NAME

Lemonldap::NG::Portal - Perl extension for building Lemonldap compatible portals

SYNOPSIS

  use Lemonldap::NG::Portal;
  my $portal = new Lemonldap::NG::Portal(
	 domain         => 'gendarmerie.defense.gouv.fr',
         storageModule  => 'Apache::Session::MySQL',
	 storageOptions => {
	   DataSource   => 'dbi:mysql:database=dbname;host=127.0.0.1',
	   UserName     => 'db_user',
	   Password     => 'db_password',
	   TableName    => 'sessions',
	   LockDataSource   => 'dbi:mysql:database=dbname;host=127.0.0.1',
	   LockUserName     => 'db_user',
	   LockPassword     => 'db_password',
	 },
	 ldapServer     => 'ldap.domaine.com',
	 cookie_secure  => 1,
    );
  # Example of overloading: choose the LDAP variables to store
  $portal->{setSessionInfo} = sub {
    my ($self) = @_;
    foreach $_ qw(uid cn mail appli) {
        $self->{sessionInfo}->{$_} = $entry->get_value($_);
    }
    PE_OK;
  };

  if($portal->process()) {
    # Write here the menu with CGI methods. This page is displayed ONLY IF
    # the user was not redirected here.
    print $portal->header; # DON'T FORGET THIS (see L<CGI(3)>)
    print "...";

    # or redirect the user to the menu
    print $portal->redirect( -uri => 'https://portal/menu');
  }
  else {
    # Write here the html form used to authenticate with CGI methods.
    # $portal->error returns the error message if athentification failed
    # Warning: by defaut, input names are "user" and "password"
    print $portal->header; # DON'T FORGET THIS (see L<CGI(3)>)
    print "...";
    print '<form method="POST">';
    # In your form, the following value is required for redirection
    print '<input type="hidden" name="url" value="'.$portal->param('url').'">';
    # Next, login and password
    print 'Login : <input name="user"><br>';
    print 'Password : <input name="pasword" type="password" autocomplete="off">';
    print '</form>';
  }

DESCRIPTION

Lemonldap is a simple Web-SSO based on Apache::Session modules. It simplifies the build of a protected area with a few changes in the application (they just have to read some headers for accounting).

It manages both authentication and authorization and provides headers for accounting. So you can have a full AAA protection for your web space. There are two ways to build a cross domain authentication:

• Cross domain authentication itself (Lemonldap::Portal::Cda (not yet implemented in Lemonldap::NG))

• Liberty Alliance (See Lemonldap::ServiceProvider and Lemonldap::IdentityProvider)

This library is a way to build Lemonldap compatible portals. You can use it either by inheritance or by writing anonymous methods like in the example above.

METHODS

Constructor (new)

Args

• ldapServer: server used to retrive session informations and to valid credentials (localhost by default).

• ldapPort: tcp port used by ldap server.

• managerDn: dn to used to connect to ldap server. By default, anonymous bind is used.

• managerPassword: password to used to connect to ldap server. By default, anonymous bind is used.

• ldapBase: base of the ldap directory.

• cookie_secure: set it to 1 if you want to protect user cookies

• coolie_name: name of the cookie used by Lemonldap (lemon by default)

• domain: cookie domain. You may have to give it else the SSO will work only on your server.

• storageModule: required: Apache::Session library to used to store session informations

• storageOptions: parameters to bind to Apache::Session module

Methods that can be overloaded

All the functions above can be overloaded to adapt Lemonldap to your environment. They MUST return one of the exported constants (see above) and are called in this order by process().

controlUrlOrigin

If the user was redirected by a Lemonldap NG handler, stores the url that will be used to redirect the user after authentication.

controlExistingSession

Controls if a previous session is always available.

extractFormInfo

Converts form input into object variables ($self->{user} and $self->{password}).

formateParams

Does nothing. To be overloaded if needed.

formateFilter

Creates the ldap filter using $self->{user}. By default :

$self->{filter} = "(&(uid=" . $self->{user} . ")(objectClass=person))";

connectLDAP

Connects to LDAP server.

bind

Binds to the LDAP server using $self->{managerDn} and $self->{managerPassword} if exist. Anonymous bind is provided else.

search

Retrives the LDAP entry corresponding to the user using $self->{filter}.

setSessionInfo

Prepares variables to store in central cache (stored temporarily in $self->{sessionInfo}).

authenticate

Authenticates the user by rebinding to the LDAP server using the dn retrived with search() and the password.

store

Stores the informations collected by setSessionInfo into the central cache. The portal connects the cache using the Apache::Session module passed by the storageModule parameters (see constructor).

unbind

Disconnects from the LDAP server.

buildCookie

Creates the Lemonldap cookie.

autoRedirect

Redirects the user to the url stored by controlUrlOrigin().

log

Does nothing. To be overloaded if wanted.

