LEMONLDAP::NG : New features :
* new logout system: URL interception can now be configured in Manager interface
* TLS can now be used in LDAP connexions
This commit is contained in:
Xavier Guimard
parent
bcf560cb13
commit
621afef56b
|
|
@ -9,7 +9,7 @@ print $cgi->start_html( 'Page protected by Lemonldap::NG' );
|
|||
my($headers, $env)=({},{});
|
||||
use Data::Dumper;
|
||||
print "<pre>";
|
||||
foreach(keys %ENV) {
|
||||
foreach(sort keys %ENV) {
|
||||
if($_ =~ /^HTTP_/) {
|
||||
($a=$_) =~ s/^HTTP_//i;
|
||||
#$a =~ s/_/ /g;
|
||||
|
|
@ -30,7 +30,7 @@ print qq#<h1>Authentication succeed</h1>
|
|||
<table border="1" style="font-size: small;">\n
|
||||
<tr><th>Header</th><th>Perl CGI</th><th>PHP script</th><th>Value</th></tr>
|
||||
#;
|
||||
foreach(keys %$headers) {
|
||||
foreach(sort keys %$headers) {
|
||||
$style = $_ eq 'Auth-User' ? 'style="background-color: #FFEEEE;font-weight: bold;"' : '';
|
||||
print "<tr>
|
||||
<td $style>$_</td>
|
||||
|
|
@ -52,7 +52,7 @@ print qq#<h2>Environment for Perl CGI :</h2>
|
|||
same server than Lemonldap::NG handler (\$whatToTrace parameter). If you use
|
||||
it on a reverse-proxy, \$ENV{REMOTE_USER} is not set.</p>
|
||||
<table border="0" style="font-size: small;">\n#;
|
||||
foreach(keys %ENV) {
|
||||
foreach(sort keys %ENV) {
|
||||
my $tmp = $ENV{$_};
|
||||
$tmp =~ s/&/&/g;
|
||||
$tmp =~ s/>/>/g;
|
||||
|
|
|
|||
|
|
@ -3,8 +3,10 @@ lemonldap-ng (0.8.3) unstable; urgency=high
|
|||
* Syntax errors in configuration are now displayed
|
||||
* Security fix: authentication could be replayed with another uid
|
||||
* Debian package uses po-debconf
|
||||
* TLS is now supported in LDAP connections (thanks to Baptiste Grenier)
|
||||
* New logout system: logout urls can be now intercepted in Manager
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Sun, 08 Jul 2007 15:47:16 +0200
|
||||
-- Xavier Guimard <x.guimard@free.fr> Sun, 22 Jul 2007 21:01:35 +0200
|
||||
|
||||
lemonldap-ng (0.8.2.4) unstable; urgency=low
|
||||
|
||||
|
|
|
|||
|
|
@ -16,6 +16,7 @@
|
|||
</Location>
|
||||
|
||||
# Optional interception of the logout URL => single logout
|
||||
# if not done in configuration interface
|
||||
<Location /logout>
|
||||
PerlHeaderParserHandler My::Package->logout
|
||||
</Location>
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@ PerlOptions +GlobalRequest
|
|||
</Location>
|
||||
|
||||
# Optional interception of the logout URL => single logout
|
||||
# if not done in configuration interface
|
||||
<Location /logout>
|
||||
PerlHeaderParserHandler My::Package->logout
|
||||
</Location>
|
||||
|
|
|
|||
|
|
@ -1 +1,3 @@
|
|||
debian/tmp/var/lib/lemonldap-ng/test.pl
|
||||
debian/tmp/var/lib/lemonldap-ng/apache-protected-area.conf
|
