Apache-AuthzNetLDAP


AuthzNetLDAP.pm

                #stop as soon as we have a winner
                # last if $isMember;
                return $isMember if $isMember;
            }
        }
        if (my $error = $mesg->code())
        {
            $r->note_basic_auth_failure;
            MP2 ? $r->log_error("user $userDN: group ($groupDN) LDAP search Failed: $error",$r->uri) : $r->log_reason("user $userDN: group ($groupDN) LDAP search Failed: $error",$r->uri);
            return MP2 ? Apache::HTTP_UNAUTHORIZED : Apache::Constants::HTTP_UNAUTHORIZED;
        }

        #no group matched: the loop above returns as soon as $isMember
        #becomes true, so $isMember is false at this point
        return $isMember;

        #unreachable, the return above always fires
        return 0;
}

#says whether a user's entry matches search query in LDAP URL
#need to replace code in isMember with a call to this routine
sub _checkURL
{
    my ($r,$ldap,$userDN,$urlval) = @_;

    # URI->new() returns a URI::ldap object for ldap:// URLs.  Only the
    # filter and attribute list of the URL are used; its DN and scope are
    # ignored, because the filter is evaluated against the user's own entry.
    my $uri = URI->new($urlval);
    my $filter = $uri->filter();
    my @attrs = $uri->attributes();

    my $mesg = $ldap->search(
        base => $userDN,
        scope => "base",
        filter => $filter,
        attrs => \@attrs
    );

    if (my $error = $mesg->code())
    {
        # Note: an HTTP status constant is returned here, which is a true
        # value; a caller that only tests this result for truth must not
        # treat a failed search as a match.
        $r->note_basic_auth_failure;
        MP2 ? $r->log_error("user $userDN: group ($urlval) LDAP search Failed: $error",$r->uri) : $r->log_reason("user $userDN: group ($urlval) LDAP search Failed: $error",$r->uri);
        return MP2 ? Apache::HTTP_UNAUTHORIZED : Apache::Constants::HTTP_UNAUTHORIZED;
    }

    #a base-scope search with the URL's filter returns the user's entry
    #only if the entry matches the filter
    if ($mesg->pop_entry())
    {
        return 1;
    }
    else
    {
        return 0;
    }
}
# Autoload methods go after =cut, and are processed by the autosplit program.

1;
__END__
# Below is the stub of documentation for your module. You better edit it!

=head1 NAME

Apache::AuthzNetLDAP - Apache-Perl module that enables you to authorize a user for a
Web site based on LDAP attributes.

=head1 SYNOPSIS

  PerlSetVar BindDN "cn=Directory Manager"
  PerlSetVar BindPWD "password"
  PerlSetVar BaseDN "ou=people,o=unt.edu"
  PerlSetVar LDAPServer ldap.unt.edu
  PerlSetVar LDAPPort 389
  PerlSetVar UIDAttr uid
 #PerlSetVar UIDAttr mail 
   
  PerlAuthenHandler Apache::AuthNetLDAP
  PerlAuthzHandler Apache::AuthzNetLDAP
  
  #require valid-user     
  #require user mewilcox
  #require user mewilcox@venus.acs.unt.edu
  #require group "cn=Peoplebrowsers1,ou=UNTGroups,ou=People, o=unt.edu"
  #require ldap-url ldap://pandora.acs.unt.edu/o=unt.edu??sub?sn=wilcox
  #require ldap-url ldap://pandora.acs.unt.edu/o=unt.edu??sub?sn=smith
  #require ldap-url ldap://castor.acs.unt.edu/ou=people,o=unt.edu??sub?untcourse=untcoursenumber=1999CCOMM2040001,ou=courses,ou=acad,o=unt.edu
 
=head1 DESCRIPTION

After you have authenticated a user (perhaps with Apache::AuthNetLDAP ;)
you can use this module to determine whether they are authorized to access
the Web resource under this module's control.

You can control authorization via one of four methods. The first two are
pretty standard; the other two are unique to LDAP.

"require" options -- 

user -> Will authorize access if the authenticated user's username matches the given I<username>.

valid-user -> Will authorize any authenticated user.

group -> Will authorize any authenticated user who is a member of the LDAP group
specified by I<groupdn>. This module supports groupOfMember, groupOfUniquemember
and Netscape's dynamic group object classes.

ldap-url -> This will authorize any authenticated user whose own entry matches the filter
specified in the given LDAP URL. This gives users the flexibility of Netscape's
dynamic groups, even if their LDAP server does not support such a capability.
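As an added example (not the module's own code), the ldap-url check described above written as a stand-alone routine: it parses the URL with URI::ldap and applies the filter to the user's own entry with a base-scope search, exactly as Apache::AuthzNetLDAP does, but returns a separate error state so a failed search cannot be mistaken for a match by a caller that only tests the result for truth. FakeLDAP and FakeMesg are constructed stand-ins for the Net::LDAP objects so the script runs without a directory server; the DN and rule values are taken from the SYNOPSIS.

```perl
# Added example, not part of Apache::AuthzNetLDAP: evaluate one
# "require ldap-url" rule the way the module's _checkURL does, but
# with a three-state result so an LDAP error is never read as a match.
use strict;
use warnings;
use URI;    # URI->new() hands back a URI::ldap object for ldap:// URLs

# Returns (1, undef) on match, (0, undef) on no match, (undef, $error) on failure.
sub matches_ldap_url {
    my ($ldap, $user_dn, $url) = @_;
    my $uri = URI->new($url);
    return (undef, "not an LDAP URL: $url") unless $uri->isa('URI::ldap');
    # As in the module, the URL's own DN and scope are ignored: the filter
    # is applied to the authenticated user's entry only (base scope).
    my $mesg = $ldap->search(
        base   => $user_dn,
        scope  => 'base',
        filter => $uri->filter,          # "(objectClass=*)" when the URL has none
        attrs  => [ $uri->attributes ],
    );
    return (undef, 'LDAP search failed: ' . $mesg->error) if $mesg->code;
    return ($mesg->pop_entry ? 1 : 0, undef);
}

# --- constructed stand-ins for Net::LDAP so the example runs offline -------
package FakeMesg;
sub new       { my ($c, %a) = @_; bless {%a}, $c }
sub code      { $_[0]{code} }
sub error     { $_[0]{error} }
sub pop_entry { shift @{ $_[0]{entries} || [] } }

package FakeLDAP;   # entries: dn => { attr => [values] }; equality filters only
sub new { my ($c, %e) = @_; bless { entries => \%e }, $c }
sub search {
    my ($self, %a) = @_;
    my $e = $self->{entries}{ $a{base} }
        or return FakeMesg->new(code => 32, error => 'No such object');
    my ($attr, $val) = $a{filter} =~ /^\(?([\w;-]+)=([^)]*)\)?$/
        or return FakeMesg->new(code => 87, error => 'Bad search filter');
    my $hit = grep { lc $_ eq lc $val } @{ $e->{ lc $attr } || [] };
    return FakeMesg->new(code => 0, entries => $hit ? [$e] : []);
}

package main;
my $ldap = FakeLDAP->new('uid=mewilcox,ou=people,o=unt.edu' => { sn => ['Wilcox'] });
my $rule = 'ldap://pandora.acs.unt.edu/o=unt.edu??sub?sn=wilcox';
for my $dn ('uid=mewilcox,ou=people,o=unt.edu', 'uid=nobody,ou=people,o=unt.edu') {
    my ($ok, $err) = matches_ldap_url($ldap, $dn, $rule);
    print "$dn: ", defined $ok ? ($ok ? "allow\n" : "deny\n") : "error ($err)\n";
}
```

The second DN has no entry, so the search fails with noSuchObject and the routine reports an error rather than a deny or an allow; with a real Net::LDAP handle the stand-in packages are simply dropped.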

=head1 CONFIGURATION NOTES

It is important to note that this module must be used in conjunction with an authentication module.
(Is this true? I just thought that you might want to only authorize a user, instead of authenticating...)
If you are using an authentication module, then the following lines do not need to be duplicated:


  PerlSetVar BindDN "cn=Directory Manager"
  PerlSetVar BindPWD "password"


