Apache2-AuthCookieLDAP
view release on metacpan - search on metacpan
view release on metacpan or search on metacpan
lib/Apache2/AuthCookieLDAP.pm view on Meta::CPAN
Apache2::AuthCookie config (check L<Apache2::AuthCookie> documentation for the additional info)
PerlSetVar MyAuthPath /
PerlSetVar MyAuthLoginScript /
PerlSetVar MyAuthLogoutURL http://127.0.0.1
PerlSetVar MyAuthSecure 1
To make "LogoutURL" working you can subsclass Apache2::ApacheCookieLDAP and provide it with:
sub logout {
my ( $self, $r ) = @_;
$self->SUPER::logout($r);
my $logout_url = $r->dir_config( $r->auth_name . 'LogoutURL' );
if ($logout_url) {
$r->headers_out->set( Location => $logout_url );
$r->status(Apache2::Const::REDIRECT);
}
return Apache2::Const::REDIRECT;
}
Apache2::AuthCookieLDAP config
PerlSetVar MyAuth_SecretKey OGheSWkT1ixd4V0DydSarLVevF77sSibMIoUaIYuQUqp2zvZIwbS4lyWhRTFUcHE
PerlSetVar MyAuth_SessionLifetime 00-24-00-00
PerlSetVar MyAuth_LDAPURI ldap://127.0.0.1
PerlSetVar MyAuth_Base uid=%USER%,ou=staff,dc=company,dc=com
PerlSetVar MyAuth_BindDN cn=ldap,dc=company,dc=com
PerlSetVar MyAuth_BindPW somepassword
PerlSetVar MyAuth_Filter (uid=%USER%)
<Directory /var/www/mysite/protected>
AuthType Apache2::AuthCookieLDAP
AuthName MyAuth
PerlAuthenHandler Apache2::AuthCookieLDAP->authenticate
PerlAuthzHandler Apache2::AuthCookieLDAP->authorize
require valid-user
</Directory>
<Location /login>
SetHandler perl-script
AuthType Apache2::AuthCookieLDAP
AuthName MyAuth
PerlResponseHandler MyAuthCookieLDAP->login
</Location>
<Location /logout>
SetHandler perl-script
AuthType Apache2::AuthCookieLDAP
AuthName MyAuth
PerlResponseHandler Apache2::AuthCookieLDAP->logout
</Location>
=head1 DESCRIPTION
This module acts as an authentication handler under Apache2 environment.
It uses Apache2::AuthCookie as the base class and serves as a backend to
provide user authentication against an LDAP server.
Make sure that you have got a reachable LDAP server and credentials to access it
(ldapuri, base, binddn/bindpw or anonymous bind).
When there is an attempt to access a "protected" directory or location
that has 'require valid-user' option included Apache2::AuthCookieLDAP is used
as the authentication and the authorization handler. It takes a pair of
provided username/password and tries to search the username in the LDAP directory
(it also uses the filter MyAuth_Filter, for puropses where you want to restrict access
to the resource to only a specific group). If the user is found then it tries
to bind with the provided username/password. Once authorized a session key
is generated by taking into account the provided username, authorization time
and a hash generated by including a specific logic plus the user's IP address.
Upon completion the session data is encrypted with the secret key (MyAuth_SecretKey)
and the according cookie is generated by Apache2::AuthCookie.
All the following requests to the protected resource take the cookie (if exists)
and the encrypted session key is validated (decrypted, the user is checked,
the session time is checked for expiration and the hash is regenerated
and compared with the provided one).
Upon success the user is authorized to access the protected resource.
Should you require any additional information how the cookies logic works
please check L<Apache2::AuthCookie> documentation.
=head1 APACHE CONFIGURATION DIRECTIVES
All the configuration directives as used in the following format:
PerlSetVar "AuthName""DirectiveName"
So if your have:
<Directory /var/www/mysite/protected>
AuthType Apache2::AuthCookieLDAP
AuthName WhateverAuthName
...
Then the directive name for you will be (for instance):
PerlSetVar WhatEverAuthName_SecretKey
=over 4
=item C<MyAuth_SecretKey>
Use your own secret key !!!DONT USE THE ONE FROM THE EXAMPLE!!!
=item C<MyAuth_SessionLifetime> [optional, default: 00-24-00-00]
Format is: days-hours-minutes-seconds or 'forever' for endless sessions
=item C<MyAuth_LDAPURI>
Your LDAP server URI
Format: ldap://127.0.0.1 or ldap://myldaphost
Use ldaps:// for secure connections (if your LDAP server supports it)
=item C<MyAuth_Base>
LDAP Base. Please note that '%USER%' macro is substituted in the request
view all matches for this distributionview release on metacpan - search on metacpan
( run in 0.767 second using v1.00-cache-2.02-grep-82fe00e-cpan-2c419f77a38b )