||||
debian/tmp/var/lib/lemonldap-ng/apache2-protected-area.conf
|
||||
|
|
|
|||
|
|
@ -53,6 +53,8 @@ install: build
|
|||
$(MAKE) example EXAMPLEDIRBUILD=debian/tmp/var/lib/lemonldap-ng EXAMPLEDIR=/var/lib/lemonldap-ng/ EXAMPLECONFDIR=/var/lib/lemonldap-ng/conf
|
||||
cp debian/tmp/var/lib/lemonldap-ng/handler/MyHandler.pm debian/tmp/var/lib/lemonldap-ng/handler/MyHandler-Debian.pm
|
||||
mv debian/tmp/var/lib/lemonldap-ng/index.pl debian/tmp/var/lib/lemonldap-ng/test.pl
|
||||
mv debian/tmp/var/lib/lemonldap-ng/handler/lmH-apache.conf debian/tmp/var/lib/lemonldap-ng/apache-protected-area.conf
|
||||
mv debian/tmp/var/lib/lemonldap-ng/handler/lmH-apache2.conf debian/tmp/var/lib/lemonldap-ng/apache2-protected-area.conf
|
||||
perl -000 -i -pe 's/(new\s*\(\s*){[^}]+}/$$1\$$Lemonldap::NG::Conf::configStorage/; s#^use#\nrequire "/usr/share/lemonldap-ng/configStorage.pm";\nuse#m;' \
|
||||
debian/tmp/var/lib/lemonldap-ng/manager/scripts/lmConfigEditor \
|
||||
debian/tmp/var/lib/lemonldap-ng/handler/MyHandler-Debian.pm
|
||||
|
|
|
|||
|
|
@ -29,6 +29,7 @@ sub scan {
|
|||
while (<$IN>) {
|
||||
s/\r//g;
|
||||
if (/lmQuery/) {
|
||||
s/__SCRIPTNAME__\?lmQuery=conf&cfgNum="\+n/conf.xml"/;
|
||||
if (s/__SCRIPTNAME__\?lmQuery=([^"']*)js/$1.js/) {
|
||||
scan( $script, "$1.js", "lmQuery=$1js" );
|
||||
}
|
||||
|
|
@ -36,7 +37,7 @@ sub scan {
|
|||
# Nothing to do here
|
||||
}
|
||||
elsif (s/__SCRIPTNAME__\?lmQuery=conf/conf.xml/) {
|
||||
scan( $script, "conf.xml", "lmQuery=conf" );
|
||||
scan( $script, "conf.xml", "lmQuery=conf&cfgNum=0" );
|
||||
}
|
||||
elsif (s/__SCRIPTNAME__\?lmQuery=([^"']*)css/style$1.css/) {
|
||||
scan( $script, "style$1.css", "lmQuery=$1css" );
|
||||
|
|
|
|||
|
|
@ -1,5 +1,9 @@
|
|||
Revision history for Perl extension Lemonldap::NG::Handler.
|
||||
|
||||
0.83 Sun Jul 22 22:19:12 2007
|
||||
- New logout system : URL can now be declared in Manager
|
||||
interface
|
||||
|
||||
0.82 Fri Jun 1 6:52:43 2007
|
||||
- Little bug: SharedConf.pm needs Manager::Conf and not Manager
|
||||
|
||||
|
|
|
|||
|
|
@ -14,9 +14,9 @@ Makefile.PL
|
|||
MANIFEST
|
||||
META.yml Module meta-data (added by MakeMaker)
|
||||
README
|
||||
t/Lemonldap-NG-Handler-CDA.t
|
||||
t/Lemonldap-NG-Handler-CGI.t
|
||||
t/Lemonldap-NG-Handler-Proxy.t
|
||||
t/Lemonldap-NG-Handler-SharedConf.t
|
||||
t/Lemonldap-NG-Handler-Simple.t
|
||||
t/Lemonldap-NG-Handler-Vhost.t
|
||||
t/01-Lemonldap-NG-Handler-Simple.t
|
||||
t/05-Lemonldap-NG-Handler-Vhost.t
|
||||
t/10-Lemonldap-NG-Handler-SharedConf.t
|
||||
t/20-Lemonldap-NG-Handler-CDA.t
|
||||
t/30-Lemonldap-NG-Handler-CGI.t
|
||||
t/40-Lemonldap-NG-Handler-Proxy.t
|
||||
|
|
|
|||
|
|
@ -196,7 +196,8 @@ Cache::Cache module that does not use disk access.
