BMC/UUP-AUTH - Authentication library for PHP

The BMC/UUP-AUTH package provides a library for stacking authenticators together to support multiple authentication methods in a uniform way.

PAM-like design

The library also contains restrictors for performing access restriction (e.g. on time of day or on the client IP address/hostname). Each authenticator or restrictor in the stack can be set as required or sufficient to enforce a logon policy (e.g. require CAS logon from outside the LAN while supporting Kerberos logon from inside).

Documentation

Design

The library is modular. Authenticators are the frontend (credential obtainers) and may use a validator as the authentication source (for example LDAP). An authenticator can be combined with a storage object to support logon sessions.

Authenticators can be used in a stack or standalone (single login method). When configuring a stack, use one of the access classes for easy access to chains and authenticators. Any number of chains (possibly nested) can be configured for authentication and access restriction.

Framework

This listing should give a hint of where to find the different classes:

    +-- UUP/Authentication/
          +-- Authenticator/        : Authenticator frontend classes.
          +-- Restrictor/           : Restrictor classes.
          +-- Stack/                : Support for stacking authenticators/restrictors.
          +-- Storage/              : Persistence support.
          +-- Validator/            : Authentication support.

Authentication

This library supports the following classes of authentication sources out of the box:

Restriction

In addition to authentication, this library can also be used to provide access restriction. For example, logon might be configured to be accepted only during specific logon hours or only from specific addresses (a single address, a range or a subnet).
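The address-based restriction described above, as an added example that is not code from the uup-auth library: a small restrictor that accepts a client address when it matches a single address, an inclusive range or a CIDR subnet. The class and method names (AddressRule, accepts) and the rule syntax are assumptions made for this example, and the test addresses are constructed.

```php
<?php
// Added example, not part of the uup-auth library. Names (AddressRule, accepts)
// and the "a.b.c.d", "a.b.c.d-w.x.y.z", "a.b.c.d/n" rule syntax are assumptions.

final class AddressRule
{
    /** @var array<int, array{0: int, 1: int}> inclusive [low, high] ranges as unsigned ints */
    private array $ranges = [];

    /** @param string[] $specs */
    public function __construct(array $specs)
    {
        foreach ($specs as $spec) {
            $this->ranges[] = self::parse($spec);
        }
    }

    /** Parse one rule into an inclusive [low, high] range of unsigned 32-bit ints. */
    private static function parse(string $spec): array
    {
        if (strpos($spec, '/') !== false) {
            [$net, $bits] = explode('/', $spec, 2);
            if (!ctype_digit($bits) || (int) $bits > 32) {
                throw new InvalidArgumentException("Bad prefix length in $spec");
            }
            $bits = (int) $bits;
            $base = self::toInt($net);
            // Build the netmask with 64-bit arithmetic and keep it in the unsigned 32-bit range.
            $mask = $bits === 0 ? 0 : ((0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF);
            $low  = $base & $mask;
            $high = $low | (~$mask & 0xFFFFFFFF);
            return [$low, $high];
        }
        if (strpos($spec, '-') !== false) {
            [$from, $to] = explode('-', $spec, 2);
            $low  = self::toInt($from);
            $high = self::toInt($to);
            if ($low > $high) {
                throw new InvalidArgumentException("Reversed range in $spec");
            }
            return [$low, $high];
        }
        $one = self::toInt($spec);
        return [$one, $one];
    }

    /** Strict IPv4 parse: hostnames and IPv6 literals are rejected rather than silently matched. */
    private static function toInt(string $addr): int
    {
        if (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            throw new InvalidArgumentException("Not an IPv4 address: $addr");
        }
        return (int) sprintf('%u', ip2long($addr));
    }

    /** Deny by default: an unparsable or non-IPv4 client address never matches. */
    public function accepts(string $client): bool
    {
        if (filter_var($client, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            return false;
        }
        $ip = (int) sprintf('%u', ip2long($client));
        foreach ($this->ranges as [$low, $high]) {
            if ($ip >= $low && $ip <= $high) {
                return true;
            }
        }
        return false;
    }
}

// Constructed rules and client addresses. Feed the restrictor the socket peer
// address ($_SERVER['REMOTE_ADDR']), not X-Forwarded-For, unless a trusted
// reverse proxy is known to set that header.
$lan = new AddressRule(['10.0.0.0/8', '192.168.1.10', '172.16.5.20-172.16.5.30']);
var_dump($lan->accepts('10.20.30.40'));   // inside 10.0.0.0/8
var_dump($lan->accepts('192.168.1.10'));  // the single listed address
var_dump($lan->accepts('172.16.5.25'));   // inside the listed range
var_dump($lan->accepts('172.16.5.31'));   // one past the end of the range
var_dump($lan->accepts('2001:db8::1'));   // IPv6 literal, rejected by the strict parse
```

The strict IPv4 parse matters in a restrictor: a lenient check that let a hostname or an IPv6-mapped form through could match a rule it was never meant to satisfy. When the service also needs to accept IPv6 clients, add a separate IPv6 rule type rather than loosening this one.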

Stack and chains

Stacks are typically used to group sufficient authenticators and required restrictors together. In more complex cases, it is possible to define multiple chains that get selected depending on the called service or on whether the caller belongs to the corporate network or comes from the internet.

    # Each non-leaf represents a chain

    stack(chain)
       +-- web
       |    +-- wan
       |    |    +-- cas        // authenticator
       |    |    +-- datetime   // restrictor
       |    +-- lan
       |         +-- kerberos   // authenticator
       |         +-- msad       // authenticator
       +-- soap
            +-- address         // restrictor
            +-- form            // authenticator
            +-- hostname        // authenticator
            +-- domain          // authenticator

Chains may contain other chains, which are traversed until all required objects are accepted and at least one sufficient object returns true. Filtering may be applied to the stack to select a sub chain.
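The required/sufficient policy from the "PAM-like design" section and the chain traversal described here, as an added example that is not the uup-auth library's API: a minimal stack in which leaves (authenticators or restrictors) and nested chains are combined under the two control flags, built to mirror the "web" branch of the diagram above. The class and method names (Entry, Leaf, Chain, accepted, selectChain) are assumptions, the credential outcomes are constructed booleans, and the rule that a chain without any sufficient entry never accepts is a deny-by-default choice made for this example, not a documented property of the library.

```php
<?php
// Added example, not the uup-auth library's API. Entry, Leaf, Chain, accepted()
// and selectChain() are hypothetical names; the check results are constructed.

interface Entry
{
    public function accepted(): bool;
}

/** Leaf entry (an authenticator or a restrictor) backed by a callable returning bool. */
final class Leaf implements Entry
{
    /** @param callable(): bool $check */
    public function __construct(private string $name, private $check) {}

    public function accepted(): bool
    {
        return (bool) ($this->check)();
    }
}

final class Chain implements Entry
{
    public const REQUIRED   = 'required';
    public const SUFFICIENT = 'sufficient';

    /** @var array<int, array{0: Entry, 1: string}> */
    private array $entries = [];

    public function __construct(private string $name) {}

    public function add(Entry $entry, string $control): self
    {
        if ($control !== self::REQUIRED && $control !== self::SUFFICIENT) {
            throw new InvalidArgumentException("Unknown control flag: $control");
        }
        $this->entries[] = [$entry, $control];
        return $this;
    }

    /**
     * Policy assumed here (modelled on PAM): every REQUIRED entry must accept and
     * at least one SUFFICIENT entry must accept. A failing REQUIRED entry fails the
     * chain, but the remaining entries are still evaluated so the caller cannot
     * learn from timing which entry rejected it. A chain with no SUFFICIENT entry
     * never accepts (deny by default). Nested chains are just entries.
     */
    public function accepted(): bool
    {
        $requiredOk   = true;
        $sufficientOk = false;
        foreach ($this->entries as [$entry, $control]) {
            $ok = $entry->accepted();
            if ($control === self::REQUIRED) {
                $requiredOk = $requiredOk && $ok;
            } elseif ($ok) {
                $sufficientOk = true;
            }
        }
        return $requiredOk && $sufficientOk;
    }
}

// Constructed outcomes standing in for real credential and restriction checks.
$casTicketValid   = true;
$withinLogonHours = false;  // e.g. a request at 03:00
$kerberosValid    = false;
$msadValid        = true;

// The "web" branch of the diagram: wan requires the datetime restrictor and
// accepts CAS; lan accepts Kerberos or MS AD. Either sub chain suffices for web.
$wan = (new Chain('wan'))
    ->add(new Leaf('cas', fn() => $casTicketValid), Chain::SUFFICIENT)
    ->add(new Leaf('datetime', fn() => $withinLogonHours), Chain::REQUIRED);

$lan = (new Chain('lan'))
    ->add(new Leaf('kerberos', fn() => $kerberosValid), Chain::SUFFICIENT)
    ->add(new Leaf('msad', fn() => $msadValid), Chain::SUFFICIENT);

$web = (new Chain('web'))
    ->add($wan, Chain::SUFFICIENT)
    ->add($lan, Chain::SUFFICIENT);

// Filtering: select the sub chain for the caller's network instead of walking
// the whole stack. Classifying the caller is assumed to be done by an address
// restrictor on the peer address, outside this example.
function selectChain(Chain $wan, Chain $lan, bool $callerOnLan): Chain
{
    return $callerOnLan ? $lan : $wan;
}

var_dump($wan->accepted());  // valid CAS ticket, but the required datetime restrictor rejects
var_dump($lan->accepted());  // Kerberos failed, MS AD sufficient
var_dump($web->accepted());  // accepted as soon as one sufficient sub chain accepts
var_dump(selectChain($wan, $lan, false)->accepted());  // an internet caller is held to the wan policy
```

The last line is the point of filtering from a policy standpoint: without it, the flat "web" chain lets an internet caller satisfy the stack through the "lan" branch, since a sufficient sub chain anywhere in the tree is enough. Selecting the sub chain by the caller's network first keeps the datetime restrictor mandatory for everyone who arrives from outside.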