Apache2-AuthZSympa


lib/Apache2/AuthZSympa.pm

This module is an authorization handler for Apache 2. Its authorization method relies on mailing list membership; it is designed for the Sympa mailing list software (http://sympa.org). This authorization handler has been initially designed to work with...

=over

=item *
Apache2::AuthNSympa (default)

=item *
SSL authentication (mod_ssl)

=item *
CAS authentication (mod_cas)

=item *
Shibboleth authentication (mod_shib)

=back 

This module needs the associated authentication handler to provide a trusted user email address; that email address is later used to query list membership. Because some authentication modules (CAS) don't provide the user email address, the autho...



=head1 GENERAL CONFIGURATION TIPS

Regardless of which authentication module is used, the following rules are needed in your Apache configuration file:

=over 

=item *
URL of your Sympa SOAP server

=item *
list of mailing lists for which the user has to be a member

=item *
handler calling rule

=item *
optionally, because SOAP can be slow, a cache server based on memcached (http://www.danga.com/memcached/)

=back

Of course, your mod_perl2 Apache module has to be correctly configured.

For example, in a location section of your Apache configuration file, you have to put the following rules:

    # URL of the Sympa SOAP server
    PerlSetVar SympaSoapServer http://mysympa.server/soap
    PerlAuthzHandler Apache2::AuthZSympa
    # lists the user has to be a member of (membership of at least one of them is enough)
    require SympaLists sympa-users@demo.sympa.org,sympa-test@demo.sympa.org
    # address of the memcached cache server (optional)
    PerlSetVar MemcachedServer 10.219.213.24:11211
    # cache expiration time in seconds for the cache server (default 1800)
    PerlSetVar CacheExptime 3600

We provide a working example of a web page whose access is restricted to members of the test@cru.fr mailing list only. You should subscribe to the test mailing list if you wish to try it: http://listes.cru.fr/sympa/info/test

The following page will request your email address and Sympa password : http://www.cru.fr/demo_authsympa/



=head1 SYMPA AUTHENTICATION MODULE

It is based on basic HTTP authentication (popup on the client side). Once the user has authenticated, the REMOTE_USER environment variable contains the user email address. The authentication module implements a SOAP client that validates ...
Example:

    <Directory "/var/www/somewhere">
    AuthName SympaAuth
    AuthType Basic
    PerlSetVar SympaSoapServer http://mysympa.server/soap
    PerlAuthenHandler Apache2::AuthNSympa
    PerlAuthzHandler Apache2::AuthZSympa
    require valid-user
    require SympaLists sympa-users@demo.sympa.org,sympa-test@demo.sympa.org
    </Directory>



=head1 SSL AUTHENTICATION

Mod_ssl can be used to do the user authentication, based on user client certificates. Your mod_ssl configuration should look like this:

=over

=item *
SSLCACertificateFile # or SSLCACertificatePath

=item *
SSLRequireSSL # so that SSL cannot be disabled for the protected location

=item *
SSLVerifyClient require

=item *
AuthType SSL


=back

Because Apache does not consider mod_ssl an authentication handler, an authentication handler must still be added. We recommend calling Apache2::AuthNSympa because it is bypassed if "AuthType" is different from "Sympa".
The authentication handler will get the expected user email address extracted from the certificate.

Example:

    <Directory "/var/www/somewhere">
    SSLVerifyClient require 
    SSLRequireSSL 
    SSLOptions +StdEnvVars
    AuthType SSL
    PerlSetVar SympaSoapServer http://mysympa.server/soap
    PerlAuthenHandler Apache2::AuthNSympa
    PerlAuthzHandler Apache2::AuthZSympa
    require SympaLists sympa-users@demo.sympa.org,sympa-test@demo.sympa.org
    </Directory>
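The authorization decision that the Basic and SSL examples above configure, written out as an added mod_perl2 handler for illustration (this is not the Apache2::AuthZSympa source): it collects the lists named by "require SympaLists", takes the email address only from the authentication step (REMOTE_USER, or the verified client certificate when AuthType is SSL), consults memcached before the Sympa SOAP server, and refuses access when the lookup fails instead of failing open. The package name, the SOAP method "amI" and the "urn:sympasoap" namespace are assumptions.

```perl
package Example::AuthZSympaLists;   # hypothetical name; not the Apache2::AuthZSympa source
use strict; use warnings;
use Apache2::RequestRec ();         # $r->user, $r->subprocess_env
use Apache2::RequestUtil ();        # $r->dir_config
use Apache2::Access ();             # $r->requires, $r->auth_type
use Apache2::Log (); use APR::Table ();
use Apache2::Const -compile => qw(OK DECLINED HTTP_FORBIDDEN HTTP_INTERNAL_SERVER_ERROR);
use SOAP::Lite;
use Cache::Memcached;
sub handler {
    my $r = shift;
    # Collect the lists from "require SympaLists a,b": membership of ANY one of them is enough.
    my @lists;
    for my $req (@{ $r->requires || [] }) {
        my ($kind, $arg) = split /\s+/, $req->{requirement}, 2;
        next unless defined $arg && lc($kind) eq 'sympalists';
        push @lists, grep { length } split /\s*,\s*/, $arg;
    }
    return Apache2::Const::DECLINED unless @lists;   # no SympaLists requirement: not our decision
    # Email only from the trusted authentication step: REMOTE_USER, or for "AuthType SSL" the
    # Subject DN of a client certificate that mod_ssl verified (needs "SSLOptions +StdEnvVars").
    my $email = $r->user;
    if (!$email && ($r->auth_type || '') eq 'SSL') {
        my $env = $r->subprocess_env;
        $email = $env->get('SSL_CLIENT_S_DN_Email') if ($env->get('SSL_CLIENT_VERIFY') || '') eq 'SUCCESS';
    }
    return Apache2::Const::HTTP_FORBIDDEN unless $email && $email =~ /^[^\s@,]+@[^\s@,]+$/;
    my $soap_url = $r->dir_config('SympaSoapServer');
    unless ($soap_url) { $r->log_error('SympaSoapServer is not set'); return Apache2::Const::HTTP_INTERNAL_SERVER_ERROR }
    my $ttl   = $r->dir_config('CacheExptime') || 1800;   # same default as documented above
    my $cache = $r->dir_config('MemcachedServer')
        ? Cache::Memcached->new({ servers => [ $r->dir_config('MemcachedServer') ] }) : undef;
    for my $list (@lists) {
        my $key    = join ':', 'sympa-authz', $list, lc $email;   # no whitespace: a valid memcached key
        my $member = $cache ? $cache->get($key) : undef;
        unless (defined $member) {
            # Sympa's SOAP amI(list, function, email) and the urn:sympasoap namespace are assumed here.
            my $som = eval { SOAP::Lite->uri('urn:sympasoap')->proxy($soap_url)->amI($list, 'subscriber', $email) };
            if ($@ || !$som || $som->fault) {
                $r->log_error("Sympa SOAP lookup failed for $list: " . ($@ || 'SOAP fault'));
                return Apache2::Const::HTTP_INTERNAL_SERVER_ERROR;   # fail closed, never fail open
            }
            my $res = $som->result; $member = (defined $res && $res ne 'false' && $res) ? 1 : 0;
            $cache->set($key, $member, $ttl) if $cache;   # cache negative answers too
        }
        return Apache2::Const::OK if $member;
    }
    $r->log_error("$email is not a member of any of: @lists");
    return Apache2::Const::HTTP_FORBIDDEN;
}
1;
```

Wire it in with "PerlAuthzHandler Example::AuthZSympaLists" in place of the module's own handler line if you want to experiment with it.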



=head1 CAS AUTHENTICATION 

CAS is a web single sign-on software, developed by Yale University: http://www.ja-sig.org/products/cas/

CAS does not provide any email address. Therefore the authorization module first queries an LDAP directory to get the user email address from the user's UID.



