author | Guilhem Moulin <guilhem.moulin@fripost.org> | 2012-09-24 23:40:27 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem.moulin@fripost.org> | 2012-09-24 23:40:27 +0200 |
commit | c5abfa216d18d374e493fd309a1f4748af094e50 (patch) | |
tree | 2bdc0d4f4f8e9d6a5548433ff38c286ca8195acb /lib | |
parent | 33364b4a63d9082eed3a956f7a1567f343839999 (diff) |
Use GSSAPI authentication for the WebPanel service.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/Fripost/Schema.pm | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/lib/Fripost/Schema.pm b/lib/Fripost/Schema.pm
index 35c69e2..a0730f9 100644
--- a/lib/Fripost/Schema.pm
+++ b/lib/Fripost/Schema.pm
@@ -34,9 +34,10 @@ use Net::IDN::Encode qw/email_to_ascii/;
 =item B<SASLauth> (I<username>, I<CFG>)
-Start a LDAP connection, and SASL-authenticate using proxy
-authentication for the given (fully-qualified) user. I<CFG> should
-contain definitions for the LDAP suffix and the authentication ID.
+Start a LDAP connection, and SASL-authenticate (with the GSSAPI
+mechanism) using proxy authentication for the given (fully-qualified)
+user. I<CFG> should contain definitions for the LDAP suffix and the
+authentication ID.
 =cut
@@ -51,12 +52,14 @@ sub SASLauth {
 $self->ldap( Net::LDAP::->new( $cfg{ldap_uri}, async => 1 ) );
 my $sasl = Authen::SASL::->new(
- mechanism => 'DIGEST-MD5',
- callback => { user => $cfg{ldap_authcID}
- , pass => $cfg{ldap_authcPW}
- , authname => 'dn:'.$self->whoami }
+ mechanism => 'GSSAPI',
+ callback => { user => 'dn:'.$self->whoami
+ , authname => $cfg{krb5_principal} }
 );
- my $mesg = $self->ldap->bind( sasl => $sasl );
+ my $conn = $sasl->client_new('ldap', $cfg{krb5_host} );
+ die $conn->error if $conn->code;
+
+ my $mesg = $self->ldap->bind( '', sasl => $conn );
 # This is not supposed to happen.
 die $mesg->error if $mesg->code;
@@ -66,7 +69,7 @@ sub SASLauth {
 =item B<auth> (I<username>, I<password>, I<CFG>)
-Start a LDAP connection, and (simples-) binds the given user.
+Start a LDAP connection, and (simple-) binds the given user.
 I<CFG> should contain definitions for the LDAP suffix and URI.
 =cut |
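Review bot: The GSSAPI target in `$sasl->client_new('ldap', $cfg{krb5_host} )` is built from a config key separate from the `$cfg{ldap_uri}` the connection itself uses, so nothing ties the service ticket for `ldap/<krb5_host>` to the host actually connected, and a missing key would presumably surface only indirectly through `$conn->code`, if at all. A guard before the call, `die "krb5_host and krb5_principal must be set in CFG" unless defined $cfg{krb5_host} and defined $cfg{krb5_principal};`, gives a clear failure, and deriving the host from `ldap_uri` would remove the drift altogether. The comment `# This is not supposed to happen.` above `die $mesg->error if $mesg->code;` no longer holds: with GSSAPI there is no password in the callback, so the bind fails whenever the Kerberos credentials for `krb5_principal` are missing or expired, and the comment should say so, e.g. `# Fails when the Kerberos credentials for krb5_principal are missing or expired.`. The POD updated in the first hunk still lists only the LDAP suffix and the authentication ID; it should also name `krb5_principal` and `krb5_host` and state that the caller must already hold valid Kerberos credentials. SASLauth's body starts and continues outside the hunk.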