-rw-r--r-- | security/crudesaml/DESCR | 31 | ||||
-rw-r--r-- | security/crudesaml/Makefile.common | 28 | ||||
-rw-r--r-- | security/crudesaml/distinfo | 5 | ||||
-rw-r--r-- | security/cy2-saml/DESCR | 24 | ||||
-rw-r--r-- | security/cy2-saml/Makefile | 18 | ||||
-rw-r--r-- | security/cy2-saml/PLIST | 3 | ||||
-rw-r--r-- | security/pam-saml/DESCR | 15 | ||||
-rw-r--r-- | security/pam-saml/Makefile | 16 | ||||
-rw-r--r-- | security/pam-saml/PLIST | 3 |
9 files changed, 143 insertions, 0 deletions
diff --git a/security/crudesaml/DESCR b/security/crudesaml/DESCR
new file mode 100644
index 00000000000..4d9e2029cca
--- /dev/null
+++ b/security/crudesaml/DESCR
@@ -0,0 +1,31 @@
+SASL is a method for adding authentication support to connection-based
+protocols. To use SASL, a protocol includes a command for identifying and
+authenticating a user to a server and for optionally negotiating protection
+of subsequent protocol interactions. If its use is negotiated, a security
+layer is inserted between the protocol and the connection.
+
+PAM provides a way to develop programs that are independent of
+authentication scheme. These programs need "authentication modules" to be
+attached to them at run-time in order to work. Which authentication module
+is to be attached is dependent upon the local system setup and is at the
+discretion of the local system administrator.
+
+This package contains a SASL plugin and a PAM module that perform a crude
+check on a SAML authentication assertion. The assertion signature and date
+are verified, and access is granted on behalf ot the user taked for a
+onfigurable attribute.
+
+The only protection against replay attacks is the assertion validity dates
+checks, this authentication is therefore secure only if the SAML
+authentication assertion remains secret. The assertion has the same role
+as a web cookie used for authentication.
+
+Here is a PHP example of LDAP binding using www/ap2-auth-mellon and
+security/cy2-saml
+ $saml_msg = $_SERVER["MELLON_SAML_RESPONSE"];
+ $userid = $_SERVER["REMOTE_USER"];
+ if (ldap_sasl_bind($ds, NULL, $saml_msg, "SAML",
+ NULL, $userid, NULL, "none") == FALSE) {
+ printf("ldap_sasl_bind() failed: %s", ldap_error($ds));
+ exit;
+ }
diff --git a/security/crudesaml/Makefile.common b/security/crudesaml/Makefile.common
new file mode 100644
index 00000000000..5845f69eb19
--- /dev/null
+++ b/security/crudesaml/Makefile.common
@@ -0,0 +1,28 @@
+# $NetBSD: Makefile.common,v 1.1.1.1 2009/09/13 19:57:13 manu Exp $
+#
+
+# used by security/cy2-saml/Makefile
+# used by security/pam-saml/Makefile
+
+DISTNAME= crudesaml-0.5
+CATEGORIES= security
+MASTER_SITES= http://ftp.espci.fr/pub/crudesaml
+
+MAINTAINER= manu@NetBSD.org
+
+GNU_CONFIGURE= yes
+USE_LIBTOOL= yes
+USE_TOOLS+= pkg-config
+USE_LANGUAGES+= c
+
+DISTINFO_FILE= ${.CURDIR}/../../security/crudesaml/distinfo
+
+CONFIGURE_ARGS+=--with-sasl2=${PREFIX}
+
+.include "../../security/cyrus-sasl/buildlink3.mk"
+.include "../../textproc/libxml2/buildlink3.mk"
+.include "../../security/lasso/buildlink3.mk"
+.include "../../mk/pam.buildlink3.mk"
+
+# url2pkg-marker (please do not remove this line.)
+.include "../../mk/bsd.pkg.mk"
diff --git a/security/crudesaml/distinfo b/security/crudesaml/distinfo
new file mode 100644
index 00000000000..91f9dac7e8a
--- /dev/null
+++ b/security/crudesaml/distinfo
@@ -0,0 +1,5 @@
+$NetBSD: distinfo,v 1.1.1.1 2009/09/13 19:57:13 manu Exp $
+
+SHA1 (crudesaml-0.5.tar.gz) = 4389bdc6ad963d89b3a26f3af1d66105a927d880
+RMD160 (crudesaml-0.5.tar.gz) = dbd0a7bfd5e9b5970e8d1ea265610638fab1a7e1
+Size (crudesaml-0.5.tar.gz) = 324398 bytes
diff --git a/security/cy2-saml/DESCR b/security/cy2-saml/DESCR
new file mode 100644
index 00000000000..a11f8f68d21
--- /dev/null
+++ b/security/cy2-saml/DESCR
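Review bot: The `# url2pkg-marker (please do not remove this line.)` comment just before the final `.include` is url2pkg scaffolding meant to be deleted once the package has been filled in, and this file is clearly past that stage, so drop that line. `CONFIGURE_ARGS+=--with-sasl2=${PREFIX}` hands configure the installation prefix rather than the prefix the cyrus-sasl buildlink provides; the usual pkgsrc spelling is `CONFIGURE_ARGS+= --with-sasl2=${BUILDLINK_PREFIX.cyrus-sasl}`, which resolves to the same path in the common case but stays correct when cyrus-sasl is installed elsewhere. Neither this file nor the two Makefiles that include it set HOMEPAGE; adding one next to MAINTAINER (the MASTER_SITES URL will do if the project has no separate page) is what pkglint typically asks for and gives users a place to read up on the assertion checks described in DESCR.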
@@ -0,0 +1,24 @@
+SASL is a method for adding authentication support to connection-based
+protocols. To use SASL, a protocol includes a command for identifying and
+authenticating a user to a server and for optionally negotiating protection
+of subsequent protocol interactions. If its use is negotiated, a security
+layer is inserted between the protocol and the connection.
+
+This package contains a SASL plugin that perform a crude check on a SAML
+authentication assertion. The assertion signature and date are verified,
+and access is granted on behalf ot the user taked for a onfigurable
+attribute.
+
+The only protection against replay attacks is the assertion validity dates
+checks, this authentication is therefore secure only if the SAML
+authentication assertion remains secret. The assertion has the same role
+as a web cookie used for authentication.
+
+Here is a PHP example of LDAP binding using www/ap2-auth-mellon:
+ $saml_msg = $_SERVER["MELLON_SAML_RESPONSE"];
+ $userid = $_SERVER["REMOTE_USER"];
+ if (ldap_sasl_bind($ds, NULL, $saml_msg, "SAML",
+ NULL, $userid, NULL, "none") == FALSE) {
+ printf("ldap_sasl_bind() failed: %s", ldap_error($ds));
+ exit;
+ }
diff --git a/security/cy2-saml/Makefile b/security/cy2-saml/Makefile
new file mode 100644
index 00000000000..58b0f22a7df
--- /dev/null
+++ b/security/cy2-saml/Makefile
@@ -0,0 +1,18 @@
+# $NetBSD: Makefile,v 1.1.1.1 2009/09/13 19:57:36 manu Exp $
+#
+
+PKGNAME= ${DISTNAME:S/crudesaml-/cy2-saml-/}
+COMMENT= Crude SAML assertion validator for bridging WebSSO and SASL
+
+PLUGINDIR= ${PREFIX}/lib/sasl2
+
+PKG_DESTDIR_SUPPORT= user-destdir
+
+do-install:
+ ${INSTALL_DATA_DIR} ${DESTDIR}${PLUGINDIR}
+ cd ${WRKSRC} && ${SHLIBTOOL} --mode=install \
+ ${INSTALL_PROGRAM} libsaml.la ${DESTDIR}${PLUGINDIR}
+ ${INSTALL_MAN} ${WRKSRC}/cy2_saml.5 \
+ ${DESTDIR}${PREFIX}/${PKGMANDIR}/man5
+
+.include "../../security/crudesaml/Makefile.common"
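Review bot: In the cy2-saml/Makefile hunk, do-install creates `${DESTDIR}${PLUGINDIR}` but never creates `${DESTDIR}${PREFIX}/${PKGMANDIR}/man5` before `${INSTALL_MAN}` copies `cy2_saml.5` into it, so the install step relies on that directory already existing in the destination tree, which is not guaranteed under DESTDIR. Declaring the target directories and letting the infrastructure create them avoids the ad-hoc mkdir: `INSTALLATION_DIRS= lib/sasl2 ${PKGMANDIR}/man5` next to PKG_DESTDIR_SUPPORT, with the `${INSTALL_DATA_DIR}` line removed from the recipe. pam-saml/Makefile in this commit has the same shape (`lib/security` plus `${PKGMANDIR}/man5`) and should get the same treatment.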
diff --git a/security/cy2-saml/PLIST b/security/cy2-saml/PLIST
new file mode 100644
index 00000000000..50ef2819b14
--- /dev/null
+++ b/security/cy2-saml/PLIST
@@ -0,0 +1,3 @@
+@comment $NetBSD: PLIST,v 1.1.1.1 2009/09/13 19:57:36 manu Exp $
+lib/sasl2/libsaml.la
+man/man5/cy2_saml.5
diff --git a/security/pam-saml/DESCR b/security/pam-saml/DESCR
new file mode 100644
index 00000000000..7f5af172112
--- /dev/null
+++ b/security/pam-saml/DESCR
@@ -0,0 +1,15 @@
+PAM provides a way to develop programs that are independent of
+authentication scheme. These programs need "authentication modules" to be
+attached to them at run-time in order to work. Which authentication module
+is to be attached is dependent upon the local system setup and is at the
+discretion of the local system administrator.
+
+This package contains a PAM module that perform a crude
+check on a SAML authentication assertion. The assertion signature and date
+are verified, and access is granted on behalf ot the user taked for a
+onfigurable attribute.
+
+The only protection against replay attacks is the assertion validity dates
+checks, this authentication is therefore secure only if the SAML
+authentication assertion remains secret. The assertion has the same role
+as a web cookie used for authentication.
diff --git a/security/pam-saml/Makefile b/security/pam-saml/Makefile
new file mode 100644
index 00000000000..7661eeddb8c
--- /dev/null
+++ b/security/pam-saml/Makefile
@@ -0,0 +1,16 @@
+# $NetBSD: Makefile,v 1.1.1.1 2009/09/13 19:57:51 manu Exp $
+#
+
+PKGNAME= ${DISTNAME:S/crudesaml-/pam-saml-/}
+COMMENT= Crude SAML assertion validator for bridging WebSSO and PAM
+
+PKG_DESTDIR_SUPPORT= user-destdir
+
+do-install:
+ ${INSTALL_DATA_DIR} ${DESTDIR}${PREFIX}/lib/security
+ cd ${WRKSRC} && ${SHLIBTOOL} --mode=install \
+ ${INSTALL_PROGRAM} pam_saml.la ${DESTDIR}${PREFIX}/lib/security
+ ${INSTALL_MAN} ${WRKSRC}/pam_saml.5 \
+ ${DESTDIR}${PREFIX}/${PKGMANDIR}/man5
+
+.include "../../security/crudesaml/Makefile.common"
diff --git a/security/pam-saml/PLIST b/security/pam-saml/PLIST
new file mode 100644
index 00000000000..67abeaed871
--- /dev/null
+++ b/security/pam-saml/PLIST
@@ -0,0 +1,3 @@
+@comment $NetBSD: PLIST,v 1.1.1.1 2009/09/13 19:57:51 manu Exp $
+lib/security/pam_saml.la
+man/man5/pam_saml.5 |