|
|||
Lemonldap::NG provides a single logout system: you can use it by adding a link
|
||||
to the portal with "logout=1" parameter in the portal (See
|
||||
Lemonldap::NG::Portal) and/or by configuring handler to intercept some URL
|
||||
(See Lemonldap::NG::Handler). The logout system:
|
||||
(See Lemonldap::NG::Handler) directly in the manager interface or in apache
|
||||
configuration file. The logout system:
|
||||
* delete session in the global session storage,
|
||||
* replace Lemonldap::NG cookie by '',
|
||||
* delete handler caches only if logout action was started from a protected
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@ package Lemonldap::NG::Handler;
|
|||
|
||||
print STDERR
|
||||
"See Lemonldap::NG::Handler(3) to know which Lemonldap::NG::Handler::* module to use.";
|
||||
our $VERSION = "0.82";
|
||||
our $VERSION = "0.83";
|
||||
|
||||
1;
|
||||
|
||||
|
|
@ -68,7 +68,8 @@ You can also unprotect an URI
|
|||
PerlHeaderParserHandler My::Package->unprotect
|
||||
</Files>
|
||||
|
||||
If your application has a "logout" URL, configure it:
|
||||
If your application has a "logout" URL, you can configure it directly in Apache
|
||||
configuration file (or in the manager interface) :
|
||||
|
||||
<Location /logout>
|
||||
PerlHeaderParserHandler My::Package->logout
|
||||
|
|
@ -295,6 +296,9 @@ connected on it in the last 10 minutes.
|
|||
|
||||
=back
|
||||
|
||||
You can also configure rules in the Manager interface to intercept logout URL.
|
||||
See L<Lemonldap::NG::Manager> and L<Lemonldap::NG::Handler> for more.
|
||||
|
||||
=head1 USING LEMONLDAP::NG::HANDLER FOR DEVELOPMENT
|
||||
|
||||
Lemonldap::NG::Handler provides different modules:
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ use Exporter 'import';
|
|||
use Safe;
|
||||
require POSIX;
|
||||
|
||||
our $VERSION = '0.81';
|
||||
our $VERSION = '0.83';
|
||||
|
||||
our %EXPORT_TAGS = (
|
||||
localStorage =>
|
||||
|
|
@ -17,6 +17,7 @@ our %EXPORT_TAGS = (
|
|||
qw(
|
||||
$locationCondition $defaultCondition $locationCount
|
||||
$locationRegexp $apacheRequest $datas $safe $portal
|
||||
$logout
|
||||
)
|
||||
],
|
||||
import => [ qw( import @EXPORT_OK @EXPORT %EXPORT_TAGS ) ],
|
||||
|
|
@ -55,6 +56,7 @@ our (
|
|||
$globalStorage, $globalStorageOptions, $localStorage,
|
||||
$localStorageOptions, $whatToTrace, $https,
|
||||
$refLocalStorage, $safe, $cookieSecured,
|
||||
$logout,
|
||||
);
|
||||
|
||||
##########################################
|
||||
|
|
@ -127,13 +129,14 @@ BEGIN {
|
|||
';
|
||||
}
|
||||
*handler = ( MP() == 2 ) ? \&handler_mp2 : \&handler_mp1;
|
||||
*logout = ( MP() == 2 ) ? \&logout_mp2 : \&logout_mp1;
|
||||
}
|
||||
|
||||
sub handler_mp1 ($$) { shift->run(@_) }
|
||||
sub handler_mp2 : method { shift->run(@_); }
|
||||
|
||||
sub handler_mp2 : method {
|
||||
shift->run(@_);
|
||||
}
|
||||
sub logout_mp1 ($$) { shift->unlog(@_) }
|
||||
sub logout_mp2 : method { shift->unlog(@_); }
|
||||
|
||||
sub lmLog {
|
||||
my ( $class, $mess, $level ) = @_;
|
||||
|
|
@ -320,6 +323,36 @@ sub conditionSub {
