Apache-AuthLDAPBind
Apache-AuthLDAPBind
This is an authentication module for Apache 1.3 (and mod_perl) that
authenticates a user to an LDAP server by binding as that user with
the password the user supplied. If the bind succeeds, the user is
authenticated; if not, authentication fails.
This is much more secure than the usual method of fetching the user's
password hash from the directory and checking the password against it:
the hash never leaves the LDAP server, so it cannot be observed in
transit (or, worse, simply pulled out of the LDAP database by an
attacker with read access), and the web server never computes a hash
at all, so it cannot miscompute one (password hashes come in a variety
of algorithms, and the client would have to match the server's exactly).
Since passwords are being sent to the LDAP server over the network,
lib/Apache/AuthLDAPBind.pm
package Apache::AuthLDAPBind;
use warnings;
use strict;
use Net::LDAP;
use Apache::Constants qw(:common);
=head1 NAME
Apache::AuthLDAPBind - Authenticates a user to Apache by binding to an
LDAP server as that user.
=head1 VERSION
Version 0.02
=cut
our $VERSION = '0.02';
=head1 SYNOPSIS
This is an authentication module for Apache 1.3 (and mod_perl) that
authenticates a user to an LDAP server by binding as that user with
the password the user supplied. If the bind succeeds, the user is
authenticated; if not, authentication fails.
This is much more secure than the usual method of fetching the user's
password hash from the directory and checking the password against it:
the hash never leaves the LDAP server, so it cannot be observed in
transit (or, worse, simply pulled out of the LDAP database by an
attacker with read access), and the web server never computes a hash
at all, so it cannot miscompute one (password hashes come in a variety
of algorithms, and the client would have to match the server's exactly).
Since passwords are being sent to the LDAP server over the network,
lib/Apache/AuthLDAPBind.pm (further excerpt)
    # Reject only a missing or empty password. The original numeric test
    # would warn under "use warnings" and mis-handle "0"; passwords such as
    # "0", "000000" or "0e0" are legitimate and must not lock the user out.
    if (!defined $sent_password || $sent_password eq '') {
        $r->note_basic_auth_failure;
        $r->log_reason("user $username: no password supplied", $r->uri);
        return AUTH_REQUIRED;
    }
    my $ok;
    eval {
        $ok = _bind_ldap($ldap_server, $ldap_port, $base_dn, $uid_attr,
                         $username, $sent_password);
    };
    $ok = 0 if $@;
    if (!$ok) {
        $r->note_basic_auth_failure;
        if (!$@) {
            $r->log_reason("user $username: ".
                           "password incorrect or user not in LDAP",
                           $r->uri);
lib/Apache/AuthLDAPBind.pm (further excerpt)
    my $base_dn  = $r->dir_config('ldap_base_dn')  || "";
    my $uid_attr = $r->dir_config('ldap_uid_attr') || "uid";
    die "_get_ldap_vars not correctly invoked: must be invoked in array context"
        unless wantarray;
    return ($ldap_server, $ldap_port, $base_dn, $uid_attr);
}
# returns false if login fails, true if login succeeds. dies on errors.
use Net::LDAP::Util qw(escape_dn_value);
sub _bind_ldap {
    my ($ldap_server, $ldap_port, $base_dn, $uid_attr, $username, $password) = @_;
    # prevent anonymous and unauthenticated binds: a bind with a DN but an
    # empty password is an "unauthenticated" bind (RFC 4513) that many
    # servers report as successful, so it must never reach the server
    if (!defined $username || $username eq '' ||
        !defined $password || $password eq '') {
        die "null or empty username/password passed to _bind_ldap!";
    }
    my $ldap = Net::LDAP->new("$ldap_server".
                              ((defined $ldap_port) ? ":$ldap_port" : ""))
        or die "cannot connect to LDAP server $ldap_server: $@";
    # the password travels to the server in the clear unless TLS is
    # negotiated, so refuse to bind if start_tls fails instead of
    # silently continuing without it
    my $mesg = $ldap->start_tls();
    die "start_tls failed: ".$mesg->error if $mesg->code;
    # escape the username (RFC 4514) so a value such as "jon,ou=admins"
    # cannot rewrite the DN being bound
    $mesg = $ldap->bind("$uid_attr=".escape_dn_value($username).",$base_dn",
                        password => $password);
    $ldap->unbind; # take down session
    $mesg->code && return 0; # failed
    return 1; # passed
}
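The two guards in this module, the "no password supplied" check in the handler and the null check at the top of _bind_ldap, together with the way the bind DN is spliced from the username, are where a bind-as-user authenticator goes wrong in practice. The following is an added example of that logic written for this page; it is not code from Apache::AuthLDAPBind, and it is in Python rather than Perl so that it runs stand-alone without an LDAP server. The function names and the constructed inputs are the editor's own. It goes beyond the module in two respects: the username is escaped per RFC 4514 before it is placed in the DN, so a value such as `jon,ou=admins` cannot rewrite the DN, and an empty password is refused before any request is built, because an LDAP bind with a name and an empty password is an unauthenticated bind (RFC 4513) that a server may report as successful.

```python
"""Bind-DN construction and password guard for a bind-as-user LDAP
authenticator.  Added example for this page; not Apache::AuthLDAPBind code.
"""
from typing import Optional


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside an RFC 4514 DN string.

    Backslash-escapes the DN metacharacters  " + , ; < > \\ =  anywhere,
    a leading '#', a leading or trailing space, and control characters as
    \\XX hex pairs, so the value can only ever be read as one RDN value.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\=':
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ord(ch) < 0x20:
            out.append('\\%02X' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def password_is_usable(password: Optional[str]) -> bool:
    """True unless the password is missing or empty.

    '0', '000000' and '0e0' are legitimate passwords; only None and ''
    are rejected, since a bind with an empty password is an
    unauthenticated bind and must never reach the server.
    """
    return password is not None and password != ''


def bind_dn(uid_attr: str, username: str, base_dn: str) -> str:
    """Build the DN the authenticator binds as, with the username escaped."""
    if not username:
        raise ValueError('empty username')
    return f'{uid_attr}={escape_dn_value(username)},{base_dn}'


def prepare_bind(uid_attr: str, base_dn: str,
                 username: Optional[str], password: Optional[str]) -> str:
    """Validate the supplied credentials and return the DN to bind with.

    Raises ValueError instead of binding when either value is missing, so
    the caller can log "no password supplied" and return AUTH_REQUIRED
    without ever sending an anonymous or unauthenticated bind.
    """
    if not username:
        raise ValueError('no username supplied')
    if not password_is_usable(password):
        raise ValueError('no password supplied')
    return bind_dn(uid_attr, username, base_dn)


def refuses(uid_attr: str, base_dn: str,
            username: Optional[str], password: Optional[str]) -> bool:
    """True if prepare_bind rejects these credentials before any bind."""
    try:
        prepare_bind(uid_attr, base_dn, username, password)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    # Constructed inputs for illustration (hypothetical directory).
    base = 'ou=people,dc=example,dc=com'
    print(prepare_bind('uid', base, 'jon', '000000'))
    # Without escaping this username would bind as uid=jon,ou=admins,...
    print(prepare_bind('uid', base, 'jon,ou=admins', 's3cret'))
    for bad in (None, ''):
        print('refused empty password:', refuses('uid', base, 'jon', bad))
```

The escaping mirrors what Net::LDAP::Util's escape_dn_value does on the Perl side; the point of doing it before the bind, rather than relying on the server to reject an odd DN, is that the authenticator, not the directory, decides which entry a given username may bind as.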
=head1 AUTHOR
Jonathan T. Rockway, C<< <jon-cpan@jrock.us> >>
=head1 BUGS
Please report any bugs or feature requests to
C<bug-apache-authldapbind@rt.cpan.org>, or through the web interface at
L<http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Apache-AuthLDAPBind>.
I will be notified, and then you'll automatically be notified of progress on
your bug as I make changes.
=head1 COPYRIGHT & LICENSE
Copyright 2005 Jonathan T. Rockway, all rights reserved.
This program is free software; you can redistribute it and/or modify it
under the same terms as Perl itself.