A module that provides integration of the Catalyst web application framework with GSSAPI/SPNEGO HTTP authentication.
Perl XS Perl 6
Switch branches/tags
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
lib/Catalyst/Authentication/Credential
t
.gitignore
Build.PL
LICENSE
README

README

NAME
    Catalyst::Authentication::Credential::GSSAPI - rfc4559 SPNEGO/GSSAPI

SYNOPSIS
    In your application configuration:

      <authentication>
        default_realm "myrealm"
        <realms>
          <myrealm>
            <credential>
              class "GSSAPI"
            </credential>
            <store>
              class "LDAP"
              ldap_server "myrealm.mydomain.com"
              binddn "anonymous"
              bindpw "dontcarehow"
              user_basedn "OU=Users,DC=myrealm,DC=mydomain,DC=com"
              user_field "userprincipalname"
              user_filter "(userprincipalname=%s)"
              user_scope "sub"
            </store>
          </myrealm>
        </realms>
      </authentication>

    On your application code:

      $c->authenticate({ });

DESCRIPTION
    This module implements the HTTP negotiation described in rfc4559. The
    authentication is implemented by the natively calling the gssapi from
    the krb5 library. It provides only the "Credential" part of the system.
    You are required to plugin a different "Storage", such as LDAP, in order
    to get the data for the user info.

    This allows your application to perform Single-Sign-On (SSO) if you are
    in an environment with Kerberos authentication. One example of such
    scenario is for environments managed with Microsoft Active Directory.

    This module will not, however, perform password-based authentication on
    the Kerberos realm. It will only accept token-based negotiation with
    GSSAPI.

    Like Catalyst::Authentication::Credential::HTTP, this module will detach
    your action for the HTTP negotiation to happen and will only return when
    a valid user was authenticated and retrieved from the store.

KEYTABS AND PRINCIPALS
    When implementing GSSAPI negotiation over HTTP, the convention specify
    that the name of the principal for the service will always be:

      HTTP/hostname.of.the.server

    Such that if the client is connecting to

      http://myservice.mydomain.com

    the name of Service Principal Name (SPN) will be required to be

      HTTP/myservice.mydomain.com

    The SPN needs to be registered with the kerberos server, and application
    needs to be run with a keytab that contains that principal. One way to
    verify that is by doing:

      $ k5srvutil -f mykeytabfile.keytab list
      Keytab name: FILE:mykeytabfile.keyttab
      KVNO Principal
      ---- --------------------------------------------------------------------
       3 serviceaccount@MYREALM.MYDOMAIN.COM
       3 HTTP/myservice.mydomain.com@MYREALM.MYDOMAIN.COM

    With the MIT krb5 library, you can use the keytab by exporting the
    following environment variable for the process running the application:

      export KRB5_KTNAME=FILE:/full/path/to/mykeytabfile.keytab

    That way the application will be able to participate in the
    authentication.

CLIENT SIDE
    The client side, of course, also has to support this negotiation.

  BROWSER SUPPORT
    All major browsers support this negotiation, some configuration may be
    required in order to enable it.

  CURL
    Curl can be built with krb5 support, at which point you should be able
    to use:

      curl --negotiate -u x:x http://myservice.mydomain.com

    The "-u x:x" argument is necessary in order to tell curl to enable
    authentication, the user name and password will not be used and can be
    set to a dummy value, like "x:x".

CONFIGURATION
    username_field
        This configures what field should the username be set to in the
        authinfo hash. Defaults to "username".

        The authentication will send the "src name" from gssapi as the user
        name for the find_user call.

    strip_realm
        When using kerberos, the full principal name is returned, which is
        usually in the form of user@REALM. Setting this will strip
        everything after the '@' before sending it to the credential store.
        This is useful if you are using a store that is not connected to the
        kerberos authentication.

USING WITH LDAP ON MICROSOFT ACTIVE DIRECTORY
    Active Directory offers the LDAP attribute "userprincipalname" that will
    match the kerberos principal used by this API. If you set the user_field
    and user_filter configurations of the LDAP store, it will seamlessly
    integrate and return you a valid LDAP user.

COPYRIGHT
    Copyright 2015 Bloomberg Finance L.P.

    Licensed under the Apache License, Version 2.0 (the "License"); you may
    not use this file except in compliance with the License. You may obtain
    a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.