|
|||
if ( $cond =~ /^accept$/i );
|
||||
return sub { 0 }
|
||||
if ( $cond =~ /^deny$/i );
|
||||
if ( $cond =~ /^logout(?:_sso)?(?:\s+(.*))?$/i ) {
|
||||
my $url = $1 || $class->encodeUrl ( "/" );
|
||||
return sub { $logout = $url; return 0 }
|
||||
}
|
||||
if( MP() == 2 ) {
|
||||
if ( $cond =~ /^logout_app(?:\s+(.*))?$/i ) {
|
||||
my $u = $1;
|
||||
eval 'use Apache2::Filter' unless($INC{"Apache2/Filter.pm"});
|
||||
return sub {
|
||||
$apacheRequest->add_output_filter(sub {
|
||||
return $class->redirectFilter( $u, @_ );
|
||||
}
|
||||
);
|
||||
1;
|
||||
};
|
||||
}
|
||||
elsif ( $cond =~ /^logout_app_sso(?:\s+(.*))?$/i ) {
|
||||
eval 'use Apache2::Filter' unless($INC{"Apache2/Filter.pm"});
|
||||
my $u = encode_base64($1);
|
||||
$u =~ s/[\r\n]//g;
|
||||
return sub {
|
||||
$class->localUnlog;
|
||||
$apacheRequest->add_output_filter(sub {
|
||||
return $class->redirectFilter( "$portal?url=$u&logout=1", @_ );
|
||||
}
|
||||
);
|
||||
1;
|
||||
};
|
||||
}
|
||||
}
|
||||
$cond =~ s/\$date/&POSIX::strftime("%Y%m%d%H%M%S",localtime())/e;
|
||||
$cond =~ s/\$(\w+)/\$datas->{$1}/g;
|
||||
my $sub;
|
||||
|
|
@ -408,8 +441,12 @@ sub grant {
|
|||
# forbidden : used to reject non authorizated requests
|
||||
sub forbidden {
|
||||
my $class = shift;
|
||||
|
||||
# We use Apache::Log here
|
||||
if( $logout ) {
|
||||
$apacheRequest->headers_out->set(
|
||||
'Location' => "$portal?url=$logout"
|
||||
);
|
||||
return REDIRECT;
|
||||
}
|
||||
$class->lmLog(
|
||||
'The user "' . $datas->{$whatToTrace} . '" was reject when he tried to access to ' . shift,
|
||||
'notice'
|
||||
|
|
@ -426,27 +463,33 @@ sub hideCookie {
|
|||
lmSetHeaderIn( $apacheRequest, 'Cookie' => $tmp );
|
||||
}
|
||||
|
||||
# Redirect non-authenticated users to the portal
|
||||
sub goToPortal() {
|
||||
my ( $class, $url, $arg ) = @_;
|
||||
sub encodeUrl {
|
||||
my ( $class, $url ) = @_;
|
||||
my $port = $apacheRequest->get_server_port();
|
||||
$port =
|
||||
( $https && $port == 443 ) ? ''
|
||||
: ( !$https && $port == 80 ) ? ''
|
||||
: ':' . $apacheRequest->get_server_port();
|
||||
my $urlc_init =
|
||||
my $u =
|
||||
encode_base64( "http"
|
||||
. ( $https ? "s" : "" ) . "://"
|
||||
. $apacheRequest->get_server_name()
|
||||
. $port
|
||||
. $url );
|
||||
$urlc_init =~ s/[\n\s]//sg;
|
||||
$u =~ s/[\r\n\s]//sg;
|
||||
return $u;
|
||||
}
|
||||
|
||||
# Redirect non-authenticated users to the portal
|
||||
sub goToPortal() {
|
||||
my ( $class, $url, $arg ) = @_;
|
||||
$class->lmLog(
|
||||
"Redirect "
|
||||
. $apacheRequest->connection->remote_ip
|
||||
. " to portal (url was $url)",
|
||||
'debug'
|
||||
);
|
||||
my $urlc_init = $class->encodeUrl ( $url );
|
||||
$apacheRequest->headers_out->set(
|
||||
'Location' => "$portal?url=$urlc_init" . ( $arg ? "&$arg" : "" )
|
||||
);
|
||||
|
|
@ -551,9 +594,8 @@ sub unprotect {
|
|||
OK;
|
||||
}
|
||||
|
||||
sub logout ($$) {
|
||||
my $class;
|
||||
($class, $apacheRequest ) = @_;
|
||||
sub localUnlog {
|
||||
my $class = shift;
|
||||
if( my $id = $class->fetchId ) {
