jifty::plugin::authzldap(3pm) [debian man page]

Jifty::Plugin::AuthzLDAP(3pm)				User Contributed Perl Documentation			     Jifty::Plugin::AuthzLDAP(3pm)

NAME

       Jifty::Plugin::AuthzLDAP - Jifty plugin to a add dynamic ldap authorization

DESCRIPTION

       Jifty plugin.  Provide ldap authorization with filters table and cache.

CONFIGURATION NOTES

       in etc/config.yml
	 Plugins:
	   - AuthzLDAP:
	      LDAPbind: cn=testldap,ou=admins,dc=myorg,dc=org #
	      LDAPpass: test		       # password
	      LDAPhost: ldap.myorg.org	       # ldap host
	      LDAPbase: ou=people,dc=myorg..   # ldap base
	      LDAPuid: uid		       # optional
	      CacheTimout: 20		       # minutes, optional, default 20 minutes

       in application create a LDAPFilter model
	       use base qw/Jifty::Plugin::AuthzLDAP::Model::LDAPFilter/;

       in LDAPFilter model create your filters, something like
	name	|filter 			|is_group
	is_admin|(!eduPersonAffiliation=STUDENT)|0
	in_admin|cn=admin,ou=groups,dc=my.org	|1

       to protect access to /admin in "TestApp" application create a lib/TestApp/Dispatcher.pm

	   use strict;
	   use warnings;

	   package TestApp::Dispatcher;
	   use Jifty::Dispatcher -base;

	   before '/admin/*' => run {
	      # Authentication
	      Jifty->web->tangent(url => '/login')
		   if (! Jifty->web->current_user->id);
	      # Authorization
	      my $user = Jifty->web->current_user->user_object->name;
	      Jifty->web->tangent(url => '/error/AccessDenied')
		   if (! Jifty::Plugin::AuthzLDAP->ldapvalidate($user,'is_admin') );
	   };

	   1

SEE ALSO

       Net::LDAP

METHODS

   init
       load config parameters, connect to ldap, create memory cache

   BASE CACHE DN  LDAP BASE UID PASS LDAPFilterClass
       accesors to conf parametres

   bind
       Bind to ldap

   ldapvalidate NAME FILTERNAME
       return 1 if NAME validate FILTER or NAME-FILTERNAME in cache else return 0

       If FILTERNAME is flagged as is_group, search if user is uniquemember of this group as supported by the Netscape Directory Server

AUTHOR

       Yves Agostini, <yvesago@cpan.org>

LICENSE

       Copyright 2007-2009 Yves Agostini. All Rights Reserved.

       This program is free software and may be modified and distributed under the same terms as Perl itself.

perl v5.10.0							    2009-05-15					     Jifty::Plugin::AuthzLDAP(3pm)

Jifty::Plugin::Authentication::Ldap(3pm)		User Contributed Perl Documentation		  Jifty::Plugin::Authentication::Ldap(3pm)

NAME

       Jifty::Plugin::Authentication::Ldap - LDAP Authentication Plugin for Jifty

DESCRIPTION

       CAUTION: This plugin is experimental.

       This may be combined with the User Mixin to provide user accounts and ldap password authentication to your application.

       When a new user authenticates using this plugin, a new User object will be created automatically.  The "name" and "email" fields will be
       automatically populated with LDAP data.

       in etc/config.yml

	 Plugins:
	   - Authentication::Ldap:
	      LDAPhost: ldap.univ.fr	       # ldap server
	      LDAPbase: ou=people,dc=.....     # base ldap
	      LDAPName: displayname	       # name to be displayed (cn givenname)
	      LDAPMail: mailLocalAddress       # email used optional
	      LDAPuid: uid		       # optional

       Then create a user model

	 jifty model --name=User

       and edit lib/App/Model/User.pm to look something like this:

	 use strict;
	 use warnings;

	 package Venice::Model::User;

	 use Jifty::DBI::Schema;
	 use Venice::Record schema {
	       # More app-specific user columns go here
	 };

	 use Jifty::Plugin::User::Mixin::Model::User;
	 use Jifty::Plugin::Authentication::Ldap::Mixin::Model::User;

	 sub current_user_can {
	     my $self = shift;
	     my $type = shift;
	     my %args = (@_);

	   return 1 if
		 $self->current_user->is_superuser;

	   # all logged in users can read this table
	   return 1
	       if ($type eq 'read' && $self->current_user->id);

	   return $self->SUPER::current_user_can($type, @_);
	 };

	 1;

   ACTIONS
       This plugin will add the following actions to your application.	For testing you can access these from the Admin plugin.

