These are two Apache modules written in Perl that authenticate users and enforce access control based on groups (mailing list memberships) defined on a Sympa mailing list server. They can be used together, or separately in combination with third-party modules, to set up one of the following configurations:
Apache2::AuthNSympa - Authentication module using Sympa mailing lists server user passwords
Version 0.5.0
Because it is difficult to maintain an up-to-date authentication backend, this module authenticates users against a Sympa mailing list server.
A Sympa mailing list server has its own authentication system, which can be queried via a SOAP interface.
It is based on HTTP Basic authentication (a password popup on the client side). Once the user has authenticated, the REMOTE_USER environment variable contains the user's email address. The authentication module implements a SOAP client that validates user credentials against the Sympa SOAP server.
Sample httpd.conf example:
<Directory "/var/www/somewhere">
  AuthName SympaAuth
  AuthType Basic
  PerlSetVar SympaSoapServer http://mysympa.server/soap
  PerlSetVar MemcachedServer 10.219.213.24:11211
  # cache expiration time in seconds, default 1800
  PerlSetVar CacheExptime 3600
  PerlAuthenHandler Apache2::AuthNSympa
  require valid-user
</Directory>
Apache2::AuthZSympa - Authorization module based on group definition from a Sympa mailing list server
Version 0.5.0
This module is an authorization handler for Apache 2. Its authorization method relies on mailing list membership; it is designed for the Sympa mailing list software (http://sympa.org). The handler was initially designed to work with its peer authentication handler Apache2::AuthNSympa, which performs authentication against a Sympa SOAP server. It has since been extended to work with third-party Apache authentication modules:
This module needs the associated authentication handler to provide a trusted user email address; that address is then used to query list membership. Because some authentication modules (CAS) do not provide the user's email address, the authorization module can be configured to look it up in an LDAP directory. The name of the environment variable carrying the email address can also be configured (when used with Shibboleth).
Regardless of which authentication module is used, the following rules are needed in your Apache configuration file.
Of course, your mod_perl2 Apache module has to be correctly configured.
For example, in a Location section of your Apache configuration file, you have to put the following rules:
# URL of the Sympa SOAP server
PerlSetVar SympaSoapServer http://mysympa.server/soap
PerlAuthzHandler Apache2::AuthZSympa
# lists whose membership grants access (the user has to be a member of at least one of them)
require SympaLists sympa-users@demo.sympa.org,sympa-test@demo.sympa.org
# address and port of the memcached cache server (optional)
PerlSetVar MemcachedServer 10.219.213.24:11211
# cache expiration time in seconds for the cache server (default 1800)
PerlSetVar CacheExptime 3600
We provide a working example of a web page whose access is restricted to members of the test@cru.fr mailing list. You should subscribe to the test mailing list if you wish to try it: http://listes.cru.fr/sympa/info/test
The following page will request your email address and Sympa password: http://www.cru.fr/demo_authsympa/
Authentication with Apache2::AuthNSympa is based on HTTP Basic authentication (a password popup on the client side). Once the user has authenticated, the REMOTE_USER environment variable contains the user's email address. The authentication module implements a SOAP client that validates user credentials against the Sympa SOAP server. Example:
<Directory "/var/www/somewhere">
  AuthName SympaAuth
  AuthType Basic
  PerlSetVar SympaSoapServer http://mysympa.server/soap
  PerlAuthenHandler Apache2::AuthNSympa
  PerlAuthzHandler Apache2::AuthZSympa
  require valid-user
  require SympaLists sympa-users@demo.sympa.org,sympa-test@demo.sympa.org
</Directory>
mod_ssl can be used to authenticate users based on client certificates. Your mod_ssl configuration should look like this:
Because Apache does not consider mod_ssl an authentication handler, an authentication handler must still be declared. We recommend Apache2::AuthNSympa, because it is bypassed whenever “AuthType” is different from “Sympa”. The authentication handler will then get the expected user email address extracted from the certificate.
Example:
<Directory "/var/www/somewhere">
  SSLVerifyClient require
  SSLRequireSSL
  SSLOptions +StdEnvVars
  AuthType SSL
  PerlSetVar SympaSoapServer http://mysympa.server/soap
  PerlAuthenHandler Apache2::AuthNSympa
  PerlAuthzHandler Apache2::AuthZSympa
  require SympaLists sympa-users@demo.sympa.org,sympa-test@demo.sympa.org
</Directory>
CAS is a web single sign-on software developed by Yale University: http://www.ja-sig.org/products/cas/
CAS does not provide any email address. Therefore the authorization module first queries an LDAP directory to get the user's email address from his UID.
Example:
<Directory "/var/www/somewhere">
  AuthName SympaAuth
  AuthType CAS
  PerlSetVar SympaSoapServer http://mysympa.server/soap
  PerlSetVar MemcachedServer 10.219.213.24:11211
  # cache expiration time in seconds, default 1800
  PerlSetVar CacheExptime 3600
  ## LDAP settings used to retrieve the user email address;
  ## if the CAS uid is already an email address, these directives are not needed
  PerlSetVar LDAPHost ldap.localdomain
  PerlSetVar LDAPSuffix ou=people
  PerlSetVar LDAPEmailFilter (uid=[uid])
  PerlSetVar LDAPEmailAttribute mail
  PerlSetVar LDAPScope sub
  PerlAuthzHandler Apache2::AuthZSympa
  require valid-user
  require SympaLists sympa-users@demo.sympa.org,sympa-test@demo.sympa.org
</Directory>
Shibboleth is an open source software developed by Internet2: http://shibboleth.internet2.edu
By default, the mod_shib authentication module provides the user email address in the HTTP_SHIB_INETORGPERSON_MAIL HTTP header. The AuthZSympa module nevertheless provides a ShibbolethMailVar parameter to declare which HTTP header contains the user email address, if it is not the default one.
The following rules are required:
* AuthType shibboleth
* require valid-user
* ShibbolethMailVar (if not HTTP_SHIB_INETORGPERSON_MAIL)
Example:
<Directory "/var/www/somewhere">
  AuthType shibboleth
  PerlSetVar SympaSoapServer http://mysympa.server/soap
  PerlSetVar MemcachedServer 10.219.213.24:11211
  # cache expiration time in seconds, default 1800
  PerlSetVar CacheExptime 3600
  PerlSetVar ShibbolethMailVar HTTP_SHIB_INETORGPERSON_MAIL
  PerlAuthzHandler Apache2::AuthZSympa
  require valid-user
  require SympaLists sympa-users@demo.sympa.org,sympa-test@demo.sympa.org
</Directory>
Summary of the configuration directives:
# required: identifies the authentication type in use (CAS, SSL, Sympa or shibboleth)
AuthType CAS
# URL of the Sympa server SOAP interface, required
PerlSetVar SympaSoapServer http://mysympa.server/soap
# lists whose membership is verified for the user, required
require SympaLists list1@mydomain,list2@mydomain
# IP address and port of the memcached server, if one is used
PerlSetVar MemcachedServer 192.168.0.1:11211
# cache expiration time in seconds when a memcached server is used, default 1800
PerlSetVar CacheExptime 3600
# LDAP host for the CAS backend
PerlSetVar LDAPHost ldap.mydomain
# LDAP suffix (search base) used to query the LDAP backend
PerlSetVar LDAPSuffix o=people
# filter used to query the LDAP backend; [uid] is replaced with the uid provided by the CAS server
PerlSetVar LDAPEmailFilter (myIdAttribute=[uid])
# LDAP backend attribute containing the email address
PerlSetVar LDAPEmailAttribute mail
# LDAP search scope, default sub
PerlSetVar LDAPScope sub
# Shibboleth environment variable holding the email address; optional, default HTTP_SHIB_INETORGPERSON_MAIL
PerlSetVar ShibbolethMailVar HTTP_SHIB_INETORGPERSON_MAIL
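As an added illustration (not code from the modules themselves), the following Python sketch shows the three rules the directives above encode: the "require SympaLists" value is a comma-separated set of lists of which the user must belong to at least one, membership answers are cached for CacheExptime seconds (default 1800), and the CAS uid is substituted into the LDAPEmailFilter template. The membership table and the RFC 4515 filter escaping are constructed stand-ins; the real modules query the Sympa SOAP server and the LDAP directory.

```python
import re
import time

# Constructed membership table standing in for the Sympa SOAP server (not the real SOAP client).
SYMPA_MEMBERS = {
    "sympa-users@demo.sympa.org": {"alice@example.org"},
    "sympa-test@demo.sympa.org": {"alice@example.org", "bob@example.org"},
}

def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()" or ord(c) < 0x20 else c for c in value)

def build_email_filter(template, uid):
    """Substitute the CAS uid into an LDAPEmailFilter template such as '(uid=[uid])'."""
    return template.replace("[uid]", ldap_filter_escape(uid))

def parse_sympa_lists(require_line):
    """Parse 'require SympaLists a@x,b@y' into lowercased list addresses."""
    match = re.match(r"^\s*require\s+SympaLists\s+(\S+)", require_line)
    if not match:
        raise ValueError("not a 'require SympaLists' directive")
    return [a.strip().lower() for a in match.group(1).split(",") if a.strip()]

class MembershipCache:
    """(email, list) -> bool cache honoring CacheExptime, like the optional memcached server."""
    def __init__(self, exptime=1800, clock=time.time):
        self.exptime, self.clock, self.entries = exptime, clock, {}

    def get(self, key):
        hit = self.entries.get(key)  # (value, stored_at) or None
        return hit[0] if hit and self.clock() - hit[1] < self.exptime else None

    def set(self, key, value):
        self.entries[key] = (value, self.clock())

def authorize(email, required_lists, cache,
              lookup=lambda lst, who: who in SYMPA_MEMBERS.get(lst, set())):
    """Grant access if the user is a member of at least one of the required lists."""
    email = email.strip().lower()
    for list_address in required_lists:
        key = f"{email}|{list_address}"
        member = cache.get(key)
        if member is None:  # not cached or expired: ask Sympa and remember the answer
            member = bool(lookup(list_address, email))
            cache.set(key, member)
        if member:
            return True
    return False
```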
Dominique Launay, Comite Reseau des Universites, <dominique.launay AT cru.fr>
Copyright 2005 Dominique Launay, Comite Reseau des Universites http://www.cru.fr All Rights Reserved.
This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.