection
#processes a require directive
sub handler
{
my $r = shift;
my $requires = $r->requires;
return MP2 ? Apache::DECLINED : Apache::Constants::DECLINED unless $requires;
my $username = MP2 ? $r->user : $r->connection->user;
#need to step through each requirement, handle valid-user, return OK once have match , otherwise return failure
my $binddn = $r->dir_config('BindDN') || "";
my $bindpwd = $r->dir_config('BindPWD') || "";
my $basedn = $r->dir_config('BaseDN') || "";
my $ldapserver = $r->dir_config('LDAPServer') || "localhost";
my $ldapport = $r->dir_config('LDAPPort') || 389;
my $uidattr = $r->dir_config('UIDAttr') || "uid";
#first we connect to the LDAP server
my $ldap = new Net::LDAP($ldapserver, port => $ldapport);
#initial bind as user in Apache config
my $mesg = $ldap->bind($binddn, password=>$bindpwd);
#each error message has an LDAP error code
if (my $error = $mesg->code())
{
$r->note_basic_auth_failure;
MP2 ? $r->log_error("user $username: LDAP Connection Failed: $error",$r->uri) : $r->log_reason("user $username: LDAP Connection Failed: $error",$r->uri);
return MP2 ? Apache::HTTP_UNAUTHORIZED : Apache::Constants::HTTP_UNAUTHORIZED;
}
#first let's get the user's DN
my $attrs = ['dn'];
$mesg = $ldap->search(
base => $basedn,
scope => 'sub',
filter => "($uidattr=$username)",
attrs => $attrs
);
if (my $error = $mesg->code())
{
$r->note_basic_auth_failure;
MP2 ? $r->log_error("user $username: LDAP Connection Failed: $error",$r->uri) : $r->log_reason("user $username: LDAP Connection Failed: $error",$r->uri);
return MP2 ? Apache::HTTP_UNAUTHORIZED : Apache::Constants::HTTP_UNAUTHORIZED;
}
my $entry = $mesg->shift_entry();
#now let's find out if they are a member or not!
#now process require
for my $req(@{$requires})
{
# my $temps = $req->{requirement};
# $r->log_reason("DEBUG requirement is $temps",$r->uri);
my ($requirement,@rest) = split(/\s+/, $req->{requirement});
if (lc $requirement eq 'user')
{
foreach (@rest) {return MP2 ? Apache::OK : Apache::Constants::OK if $username eq $_;}
}
elsif (lc $requirement eq 'group')
{
my $temps = $req->{requirement};
MP2 ? $r->log_error("DEBUG requirement is $temps",$r->uri) : $r->log_reason("DEBUG requirement is $temps",$r->uri);
my ($foo,$group) = split(/"/,$req->{requirement});
my $isMember = Apache::AuthzNetLDAP::_getIsMember($ldap,$r,$group,$entry->dn());
MP2 ? $r->log_error("user $username: group($group) DEBUG - isMember: $isMember",$r->uri) : $r->log_reason("user $username: group($group) DEBUG - isMember: $isMember",$r->uri);
return MP2 ? Apache::OK : Apache::Constants::OK if $isMember;
}
elsif (lc $requirement eq 'ldap-url')
{
my ($foo,$url) = split (/ldap-url/,$req->{requirement});
my $isMember = Apache::AuthzNetLDAP::_checkURL($r,$ldap,$entry->dn(),$url);
MP2 ? $r->log_error("user $username: group($url) DEBUG - isMember: $isMember",$r->uri) : $r->log_reason("user $username: group($url) DEBUG - isMember: $isMember",$r->uri);
return MP2 ? Apache::OK : Apache::Constants::OK if $isMember;
}
elsif (lc $requirement eq 'valid-user') {
return MP2 ? Apache::OK : Apache::Constants::OK;
}
}