}
return undef;
}
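sub check_credentials {
    my ($self, $user, $password) = @_;

    # Reject an empty or undefined password before touching the directory.
    # A simple bind with a DN but no password is an *unauthenticated* bind
    # (RFC 4513 section 5.1.2); directories that allow it report success,
    # which would otherwise look like a valid login for any cached user.
    return 0 unless defined $password && length $password;

    # 1) check the LDAP cache for the user's entry (avoids an anonymous search)
    # 2) if not in cache, run a search and cache the result
    #    (presumably handled by ldap_cache -- not visible here)
    # 3) lastly, bind as that entry's DN with the supplied password
    my $entry = $self->ldap_cache($user) or return 0;

    # NOTE(review): ldap() is assumed to be a Net::LDAP handle, whose bind()
    # returns a message object; the `or die` only fires on a false return.
    my $mesg = $self->ldap->bind($entry->dn(), password => $password)
        or die "$@";

    # Only a bind without an LDAP error code counts as a successful login.
    return $mesg->is_error() ? 0 : 1;
}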
sub ldap_attribute {
if (!$row && !$cache_stmt) {
return undef;
}
# Store and return stmt result
return $_stmt_cache->set($cache_stmt, $row);
}
sub stmt_cache {
my ($self, $stmt, @bind) = @_;
if (!$stmt) {
return undef;
}
my $cache_stmt = join($CACHE_ENTRY_DELIMITER, $stmt, @bind);
# Retrieve
my $cached_entry = $_stmt_cache->get($cache_stmt);
if ($cached_entry) {
return $cached_entry;
}
my $dbh = $self->dbh;
my $row = eval {
$dbh->selectrow_arrayref($stmt, undef, @bind);
};
if ($@) {
$dbh->rollback;
die $@;
}
if ($row) {
return $self->stmt_cache_set($cache_stmt, $row);
}
}
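sub fetch_secret {
    my ($self, $version) = @_;

    my ($secret_table, $secret_field, $secret_version_field) = $self->secret_table;

    # generate SQL: a specific version when asked for, else the newest one.
    # A `my` declaration under a statement modifier has undefined behaviour
    # in Perl, so the WHERE hash is built with a conditional expression.
    my @fields = ($secret_field, $secret_version_field);
    my %where  = defined $version ? ($secret_version_field => $version) : ();
    my $order  = " $secret_version_field DESC ";
    my ($stmt, @bind) = $self->sql->select($secret_table, \@fields, \%where, $order);

    # SQL::Abstract is quoting the version number. DBD::Informix doesn't like that.
    # Use `defined` so the bind list matches the WHERE clause built above.
    @bind = ($version) if defined $version;

    # Originally, had DESC LIMIT 1, which Informix doesn't support.
    $stmt =~ s/SELECT/SELECT FIRST 1/;

    # Using our statement cache. A miss yields an empty list instead of
    # dying on an undef array dereference (same guard as is_hash_valid).
    my $row = $self->stmt_cache($stmt, @bind) || [];
    return @{$row};
}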
sub is_hash_valid {
    my ($self, $hash) = @_;

    my ($table, $tick_field, $ts_field) = $self->ticket_table;
    my ($query, @bind) = $self->sql->select(
        $table, [ $tick_field, $ts_field ], { $tick_field => $hash },
    );

    # Go through the statement cache; a miss is treated as an empty row.
    my $row = $self->stmt_cache($query, @bind) || [];
    my ($stored_hash, $stored_ts) = @{$row};

    # Remember the stored timestamp so later threshold checks can reuse it.
    $self->{DBTicketTimeStamp} = $stored_ts if $stored_ts;

    return 0 unless defined $stored_hash;
    return $stored_hash eq $hash ? 1 : 0;
}
sub _update_ticket_timestamp {
my ($self, $hash) = @_;
# If the difference between the old timestamp and the new one is not
# above the threshold, return. Reduces database updates.
if ($threshold && $time - $db_time < $threshold) {
return;
}
my $dbh = $self->dbh;
my ($table, $tick_field, $ts_field) = $self->ticket_table;
my ($query, @bind) = $self->sql->update($table,
{$ts_field => $time},
{$tick_field => $hash});
eval {
my $sth = $dbh->do($query, undef, @bind);
$dbh->commit unless $dbh->{AutoCommit};
};
if ($@) {
$dbh->rollback;
die $@;
}
}
# We use a local connection, so a username/password is not required.
# This method has to be overridden to make that happen.
3) Support "require ldap_attribute myAttrib=Foo"
4) TicketThreshold: Only update the database when a ticket timestamp is at least
X seconds old. This reduces the number of database updates.
Keep in mind that the mmap caching will make apache processes look huge. It is
an illusion -- cached files are only mapped into memory once.
LDAP authentication processing works similarly to mod_ldap/mod_authnz_ldap.
1) An anonymous search looks up a user on the LDAP server.
Returns 403 if unsuccessful. Otherwise, the entry is cached.
2) The DN of that user's LDAP entry and the password are used to bind to
the server. Returns 403 if unsuccessful, OK if successful.
On the database side, everything works the same as I<Apache2::AuthTicket> except
that users are authenticated and authorized with LDAP instead.
Authorization works similarly to mod_ldap/mod_authnz_ldap.
1) B<require valid-user> works as usual.
2) B<require ldap-attribute> was changed to B<require ldap_attribute> (note
the underscore).
a) The cache is checked for an LDAP entry for the user.