We would like to integrate Sympa's web interface with another system using MySQL, using the other system's user table.
I've done some searching, but since Sympa is poorly documented no results of relevance have shown up.
Is this possible?
Sympa authentication is configured by the auth.conf file. This can contain one or more stanzas defining alternative authentication methods, such as the internal database, LDAP, cas or generic_sso. Sympa identifies users by their email address.
The first two (internal and LDAP) take the user email address and password, and authenticate directly. CAS authentication uses a CAS service.
Generic_sso authentication uses the Web server's own authentication to return a userID, and then obtains the user email address either from metadata or via an LDAP lookup. One example would be using Shibboleth (via mod_shib) and pulling the email address from the Shibboleth metadata. However, any web server authentication may be used, so you can easily use mod_mysql or similar to authenticate against an external user database. In order to get the email address, you can either use an associated LDAP lookup, have your web server authentication module return metadata (as an HTTP header), or ensure that the authenticated userID is the same as the email address.
In short: use generic_sso, and then configure the necessary authentication in your web server, making sure to return the email address in the metadata if you cannot map user to email via an LDAP lookup.
The (admittedly poor) documentation on this is here: Sympa authentication
Example:
This auth.conf stanza uses mod_shib to authenticate via Shibboleth; if the mail metadata is returned then it will be used, otherwise an LDAP lookup will be performed to obtain the email address. In order for the authentication to work, the location /sympa/sso_login/shibboleth is configured in the web server to be protected by Shibboleth using mod_shib.
generic_sso
    service_name Shibboleth
    service_id shibboleth
    http_header_list mail,displayName,uid,unscoped_affiliation
    netid_http_header uid
    email_http_header mail
    ldap_host ldap.company.com:636
    ldap_timeout 20
    ldap_bind_dn cn=sympa,o=company
    ldap_bind_password xxxxxx
    ldap_suffix ou=users,o=company
    ldap_get_email_by_uid_filter (cn=[uid])
    ldap_email_attribute mail
    ldap_scope one
    ldap_use_ssl 1
Example:
A similar method can be used to protect a location using a different method, such as mod_auth_mysql or mod_authn_dbd. If you use mod_authn_dbd, you can return the email address in the same query, from where it will be loaded into the environment. You can then use RequestHeader set in your Apache config to push it into the HTTP headers to be picked up by the email_http_header definition. See here for the mod_authn_dbd documentation.
generic_sso
    service_name MySQL
    service_id mysql
    email_http_header x-mail
and in Apache (this is not tested but should be correct):
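# Connection pool used by mod_dbd. The MySQL driver takes the password
# under the key "pass" ("password" is the PostgreSQL spelling).
DBDriver mysql
DBDParams "dbname=apacheauth user=apache pass=xxxxxx"
DBDMin 4
DBDKeep 8
DBDMax 20
DBDExptime 300
<Location /sympa/sso_login/mysql>
    AuthType basic
    # Basic authentication needs a realm; this name is a placeholder.
    AuthName "Sympa"
    AuthBasicProvider dbd
    Require valid-user
    # Extra columns are exported to the environment as AUTHENTICATE_<column>.
    AuthDBDUserPWQuery "SELECT password, emailaddr FROM authn WHERE user = %s"
    # "set" replaces any x-mail value sent by the client.
    RequestHeader set x-mail %{AUTHENTICATE_emailaddr}e
</Location>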
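
A consistency check for this kind of setup, as an added example that is not part of the original answer or of Sympa: it reads an auth.conf and an Apache configuration and reports each generic_sso service whose /sympa/sso_login/<service_id> location is missing, has no Require directive, or does not push the email_http_header with RequestHeader set while no LDAP lookup is configured. The function names and the embedded sample inputs are assumptions constructed for illustration, and the check only understands the RequestHeader pattern, so a module that injects the header itself (such as mod_shib) would need an exemption.

```python
import re

# Constructed inputs, modelled on the MySQL stanza and Apache block in the answer.
AUTH_CONF = """generic_sso
service_id mysql
email_http_header x-mail
"""
APACHE_CONF = """<Location /sympa/sso_login/mysql>
AuthBasicProvider dbd
Require valid-user
RequestHeader set x-mail %{AUTHENTICATE_emailaddr}e
</Location>
"""

def parse_sso_stanzas(text):
    """Return one parameter dict per generic_sso paragraph of auth.conf."""
    stanzas, current = [], None
    for line in map(str.strip, text.splitlines()):
        parts = [] if line.startswith("#") else line.split(None, 1)
        if len(parts) == 1:  # a bare word opens a new paragraph
            stanzas.append(current := {"_type": parts[0]})
        elif parts and current is not None:
            current[parts[0]] = parts[1]
    return [s for s in stanzas if s["_type"] == "generic_sso"]

def parse_locations(text):
    """Map each <Location> path to its lower-cased, tokenised directives."""
    blocks = re.findall(r'<Location\s+"?([^\s">]+)"?\s*>(.*?)</Location>', text, re.S | re.I)
    return {p: [d.lower().split() for d in b.splitlines() if d.strip()] for p, b in blocks}

def audit(auth_conf, apache_conf):
    """Return findings; an empty list means every SSO service is covered."""
    locations, findings = parse_locations(apache_conf), []
    for sso in parse_sso_stanzas(auth_conf):
        path = "/sympa/sso_login/" + sso.get("service_id", "")
        if (directives := locations.get(path)) is None:
            findings.append(f"{path}: no <Location> block protects it")
            continue
        if not any(d[0] == "require" and d[1:] != ["all", "granted"] for d in directives):
            findings.append(f"{path}: no Require directive enforces authentication")
        header = sso.get("email_http_header", "").lower()
        # Only "set" overwrites a client-supplied value; add/append/merge keep it.
        pushed = any(d[:3] == ["requestheader", "set", header] for d in directives)
        if header and not pushed and "ldap_host" not in sso:
            findings.append(f"{path}: {header} is not set by the server, no LDAP fallback")
    return findings

if __name__ == "__main__":
    print(audit(AUTH_CONF, APACHE_CONF) or "no findings")
```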