##@file
# SSL authentication backend file
##@class
# SSL authentication backend class
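package Lemonldap::NG::Portal::AuthSSL;

# The SSL backend is the LDAP backend plus a certificate short-cut: when
# Apache exports a verified client certificate, the user is taken from it and
# the LDAP bind is skipped; otherwise AuthLDAP does the work.
use strict;
use warnings;    # surfaces "uninitialized value" mistakes in the filter/log strings
use Lemonldap::NG::Portal::Simple;
use Lemonldap::NG::Portal::AuthLDAP;
use base qw(Lemonldap::NG::Portal::AuthLDAP);

our $VERSION = '0.2';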
## @apmethod int authInit()
# Fill in the defaults of the SSL parameters (SSLRequire, SSLVar and
# SSLLDAPField) that the configuration did not provide.
# @return Lemonldap::NG::Portal constant
sub authInit {
    my $self = shift;

    # Only an undefined value means "not configured": an explicit 0 must keep
    # the certificate requirement disabled, so a plain ||= would be wrong here.
    unless ( defined $self->{SSLRequire} ) {
        $self->{SSLRequire} = 1;
    }

    # Environment variable holding the certificate field, and the LDAP
    # attribute it is matched against.
    $self->{SSLVar}       ||= 'SSL_CLIENT_S_DN_Email';
    $self->{SSLLDAPField} ||= 'mail';

    return PE_OK;
}
# Authentication is performed by Apache (mod_ssl) before the LDAP directory is
# searched, so authenticate() is overridden to return PE_OK for users who were
# authenticated by their certificate.
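## @apmethod int extractFormInfo()
# Read the user name from the SSL environment variable named by SSLVar.
# When the request came through HTTPS and the variable is set, the user is
# taken from the certificate and an LDAP filter on SSLLDAPField is prepared.
# When the variable is not set and SSLRequire is not set to 1,
# Lemonldap::NG::Portal::AuthLDAP::extractFormInfo() is called (login form);
# otherwise an error is returned.
# @return Lemonldap::NG::Portal constant
sub extractFormInfo {
    my $self = shift;

    # The certificate field is only read when the request came over SSL; on a
    # plain HTTP request whatever the environment contains is ignored.
    # NOTE(review): this relies on mod_ssl exporting SSL_CLIENT_* only for a
    # certificate it verified (SSLVerifyClient optional/require) — confirm the
    # vhost does not use optional_no_ca.
    my $user = $self->https ? $ENV{ $self->{SSLVar} } : 0;

    if ($user) {
        $self->{user} = $user;

        # The field is interpolated into an LDAP search filter, so the
        # characters reserved by RFC 4515 ('*', '(', ')', '\' and NUL) are
        # escaped first: a subject field containing '*' or ')' would otherwise
        # widen or break the search. $self->{user} keeps the raw value.
        my $filter_value = _escape_ldap_filter_value($user);
        $self->{AuthLDAPFilter} ||=
            '(&(' . $self->{SSLLDAPField}
          . "=$filter_value)(objectClass=inetOrgPerson))";
        return PE_OK;
    }
    elsif ( $self->{SSLRequire} ) {
        $self->_sub( 'userError',
            "No certificate found for $ENV{REMOTE_ADDR}" );
        return PE_CERTIFICATEREQUIRED;
    }

    # No certificate and certificates are optional: clear the filter
    # (presumably so the parent class builds its own) and fall back to the
    # LDAP login form.
    $self->{AuthLDAPFilter} = '';
    return $self->SUPER::extractFormInfo(@_);
}

## @fn private string _escape_ldap_filter_value(string value)
# Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
# @param value raw attribute value
# @return escaped value
sub _escape_ldap_filter_value {
    my ($value) = @_;

    # One pass handles the backslash itself, so no ordering problem.
    ( my $escaped = $value ) =~ s/([\\*()\x00])/sprintf( '\\%02x', ord $1 )/ge;
    return $escaped;
}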
## @apmethod int setAuthSessionInfo()
# Store the certificate login as _user and mark the session as authenticated
# by SSL (authenticationLevel 5).
# @return Lemonldap::NG::Portal constant
sub setAuthSessionInfo {
    my $self = shift;

    # Keep the login read from the certificate so that basic rules can use it.
    $self->{sessionInfo}{_user} = $self->{user};

    # Level 5 is the SSL level; authenticate() relies on it to skip the
    # parent class authentication.
    $self->{sessionInfo}{authenticationLevel} = 5;

    return PE_OK;
}
## @apmethod int authenticate()
# Call Lemonldap::NG::Portal::AuthLDAP::authenticate() only if the user was
# not authenticated by SSL (authenticationLevel above 4).
# @return Lemonldap::NG::Portal constant
sub authenticate {
    my $self  = shift;
    my $level = $self->{sessionInfo}{authenticationLevel};

    # A level above 4 (e.g. the 5 set by setAuthSessionInfo() for a
    # certificate login) means there is nothing more to check.
    return PE_OK if $level and $level > 4;

    return $self->SUPER::authenticate(@_);
}
1;    # a module must end with a true value
__END__

=encoding utf8

=head1 NAME

Lemonldap::NG::Portal::AuthSSL - Perl extension for building Lemonldap::NG
compatible portals with SSL authentication.

=head1 SYNOPSIS

With Lemonldap::NG::Portal::SharedConf, set the authentication field to "SSL" in
the configuration database.

With Lemonldap::NG::Portal::Simple:

  use Lemonldap::NG::Portal::Simple;
  my $portal = Lemonldap::NG::Portal::Simple->new(
      domain               => 'example.com',
      globalStorage        => 'Apache::Session::MySQL',
      globalStorageOptions => {
          DataSource => 'dbi:mysql:database',
          UserName   => 'db_user',
          Password   => 'db_password',
          TableName  => 'sessions',
      },
      ldapServer           => 'ldap.domaine.com',
      securedCookie        => 1,
      authentication       => 'SSL',

      # SSLVar: field to search in client certificate
      # default: SSL_CLIENT_S_DN_Email the mail address
      SSLVar               => 'SSL_CLIENT_S_DN_CN',

      # SSLLDAPField: field to use in ldap filter to search SSLVar
      # default: mail
      SSLLDAPField         => 'cn',

      # SSLRequire: if set to 1, login/password are disabled
      # default: 1
      SSLRequire           => 1,
  );
  if($portal->process()) {
      # Write here the menu with CGI methods. This page is displayed ONLY IF
      # the user was not redirected here.
      print $portal->header('text/html; charset=utf8'); # DON'T FORGET THIS (see CGI(3))
      print "...";

      # or redirect the user to the menu
      print $portal->redirect( -uri => 'https://portal/menu');
  }
  else {
      # If the user enters here, IT MEANS THAT YOUR SSL PARAMETERS ARE BAD
      print $portal->header('text/html; charset=utf8'); # DON'T FORGET THIS (see CGI(3))
      print "<html><body><h1>Unable to work</h1>";
      print "This server isn't well configured. Contact your administrator.";
      print "</body></html>";
  }

Modify your httpd.conf:

  <Location /My/File>
    # use 'require' instead of 'optional' if login/password are disabled
    SSLVerifyClient optional
    SSLOptions +StdEnvVars
  </Location>

=head1 DESCRIPTION

This library just overloads a few methods of Lemonldap::NG::Portal::Simple to use
the Apache SSLv3 mechanism: it only has to verify that
C<$ENV{SSL_CLIENT_S_DN_Email}> exists. So remember to export the SSL variables
to CGI.

The SSLRequire parameter selects whether users are authenticated by SSL only or
may also fall back to an LDAP bind.
If SSL is used, authenticationLevel is set to 5. You can use this value in
L<Lemonldap::NG::Handler> rules to force users to use certificates in some
applications:

  virtualHost1 => {
    'default' => '$authenticationLevel >= 5 and $uid eq "jeff"',
  },

Note that you can use Apache SSL environment variables in "exported variables".

See L<Lemonldap::NG::Portal::Simple> for usage and other methods.

=head1 SEE ALSO

L<Lemonldap::NG::Portal>, L<Lemonldap::NG::Portal::Simple>,
http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation

=head1 AUTHOR

Xavier Guimard, E<lt>x.guimard@free.frE<gt>

=head1 BUG REPORT

Use the OW2 system to report bugs or ask for features:
L<http://forge.objectweb.org/tracker/?group_id=274>

=head1 DOWNLOAD

Lemonldap::NG is available at
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>

=head1 COPYRIGHT AND LICENSE

Copyright (C) 2005-2007 by Xavier Guimard E<lt>x.guimard@free.frE<gt>

This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version 5.8.4 or,
at your option, any later version of Perl 5 you may have available.

=cut