pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/security SASL is a method for adding authentication su...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/882c32bc69b1
branches:  trunk
changeset: 399145:882c32bc69b1
user:      manu <manu%pkgsrc.org@localhost>
date:      Sun Sep 13 19:57:13 2009 +0000

description:
SASL is a method for adding authentication support to connection-based
protocols.  To use SASL, a protocol includes a command for identifying and
authenticating a user to a server and for optionally negotiating protection
of subsequent protocol interactions.  If its use is negotiated, a security
layer is inserted between the protocol and the connection.

PAM provides a way to develop programs that are independent of
authentication scheme.  These programs need "authentication modules" to be
attached to them at run-time in order to work.  Which authentication module
is to be attached is dependent upon the local system setup and is at the
discretion of the local system administrator.

This package contains a SASL plugin and a PAM module that perform a crude
check on a SAML authentication assertion. The assertion signature and date
are verified, and access is granted on behalf of the user taken from a
configurable attribute.

The only protection against replay attacks is the assertion validity date
checks; this authentication is therefore secure only if the SAML
authentication assertion remains secret. The assertion has the same role
as a web cookie used for authentication.
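The description above says the validity dates are the only replay protection. The following is an added example (not crudesaml code) of how a relying party can do the date check with a clock-skew allowance and additionally remember assertion IDs until they expire, so a captured assertion cannot be presented twice; it assumes the XML signature has already been verified by the SAML library, and the sample assertion, attribute name and timestamps are constructed.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion; signature verification is assumed to have
# been done by the SAML library before this code sees the document.
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-id-1" Version="2.0"
    IssueInstant="2009-09-13T19:50:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Conditions NotBefore="2009-09-13T19:50:00Z"
                   NotOnOrAfter="2009-09-13T19:55:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_utc(s):
    """Parse a SAML xs:dateTime in the common 'YYYY-MM-DDTHH:MM:SSZ' form."""
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


class AssertionChecker:
    def __init__(self, skew=dt.timedelta(seconds=60)):
        self.skew = skew
        self.seen = {}  # assertion ID -> NotOnOrAfter: the replay cache

    def check(self, xml_text, attr_name, now):
        """Return the user name from attr_name, or None if the assertion is rejected."""
        root = ET.fromstring(xml_text)
        cond = root.find(f"{{{SAML_NS}}}Conditions")
        not_before = parse_utc(cond.get("NotBefore"))
        not_on_or_after = parse_utc(cond.get("NotOnOrAfter"))
        # Validity window, allowing for clock skew between IdP and this host.
        if now + self.skew < not_before or now - self.skew >= not_on_or_after:
            return None
        # Drop cache entries that can no longer be replayed anyway.
        self.seen = {k: v for k, v in self.seen.items() if v + self.skew > now}
        assertion_id = root.get("ID")
        if assertion_id in self.seen:
            return None  # same assertion presented a second time
        self.seen[assertion_id] = not_on_or_after
        for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
            if attr.get("Name") == attr_name:
                return attr.find(f"{{{SAML_NS}}}AttributeValue").text
        return None
```

The cache is per process; a service with several worker processes would need a shared store for the same effect.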

diffstat:

 security/crudesaml/DESCR           |  31 +++++++++++++++++++++++++++++++
 security/crudesaml/Makefile.common |  28 ++++++++++++++++++++++++++++
 security/crudesaml/distinfo        |   5 +++++
 security/cy2-saml/DESCR            |  24 ++++++++++++++++++++++++
 security/cy2-saml/Makefile         |  18 ++++++++++++++++++
 security/cy2-saml/PLIST            |   3 +++
 security/pam-saml/DESCR            |  15 +++++++++++++++
 security/pam-saml/Makefile         |  16 ++++++++++++++++
 security/pam-saml/PLIST            |   3 +++
 9 files changed, 143 insertions(+), 0 deletions(-)

diffs (179 lines):

diff -r 58fce8feefd8 -r 882c32bc69b1 security/crudesaml/DESCR
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/crudesaml/DESCR  Sun Sep 13 19:57:13 2009 +0000
@@ -0,0 +1,31 @@
+SASL is a method for adding authentication support to connection-based
+protocols.  To use SASL, a protocol includes a command for identifying and
+authenticating a user to a server and for optionally negotiating protection
+of subsequent protocol interactions.  If its use is negotiated, a security
+layer is inserted between the protocol and the connection.
+
+PAM provides a way to develop programs that are independent of
+authentication scheme.  These programs need "authentication modules" to be
+attached to them at run-time in order to work.  Which authentication module
+is to be attached is dependent upon the local system setup and is at the
+discretion of the local system administrator.
+
+This package contains a SASL plugin and a PAM module that perform a crude 
+check on a SAML authentication assertion. The assertion signature and date
+are verified, and access is granted on behalf ot the user taked for a 
+onfigurable attribute.
+
+The only protection against replay attacks is the assertion validity dates
+checks, this authentication is therefore secure only if the SAML
+authentication assertion remains secret. The assertion has the same role
+as a web cookie used for authentication.
+
+Here is a PHP example of LDAP binding using www/ap2-auth-mellon and
+security/cy2-saml
+        $saml_msg = $_SERVER["MELLON_SAML_RESPONSE"];
+        $userid = $_SERVER["REMOTE_USER"];
+        if (ldap_sasl_bind($ds, NULL, $saml_msg, "SAML",
+                           NULL, $userid, NULL, "none") == FALSE) {
+                printf("ldap_sasl_bind() failed: %s", ldap_error($ds));
+                exit;
+        }
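Review bot: the DESCR text carries the same typos as the commit message ("behalf ot the user taked for a onfigurable attribute") plus trailing whitespace on the "perform a crude " and "taked for a " lines; please change it to "on behalf of the user taken from a configurable attribute" and strip the trailing spaces. The PHP example passes "none" as the SASL security properties, so no SASL security layer protects the bind and the assertion travels in the clear; since the paragraph above says the scheme is only secure while the assertion stays secret, the example should state that the connection must use ldaps:// or STARTTLS, and that $ds is an already-connected handle from ldap_connect().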
diff -r 58fce8feefd8 -r 882c32bc69b1 security/crudesaml/Makefile.common
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/crudesaml/Makefile.common        Sun Sep 13 19:57:13 2009 +0000
@@ -0,0 +1,28 @@
+# $NetBSD: Makefile.common,v 1.1.1.1 2009/09/13 19:57:13 manu Exp $
+#
+
+# used by security/cy2-saml/Makefile
+# used by security/pam-saml/Makefile
+
+DISTNAME=      crudesaml-0.5
+CATEGORIES=    security
+MASTER_SITES=  http://ftp.espci.fr/pub/crudesaml
+
+MAINTAINER=    manu%NetBSD.org@localhost
+
+GNU_CONFIGURE= yes
+USE_LIBTOOL=   yes
+USE_TOOLS+=    pkg-config
+USE_LANGUAGES+=        c
+
+DISTINFO_FILE= ${.CURDIR}/../../security/crudesaml/distinfo
+
+CONFIGURE_ARGS+=--with-sasl2=${PREFIX}
+
+.include "../../security/cyrus-sasl/buildlink3.mk"
+.include "../../textproc/libxml2/buildlink3.mk"
+.include "../../security/lasso/buildlink3.mk"
+.include "../../mk/pam.buildlink3.mk"
+
+# url2pkg-marker (please do not remove this line.)
+.include "../../mk/bsd.pkg.mk"
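Review bot: the "# url2pkg-marker (please do not remove this line.)" comment is a leftover from url2pkg and should be dropped before the file is committed; the `.include "../../mk/bsd.pkg.mk"` line below it stays. No HOMEPAGE or LICENSE is set; both should be added (the MASTER_SITES host is a reasonable place to look for the project page). Also `CONFIGURE_ARGS+=--with-sasl2=${PREFIX}` has no whitespace after the operator, unlike the other assignments in the file.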
diff -r 58fce8feefd8 -r 882c32bc69b1 security/crudesaml/distinfo
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/crudesaml/distinfo       Sun Sep 13 19:57:13 2009 +0000
@@ -0,0 +1,5 @@
+$NetBSD: distinfo,v 1.1.1.1 2009/09/13 19:57:13 manu Exp $
+
+SHA1 (crudesaml-0.5.tar.gz) = 4389bdc6ad963d89b3a26f3af1d66105a927d880
+RMD160 (crudesaml-0.5.tar.gz) = dbd0a7bfd5e9b5970e8d1ea265610638fab1a7e1
+Size (crudesaml-0.5.tar.gz) = 324398 bytes
diff -r 58fce8feefd8 -r 882c32bc69b1 security/cy2-saml/DESCR
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/cy2-saml/DESCR   Sun Sep 13 19:57:13 2009 +0000
@@ -0,0 +1,24 @@
+SASL is a method for adding authentication support to connection-based
+protocols.  To use SASL, a protocol includes a command for identifying and
+authenticating a user to a server and for optionally negotiating protection
+of subsequent protocol interactions.  If its use is negotiated, a security
+layer is inserted between the protocol and the connection.
+
+This package contains a SASL plugin that perform a crude check on a SAML
+authentication assertion. The assertion signature and date are verified,
+and access is granted on behalf ot the user taked for a onfigurable
+attribute.
+
+The only protection against replay attacks is the assertion validity dates
+checks, this authentication is therefore secure only if the SAML
+authentication assertion remains secret. The assertion has the same role
+as a web cookie used for authentication.
+
+Here is a PHP example of LDAP binding using www/ap2-auth-mellon:
+        $saml_msg = $_SERVER["MELLON_SAML_RESPONSE"];
+        $userid = $_SERVER["REMOTE_USER"];
+        if (ldap_sasl_bind($ds, NULL, $saml_msg, "SAML",
+                           NULL, $userid, NULL, "none") == FALSE) {
+                printf("ldap_sasl_bind() failed: %s", ldap_error($ds));
+                exit;
+        }
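Review bot: "a SASL plugin that perform a crude check" should read "performs", and the "ot"/"taked"/"onfigurable" typos from the crudesaml DESCR are repeated here. The PHP example binds with security properties "none", so if it is kept in this file as well it should say the LDAP connection needs TLS (ldaps:// or STARTTLS) for the assertion to stay secret, as the preceding paragraph requires.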
diff -r 58fce8feefd8 -r 882c32bc69b1 security/cy2-saml/Makefile
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/cy2-saml/Makefile        Sun Sep 13 19:57:13 2009 +0000
@@ -0,0 +1,18 @@
+# $NetBSD: Makefile,v 1.1.1.1 2009/09/13 19:57:36 manu Exp $
+#
+
+PKGNAME=       ${DISTNAME:S/crudesaml-/cy2-saml-/}
+COMMENT=       Crude SAML assertion validator for bridging WebSSO and SASL
+
+PLUGINDIR=     ${PREFIX}/lib/sasl2
+
+PKG_DESTDIR_SUPPORT=    user-destdir
+
+do-install:
+       ${INSTALL_DATA_DIR} ${DESTDIR}${PLUGINDIR}
+       cd ${WRKSRC} && ${SHLIBTOOL} --mode=install \
+               ${INSTALL_PROGRAM} libsaml.la ${DESTDIR}${PLUGINDIR}
+       ${INSTALL_MAN} ${WRKSRC}/cy2_saml.5 \
+               ${DESTDIR}${PREFIX}/${PKGMANDIR}/man5
+
+.include "../../security/crudesaml/Makefile.common"
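Review bot: `PKG_DESTDIR_SUPPORT=    user-destdir` is aligned with spaces while every other assignment in the file uses tabs. In do-install, ${INSTALL_MAN} writes into ${DESTDIR}${PREFIX}/${PKGMANDIR}/man5 without creating it first; declaring `INSTALLATION_DIRS= lib/sasl2 ${PKGMANDIR}/man5` lets the framework create both directories and makes the explicit ${INSTALL_DATA_DIR} line unnecessary.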
diff -r 58fce8feefd8 -r 882c32bc69b1 security/cy2-saml/PLIST
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/cy2-saml/PLIST   Sun Sep 13 19:57:13 2009 +0000
@@ -0,0 +1,3 @@
+@comment $NetBSD: PLIST,v 1.1.1.1 2009/09/13 19:57:36 manu Exp $
+lib/sasl2/libsaml.la
+man/man5/cy2_saml.5
diff -r 58fce8feefd8 -r 882c32bc69b1 security/pam-saml/DESCR
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/pam-saml/DESCR   Sun Sep 13 19:57:13 2009 +0000
@@ -0,0 +1,15 @@
+PAM provides a way to develop programs that are independent of
+authentication scheme.  These programs need "authentication modules" to be
+attached to them at run-time in order to work.  Which authentication module
+is to be attached is dependent upon the local system setup and is at the
+discretion of the local system administrator.
+
+This package contains a PAM module that perform a crude
+check on a SAML authentication assertion. The assertion signature and date
+are verified, and access is granted on behalf ot the user taked for a
+onfigurable attribute.
+
+The only protection against replay attacks is the assertion validity dates
+checks, this authentication is therefore secure only if the SAML
+authentication assertion remains secret. The assertion has the same role
+as a web cookie used for authentication.
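Review bot: "a PAM module that perform a crude" should read "performs", and "behalf ot the user taked for a onfigurable attribute" should be "behalf of the user taken from a configurable attribute", matching the fix needed in the other two DESCR files.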
diff -r 58fce8feefd8 -r 882c32bc69b1 security/pam-saml/Makefile
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/pam-saml/Makefile        Sun Sep 13 19:57:13 2009 +0000
@@ -0,0 +1,16 @@
+# $NetBSD: Makefile,v 1.1.1.1 2009/09/13 19:57:51 manu Exp $
+#
+
+PKGNAME=       ${DISTNAME:S/crudesaml-/pam-saml-/}
+COMMENT=       Crude SAML assertion validator for bridging WebSSO and PAM
+
+PKG_DESTDIR_SUPPORT=    user-destdir
+
+do-install:
+       ${INSTALL_DATA_DIR} ${DESTDIR}${PREFIX}/lib/security
+       cd ${WRKSRC} && ${SHLIBTOOL} --mode=install \
+               ${INSTALL_PROGRAM} pam_saml.la ${DESTDIR}${PREFIX}/lib/security
+       ${INSTALL_MAN} ${WRKSRC}/pam_saml.5 \
+               ${DESTDIR}${PREFIX}/${PKGMANDIR}/man5
+
+.include "../../security/crudesaml/Makefile.common"
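Review bot: same layout point as in cy2-saml/Makefile: `PKG_DESTDIR_SUPPORT=    user-destdir` should be tab-aligned like the other assignments, and the man5 directory is never created before ${INSTALL_MAN} runs; `INSTALLATION_DIRS= lib/security ${PKGMANDIR}/man5` would cover both directories and replace the ${INSTALL_DATA_DIR} line.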
diff -r 58fce8feefd8 -r 882c32bc69b1 security/pam-saml/PLIST
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/pam-saml/PLIST   Sun Sep 13 19:57:13 2009 +0000
@@ -0,0 +1,3 @@
+@comment $NetBSD: PLIST,v 1.1.1.1 2009/09/13 19:57:51 manu Exp $
+lib/security/pam_saml.la
+man/man5/pam_saml.5