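enabled = $enabled;
        $this->lib_ug = $lib_ug;
        $this->lib_ag = $lib_ag;
        $this->lib_sg = "";
        $this->principal = $principal;
        $this->credential = $credential;
        $this->repository_uri = $repository_uri;
        $this->user_dn = $user_dn;
        $this->group_dn = $group_dn;
        $this->domain = $domain;
        $this->use_start_tls = $use_start_tls;
    }
}

/**
 * Kerberos settings as posted by the "LDAP with Kerberos" form.
 *
 * Built from $_POST in the handler below and handed to set_krb5(); the stored
 * record is read back with get_krb5() when the page is loaded with GET.
 */
class CKRB5_info
{
    var $enabled;   // true when the "krb5" authentication type was selected
    var $realm;     // POST field krb5_realm
    var $kdc;       // POST field krb5_kdc
    var $mappings;  // POST field krb5_mappings (format not visible here)
    var $kt;        // tmp_name of the uploaded service keytab, or "" when none was uploaded

    /**
     * @param bool   $enabled  whether Kerberos authentication is turned on
     * @param string $realm
     * @param string $kdc
     * @param string $mappings
     * @param string $kt       upload tmp_name of the keytab, or ""
     */
    function __construct($enabled, $realm, $kdc, $mappings, $kt)
    {
        $this->enabled = $enabled;
        $this->realm = $realm;
        $this->kdc = $kdc;
        $this->mappings = $mappings;
        $this->kt = $kt;
    }

    // PHP 4-style named constructor kept for any caller that invokes it directly.
    // PHP 8 no longer treats a method named after its class as the constructor,
    // so the real initialisation lives in __construct() above.
    function CKRB5_info($enabled, $realm, $kdc, $mappings, $kt)
    {
        $this->__construct($enabled, $realm, $kdc, $mappings, $kt);
    }
}

// Handle the progress screen if opened and get the NEW data.
//
// POST: either run a test bind (test_ldap=1) or validate the uploads, persist
// the LDAP and Kerberos settings and print a ReturnStatus message.
// GET:  load the stored settings for the form that follows the closing tag.
if ($_SERVER['REQUEST_METHOD'] === "POST") {
    $operationInProgress = true;
    $testResult = true;
    $status = new ReturnStatus();
    $wasError = false;
    // Read the two selector fields once; a missing field behaves like an empty one.
    $postedType = isset($_POST['enabled']) ? $_POST['enabled'] : "";
    $postedTest = isset($_POST['test_ldap']) ? $_POST['test_ldap'] : "";

    // This contains sensitive information, and should not be in shipped code.
    //error_log("_POST = ". print_r($_POST,true) );
    //error_log("_FILES = ". print_r($_FILES,true) );

    if ($postedTest === "1") {
        test_ldap($user, $_POST['test_user'], $_POST['test_password']);
    } else {
        $ldapEnabled = false;
        $krb5Enabled = false;
        $krb5_kt = "";
        $ldap_kt = "";

        if ($postedType === "ldap") {
            /*****************************************************************************
             How to use the new certificate script.

             Usage: ./ldapCAConfig
             actions:
               -g           - Get current certificate setup (SEE IF THERE IS ONE INSTALLED ALREADY)
               -d           - Disable certificate validation (IF Remove is checked)
               -e [CA Cert] - Install and enable a CA Cert (If there is a filename)
               -h           - Print this message

             return:
               During any operation the return code of the shell will be set to '0'
               upon success. During a get operation, if a ca certificate is configured
               you will receive 'on' from stdout or 'off' conversely.
             *****************************************************************************/
            $ldapEnabled = true;

            if (isset($_FILES['ldap_cert']['tmp_name'])
                && is_uploaded_file($_FILES['ldap_cert']['tmp_name'])) {
                error_log("Found a ldap cert file....");
                $ldap_kt = $_FILES['ldap_cert']['tmp_name'];
            } elseif (!isset($_FILES['ldap_cert'])) {
                // PHP handed us no entry for the field at all (e.g. post_max_size
                // exceeded).  This is the same failure as UPLOAD_ERR_INI_SIZE below,
                // so it is reported the same way.
                error_log("The file is too big, brickUpdate is NULL");
                $status->setErrorCode("4109");
                $wasError = true;
            } else {
                $wasError = true;
                // Use $_FILES here: the old $HTTP_POST_FILES alias no longer exists,
                // and reading it made every non-upload fall into the default case.
                switch ($_FILES['ldap_cert']['error']) {
                    case UPLOAD_ERR_INI_SIZE:  // exceeds upload_max_filesize in php.ini
                    case UPLOAD_ERR_FORM_SIZE: // exceeds MAX_FILE_SIZE from the html form
                        error_log("The file you are trying to upload is too big.");
                        $status->setErrorCode("4109");
                        break;
                    case UPLOAD_ERR_PARTIAL:
                        error_log("The file you are trying upload was only partially uploaded.");
                        $status->setErrorCode("4110");
                        break;
                    case UPLOAD_ERR_NO_FILE:
                        // Not an error: a CA cert does not have to be re-uploaded each
                        // time the settings are saved.
                        $wasError = false;
                        break;
                    default:
                        error_log("There was a problem with your upload.");
                        $status->setErrorCode("4108");
                        break;
                }
            }
        } elseif ($postedType === "krb5") {
            $ldapEnabled = true;
            $krb5Enabled = true;

            if (isset($_FILES['serviceKeytab']['tmp_name'])
                && is_uploaded_file($_FILES['serviceKeytab']['tmp_name'])) {
                $krb5_kt = $_FILES['serviceKeytab']['tmp_name'];
            } elseif (!isset($_FILES['serviceKeytab'])) {
                // Same "nothing arrived" case as for the LDAP cert above.
                error_log("The file is too big, brickUpdate is NULL");
                $status->setErrorCode("4109");
                $wasError = true;
            } else {
                // The form tells us whether a keytab is already installed.
                $kt_exists = !empty($_POST['krb5_kt_exists']);
                $wasError = true;
                switch ($_FILES['serviceKeytab']['error']) {
                    case UPLOAD_ERR_INI_SIZE:  // exceeds upload_max_filesize in php.ini
                    case UPLOAD_ERR_FORM_SIZE: // exceeds MAX_FILE_SIZE from the html form
                        error_log("The file you are trying to upload is too big.");
                        $status->setErrorCode("4109");
                        break;
                    case UPLOAD_ERR_PARTIAL:
                        error_log("The file you are trying upload was only partially uploaded.");
                        $status->setErrorCode("4110");
                        break;
                    case UPLOAD_ERR_NO_FILE:
                        if (!$kt_exists) {
                            error_log("You must upload a keytab for the library principal.");
                            $status->setErrorCode("4111");
                        }
                        // NOTE(review): when a keytab already exists this path leaves
                        // $wasError true with no error code set, unlike the LDAP cert
                        // branch which clears it -- confirm that is intended.
                        break;
                    default:
                        error_log("There was a problem with your upload.");
                        $status->setErrorCode("4108");
                        break;
                }
            }
        }

        $useTLS = isset($_POST['useTLS']) ? 1 : 0;

        $ldap_info = new CLDAP_info(
            $ldapEnabled,
            $_POST['lib_ug'],
            $_POST['lib_ag'],
            $_POST['principal'],
            $_POST['credential'],
            $_POST['repository_uri'],
            $_POST['user_dn'],
            $_POST['group_dn'],
            $_POST['domain'],
            $useTLS
        );
        $krb5_info = new CKRB5_info(
            $krb5Enabled,
            $_POST['krb5_realm'],
            $_POST['krb5_kdc'],
            $_POST['krb5_mappings'],
            $krb5_kt
        );

        error_log("useTLS = $useTLS");
        // $ldap_info carries the bind credential; keep this out of shipped code.
        //error_log("ldap_info = ". print_r($ldap_info,true) );

        $bRemoveCert = 0;
        if (isset($_POST['remove_ldap_cert'])) {
            error_log("remove_ldap_cert = " . $_POST['remove_ldap_cert']);
            if ($_POST['remove_ldap_cert'] === "on") {
                $bRemoveCert = 1;
            }
        }

        // NOTE(review): both settings are persisted even when $wasError is true
        // (the upload is simply passed through as ""); $wasError only selects the
        // message printed below.  Confirm whether a failed upload should block the save.
        set_krb5($user, $krb5_info);
        set_ldap($user, $ldap_info, $bRemoveCert, $ldap_kt);

        // Make sure the setting was valid.
        // $testResult = @test_ldap($user, $_POST['test_user'], $_POST['test_password']);
        // if( $testResult != 0 )
        // {
        //     $status->setErrorCode( 0x50022 );
        // }
    }

    if ($wasError || $postedType === "local" || $postedTest === "1") {
        print $status->out();
    } else {
        $text = "
CAUTION:
To validate the LDAP settings that were just saved, you need to enter a user name and password at the bottom of the page and then click the \"Test Settings\" button.";
        // Installing a cert or removing one restarts the library.
        if ($bRemoveCert || $ldap_kt !== "") {
            $text .= "
Please wait for the library to restart, and then refresh your browser.
";
            print $status->closeMsg(6, $text);
        } else {
            print $status->closeMsg(3, $text);
        }
    }
    return;
} else {
    // Load stuff up for the first time
    $ldap = get_ldap($user);
    // This contains sensitive information and should not be uncommented in a shipped code release
    //error_log("get_ldap = ". print_r($ldap,true) );

    // An ldaps:// URI already encrypts the connection, so the StartTLS option is disabled.
    $disableUseTls = substr($ldap->repository_uri, 0, 5) === "ldaps";

    // This contains sensitive information, and should not be present in shipped code
    // error_log( "ldap = ". print_r($ldap, true) );

    $krb5 = get_krb5($user);
    // Debug dump of the whole Kerberos configuration on every page load; disabled to
    // match the treatment of the LDAP record above.
    //error_log( "krb5 = ". print_r($krb5, true) );

    $ldapDomains = get_ldap_domains($user);
    // error_log( "ldapDomains = ". print_r($ldapDomains, true) );
}
?>
Setup Remote Authentication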
Setup - Remote Authentication
Authenticate logins against a third-party service.

" > " >
Authentication Type:
Local Only:enabled) echo "checked" ?>> LDAP:enabled) echo "checked" ?>> LDAP with Kerberos:enabled) echo "checked" ?>>