From c5abfa216d18d374e493fd309a1f4748af094e50 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Mon, 24 Sep 2012 23:40:27 +0200
Subject: Use GSSAPI authentication for the WebPanel service.
---
 INSTALL | 2 +-
 config.in | 19 +++++++++++--------
 lib/Fripost/Schema.pm | 21 ++++++++++++---------
 3 files changed, 24 insertions(+), 18 deletions(-)
diff --git a/INSTALL b/INSTALL
index c4bc314..885b217 100644
--- a/INSTALL
+++ b/INSTALL
@@ -15,7 +15,7 @@ apt-get install libcgi-application-perl \
 # Fripost Schema
 apt-get install libnet-ldap-perl \
- libauthen-sasl-perl \
+ libauthen-sasl-perl libauthen-sasl-cyrus-perl \
 libemail-valid-perl \
 libdigest-perl \
 libstring-mkpasswd-perl \
diff --git a/config.in b/config.in
index c2011d1..da19ad1 100644
--- a/config.in
+++ b/config.in
@@ -1,9 +1,7 @@
 # This is the custom configuration for the Fripost Administration Panel,
 # which takes precedence over the default configuration in 'default.in'.
-
-# TODO: The secure flag should be left on on HTTPS connections.
-secure_cookie = 0
+secure_cookie = 1
 # Where the error reports should be sent to.
 report_email = admin@fripost.org
@@ -14,9 +12,14 @@ default_realm = fripost.org
 # The LDAP suffix that will be appended to bind and search DN:s.
 ldap_suffix = ou=virtual,o=mailHosting,dc=fripost,dc=dev
-# TODO: This should be replaced with a Keberos ticket.
-ldap_authcID = AdminWebPanel@fripost.org
-ldap_authcPW = panel
+# The authentication ID for SASL binds. This has to be a kerberos
+# principal, and a ticket has to be cached for the user running the
+# program.
+krb5_principal = AdminWebPanel/fripost.org@FRIPOST.ORG
+
+# The hostname associated with the 'ldap/...' principal. (Probably the
+# fqdn of the machine running slapd).
+krb5_host = gnu.friprogramvarusyndikatet.se
 # The minimum password length.
 password_min_length = 12
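Review bot: `krb5_host = gnu.friprogramvarusyndikatet.se` in the second config.in hunk introduces a second place that names the LDAP server, next to the existing `ldap_uri` that Schema.pm reads, and nothing ties the two together; if they drift, the client asks for a service ticket for `ldap/<krb5_host>` while talking to the host in `ldap_uri`, and the GSSAPI bind fails with a message that points at Kerberos rather than at the config. The comment above it hedges ("Probably the fqdn of the machine running slapd"), which is exactly the operator guidance that should be firm: the value is the host component of the `ldap/...` service principal slapd holds a key for, and it normally equals the host in `ldap_uri`. I would replace those two comment lines with `# Host part of the 'ldap/<host>' service principal that slapd holds a key for.` and `# It must agree with the host named in ldap_uri.`.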
@@ -26,5 +29,5 @@ gpg_private_key_id = ECFA6E43
 gpg_private_key_passphrase = xxxxxxxxxxxx
 # URL prefixes of the admin web interface for the list managers.
-listurl_mailman = http://smtp.fripost.org/cgi-bin/mailman/admin/
-listurl_schleuder = http://smtp.fripost.org/
+listurl_mailman = https://lists.fripost.org/mailman/admin/
+listurl_schleuder = https://lists.fripost.org/schleuder/
diff --git a/lib/Fripost/Schema.pm b/lib/Fripost/Schema.pm
index 35c69e2..a0730f9 100644
--- a/lib/Fripost/Schema.pm
+++ b/lib/Fripost/Schema.pm
@@ -34,9 +34,10 @@ use Net::IDN::Encode qw/email_to_ascii/;
 =item B (I, I)
-Start a LDAP connection, and SASL-authenticate using proxy
-authentication for the given (fully-qualified) user. I should
-contain definitions for the LDAP suffix and the authentication ID.
+Start a LDAP connection, and SASL-authenticate (with the GSSAPI
+mechanism) using proxy authentication for the given (fully-qualified)
+user. I should contain definitions for the LDAP suffix and the
+authentication ID.
 =cut
@@ -51,12 +52,14 @@ sub SASLauth {
 $self->ldap( Net::LDAP::->new( $cfg{ldap_uri}, async => 1 ) );
 my $sasl = Authen::SASL::->new(
- mechanism => 'DIGEST-MD5',
- callback => { user => $cfg{ldap_authcID}
- , pass => $cfg{ldap_authcPW}
- , authname => 'dn:'.$self->whoami }
+ mechanism => 'GSSAPI',
+ callback => { user => 'dn:'.$self->whoami
+ , authname => $cfg{krb5_principal} }
 );
- my $mesg = $self->ldap->bind( sasl => $sasl );
+ my $conn = $sasl->client_new('ldap', $cfg{krb5_host} );
+ die $conn->error if $conn->code;
+
+ my $mesg = $self->ldap->bind( '', sasl => $conn );
 # This is not supposed to happen.
 die $mesg->error if $mesg->code;
@@ -66,7 +69,7 @@ sub SASLauth {
 =item B (I, I, I)
-Start a LDAP connection, and (simples-) binds the given user.
+Start a LDAP connection, and (simple-) binds the given user.
 I should contain definitions for the LDAP suffix and URI.
 =cut
--
cgit v1.2.3
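Review bot: In the SASLauth hunk, `$sasl->client_new('ldap', $cfg{krb5_host} )` hands a config value to the SASL library without checking that it is set, so a missing `krb5_host` presumably surfaces only as whatever `$conn->error` reports from inside the library instead of as a configuration error. A guard before the call, `die "krb5_host is not configured" unless defined $cfg{krb5_host};`, keeps the failure attributable, and the same applies to `$cfg{krb5_principal}` in the callback. `die $conn->error if $conn->code;` follows the existing bare `die $mesg->error` style, but it drops the fact that the failure occurred while setting up the GSSAPI client rather than during the bind, so `die 'SASL client_new: '.$conn->error if $conn->code;` would make the two failure points distinguishable in a log. The POD hunk above still tells callers that config must contain "the LDAP suffix and the authentication ID", while the code now reads `ldap_uri`, `krb5_principal` and `krb5_host`; the sentence should list those keys. SASLauth itself starts and ends outside the hunk.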