Difference between revisions of "LDAP user login.pl"
m (→LDAP Authentication and Provisioning example: $id probably has not trailing \n) |
m (→possible enhancements: more relevant use case) |
||
Line 110: | Line 110: | ||
== possible enhancements == | == possible enhancements == | ||
− | + | === removing stale accounts === | |
+ | Currently this script does not remove local eprints accounts from the database: when accounts get deleted from the LDAP database the corresponding local EPrints accounts sit around forever. But since login isn't possible anymore this is not a risk or of high priority. | ||
+ | |||
+ | Depending on your situation it may be enough to run some kind of cleanup script, e.g. once a year, that get's a list of all local EPrints accounts, loops over them and <code>$user->remove</code>s all those, which cannot be found in LDAP anymore (except for those where <code>$user_type eq 'admin'</code>, so you don't risk losing your local admins). |
Revision as of 22:48, 24 April 2007
Contents
LDAP Authentication and Provisioning example
Here's an example of a customized /opt/eprints3/archives/ARCHIVEID/cfg/cfg.d/user_login.pl
- allowing LDAP accounts to login, using the "Advanced LDAP Configuration" example
- allowing the local eprints admin account to login w/ database authentication
- creating eprints accounts for all successfully authenticated LDAP users on the fly
Most of the code is from the default user_login.pl and from the update_users script.
Be sure to only use this over HTTPS!
$c->{check_user_password} = sub { my( $session, $username, $password ) = @_; # LDAP authentication for "user", "editor" and "admin" types (roles) use Net::LDAP; # IO::Socket::SSL also required # LDAP tunables my $ldap_host = "ldap.example.org"; my $base = "dc=example,dc=org"; my $dn = "cn=someProxyAccount,ou=accounts,$base"; my $ldap = Net::LDAP->new ( $ldap_host, version => 3 ); unless( $ldap ) { print STDERR "LDAP error: $@\n"; return 0; } # Start secure connection (not needed if using LDAPS) my $ssl = $ldap->start_tls(); if( $ssl->code() ) { print STDERR "LDAP SSL error: " . $ssl->error() . "\n"; return 0; } # Get password for the search-bind-account my $repository = $session->get_repository; my $id = $repository->get_id; my $ldappass = `cat /opt/eprints3/archives/$id/cfg/ldap.passwd`; chomp($ldappass); my $mesg = $ldap->bind( $dn, password=>$password ); if( $mesg->code() ) { print STDERR "LDAP Bind error: " . $mesg->error() . "\n"; return 0; } # Distinguished name (and attribues needed later on) for this user my $result = $ldap->search ( base => "$base", scope => "sub", filter => "(&(uid=$username)(objectclass=inetOrgPerson))", attrs => ['1.1', 'uid', 'sn', 'givenname', 'mail'], sizelimit=>1 ); my $entr = $result->pop_entry; unless( defined $entr ) { # Allow local EPrints authentication for admins (accounts not found in LDAP) my $user = EPrints::DataObj::User::user_with_username( $session, $username ); return 0 unless $user; my $user_type = $user->get_type; if( $user_type eq "admin" ) { # internal authentication for "admin" type return $session->get_database->valid_login( $username, $password ); } return 0; } my $ldap_dn = $entr->dn; # Check password my $mesg = $ldap->bind( $ldap_dn, password => $password ); if( $mesg->code() ) { return 0; } # Does account already exist? my $user = EPrints::DataObj::User::user_with_username( $session, $username ); if( !defined $user ) { # New account $user = EPrints::DataObj::User::create( $session, "user" ); $user->set_value( "username", $username ); } # Set metadata my $name = {}; $name->{family} = $entr->get_value( "sn" ); $name->{given} = $entr->get_value( "givenName" ); $user->set_value( "name", $name ); $user->set_value( "username", $username ); $user->set_value( "email", $entr->get_value( "mail" ) ); $user->commit(); $ldap->unbind if $ldap; return 1; }
things to note
- This script uses a dedicated proxy account which must exist in your LDAP tree and has appropriate permissions (ACL settings) to search for users and read their uid,givenname,sn,mail attributes.
- It get's this proxy accounts' password from a file inside the repository configuration. this file needs to have read permissions for the user your webserver runs as (e.g. www-data on Debian). Use file system permissions to protect this (e.g. chmod 400 ldap.passwd).
- It changes the flow of user_login.pl a little to only check for local admin accounts (no users or editors; we have them all in our LDAP tree) and only when no user is found for ldap authentication. This allows you to have your admins in LDAP (if you want) but still use the local admin for "promoting" other users to admins, among other things. If you don't need the local admin, remove those lines and just return 0.
- you could change the default role for generated user accounts from user, if you really wanted.
possible enhancements
removing stale accounts
Currently this script does not remove local eprints accounts from the database: when accounts get deleted from the LDAP database the corresponding local EPrints accounts sit around forever. But since login isn't possible anymore this is not a risk or of high priority.
Depending on your situation it may be enough to run some kind of cleanup script, e.g. once a year, that get's a list of all local EPrints accounts, loops over them and $user->remove
s all those, which cannot be found in LDAP anymore (except for those where $user_type eq 'admin'
, so you don't risk losing your local admins).