|
||||
# Delete Apache thread datas
|
||||
if ( $id eq $datas->{_session_id} ) {
|
||||
|
|
@ -564,9 +606,31 @@ sub logout ($$) {
|
|||
$refLocalStorage->remove($id);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sub unlog ($$) {
|
||||
my $class;
|
||||
$logout = 0;
|
||||
($class, $apacheRequest ) = @_;
|
||||
$class->localUnlog;
|
||||
return $class->goToPortal( '/', 'logout=1' );
|
||||
}
|
||||
|
||||
sub redirectFilter {
|
||||
my $class = shift;
|
||||
my $url = shift;
|
||||
my $f = shift;
|
||||
unless ($f->ctx) {
|
||||
$f->r->status(REDIRECT);
|
||||
$f->r->status_line("302 Temporary Moved");
|
||||
$f->r->err_headers_out->set('Location' => $url);
|
||||
$f->ctx(1);
|
||||
}
|
||||
while ($f->read(my $buffer, 1024)) {
|
||||
}
|
||||
return REDIRECT;
|
||||
}
|
||||
|
||||
1;
|
||||
__END__
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,9 @@
|
|||
Revision history for Perl extension Lemonldap::NG::Manager.
|
||||
|
||||
0.82 Sat jul 21 15:21:32 2007
|
||||
- TLS support in LDAP
|
||||
- Help for new logout system
|
||||
|
||||
0.8 Sat jun 23 21:54:27 2007
|
||||
- New feature: syntax errors are now displayed in the manager interface
|
||||
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ use MIME::Base64;
|
|||
|
||||
our @ISA = qw(Lemonldap::NG::Manager::Base);
|
||||
|
||||
our $VERSION = '0.8';
|
||||
our $VERSION = '0.82';
|
||||
|
||||
sub new {
|
||||
my ( $class, $args ) = @_;
|
||||
|
|
@ -522,7 +522,7 @@ sub checkConf {
|
|||
}
|
||||
}
|
||||
# Test boolean expressions
|
||||
unless ( $v eq 'deny' or $v eq 'accept' ) {
|
||||
unless ( $v =~ /^(?:accept$|deny$|logout)/ ) {
|
||||
# "=" may be a fault (but not "==")
|
||||
if ( $v =~ /(?<=[^=<\?])=(?!=)/ ) {
|
||||
$response->warning( &txt_rule . " $vh -> \"$reg\" : " . &txt_containsAnAssignment );
|
||||
|
|
|
|||
|
|
@ -190,11 +190,25 @@ authentication is done by another system (SSL for example).</p>
|
|||
base). Example :
|
||||
<pre> dc=example, dc=com </pre></li>
|
||||
<li>LDAP server port : 389 by default ;</li>
|
||||
<li>LDAP server : Name (or IP address) of the LDAP server. To use LDAPS, set
|
||||
here :
|
||||
<pre> ldaps://server/</pre>
|
||||
and don't forget to change port (636 for example). You can specify more than
|
||||
one server separated by commas. They will be tried in the specified order.
|
||||
<li>LDAP server : Name(s) (or IP address(es)) of the LDAP server(s).
|
||||
You can specify more than one server separated by commas and/or spaces,
|
||||
they will be tried in the specified order.
|
||||
You can also use encrypted connections :
|
||||
<ul>
|
||||
<li>LDAPS : instead of a server name, use :
|
||||
<pre> ldaps://server/</pre>
|
||||
and don't forget to change port (636 for example).
|
||||
</li>
|
||||
<li>TLS : instead of a server name, use :
|
||||
<pre> ldap+tls://server/</pre>
|
||||
you can also set any of the parameters needed by Net::LDAP start_tls
|
||||
function :
|
||||
<pre> ldap+tls://server/?verify=none&capath=/etc/ssl</pre>
|
||||
See Net::LDAP(3) manual page to know all available parameters.