Other methods

process

Main method.

error

Returns the error message corresponding to the error returned by the methods described above

_bind( $ldap, $dn, $password )

Non-object method used to bind to the ldap server.

header

Overloads the CGI::header method to add Lemonldap cookie.

redirect

Overloads the CGI::redirect method to add Lemonldap cookie.

EXPORT

Constants

• PE_OK: all is good

• PE_SESSIONEXPIRED: the user session has expired

• PE_FORMEMPTY: Nothing was entered in the login form

• PE_USERNOTFOUND: the user was not found in the (ldap) directory

• PE_WRONGMANAGERACCOUNT: the account used to bind to LDAP server in order to find the user distinguished name (dn) was refused by the server

• PE_BADCREDENTIALS: bad login or password

• PE_LDAPERROR: abnormal error from ldap

• PE_APACHESESSIONERROR: abnormal error from Apache::Session

• PE_FIRSTACCESS: First access to the portal

• PE_BADCERTIFICATE: Wrong certificate

AUTHENTICATION-AUTHORIZATION-ACCOUNTING

This section presents Lemonldap characteristics from the point-of-vue of AAA.

Authentication

If a user isn't authenticated and attemps to connect to an area protected by a Lemonldap compatible handler, he is redirected to the portal. The portal authenticates user with a ldap bind by default, but you can also use another authentication sheme like using x509 user certificates (see Lemonldap::NG::Portal::AuthSsl for more).

Lemonldap use session cookies generated by Apache::Session so as secure as a 128-bit random cookie. You may use the cookie_secure options of Lemonldap::NG::Portal to avoid session hijacking.

You have to manage life of sessions by yourself since Lemonldap knows nothing about the Apache::Session module you've choose, but it's very easy using a simple cron script because Lemonldap::NG::Portal stores the start time in the _utime field.

Authorization

Authorization is controled only by handlers because the portal knows nothing about the way the user will choose. Lemonldap::NG::Portal is designed to help you to store all the user datas you wants to use to manage authorization.

When initializing an handler, you have to describe what you want to protect and who can connect to. This is done by the locationRules parameters of init method. It is a reference to a hash who contains entries where:

• keys are regular expression who are compiled by init using qr() or the keyword default who points to the default police.

• values are conditional expressions or the keyword accept or the keyword deny:

  • Conditional expressions are converted into subroutines. You can use the variables stored in the global store by calling them $<varname>.

    Exemple:

    '^/rh/.*$' => '$ou =~ /brh/'

  • Keyword deny denies any access while keyword accept allows all authenticated users.

    Exemple:

    'default'  => 'accept'

Accounting

Logging portal access

Lemonldap::NG::Portal doesn't log anything by default, but it's easy to overload log method for normal portal access or using error method to know what was wrong if process method has failed.

Logging application access

Because an handler knows nothing about the protected application, it can't do more than logging URL. As Apache does this fine, Lemonldap::NG::Handler gives it the name to used in logs. The whatToTrace parameters indicates which variable Apache has to use ($uid by default).

The real accounting has to be done by the application itself which knows the result of SQL transaction for example.

Lemonldap can export http headers either using a proxy or protecting directly the application. By default, the User-Auth field is used but you can change it using the exportedHeaders parameters of the init method. It is a reference to a hash where:

• keys are the names of the choosen headers

• values are perl expressions where you can use user datas stored in the global store by calling them $<varname>.

SEE ALSO

Lemonldap::NG::Handler(3), http://lemonldap.sourceforge.net/, CGI(3)

AUTHOR

Xavier Guimard, <x.guimard@free.fr>

COPYRIGHT AND LICENSE

Copyright (C) 2004, 2005 by Eric German & Xavier Guimard

Lemonldap was originaly written by Eric german who decided to publish him in 2003 under the terms of the GNU General Public License version 2.

This library is free software; you can redistribute it and/or modify it under same terms as Perl itself, either Perl version 5.8.4 or, at your option, any later version of Perl 5 you may have available.

The primary copyright holder is Eric German.

Portions are copyrighted under the GNU General Public License, Version 2

Portions are copyrighted by Doug MacEachern and Lincoln Stein.

cpanm Lemonldap::NG::Portal

perl -MCPAN -e shell
install Lemonldap::NG::Portal