NAME¶
Lemonldap::NG::Portal::Simple - Base module for building Lemonldap::NG
compatible portals
SYNOPSIS¶
use Lemonldap::NG::Portal::Simple;
my $portal = new Lemonldap::NG::Portal::Simple(
domain => 'example.com',
globalStorage => 'Apache::Session::MySQL',
globalStorageOptions => {
DataSource => 'dbi:mysql:database=dbname;host=127.0.0.1',
UserName => 'db_user',
Password => 'db_password',
TableName => 'sessions',
LockDataSource => 'dbi:mysql:database=dbname;host=127.0.0.1',
LockUserName => 'db_user',
LockPassword => 'db_password',
},
ldapServer => 'ldap.domaine.com,ldap-backup.domaine.com',
securedCookie => 1,
exportedVars => {
uid => 'uid',
cn => 'cn',
mail => 'mail',
appli => 'appli',
},
# Activate SOAP service
Soap => 1
);
if($portal->process()) {
# Write here the menu with CGI methods. This page is displayed ONLY IF
# the user was not redirected here.
print $portal->header('text/html; charset=utf-8'); # DON'T FORGET THIS (see L<CGI(3)>)
print "...";
# or redirect the user to the menu
print $portal->redirect( -uri => 'https://portal/menu');
}
else {
# Write here the html form used to authenticate with CGI methods.
# $portal->error returns the error message if athentification failed
# Warning: by defaut, input names are "user" and "password"
print $portal->header('text/html; charset=utf-8'); # DON'T FORGET THIS (see L<CGI(3)>)
print "...";
print '<form method="POST">';
# In your form, the following value is required for redirection
print '<input type="hidden" name="url" value="'.$portal->param('url').'">';
# Next, login and password
print 'Login : <input name="user"><br>';
print 'Password : <input name="password" type="password" autocomplete="off">';
print '<input type="submit" value="go" />';
print '</form>';
}
SOAP mode authentication (client) :
#!/usr/bin/perl -l
use SOAP::Lite;
use Data::Dumper;
my $soap =
SOAP::Lite->proxy('http://auth.example.com/')
->uri('urn:/Lemonldap::NG::Common::CGI::SOAPService');
my $r = $soap->getCookies( 'user', 'password' );
# Catch SOAP errors
if ( $r->fault ) {
print STDERR "SOAP Error: " . $r->fault->{faultstring};
}
else {
my $res = $r->result();
# If authentication failed, display error
if ( $res->{error} ) {
print STDERR "Error: " . $soap->error( $res->{error} )->result();
}
# print session-ID
else {
print "Cookie: lemonldap=" . $res->{cookies}->{lemonldap};
}
}
DESCRIPTION¶
Lemonldap::NG::Portal::Simple is the base module for building Lemonldap::NG
compatible portals. You can use it either by inheritance or by writing
anonymous methods like in the example above.
See Lemonldap::NG::Portal::SharedConf for a complete example of use of
Lemonldap::Portal::* libraries.
METHODS¶
Constructor (new)¶
Args
- •
- ldapServer: server(s) used to retrive session information and to valid
credentials (localhost by default). More than one server can be set here
separated by commas. The servers will be tested in the specifies order. To
use TLS, set "ldap+tls://server" and to use LDAPS, set
"ldaps://server" instead of server name. If you use TLS, you can
set any of the Net::LDAP-> start_tls() sub like this:
"ldap/tls://server/verify=none&capath=/etc/ssl" You can also
use caFile and caPath parameters.
- •
- ldapPort: tcp port used by ldap server.
- •
- ldapBase: base of the ldap directory.
- •
- managerDn: dn to used to connect to ldap server. By default, anonymous
bind is used.
- •
- managerPassword: password to used to connect to ldap server. By default,
anonymous bind is used.
- •
- securedCookie: set it to 1 if you want to protect user cookies.
- •
- cookieName: name of the cookie used by Lemonldap::NG (lemon by
default).
- •
- domain: cookie domain. You may have to give it else the SSO will work only
on your server.
- •
- globalStorage: required: Apache::Session library to used to store session
information.
- •
- globalStorageOptions: parameters to bind to Apache::Session module
- •
- authentication: sheme to authenticate users (default: "ldap").
It can be set to:
- •
- SSL: See Lemonldap::NG::Portal::AuthSSL.
- •
- caPath, caFile: if you use ldap+tls you can overwrite cafile or capath
options with those parameters. This is useful if you use a shared
configuration.
- •
- ldapPpolicyControl: set it to 1 if you want to use LDAP Password
Policy
- •
- grantSessionRule: rule applied to grant session opening for a user. Can
use all exported attributes, macros, groups and custom functions.
