Apache2-AuthCookieLDAP


lib/Apache2/AuthCookieLDAP.pm  view on Meta::CPAN

      : return NULL;
}

sub ldap {
    my ( $self, $r ) = @_;

    # $ldap_handler is the file-scoped connection cache: a Net::LDAP object
    # once connected, NULL after a failed attempt, undef before the first call.
    return $ldap_handler if $ldap_handler;
    return NULL if defined $ldap_handler;

    my $uri    = $self->config( $r, C_LDAPURI );
    my $binddn = $self->config( $r, C_BINDDN );
    my $bindpw = $self->config( $r, C_BINDPW ) || '';

    # Assign to the outer $ldap_handler: a 'my' here would shadow the cache,
    # so every request would reconnect.  Net::LDAP->new reports its error in $@.
    $ldap_handler = Net::LDAP->new($uri)
      or $self->fatal( $r, "Cannot connect to the LDAP server: $@" );
    unless ($ldap_handler) {
        $ldap_handler = NULL;
        return $ldap_handler;
    }

    # Bind with the service DN/password, or anonymously when no BindDN is set.
    my $msg = $binddn
      ? $ldap_handler->bind( $binddn, password => $bindpw )
      : $ldap_handler->bind();
    if ( $msg->code ) {
        # Do not cache or hand out a connection whose bind failed: it is left
        # anonymous, so every later search would silently run with no credentials.
        $self->fatal( $r, $msg->error );
        $ldap_handler->unbind;
        $ldap_handler = NULL;
        return $ldap_handler;
    }

    return $ldap_handler;
}

sub ldap_search {
    my ( $self, $r, $user ) = @_;

    return NULL unless $self->ldap($r);

    ...

    return $mesg->code ? 0 : $mesg->count;
}

sub ldap_check_user {
    my ( $self, $r, $user, $password ) = @_;

    return NULL unless $self->ldap($r);
    # Reject empty passwords: a simple bind with a DN and no password is an
    # "unauthenticated bind" (RFC 4513, 5.1.2) that many servers accept as
    # anonymous, so is_error would be false without any credential check.
    return 0 unless defined $password && length $password;

    # Escape the username (RFC 4514) before splicing it into the DN, so a
    # value like "alice,ou=admins" cannot redirect the bind to another entry.
    require Net::LDAP::Util;
    my $base = $self->config( $r, C_BASE );
    my $dn   = Net::LDAP::Util::escape_dn_value($user);
    $base =~ s/%USER%/$dn/;

    # Bind on a fresh connection so the cached service-account handle from
    # ldap() does not stay bound as the last user who logged in.
    my $conn = Net::LDAP->new( $self->config( $r, C_LDAPURI ) ) or return 0;
    my $mesg = $conn->bind( $base, password => $password );
    $conn->unbind;
    return $mesg->is_error ? 0 : 1;
}

sub rlog {
    my ( $self, $r, $msg ) = @_;

    $r->log_rerror( Apache2::Log::LOG_MARK(),
        LOG_LEVELS->{ $self->config( $r, C_DEBUG_LOGLEVEL ) },
        APR::Const::SUCCESS, ${self} . ": " . $msg );

    ...

        PerlResponseHandler Apache2::AuthCookieLDAP->logout
    </Location>

=head1 DESCRIPTION

This module acts as an authentication handler in an Apache2 environment.
It uses Apache2::AuthCookie as its base class and serves as a backend that
authenticates users against an LDAP server.

Make sure you have a reachable LDAP server and credentials to access it
(ldapuri, base, binddn/bindpw or anonymous bind).

When a request hits a "protected" directory or location that carries a
'require valid-user' directive, Apache2::AuthCookieLDAP acts as both the
authentication and the authorization handler. It takes the supplied
username/password pair and first searches for the username in the LDAP directory
(applying the MyAuth_Filter filter, which lets you restrict access to the
resource to members of a specific group). If the user is found, it then binds
to the directory with the supplied username/password. Once authenticated, a
session key is generated from the username, the authentication time and a hash
computed by a module-specific scheme that also covers the user's IP address.
The session data is then encrypted with the secret key (MyAuth_SecretKey)
and the corresponding cookie is issued by Apache2::AuthCookie.
Every subsequent request for the protected resource presents the cookie (if one
exists) and the encrypted session key is validated: it is decrypted, the user is
checked, the session time is checked for expiration, and the hash is
regenerated and compared with the one presented.
On success the user is authorized to access the protected resource.
Because the hash covers the client IP, a cookie replayed from another address
fails validation; conversely, a client whose address changes mid-session
(mobile networks, rotating proxies) is logged out.
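The session-key life cycle described above, as an added example that is not part of Apache2::AuthCookieLDAP: the page does not show the module's real key layout or its cipher step (MyAuth_Cipher), so this stands in with an assumed "tag:issued:user" layout, an HMAC-SHA256 tag over username, issue time and client IP, and a constructed secret and lifetime. It uses only core Perl modules and runs offline.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module

# Added example, not the module's own code.  The page describes the session
# key as "username + authentication time + a keyed hash that also covers the
# client IP" but not its exact layout or encryption; this stands in for it
# with an HMAC-SHA256 tag and skips the cipher layer (MyAuth_Cipher).
my $SECRET  = 'stand-in for MyAuth_SecretKey';   # assumed value
my $MAX_AGE = 3600;                              # assumed session lifetime (s)

# Key layout is "tag:issued:user"; the user goes last so it may contain ':'.
sub make_session_key {
    my ( $user, $ip, $now, $secret ) = @_;
    my $tag = hmac_sha256_hex( join( ':', $user, $now, $ip ), $secret );
    return join ':', $tag, $now, $user;
}

# Equality check that does not stop at the first differing byte.
sub const_time_eq {
    my ( $x, $y ) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord( substr $x, $_, 1 ) ^ ord( substr $y, $_, 1 ) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the username on success, undef on expiry, tampering or IP change.
sub validate_session_key {
    my ( $key, $ip, $now, $secret, $max_age ) = @_;
    my ( $tag, $issued, $user ) = split /:/, $key, 3;
    return undef unless defined $user && $issued =~ /^\d+$/;
    return undef if $issued > $now || $now - $issued > $max_age;
    my $expect = hmac_sha256_hex( join( ':', $user, $issued, $ip ), $secret );
    return const_time_eq( $tag, $expect ) ? $user : undef;
}

# Constructed inputs: one issued key, then the checks a validator must fail.
my $now = time;
my $key = make_session_key( 'alice', '203.0.113.7', $now, $SECRET );
( my $tampered = $key ) =~ s/alice$/admin/;   # same tag, different user
print "issued: $key\n";
my @cases = (
    [ 'same IP, fresh', $key,      '203.0.113.7',  $now + 10 ],
    [ 'other IP',       $key,      '198.51.100.9', $now + 10 ],
    [ 'expired',        $key,      '203.0.113.7',  $now + $MAX_AGE + 1 ],
    [ 'user rewritten', $tampered, '203.0.113.7',  $now + 10 ],
);
for my $c (@cases) {
    my ( $name, $k, $ip, $t ) = @$c;
    my $who = validate_session_key( $k, $ip, $t, $SECRET, $MAX_AGE );
    printf "%-16s %s\n", $name, defined $who ? "accepted as $who" : 'rejected';
}
```

Only the first case is accepted; the other three are rejected for the reasons the description lists (IP mismatch, expiry, hash mismatch after tampering). The constant-time comparison is the one detail worth copying into any real validator: a plain `eq` on the tag leaks how many leading bytes matched.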

...


=item C<MyAuth_Base> 

LDAP base DN of the user entry. The '%USER%' macro is replaced at request
time with the username being authenticated.

Example: uid=%USER%,ou=staff,dc=company,dc=com

=item C<MyAuth_BindDN> [optional]

Use the option if your LDAP does not accept anonymous bind 
for search.

Example: cn=ldap,dc=company,dc=com

=item C<MyAuth_BindPW> [optional]

If you set BindDN you will most likely also want to specify the
password to bind with here.

=item C<MyAuth_Cipher> [optional, default: 'des']

The encryption method used for the session key.

Supported methods: 'des', 'idea', 'blowfish', 'blowfish_pp'

Single DES has a 56-bit key and is not considered secure today, so set one of
the other listed ciphers explicitly rather than relying on the default.

=item C<MyAuth_Filter> [optional, default: '(uid=%USER%)']

You can additionally check if a user belongs to a specific group or has 

...

=back

NOTE: Base, BindDN and BindPW can also be read from a file.

Use the following syntax for that:

Example:

PerlSetVar MyAuth_Base file:/etc/ldap_base.conf:^\s*base\s+(.+)\r*\n$

PerlSetVar MyAuth_BindDN file:/etc/pam_ldap.conf:^\s*binddn\s+(.+)\r*\n$

PerlSetVar MyAuth_BindPW file:/etc/pam_ldap.conf:^\s*bindpw\s+(.+)\r*\n$

Format: "file:<filename>:<regular expression>"
    where $1 (the first capture group) becomes the value.

Such a file holds the bind password in clear text, so keep it readable only
by the user Apache runs as.
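A resolver for the file:<filename>:<regular expression> form, added here as an example rather than taken from the module. The page does not show how the module applies the expression; this version assumes it is matched against each line in turn and that $1 from the first matching line is returned. It adds the permission check a practitioner wants on a file holding bindpw, and writes a constructed pam_ldap.conf-style file (with one CRLF line) to show the lookup, including the trailing-CR pitfall of a greedy (.+). resolve_file_value is a hypothetical helper name.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);   # core module

# Added example, not the module's code.  Resolves a "file:<filename>:<regex>"
# value; anything else is returned unchanged.  Assumption: the regex is tried
# against each line and $1 of the first matching line is the value.
sub resolve_file_value {
    my ($value) = @_;
    return $value unless $value =~ /^file:([^:]+):(.+)$/s;
    my ( $file, $re ) = ( $1, $2 );

    # Credentials live here: refuse a file that group or other can read.
    my $mode = ( stat $file )[2];
    die "cannot stat $file: $!" unless defined $mode;
    die sprintf( "%s is readable by group/other (mode %04o)\n", $file, $mode & 07777 )
      if $mode & 0044;

    open my $fh, '<', $file or die "cannot open $file: $!";
    while ( my $line = <$fh> ) {
        return $1 if $line =~ /$re/;
    }
    return undef;   # no line matched
}

# Constructed sample mirroring the /etc/pam_ldap.conf layout; File::Temp
# creates it with mode 0600, so the permission check above passes.
my ( $fh, $path ) = tempfile();
print $fh "# constructed sample\n",
          "base   dc=company,dc=com\n",
          "binddn cn=ldap,dc=company,dc=com\n",
          "bindpw s3cret\r\n";          # CRLF line, as edited on Windows
close $fh;

my @specs = (
    "file:$path:^\\s*binddn\\s+(.+)\\r*\\n\$",     # the page's own pattern
    "file:$path:^\\s*bindpw\\s+(.+)\\r*\\n\$",     # greedy: captures the \r too
    "file:$path:^\\s*bindpw\\s+(.+?)\\r*\\n\$",    # non-greedy: clean password
    'cn=static,dc=company,dc=com',                 # plain value, returned as-is
);
for my $spec (@specs) {
    my $v = resolve_file_value($spec);
    ( my $shown = $v // 'undef' ) =~ s/\r/\\r/g;   # make a stray CR visible
    print "$spec\n  => '$shown'\n";
}

# Loosen the permissions and show the resolver refusing the file.
chmod 0644, $path;
eval { resolve_file_value( $specs[0] ) };
print "refused: $@" if $@;
unlink $path;
```

The second spec prints `'s3cret\r'`: with the greedy `(.+)` from the documented pattern, a CRLF-terminated file leaves a carriage return inside the password and the service bind fails in a way that is hard to spot in logs. The non-greedy `(.+?)` in the third spec avoids it.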

=over 4

=back

=head1 CLASS METHODS

...


Returns the Net::LDAP handle (cached after the first successful call) or NULL if there were errors.

=head2 ldap_search($r, $user)

Performs Net::LDAP->search(base => $base, scope => 'base', filter => $filter)
and returns the number of matching entries (non-zero if the specified $user
was found), or '0' if nothing matched or the search failed.

=head2 ldap_check_user($r, $user, $password)

Performs Net::LDAP->bind($base, password => $password), with %USER% replaced
by $user in $base, and returns '1' if the bind succeeds or '0' otherwise.
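What the %USER% substitution does with hostile input, next to the RFC 4514 (DN) and RFC 4515 (filter) escaping the value should receive before it lands in MyAuth_Base or MyAuth_Filter. This is an added example, not the module's code; it assumes Net::LDAP::Util from perl-ldap (which Net::LDAP already brings in), reuses the MyAuth_Base example from the option list and the default MyAuth_Filter, and the substitute_* helpers are hypothetical names.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP::Util qw(escape_dn_value escape_filter_value);   # from perl-ldap

# Added example, not code from Apache2::AuthCookieLDAP.  The raw substitution
# mirrors s/%USER%/$user/ as seen in ldap_check_user; the two "safe" variants
# apply the escaping appropriate to where the value ends up.
my $base_tpl   = 'uid=%USER%,ou=staff,dc=company,dc=com';   # MyAuth_Base example
my $filter_tpl = '(uid=%USER%)';                             # MyAuth_Filter default

sub substitute_raw {
    my ( $tpl, $user ) = @_;
    ( my $out = $tpl ) =~ s/%USER%/$user/;
    return $out;
}

sub substitute_dn {            # for a DN template such as MyAuth_Base
    my ( $tpl, $user ) = @_;
    my $safe = escape_dn_value($user);       # RFC 4514: , + " \ < > ; # = ...
    ( my $out = $tpl ) =~ s/%USER%/$safe/;
    return $out;
}

sub substitute_filter {        # for a search filter such as MyAuth_Filter
    my ( $tpl, $user ) = @_;
    my $safe = escape_filter_value($user);   # RFC 4515: * ( ) \ NUL -> \xx
    ( my $out = $tpl ) =~ s/%USER%/$safe/;
    return $out;
}

# Constructed usernames: a normal one, a DN-shaped one that tries to bind
# against an entry under a different OU, and a filter-shaped one that turns
# the equality match into a wildcard so the "user exists" search always hits.
for my $user ( 'alice', 'alice,ou=admins', '*)(uid=*' ) {
    print "user: $user\n";
    printf "  raw  DN:     %s\n", substitute_raw( $base_tpl, $user );
    printf "  safe DN:     %s\n", substitute_dn( $base_tpl, $user );
    printf "  raw  filter: %s\n", substitute_raw( $filter_tpl, $user );
    printf "  safe filter: %s\n", substitute_filter( $filter_tpl, $user );
}
```

With the raw substitution the second username yields a DN whose RDN sequence now passes through ou=admins, and the third yields a filter that matches every entry; the escaped forms keep both as a single, literal uid value. Escaping does not replace the empty-password check: a correctly escaped DN bound with no password is still an unauthenticated bind.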

=head2 rlog($r, $msg)

Logs $msg using $r->log_rerror and the current debug log level.

=head2 fatal($r, $msg)

Logs $msg using $r->log_rerror and the current error log level.