|
||||
You can also set caPath or caFile parameters in the new() function when
|
||||
building the portal (because they should depend on local file system).
|
||||
</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>LDAP account : optional, must be set if anonymous connection cannot
|
||||
access to the wanted LDAP attributes. This account is used before LDAP
|
||||
|
|
@ -216,13 +230,28 @@ réalisée par un autre moyen (SSL par exemple).</p>
|
|||
accepte les requêtes sans base). Exemple :
|
||||
<pre> dc=example, dc=com </pre></li>
|
||||
<li>Port du serveur LDAP : 389 par défaut ;</li>
|
||||
<li>Serveur LDAP : Nom (ou adresse IP) du serveur LDAP. Pour une connexion
|
||||
LDAPS, indiquez ici :
|
||||
<pre> ldaps://server/</pre>
|
||||
et n'oubliez pas de changer le port (636 en général). Vous
|
||||
pouvez indiquer plusieurs serveurs ici séparés par des virgules. Ils seront
|
||||
testés dans l'ordre indiqué.
|
||||
</li>
|
||||
<li>Serveur LDAP : Nom(s) (ou adresse(s) IP) du(des) serveur(s) LDAP.
|
||||
Vous pouvez indiquer plusieurs serveurs ici séparés par des
|
||||
virgules et/ou des espaces. Ils seront testés dans l'ordre indiqué.
|
||||
Vous pouvez également utiliser des connexions chiffrées :
|
||||
<ul>
|
||||
<li>LDAPS : au lieu de noms de serveurs, indiquez ici :
|
||||
<pre> ldaps://serveur/</pre>
|
||||
et n'oubliez pas de changer le port (636 en général).
|
||||
</li>
|
||||
<li>TLS : au lieu de noms de serveurs, indiquez ici :
|
||||
<pre> ldap+tls://serveur/</pre>
|
||||
vous pouvez également y ajouter tous les paramètres
|
||||
demandés par la fonction start_tls de Net::LDAP :
|
||||
<pre> ldap+tls://serveur/?verify=none&capath=/etc/ssl</pre>
|
||||
Reportez-vous à la page de manuel de Net::LDAP(3) pour
|
||||
connaître les paramètres disponibles.
|
||||
Vous pouvez également utiliser les paramètres caPath ou
|
||||
caFile lors de la construction du portail dans la fonction new() (car
|
||||
ils peuvent dépendre du système de fichier local).
|
||||
</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>Compte de connexion LDAP : optionnel, à renseigner si les attributs LDAP
|
||||
utilisés ne sont pas accessibles par une session anonyme. Ce compte est
|
||||
utilisé avant l'authentification pour trouver le dn de l'utilisateur ;
|
||||
|
|
@ -404,6 +433,21 @@ users member of 'group1'. You can also use 'accept' and 'deny' keywords.
|
|||
<p> If URL doesn't match any regular expression, 'default' rule is called to
|
||||
grant or not.</p>
|
||||
|
||||
<h5> Logout </h5>
|
||||
|
||||
You can also write Logout rules to intercept application logout url using the
|
||||
reserved words :
|
||||
<ul>
|
||||
<li>logout_sso URL : the request generates a redirection to the portal to call
|
||||
logout mechanism. The request is not given to the application so its logout
|
||||
function is not called. After logout, the user is redirected to the URL,</li>
|
||||
<li>logout_app URL : the request is transmitted to the application, but the
|
||||
result is not displayed : the user is redirected to the URL,</li>
|
||||
<li>logout_app_sso URL : the request is transmitted to the application and
|
||||
then, the user is redirected to the portal with the logout call and then,
|
||||
he is redirected to the given URL.</li>
|
||||
</ul>
|
||||
|
||||
<h4> Headers </h4>
|
||||
|
||||
<p> Headers are used to inform the remote application on the connected user.
