Use GSSAPI authentication for the WebPanel service.

1 files changed, 12 insertions, 9 deletions

diff --git a/lib/Fripost/Schema.pm b/lib/Fripost/Schema.pm
index 35c69e2..a0730f9 100644
--- a/lib/Fripost/Schema.pm
+++ b/lib/Fripost/Schema.pm
@@ -34,9 +34,10 @@ use Net::IDN::Encode qw/email_to_ascii/;
 
 =item B<SASLauth> (I<username>, I<CFG>)
 
-Start a LDAP connection, and SASL-authenticate using proxy
-authentication for the given (fully-qualified) user. I<CFG> should
-contain definitions for the LDAP suffix and the authentication ID.
+Start a LDAP connection, and SASL-authenticate (with the GSSAPI
+mechanism) using proxy authentication for the given (fully-qualified)
+user. I<CFG> should contain definitions for the LDAP suffix and the
+authentication ID.
 
 =cut
 
@@ -51,12 +52,14 @@ sub SASLauth {
     $self->ldap( Net::LDAP::->new( $cfg{ldap_uri}, async => 1 ) );
 
     my $sasl = Authen::SASL::->new(
-                   mechanism => 'DIGEST-MD5',
-                   callback => { user => $cfg{ldap_authcID}
-                               , pass => $cfg{ldap_authcPW}
-                               , authname => 'dn:'.$self->whoami }
+                   mechanism => 'GSSAPI',
+                   callback => { user => 'dn:'.$self->whoami
+                               , authname => $cfg{krb5_principal} }
     );
-    my $mesg = $self->ldap->bind( sasl => $sasl );
+    my $conn = $sasl->client_new('ldap', $cfg{krb5_host} );
+    die $conn->error if $conn->code;
+
+    my $mesg = $self->ldap->bind( '', sasl => $conn );
     # This is not supposed to happen.
     die $mesg->error if $mesg->code;
 
@@ -66,7 +69,7 @@ sub SASLauth {
 
 =item B<auth> (I<username>, I<password>, I<CFG>)
 
-Start a LDAP connection, and (simples-) binds the given user.
+Start a LDAP connection, and (simple-) binds the given user.
 I<CFG> should contain definitions for the LDAP suffix and URI.
 
 =cut