Apache2-AuthCookieLDAP
lib/Apache2/AuthCookieLDAP.pm view on Meta::CPAN
my ( $enc_user, $session_time, $hash ) = split ':', $dec_session_key;
unless ( $enc_user && $session_time && $hash ) {
$DEBUG
&& $self->rlog( $r, "Invalid session key specified: $session_key" );
return;
}
my $user = $self->decode_string( $r, $enc_user );
if ( $self->check_expire_time( $r, $session_time ) ) {
$DEBUG
&& $self->rlog( $r, "Expiration time has passed for user '$user'" );
return;
}
my $session_data = $enc_user . ':' . $session_time;
unless ( $hash eq $self->create_hash( $r, $session_data ) ) {
$DEBUG
&& $self->rlog( $r, "Session hash does not match for user '$user'" );
return;
}
return $user;
}
1;
=pod
=head1 NAME
Apache2::AuthCookieLDAP - An Apache2::AuthCookie backend for LDAP based authentication
=head1 VERSION
Version 1.15
=head1 COMPATIBILITY
The version is compatible with Apache2 and mod_perl2
=head1 SYNOPSIS
1. Make sure that your LDAP server is configured and you have access to it
2. In httpd.conf or .htaccess
Apache2::AuthCookie config (check L<Apache2::AuthCookie> documentation for the additional info)
PerlSetVar MyAuthPath /
PerlSetVar MyAuthLoginScript /
PerlSetVar MyAuthLogoutURL http://127.0.0.1
PerlSetVar MyAuthSecure 1
To make "LogoutURL" work you can subclass Apache2::AuthCookieLDAP and provide it with:
sub logout {
    my ( $self, $r ) = @_;
    # Run the parent class's logout handling before preparing the redirect.
    $self->SUPER::logout($r);
    # The redirect target is read from the "<AuthName>LogoutURL" PerlSetVar
    # (MyAuthLogoutURL in the example config), i.e. from server configuration
    # and not from anything supplied in the request.
    my $var_name = $r->auth_name . 'LogoutURL';
    my $target   = $r->dir_config($var_name);
    if ($target) {
        $r->headers_out->set( Location => $target );
        $r->status(Apache2::Const::REDIRECT);
    }
    # NOTE(review): REDIRECT is returned even when no LogoutURL is configured,
    # in which case no Location header was set above - confirm that is intended.
    return Apache2::Const::REDIRECT;
}
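Apache2::AuthCookieLDAP config (example values: generate your own random MyAuth_SecretKey rather than reusing the one shown, and set MyAuth_BindPW to your directory's bind password)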
PerlSetVar MyAuth_SecretKey OGheSWkT1ixd4V0DydSarLVevF77sSibMIoUaIYuQUqp2zvZIwbS4lyWhRTFUcHE
PerlSetVar MyAuth_SessionLifetime 00-24-00-00
PerlSetVar MyAuth_LDAPURI ldap://127.0.0.1
PerlSetVar MyAuth_Base uid=%USER%,ou=staff,dc=company,dc=com
PerlSetVar MyAuth_BindDN cn=ldap,dc=company,dc=com
PerlSetVar MyAuth_BindPW somepassword
PerlSetVar MyAuth_Filter (uid=%USER%)
<Directory /var/www/mysite/protected>
AuthType Apache2::AuthCookieLDAP
AuthName MyAuth
PerlAuthenHandler Apache2::AuthCookieLDAP->authenticate
PerlAuthzHandler Apache2::AuthCookieLDAP->authorize
require valid-user
</Directory>
<Location /login>
SetHandler perl-script
AuthType Apache2::AuthCookieLDAP
AuthName MyAuth
PerlResponseHandler MyAuthCookieLDAP->login
</Location>
<Location /logout>
SetHandler perl-script
AuthType Apache2::AuthCookieLDAP
AuthName MyAuth
PerlResponseHandler Apache2::AuthCookieLDAP->logout
</Location>
=head1 DESCRIPTION
This module acts as an authentication handler in an Apache2 environment.
It uses Apache2::AuthCookie as the base class and serves as a backend to
provide user authentication against an LDAP server.
Make sure that you have got a reachable LDAP server and credentials to access it
(ldapuri, base, binddn/bindpw or anonymous bind).
When there is an attempt to access a "protected" directory or location
that has the 'require valid-user' option set, Apache2::AuthCookieLDAP is used
as the authentication and the authorization handler. It takes the
provided username/password pair and searches for the username in the LDAP directory
(it also applies the filter MyAuth_Filter, for purposes where you want to restrict access
to the resource to only a specific group). If the user is found then it tries
to bind with the provided username/password. Once authorized, a session key
is generated by taking into account the provided username, authorization time
and a hash generated by including a specific logic plus the user's IP address.
Upon completion the session data is encrypted with the secret key (MyAuth_SecretKey)