<div dir="ltr">This is my implementation using LDAP and Kerberos. As you can see I validate Admin separately, but definitively it can be modify to suit Brian workflow.<br>I hope this helps,<br><br>Denis<br><br>PS: do not hesitate in suggesting improvements! :D<br><br>$c->{check_user_password} = sub {<br> my( $session, $username, $password ) = @_;<br> <br> # Kerberos authentication for "user", "editor" and "admin" types (roles)<br> <br> use Net::LDAP; # IO::Socket::SSL also required<br> use Authen::Krb5::Simple;<br> use Authen::SASL;<br> <br> # LDAP tunables<br> my $ldap_host = “ldap.xxx.xxx";<br> my $base = “OU=xx,DC=xx,DC=xx,DC=xx,DC=xx";<br> my $proxy_user ="ad_read";<br> my $dn = "CN=$proxy_user,$base";<br><br> # Kerberos tunables<br> my $krb_host = “xxx.xxx.xxx";<br> <br> my $krb = Authen::Krb5::Simple->new(realm => $krb_host);<br> unless ( $krb )<br> {<br> print STDERR "Kerberos error: $@\n";<br> return 0;<br> }<br><br> my $ldap = Net::LDAP->new ( $ldap_host );<br> unless( $ldap )<br> {<br> print STDERR "LDAP error: $@\n";<br> return 0;<br> }<br> <br> my $sasl = Authen::SASL->new(<br> mechanism => 'GSSAPI', <br> callback => { user => 'ad_read' }<br> ) or die "$@";<br><br> my $mesg = $ldap->bind(sasl => $sasl);# dn => $dn, password=>$ldappass );<br><br> if( $mesg->code() )<br> {<br> print STDERR "LDAP Bind error: " . $mesg->error() . "\n";<br> return 0;<br> }<br><br> # Distinguished name (and attribues needed later on) for this user<br> my $result = $ldap->search (<br> base => "$base",<br> filter => "(&(sAMAccountName=$username))",<br> attrs => ['1.1', 'uid', 'sn', 'givenname', 'mail'],<br> sizelimit=>1<br> );<br><br> my $entr = $result->pop_entry;<br> unless( defined $entr )<br> {<br> # Allow local EPrints authentication for admins (accounts not found in LDAP)<br> my $user = EPrints::DataObj::User::user_with_username( $session, $username );<br> return 0 unless $user;<br><br> my $user_type = $user->get_type;<br> if( $user_type eq "admin" )<br> {<br> # internal authentication for "admin" type<br> return $session->get_database->valid_login( $username, $password );<br> }<br> return 0;<br> }<br><br> <br> # Check password<br> if( !$krb->authenticate( $username, $password ) )<br> {<br> print STDERR "$username authentication failed: ", $krb->errstr(), "\n";<br> return 0;<br> }<br> <br> # Does account already exist?<br> my $user = EPrints::DataObj::User::user_with_username( $session, $username );<br> if( !defined $user )<br> {<br> # New account<br> $user = EPrints::DataObj::User::create( $session, "user" );<br> $user->set_value( "username", $username );<br> }<br> <br> # Set metadata<br> my $name = {};<br> $name->{family} = $entr->get_value( "sn" );<br> $name->{given} = $entr->get_value( "givenName" );<br> $user->set_value( "name", $name );<br> $user->set_value( "username", $username );<br> $user->set_value( "email", $entr->get_value( "mail" ) );<br> $user->commit();<br> <br> $ldap->unbind if $ldap;<br> <br> return 1;<br>}<br><br><br><div class="gmail_extra"><div class="gmail_quote">On Thu, Dec 3, 2015 at 4:52 PM, Brian D. Gregg <span dir="ltr"><<a href="mailto:bdgregg@pitt.edu" target="_blank">bdgregg@pitt.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="white" link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Our logic flow for LDAP and local logins is as follows and we had to pretty much write (re-write) our <a href="http://eprints_login.pl" target="_blank">eprints_login.pl</a> from scratch, but we had to do that for
other reasons here as well due to the LDAP connection we needed to use to our central authentication system. Our flow assumes that everyone logging in has a LDAP account first then tries the local DB if LDAP logon fails.<u></u><u></u></span></p>
<p class="MsoNormal"><img src="cid:image001.png@01D12DB8.B2C173F0" height="518" width="659"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Hope this helps.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">-Brian.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><a name="151688f02fd06c3f__MailEndCompose"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></a></p></div></div></blockquote></div></div></div>