From bae81f5eef546e35e6c02b15165487183c24be6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20=C3=85kre=20Solberg?= <andreas.solberg@uninett.no>
Date: Mon, 21 Apr 2008 10:11:41 +0000
Subject: [PATCH] Adding tlsclient authentication module using apache
 (mod_ssl). (Thanks to Enrique de la Hoz)

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@502 44740490-163a-0410-bde0-09ae8108e29a
---
 dictionaries/errors.php      | 11 +++++
 www/auth/login-tlsclient.php | 93 ++++++++++++++++++++++++++++++++++++
 2 files changed, 104 insertions(+)
 create mode 100644 www/auth/login-tlsclient.php

diff --git a/dictionaries/errors.php b/dictionaries/errors.php
index 55bb1cc42..379526b26 100644
--- a/dictionaries/errors.php
+++ b/dictionaries/errors.php
@@ -567,5 +567,16 @@ $lang = array(
 		'en' => 'The password in the configuration (auth.adminpassword) is not changed from the default value, please edit the config.',
 		'es' => 'La clave de acceso del fichero de configuraciĂłn (auth.adminpassword) no ha sido cambiada de su valor por defecto. Por favor, edite dicho fichero'
 	),
+	
+	
+	'title_NOTVALIDCERT' => array(
+		'en' => 'Invalid certificate',
+		'es' => 'Certificado no válido',
+	),
+	'descr_NOTVALIDCERT' => array(
+		'en' => 'You did not present a valid certificate',
+		'es' => 'No se ha podido validar el certificado recibido',
+	),
+	
 
 );
\ No newline at end of file
diff --git a/www/auth/login-tlsclient.php b/www/auth/login-tlsclient.php
new file mode 100644
index 000000000..cd5a5da89
--- /dev/null
+++ b/www/auth/login-tlsclient.php
@@ -0,0 +1,93 @@
+<?php
+
+
+require_once('../../www/_include.php');
+
+require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Utilities.php');
+require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Session.php');
+require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Metadata/MetaDataStorageHandler.php');
+require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/XHTML/Template.php');
+require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Logger.php');
+require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Auth/LDAP.php');
+
+$config = SimpleSAML_Configuration::getInstance();
+$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
+$session = SimpleSAML_Session::getInstance(true);
+
+SimpleSAML_Logger::info('AUTH  - ldap: Accessing auth endpoint login');
+
+SimpleSAML_Configuration::init($configdir, 'ldapconfig', 'ldap.php');
+$ldapconfig = SimpleSAML_Configuration::getInstance('ldapconfig');
+
+
+$error = null;
+$attributes = array();
+$username = null;
+
+if (empty($session))
+	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOSESSION');
+
+/* Load the RelayState argument. The RelayState argument contains the address
+ * we should redirect the user to after a successful authentication.
+ */
+if (!array_key_exists('RelayState', $_REQUEST)) {
+	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NORELAYSTATE');
+}
+
+$relaystate = $_REQUEST['RelayState'];
+
+
+try {
+
+	$attributes = array();
+	$userid = null;
+
+	if (!array_key_exists('SSL_CLIENT_VERIFY', $_SERVER))
+		throw new Exception('Apache header variable SSL_CLIENT_VERIFY was not available. Recheck your apache configuration.');
+	
+	if (strcmp($_SERVER['SSL_CLIENT_VERIFY'], "SUCCESS") != 0) {
+		SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOTVALIDCERT', $e);
+	}
+	
+	$userid = $_SERVER['SSL_CLIENT_S_DN'];
+	
+	$attributes['CertificateDN']   = array($userid);
+	$attributes['CertificateDNCN'] = array($_SERVER['SSL_CLIENT_S_DN_CN']);
+	
+	$session->setAuthenticated(true, 'tlsclient');
+	$session->setAttributes($attributes);
+	
+	#echo '<pre>';
+	#print_r($_SERVER);
+	#echo '</pre>'; exit;
+
+	SimpleSAML_Logger::info('AUTH - tlsclient: '. $userid . ' successfully authenticated');
+	
+	
+	$session->setNameID(array(
+		'value' => SimpleSAML_Utilities::generateID(),
+		'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
+		
+	/**
+	 * Create a statistics log entry for every successfull login attempt.
+	 * Also log a specific attribute as set in the config: statistics.authlogattr
+	 */
+	$authlogattr = $config->getValue('statistics.authlogattr', null);
+	if ($authlogattr && array_key_exists($authlogattr, $attributes)) 
+		SimpleSAML_Logger::stats('AUTH-tlsclient OK ' . $attributes[$authlogattr][0]);
+	else 
+		SimpleSAML_Logger::stats('AUTH-tlsclient OK');
+		
+
+	$returnto = $_REQUEST['RelayState'];
+	SimpleSAML_Utilities::redirect($returnto);	
+	
+	
+} catch (Exception $e) {
+	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'CONFIG', $e);
+
+}
+
+
+
+?>
\ No newline at end of file
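Review bot: The rejected-certificate branch `SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOTVALIDCERT', $e);` passes `$e`, which is not defined at that point (it is only bound by the `catch` at the end of the `try`), so a client that fails verification triggers an undefined-variable notice and hands `null` where an exception is expected; drop the argument: `SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOTVALIDCERT');`. `$_SERVER['SSL_CLIENT_S_DN']` and `$_SERVER['SSL_CLIENT_S_DN_CN']` are then read without the `array_key_exists` guard that `SSL_CLIENT_VERIFY` gets, so if the Apache configuration does not export those variables the session is marked authenticated with a null `CertificateDN`; guard them the same way and treat absence as `NOTVALIDCERT`. `RelayState` is taken from `$_REQUEST` and passed straight to `redirect()` after authentication with no check that it points at this deployment; whether `SimpleSAML_Utilities::redirect` validates the target is not visible here and is worth confirming, since an unvalidated value would be an open redirect off a freshly authenticated session. The `ldap.php` configuration load, the `SimpleSAML/Auth/LDAP.php` require and the `'AUTH  - ldap: ...'` log line look like leftovers from the LDAP module, and the commented-out `print_r($_SERVER)` debug block should be removed rather than shipped.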
-- 
GitLab