Use GSSAPI authentication for the WebPanel service.

3 files changed, 24 insertions, 18 deletions

diff --git a/INSTALL b/INSTALL
index c4bc314..885b217 100644
--- a/INSTALL
+++ b/INSTALL
@@ -15,7 +15,7 @@ apt-get install libcgi-application-perl \
 
 # Fripost Schema
 apt-get install libnet-ldap-perl \
-                libauthen-sasl-perl \
+                libauthen-sasl-perl libauthen-sasl-cyrus-perl \
                 libemail-valid-perl \
                 libdigest-perl \
                 libstring-mkpasswd-perl \
diff --git a/config.in b/config.in
index c2011d1..da19ad1 100644
--- a/config.in
+++ b/config.in
@@ -1,9 +1,7 @@
 # This is the custom configuration for the Fripost Administration Panel,
 # which takes precedence over the default configuration in 'default.in'.
 
-
-# TODO: The secure flag should be left on on HTTPS connections.
-secure_cookie = 0
+secure_cookie = 1
 
 # Where the error reports should be sent to.
 report_email = admin@fripost.org
@@ -14,9 +12,14 @@ default_realm = fripost.org
 # The LDAP suffix that will be appended to bind and search DN:s.
 ldap_suffix = ou=virtual,o=mailHosting,dc=fripost,dc=dev
 
-# TODO: This should be replaced with a Keberos ticket.
-ldap_authcID = AdminWebPanel@fripost.org
-ldap_authcPW = panel
+# The authentication ID for SASL binds. This has to be a kerberos
+# principal, and a ticket has to be cached for the user running the
+# program.
+krb5_principal = AdminWebPanel/fripost.org@FRIPOST.ORG
+
+# The hostname associated with the 'ldap/...' principal. (Probably the
+# fqdn of the machine running slapd).
+krb5_host = gnu.friprogramvarusyndikatet.se
 
 # The minimum password length.
 password_min_length = 12
@@ -26,5 +29,5 @@ gpg_private_key_id = ECFA6E43
 gpg_private_key_passphrase = xxxxxxxxxxxx
 
 # URL prefixes of the admin web interface for the list managers.
-listurl_mailman = http://smtp.fripost.org/cgi-bin/mailman/admin/
-listurl_schleuder = http://smtp.fripost.org/
+listurl_mailman = https://lists.fripost.org/mailman/admin/
+listurl_schleuder = https://lists.fripost.org/schleuder/
diff --git a/lib/Fripost/Schema.pm b/lib/Fripost/Schema.pm
index 35c69e2..a0730f9 100644
--- a/lib/Fripost/Schema.pm
+++ b/lib/Fripost/Schema.pm
@@ -34,9 +34,10 @@ use Net::IDN::Encode qw/email_to_ascii/;
 
 =item B<SASLauth> (I<username>, I<CFG>)
 
-Start a LDAP connection, and SASL-authenticate using proxy
-authentication for the given (fully-qualified) user. I<CFG> should
-contain definitions for the LDAP suffix and the authentication ID.
+Start a LDAP connection, and SASL-authenticate (with the GSSAPI
+mechanism) using proxy authentication for the given (fully-qualified)
+user. I<CFG> should contain definitions for the LDAP suffix and the
+authentication ID.
 
 =cut
 
@@ -51,12 +52,14 @@ sub SASLauth {
     $self->ldap( Net::LDAP::->new( $cfg{ldap_uri}, async => 1 ) );
 
     my $sasl = Authen::SASL::->new(
-                   mechanism => 'DIGEST-MD5',
-                   callback => { user => $cfg{ldap_authcID}
-                               , pass => $cfg{ldap_authcPW}
-                               , authname => 'dn:'.$self->whoami }
+                   mechanism => 'GSSAPI',
+                   callback => { user => 'dn:'.$self->whoami
+                               , authname => $cfg{krb5_principal} }
     );
-    my $mesg = $self->ldap->bind( sasl => $sasl );
+    my $conn = $sasl->client_new('ldap', $cfg{krb5_host} );
+    die $conn->error if $conn->code;
+
+    my $mesg = $self->ldap->bind( '', sasl => $conn );
     # This is not supposed to happen.
     die $mesg->error if $mesg->code;
 
@@ -66,7 +69,7 @@ sub SASLauth {
 
 =item B<auth> (I<username>, I<password>, I<CFG>)
 
-Start a LDAP connection, and (simples-) binds the given user.
+Start a LDAP connection, and (simple-) binds the given user.
 I<CFG> should contain definitions for the LDAP suffix and URI.
 
 =cut