|
||||
|
|
@ -452,6 +496,24 @@ tous les utilisateurs authentifiés peuvent accéder.</p>
|
|||
droit d'accès est calculé à partir de l'expression booléenne définie dans
|
||||
la règle par défaut (default).</p>
|
||||
|
||||
<h5> Logout </h5>
|
||||
|
||||
Vous pouvez également écrire des règles pour intercepter
|
||||
les URL de déconnexions des applications en utilisant les mots-clefs :
|
||||
<ul>
|
||||
<li>logout_sso URL : la requête entraine une redirection vers le portail
|
||||
avec l'appel au système de déloguage. La requête n'est
|
||||
pas transmise à l'applicationthe. Après déloguage,
|
||||
l'utilisateur est renvoyé vers l'URL,</li>
|
||||
<li>logout_app URL : la requête est transmise à l'applications
|
||||
mais le résultat n'est pas affiché : l'utilisateur est
|
||||
redirigé vers l'URL,</li>
|
||||
<li>logout_app_sso URL : la requête est transmise à l'application
|
||||
et ensuite, l'utilisateur est redirigé vers le portail avec appel au
|
||||
système de déloguage. Il est ensuite redirigé vers
|
||||
l'URL.</li>
|
||||
</ul>
|
||||
|
||||
<h4> En-têtes</h4>
|
||||
|
||||
<p> Les en-têtes servant à l'application à savoir qui est connecté se déclarent
|
||||
|
|
@ -478,9 +540,9 @@ EOT
|
|||
|
||||
sub help_whatToTrace_fr {
|
||||
print <<EOT;
|
||||
<h3>Donnée à journaliser dans Apache</h3>
|
||||
<p> Indiquez ici le nom de la variable (attribut) ou de la macro qui doit être
|
||||
utilisée pour alimenter les journaux Apache des applications protégées
|
||||
(n'oubliez pas le "\$"). Par défaut : \$uid</p>
|
||||
<h3>Donnée à journaliser dans Apache</h3>
|
||||
<p> Indiquez ici le nom de la variable (attribut) ou de la macro qui doit être
|
||||
utilisée pour alimenter les journaux Apache des applications protégées
|
||||
(n'oubliez pas le "\$"). Par défaut : \$uid</p>
|
||||
EOT
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,5 +1,9 @@
|
|||
Revision history for Perl extension Lemonldap::NG::Portal.
|
||||
|
||||
0.76 Sat Jul 21 15:21:57 2007
|
||||
- LDAP+TLS support (thanks to Baptiste Grenier)
|
||||
- New logout system: URL can now be declared in Manager interface
|
||||
|
||||
0.75 Tue Jul 3 20:42:09 2007
|
||||
- Security fix: authentication could be replayed with another uid
|
||||
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@ package Lemonldap::NG::Portal;
|
|||
|
||||
print STDERR
|
||||
"See Lemonldap::NG::Portal(3) to know which Lemonldap::NG::Portal::* module to use.";
|
||||
our $VERSION = "0.75";
|
||||
our $VERSION = "0.76";
|
||||
|
||||
1;
|
||||
|
||||
|
|
@ -259,8 +259,8 @@ L<Cache::Cache> module that does not use disk access.