Methods that can be overloaded¶
All the functions above can be overloaded to adapt Lemonldap::NG to your
environment. They MUST return one of the exported constants (see above) and
are called in this order by
process().
controlUrlOrigin
If the user was redirected by a Lemonldap::NG handler, stores the url that will
be used to redirect the user after authentication.
controlExistingSession
Controls if a previous session is always available. If true, it call the sub
"existingSession" with two parameters: id and a scalar tied on
Apache::Session module choosed to store sessions. See bellow
existingSession
This sub is called only if a previous session exists and is available. By
defaults, it returns PE_OK so user is re-authenticated. You can overload it:
for example if existingSession just returns PE_DONE: authenticated users are
not re-authenticated and ""process> returns true.
extractFormInfo
Method implemented into Lemonldap::NG::Portal::Auth* modules. By default (ldap
bind), converts form input into object variables ($self->{user} and
$self->{password}).
formateParams
Does nothing. To be overloaded if needed.
formateFilter
Creates the ldap filter using $self->{user}. By default :
$self->{filter} = "(&(uid=" . $self->{user} . ")(objectClass=inetOrgPerson))";
If $self->{AuthLDAPFilter} is set, it is used instead of this. This is used
by Lemonldap::NG::Portal::Auth* modules to overload filter.
connectLDAP
Connects to LDAP server.
bind
Binds to the LDAP server using $self->{managerDn} and
$self->{managerPassword} if exist. Anonymous bind is provided else.
search
Retrives the LDAP entry corresponding to the user using $self->{filter}.
setAuthSessionInfo
Same as setSessionInfo but implemented in Lemonldap::NG::Portal::Auth* modules.
setSessionInfo
Prepares variables to store in central cache (stored temporarily in
"$self-"{sessionInfo}>). It use "exportedVars" entry
(passed to the new sub) if defined to know what to store else it stores uid,
cn and mail attributes.
getSessionInfo
Pick up an information stored in session.
setGroups
Does nothing by default.
authenticate
Method implemented in Lemonldap::NG::Portal::Auth* modules. By default (ldap),
authenticates the user by rebinding to the LDAP server using the dn retrived
with
search() and the password.
grantSession
Use grantSessionRule parameter to allow session opening.
store
Stores information collected by setSessionInfo into the central cache. The
portal connects the cache using the Apache::Session module passed by the
globalStorage parameters (see constructor).
unbind
Disconnects from the LDAP server.
buildCookie
Creates the Lemonldap::NG cookie.
log
Does nothing. To be overloaded if wanted.
autoRedirect
Redirects the user to the url stored by
controlUrlOrigin().
Other methods¶
process
Main method.
error
Returns the error message corresponding to the error returned by the methods
described above
error_type
Give the type of the error (positive, warning or positive)
_bind( $ldap, $dn, $password )
Method used to bind to the ldap server.
header
Overloads the CGI::header method to add Lemonldap::NG cookie.
redirect
Overloads the CGI::redirect method to add Lemonldap::NG cookie.
EXPORT¶
Constants
- •
- PE_OK: all is good
- •
- PE_SESSIONEXPIRED: the user session has expired
- •
- PE_FORMEMPTY: Nothing was entered in the login form
- •
- PE_USERNOTFOUND: the user was not found in the (ldap)
directory
- •
- PE_WRONGMANAGERACCOUNT: the account used to bind to LDAP server in
order to find the user distinguished name (dn) was refused by the
server
- •
- PE_BADCREDENTIALS: bad login or password
- •
- PE_LDAPERROR: abnormal error from ldap
- •
- PE_APACHESESSIONERROR: abnormal error from Apache::Session
- •
- PE_FIRSTACCESS: First access to the portal
- •
- PE_BADCERTIFICATE: Wrong certificate
- •
- PE_PP_ACCOUNT_LOCKED: account locked
- •
- PE_PP_PASSWORD_EXPIRED: password axpired
- •
- PE_CERTIFICATEREQUIRED: certificate required
- •
- PE_ERROR: unclassified error
SEE ALSO¶
Lemonldap::NG::Handler, Lemonldap::NG::Portal::SharedConf, CGI,
<
http://lemonldap-ng.org/>
AUTHOR¶
- Clement Oudot, <clem.oudot@gmail.com>
- Francois-Xavier Deltombe, <fxdeltombe@gmail.com.>
- Xavier Guimard, <x.guimard@free.fr>
- Sandro Cazzaniga, <cazzaniga.sandro@gmail.com>
- Thomas Chemineau, <thomas.chemineau@gmail.com>
BUG REPORT¶
Use OW2 system to report bug or ask for features: <
http://jira.ow2.org>
DOWNLOAD¶
Lemonldap::NG is available at
<
http://forge.objectweb.org/project/showfiles.php?group_id=274>
COPYRIGHT AND LICENSE¶
- Copyright (C) 2006, 2007, 2008, 2009, 2010, 2012 by Xavier Guimard,
<x.guimard@free.fr>
- Copyright (C) 2012 by Sandro Cazzaniga,
<cazzaniga.sandro@gmail.com>
- Copyright (C) 2012, 2012, 2013 by Francois-Xavier Deltombe,
<fxdeltombe@gmail.com.>
- Copyright (C) 2006, 2008, 2009, 2010, 2011, 2012, 2012, 2013 by Clement
Oudot, <clem.oudot@gmail.com>
- Copyright (C) 2010, 2011 by Thomas Chemineau,
<thomas.chemineau@gmail.com>
This library is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
this program. If not, see <
http://www.gnu.org/licenses/>.