       Jifty::Plugin::Authentication::Ldap::Action::LDAPLogin
	   The login path is "/ldaplogin".

       Jifty::Plugin::Authentication::Ldap::Action::LDAPLogout
	   The logout path is "/ldaplogout".

   METHODS
   prereq_plugins
       This plugin depends on the User Mixin.

   Configuration
       The following options are available in your "config.yml" under the Authentication::Ldap Plugins section.

       "LDAPhost"
	   Your LDAP server.

       "LDAPbase"
	   [Mandatory] The base object where your users live. If "LDAPBindTemplate" is defined, "LDAPbase" is only used for user search.

       "LDAPBindTemplate"
	   Alternatively to "LDAPbase", you can specify here the whole DN string, with %u as a placeholder for UID.

       "LDAPMail"
	   The DN that your organization uses to store Email addresses.  This gets copied into the User object as the "email".

       "LDAPName"
	   The DN that your organization uses to store Real Name.  This gets copied into the User object as the "name".

       "LDAPuid"
	   The DN that your organization uses to store the user ID.  Usually "cn".  This gets copied into the User object as the "ldap_id".

       "LDAPOptions"
	   These options get passed through to Net::LDAP.

	   Default Options :

	    debug   => 0
	    onerror => undef
	    async   => 1

	   Other options you may want :

	    timeout => 30

	   See "Net::LDAP" for a full list.  You can overwrite the defaults selectively or not at all.

       "LDAPLoginHooks"
	   Optional list of Perl functions that would be called after a successful login and after a corresponding User object is loaded and
	   updated. The function is called with a hash array arguments, as follows:

	     username => string
	     user_object => User object
	     ldap => Net::LDAP object
	     infos => User attributes as returned by get_infos

       "LDAPFetchUserAttr"
	   Optional list of LDAP user attributes fetched by get_infos. The values are returned to the login hook as arrayrefs.

   Example
       The following example authenticates the application against a MS Active Directory server for the domain MYDOMAIN. Each user entry has the
       attribute 'department' which is used for authorization. "LDAPbase" is used for user searching, and binding is done in a Microsoft way. The
       login hook checks if the user belongs to specific departments and updates the user record.

	######
	#   etc/config.yml:
	 Plugins:
	   - User: {}
	   - Authentication::Ldap:
	      LDAPhost: ldap1.mydomain.com
	      LDAPbase: 'DC=mydomain,DC=com'
	      LDAPBindTemplate: 'MYDOMAIN\%u'
	      LDAPName: displayName
	      LDAPMail: mail
	      LDAPuid: cn
	      LDAPFetchUserAttr:
		- department
	      LDAPLoginHooks:
		- 'Myapp::Model::User::ldap_login_hook'

	 ######
	 #  package Myapp::Model::User;
	 sub ldap_login_hook
	 {
	     my %args = @_;

	     my $u = $args{'user_object'};
	     my $department = $args{'infos'}->{'department'}[0];

	     my $editor = 0;
	     if( $department eq 'NOC' or
		 $department eq 'ENGINEERING' )
	     {
		 $editor = 1;
	     }

	     $u->__set( column => 'is_content_editor', value => $editor );
	 }

SEE ALSO

       Jifty::Manual::AccessControl, Jifty::Plugin::User::Mixin::Model::User, Net::LDAP

AUTHORS

       Yves Agostini, <yvesago@cpan.org>, Stanislav Sinyagin

       and others authors from Jifty (maxbaker, clkao, sartak, alexmv)

LICENSE

       Copyright 2007-2010 Yves Agostini. All Rights Reserved.

       This program is free software and may be modified and distributed under the same terms as Perl itself.

perl v5.10.1							    2010-09-15				  Jifty::Plugin::Authentication::Ldap(3pm)