|
|||
|
||||
Lemonldap::NG provides a single logout system: you can use it by adding a link
|
||||
to the portal with "logout=1" parameter (See Synopsis) and/or by configuring
|
||||
Handler to intercept some URL (See L<Lemonldap::NG::Handler>). The logout
|
||||
system:
|
||||
Handler to intercept some URL directly in the manager interface and/or in
|
||||
Apache configuration file (See L<Lemonldap::NG::Handler>). The logout system:
|
||||
|
||||
=over
|
||||
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ use CGI::Cookie;
|
|||
require POSIX;
|
||||
use Lemonldap::NG::Portal::_i18n;
|
||||
|
||||
our $VERSION = '0.75';
|
||||
our $VERSION = '0.76';
|
||||
|
||||
our @ISA = qw(CGI Exporter);
|
||||
|
||||
|
|
@ -199,6 +199,14 @@ sub controlExistingSession {
|
|||
# Delete cookie
|
||||
$self->{id} = "";
|
||||
$self->buildCookie();
|
||||
if( $self->{urldc} ) {
|
||||
if( $self->{autoRedirect} ) {
|
||||
&{ $self->{autoRedirect} }($self);
|
||||
}
|
||||
else {
|
||||
$self->autoRedirect();
|
||||
}
|
||||
}
|
||||
return PE_FIRSTACCESS;
|
||||
}
|
||||
$self->{id} = $id;
|
||||
|
|
@ -265,7 +273,17 @@ sub formateFilter {
|
|||
sub connectLDAP {
|
||||
my $self = shift;
|
||||
return PE_OK if ( $self->{ldap} );
|
||||
my $useTls = 0;
|
||||
my $tlsParam;
|
||||
foreach my $server ( split /[\s,]+/, $self->{ldapServer} ) {
|
||||
if ( $server =~ m{^ldap\+tls://([^/]+)/?\??(.*)$} ) {
|
||||
$useTls = 1;
|
||||
$server = $1;
|
||||
$tlsParam = $2 || "";
|
||||
}
|
||||
else {
|
||||
$useTls = 0;
|
||||
}
|
||||
last if $self->{ldap} = Net::LDAP->new(
|
||||
$server,
|
||||
port => $self->{ldapPort},
|
||||
|
|
@ -273,6 +291,13 @@ sub connectLDAP {
|
|||
);
|
||||
}
|
||||
return PE_LDAPCONNECTFAILED unless ( $self->{ldap} );
|
||||
if ($useTls) {
|
||||
my %h = split( /[&=]/, $tlsParam );
|
||||
$h{cafile} = $self->{caFile} if( $self->{caFile} );
|
||||
$h{capath} = $self->{caPath} if( $self->{caPath} );
|
||||
my $mesg = $self->{ldap}->start_tls(%h);
|
||||
$mesg->code && return PE_LDAPCONNECTFAILED;
|
||||
}
|
||||
PE_OK;
|
||||
}
|
||||
|
||||
|
|
@ -510,6 +535,11 @@ Lemonldap::Portal::* libraries.
|
|||
=item * ldapServer: server(s) used to retrive session informations and to valid
|
||||
credentials (localhost by default). More than one server can be set here
|
||||
separated by commas. The servers will be tested in the specifies order.
|
||||
To use TLS, set "ldap+tls://server" and to use LDAPS, set "ldaps://server"
|
||||
instead of server name. If you use TLS, you can set any of the
|
||||
Net::LDAP->start_tls() sub like this:
|
||||
"ldap/tls://server/verify=none&capath=/etc/ssl"
|
||||
You can also use caFile and caPath parameters.
|
||||
|
||||
=item * ldapPort: tcp port used by ldap server.
|
||||
|
||||
|
|
@ -521,15 +551,15 @@ bind is used.
|
|||
=item * managerPassword: password to used to connect to ldap server. By
|
||||
default, anonymous bind is used.
|
||||
|
||||
=item * securedCookie: set it to 1 if you want to protect user cookies
|
||||
=item * securedCookie: set it to 1 if you want to protect user cookies.
|
||||
|
||||
=item * cookieName: name of the cookie used by Lemonldap::NG (lemon by default)
|
||||
=item * cookieName: name of the cookie used by Lemonldap::NG (lemon by default).
|
||||
|
||||
=item * domain: cookie domain. You may have to give it else the SSO will work
|
||||
only on your server.
|
||||
|
||||
=item * globalStorage: required: L<Apache::Session> library to used to store
|
||||
session informations
|
||||
session informations.
|
||||
|
||||
=item * globalStorageOptions: parameters to bind to L<Apache::Session> module
|
||||
|
||||
|
|
@ -542,6 +572,10 @@ be set to:
|
|||
|
||||
=back
|
||||
|
||||
=item * caPath, caFile: if you use ldap+tls you can overwrite cafile or capath
|
||||
options with those parameters. This is usefull if you use a shared
|
||||
configuration.
|
||||
|
||||
=back
|
||||
|
||||
=head2 Methods that can be overloaded
|
||||
|
|
|
|||
Loading…
Reference in New Issue