BMC/UUP-AUTH - Authentication library for PHP
The BMC/UUP-AUTH package provides a library for stacking authenticators together to support multiple authentication method in a uniform way.
The library also contains restrictors for performing access restriction (i.e. on time of day or the ip-address/hostname). All authenticators in the stack can be set as required or sufficient to enforce logon policy (i.e. require CAS-logon from outside of LAN while supporting Kerberos logon from inside).
- The example directory in the source code contains fully working examples.
- See API docs.
The library is modular. The authenticators are the frontend (credentials obtainers) that might use a validator as authentication source (for example LDAP). The authenticator can be ' combined with a storage object to support logon sessions.
Authenticators can be used in a stack or standalone (single login method). If configuring a stack, use one of the access classes for easy access to chains and authenticators. It's possible to configure any number of chains (possibly nested) for authentication and access restriction.
This listing should give an hint on where to find different classes:
+-- UUP/Authentication/ +-- Authenticator/ : Authenticator frontend classes. +-- Restrictor/ : Restrictor classes. +-- Stack/ : Support for stacking authenticators/restrictors. +-- Storage/ : Persistance support. +-- Validator/ : Authentication support.
This library supports the following classes of authentication sources out of the box:
- CAS (Central Authentication Service)
- LDAP (MSAD, bind or search).
- SQL (user table with password).
- Remote (i.e. Kerberos or Shibboleth)
- System (PAM, shadow or passwd).
- Network (hostname, IP-adress or domain).
- Plain text (simple e-mail/password).
In addition to authentication, this library can also be used to provide access restriction. For example, logon might be configured to only be accepted during specific logon hours or from specific adresses (single, range or subnet).
Stack and chains
Stacks are typical used to group sufficient authenticators and required restrictors together. In more complex cases, its possible to define multiple chains that gets selected depending on called service or whether caller belongs to a corporate network or from internet.
# Each non-leaf represents a chain stack(chain) +-- web | +-- wan | | +-- cas // authenticator | | +-- datetime // restrictor | +-- lan | +-- kerberos // authenticator | +-- msad // authenticator +-- soap +-- address // restrictor +-- form // authenticator +-- hostname // authenticator +-- domain // authenticator
Chains might contain other chains that is traversed until all required objects are accepted and at least one sufficient object returns true. Filtering might be applied to the stack to select a sub chain.