|
|
(2 intermediate revisions by one other user not shown) |
Line 1: |
Line 1: |
− | == LDAP Authentication and Provisioning example ==
| + | #REDIRECT [[LDAP]] |
− | Here's an example of a customized <tt>/opt/eprints3/archives/ARCHIVEID/cfg/cfg.d/user_login.pl</tt>
| |
− | * allowing LDAP accounts to login, using the "Advanced LDAP Configuration" example
| |
− | * allowing the local eprints admin account to login w/ database authentication
| |
− | * creating eprints accounts for all successfully authenticated LDAP users ''on the fly''
| |
− | Most of the code is from the default <tt>user_login.pl</tt> and from the [http://files.eprints.org/27/1/update_users update_users] script.
| |
− | | |
− | Be sure to only use this over [[HTTPS]]!
| |
− | | |
− | $c->{check_user_password} = sub {
| |
− | my( $session, $username, $password ) = @_;
| |
− |
| |
− | # LDAP authentication for "user", "editor" and "admin" types (roles)
| |
− |
| |
− | use Net::LDAP; # IO::Socket::SSL also required
| |
− |
| |
− | # LDAP tunables
| |
− | my $ldap_host = "ldap.example.org";
| |
− | my $base = "dc=example,dc=org";
| |
− | my $dn = "cn=someProxyAccount,ou=accounts,$base";
| |
− |
| |
− | my $ldap = Net::LDAP->new ( $ldap_host, version => 3 );
| |
− | unless( $ldap )
| |
− | {
| |
− | print STDERR "LDAP error: $@\n";
| |
− | return 0;
| |
− | }
| |
− |
| |
− | # Start secure connection (not needed if using LDAPS)
| |
− | my $ssl = $ldap->start_tls();
| |
− | if( $ssl->code() )
| |
− | {
| |
− | print STDERR "LDAP SSL error: " . $ssl->error() . "\n";
| |
− | return 0;
| |
− | }
| |
− |
| |
− | # Get password for the search-bind-account
| |
− | my $repository = $session->get_repository;
| |
− | my $id = $repository->get_id;
| |
− | my $ldappass = `cat /opt/eprints3/archives/$id/cfg/ldap.passwd`;
| |
− | chomp($ldappass);
| |
− |
| |
− | my $mesg = $ldap->bind( $dn, password=>$password );
| |
− | if( $mesg->code() )
| |
− | {
| |
− | print STDERR "LDAP Bind error: " . $mesg->error() . "\n";
| |
− | return 0;
| |
− | }
| |
− |
| |
− | # Distinguished name (and attribues needed later on) for this user
| |
− | my $result = $ldap->search (
| |
− | base => "$base",
| |
− | scope => "sub",
| |
− | filter => "(&(uid=$username)(objectclass=inetOrgPerson))",
| |
− | attrs => ['1.1', 'uid', 'sn', 'givenname', 'mail'],
| |
− | sizelimit=>1
| |
− | );
| |
− | my $entr = $result->pop_entry;
| |
− | unless( defined $entr )
| |
− | {
| |
− | # Allow local EPrints authentication for admins (accounts not found in LDAP)
| |
− | my $user = EPrints::DataObj::User::user_with_username( $session, $username );
| |
− | return 0 unless $user;
| |
− |
| |
− | my $user_type = $user->get_type;
| |
− | if( $user_type eq "admin" )
| |
− | {
| |
− | # internal authentication for "admin" type
| |
− | return $session->get_database->valid_login( $username, $password );
| |
− | }
| |
− | return 0;
| |
− | }
| |
− | my $ldap_dn = $entr->dn;
| |
− |
| |
− | # Check password
| |
− | my $mesg = $ldap->bind( $ldap_dn, password => $password );
| |
− | if( $mesg->code() )
| |
− | {
| |
− | return 0;
| |
− | }
| |
− |
| |
− | # Does account already exist?
| |
− | my $user = EPrints::DataObj::User::user_with_username( $session, $username );
| |
− | if( !defined $user )
| |
− | {
| |
− | # New account
| |
− | $user = EPrints::DataObj::User::create( $session, "user" );
| |
− | $user->set_value( "username", $username );
| |
− | }
| |
− |
| |
− | # Set metadata
| |
− | my $name = {};
| |
− | $name->{family} = $entr->get_value( "sn" );
| |
− | $name->{given} = $entr->get_value( "givenName" );
| |
− | $user->set_value( "name", $name );
| |
− | $user->set_value( "username", $username );
| |
− | $user->set_value( "email", $entr->get_value( "mail" ) );
| |
− | $user->commit();
| |
− |
| |
− | $ldap->unbind if $ldap;
| |
− |
| |
− | return 1;
| |
− | }
| |
− | | |
− | == things to note ==
| |
− | * This script uses a dedicated proxy account which must exist in your LDAP tree and has appropriate permissions (ACL settings) to search for users and read their <tt>uid,givenname,sn,mail</tt> attributes.
| |
− | * It get's this proxy accounts' password from a file inside the repository configuration. this file needs to have read permissions for the user your webserver runs as (e.g. <tt>www-data</tt> on Debian). Use file system permissions to protect this (e.g. <tt>chmod 400 ldap.passwd</tt>).
| |
− | * It changes the flow of <tt>user_login.pl</tt> a little to only check for local ''admin'' accounts (no users or editors; we have them all in our LDAP tree) and only when no user is found for ldap authentication. This allows you to have your admins in LDAP (if you want) but still use the local admin for "promoting" other users to admins, among other things. If you don't need the local admin, remove those lines and just <tt>return 0</tt>.
| |
− | * you could change the default role for generated user accounts from <tt>user</tt>, if you really wanted.
| |
− | | |
− | == possible enhancements ==
| |
− | * Currently this script does not remove local eprints accounts from the database. If you limited login to EPrints with an LDAP attribute (e.g. <tt>allowedServices=eprints</tt>) you could authenticate first (without filtering for this attribute) and in the case of successful authentication check for the existance of the <tt>allowedServices</tt> attribute. If it's missing delete the local eprints user account (e.g. <tt>$user->remove</tt>) and <tt>return 0</tt>.
| |