Home / server / Questions / 597921
In Process
Emil Hemdal
Asked: 2014-05-23 12:56:45 +0800 CST

Make Sympa authenticate users with another database and tablestructure

  • 772

We would like to integrate Sympa's webinterface with another system using MySQL using the other systems user table.

I've done some searching but since Sympa is poorly documented no results of relevance has shown up.

Is this possible?

sympa

1 Answers

  1. Sympa authentication is configured by the auth.conf file. This can contain one or more stanzas defining alternative authentication methods, such as the internal database, LDAP, cas or generic_sso. Sysmpa identifies users by their email address.

    The first two (internal and LDAP) take the user email address and password, and authenticate directly. CAS authentication uses a CAS service.

    Generic_sso authentication uses the Web server's own authentication to return a userID, and then obtains the user email address either from metadata or via an LDAP lookup. One example would be using Shibboleth (via mod_shib) and pulling the email address from the Shibboleth metadata. However, any web server authentication may be used, so you can easily use mod_mysql or similar to authenticate against an external user database. In order to get the email address, you can either use an assosciated LDAP lookup, have your web server authentication module return metadata (as an HTTP header), or ensure that the authenticated userID is the same as the email address.

    In short; use generic_sso, and then configure the necessary authentication in your web server, making sure to return the email address in the metadata if you cannot map user to email via an LDAP lookup.

    The (admittedly poor) documentation on this is here : Sympa authentication

    Example: This auth.conf stanza uses mod_shib to authnticate via Shibboleth; if the mail metadata is returned then it will be used, otherwise an LDAP lookup will be performed to obtain the email address. In order for the authentication to work, the location /sympa/sso_login/shibboleth is configured in the web server to be protected by Shibboleth using mod_shib. 

     generic_sso    
   service_name       Shibboleth    
   service_id         shibboleth
   http_header_list   mail,displayName,uid,unscoped_affiliation    
   netid_http_header  uid
   email_http_header  mail
         ldap_host       ldap.company.com:636
         ldap_timeout    20
         ldap_bind_dn        cn=sympa,o=company
         ldap_bind_password  xxxxxx
         ldap_suffix     ou=users,o=company
         ldap_get_email_by_uid_filter (cn=[uid])
         ldap_email_attribute mail
         ldap_scope      one
         ldap_use_ssl    1

    Example: A similar method can be used to protect a location using a different method, such as mod_auth_mysql or mod_authn_dbd. If you use mod_authn_dbd, you can return the email address in the same query, from where it will be loaded into the environment. You can then use RequestHeader set in your Apache config to push it into the HTTP headers to be picked up by the email_http_header definition. See here for the mod_authn_dbd documentation.

     generic_sso    
   service_name       MySQL    
   service_id         mysql
   email_http_header  x-mail

    and in Apache (this is not tested but should be correct):

    DBDriver mysql
DBDParams "dbname=apacheauth user=apache password=xxxxxx"
DBDMin  4
DBDKeep 8
DBDMax  20
DBDExptime 300
<Location /sympa/sso_login/mysql>
    AuthType basic
    AuthBasicProvider dbd
    Require valid-user
    AuthDBDUserPWQuery "SELECT password, emailaddr FROM authn WHERE user = %s"
    RequestHeader set x-mail %{AUTHENTICATE_emailaddr}e
</Location>
    • 0