authorGuilhem Moulin <guilhem.moulin@fripost.org>2012-09-24 23:40:27 +0200
committerGuilhem Moulin <guilhem.moulin@fripost.org>2012-09-24 23:40:27 +0200
commitc5abfa216d18d374e493fd309a1f4748af094e50 (patch)
tree2bdc0d4f4f8e9d6a5548433ff38c286ca8195acb
parent33364b4a63d9082eed3a956f7a1567f343839999 (diff)
Use GSSAPI authentication for the WebPanel service.
-rw-r--r--INSTALL2
-rw-r--r--config.in19
-rw-r--r--lib/Fripost/Schema.pm21
3 files changed, 24 insertions, 18 deletions
diff --git a/INSTALL b/INSTALL
index c4bc314..885b217 100644
--- a/INSTALL
+++ b/INSTALL
@@ -15,7 +15,7 @@ apt-get install libcgi-application-perl \
# Fripost Schema
apt-get install libnet-ldap-perl \
- libauthen-sasl-perl \
+ libauthen-sasl-perl libauthen-sasl-cyrus-perl \
libemail-valid-perl \
libdigest-perl \
libstring-mkpasswd-perl \
diff --git a/config.in b/config.in
index c2011d1..da19ad1 100644
--- a/config.in
+++ b/config.in
@@ -1,9 +1,7 @@
# This is the custom configuration for the Fripost Administration Panel,
# which takes precedence over the default configuration in 'default.in'.
-
-# TODO: The secure flag should be left on on HTTPS connections.
-secure_cookie = 0
+secure_cookie = 1
# Where the error reports should be sent to.
report_email = admin@fripost.org
@@ -14,9 +12,14 @@ default_realm = fripost.org
# The LDAP suffix that will be appended to bind and search DN:s.
ldap_suffix = ou=virtual,o=mailHosting,dc=fripost,dc=dev
-# TODO: This should be replaced with a Keberos ticket.
-ldap_authcID = AdminWebPanel@fripost.org
-ldap_authcPW = panel
+# The authentication ID for SASL binds. This has to be a kerberos
+# principal, and a ticket has to be cached for the user running the
+# program.
+krb5_principal = AdminWebPanel/fripost.org@FRIPOST.ORG
+
+# The hostname associated with the 'ldap/...' principal. (Probably the
+# fqdn of the machine running slapd).
+krb5_host = gnu.friprogramvarusyndikatet.se
# The minimum password length.
password_min_length = 12
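Review bot: The `krb5_host` comment hedges with "Probably", but the value is not a guess: Schema.pm passes it as the service host in `client_new('ldap', $cfg{krb5_host})`, so it has to be exactly the host part of the `ldap/<host>` principal held in slapd's keytab, and a mismatch fails the bind rather than falling back. Suggest replacing the parenthetical with `# Must match the host part of slapd's 'ldap/<host>' service principal.` The `krb5_principal` comment says a ticket has to be cached for the user running the program; since nothing in this commit obtains or renews one, it would help to add that the credential cache must be kept fresh externally (for example by a scheduled kinit) and be readable by the uid the panel runs as.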
@@ -26,5 +29,5 @@ gpg_private_key_id = ECFA6E43
gpg_private_key_passphrase = xxxxxxxxxxxx
# URL prefixes of the admin web interface for the list managers.
-listurl_mailman = http://smtp.fripost.org/cgi-bin/mailman/admin/
-listurl_schleuder = http://smtp.fripost.org/
+listurl_mailman = https://lists.fripost.org/mailman/admin/
+listurl_schleuder = https://lists.fripost.org/schleuder/
diff --git a/lib/Fripost/Schema.pm b/lib/Fripost/Schema.pm
index 35c69e2..a0730f9 100644
--- a/lib/Fripost/Schema.pm
+++ b/lib/Fripost/Schema.pm
@@ -34,9 +34,10 @@ use Net::IDN::Encode qw/email_to_ascii/;
=item B<SASLauth> (I<username>, I<CFG>)
-Start a LDAP connection, and SASL-authenticate using proxy
-authentication for the given (fully-qualified) user. I<CFG> should
-contain definitions for the LDAP suffix and the authentication ID.
+Start a LDAP connection, and SASL-authenticate (with the GSSAPI
+mechanism) using proxy authentication for the given (fully-qualified)
+user. I<CFG> should contain definitions for the LDAP suffix and the
+authentication ID.
=cut
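Review bot: The updated POD still says I<CFG> should contain "the authentication ID", while the method now reads `$cfg{ldap_uri}`, `$cfg{krb5_principal}` and `$cfg{krb5_host}` in the following hunk; naming the keys keeps callers from supplying the removed `ldap_authcID`/`ldap_authcPW` pair. Suggest `I<CFG> should contain definitions for the LDAP URI and suffix, the Kerberos principal to authenticate as (C<krb5_principal>) and the host of slapd's C<ldap/> service principal (C<krb5_host>).` It would also be worth stating the precondition that a valid Kerberos ticket for C<krb5_principal> must already be in the process's credential cache, since the method does not acquire one itself.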
@@ -51,12 +52,14 @@ sub SASLauth {
$self->ldap( Net::LDAP::->new( $cfg{ldap_uri}, async => 1 ) );
my $sasl = Authen::SASL::->new(
- mechanism => 'DIGEST-MD5',
- callback => { user => $cfg{ldap_authcID}
- , pass => $cfg{ldap_authcPW}
- , authname => 'dn:'.$self->whoami }
+ mechanism => 'GSSAPI',
+ callback => { user => 'dn:'.$self->whoami
+ , authname => $cfg{krb5_principal} }
);
- my $mesg = $self->ldap->bind( sasl => $sasl );
+ my $conn = $sasl->client_new('ldap', $cfg{krb5_host} );
+ die $conn->error if $conn->code;
+
+ my $mesg = $self->ldap->bind( '', sasl => $conn );
# This is not supposed to happen.
die $mesg->error if $mesg->code;
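Review bot: The swap of the `user`/`authname` callback roles relative to the removed lines (`user` now carries the proxied DN, `authname` the Kerberos principal) is backend-specific and deserves a comment: with Authen::SASL::Cyrus, which the INSTALL hunk adds, `user` maps to SASL_CB_USER (the authorization identity) and `authname` to SASL_CB_AUTHNAME (the authenticating identity), whereas Authen::SASL::Perl documents `user` as the authentication name, so if the Perl backend were ever selected the proxy direction would presumably invert. Suggest `# Authen::SASL::Cyrus semantics: 'user' is the authzid (proxied DN), 'authname' the authcid.` above the callback hash. The new `die $conn->error if $conn->code;` also carries less context than the bind check below it; `die "SASL/GSSAPI client_new: " . $conn->error if $conn->code;` makes the failing stage identifiable in the error report. Nothing in the hunk acquires or refreshes a Kerberos ticket, so a missing or expired cache for the process user surfaces only as a bind failure here; noting that in the same comment helps whoever reads the report. SASLauth begins before this hunk and continues after it.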
@@ -66,7 +69,7 @@ sub SASLauth {
=item B<auth> (I<username>, I<password>, I<CFG>)
-Start a LDAP connection, and (simples-) binds the given user.
+Start a LDAP connection, and (simple-) binds the given user.
I<CFG> should contain definitions for the LDAP suffix and URI.
=cut