I checked in C4/Auth and we are using perl time() for comparison with this value.
I also added description of specifying timeout in days which is available in code.
Robin Sheat suggested to document just lowercase d for days option, to reduce
confusion although uppercase D works as days specifier as well.
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
standardized the use of the term "library" instead of "Branch" accross the interface and opac
Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
This adds a new syspref: AllowPKIAuth. It can have one of three states:
* None
* Common Name
* emailAddress
If a) this is set to something that's not "None", and b) the webserver
is passing SSL client cert details on to Koha, then the relevant field
in the user's certificate will be matched up against the field in the
database and they will be automatically logged in. This is used as a
secure form of single sign-on in some organisations.
The "Common Name" field is matched up against the userid, while
"emailAddress" is matched against the primary email.
This is an example of what might go in the Apache configuration for the
virtual host:
#SSLVerifyClient require # only allow PKI authentication
SSLVerifyClient optional
SSLVerifyDepth 2
SSLCACertificateFile /etc/apache2/ssl/test/ca.crt
SSLOptions +StdEnvVars
The last line ensures that the required details are
passed to Koha.
To test the PKI authentication, use the following curl command:
curl -k --cert client.crt --key client.key https://URL/
(look through the output to find the "Welcome," line to indicate that a user
has been authenticated or the "Log in to Your Account" to indicate that a
user has not been authenticated)
To create the certificates needed for the above command, the following series
of commands will work:
# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# This is the ca.crt file that the Apache config needs to know about,
# so put the file at /etc/apache2/ssl/test/ca.crt
# Create the Server Key, CSR, and Certificate
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
# We're self signing our own server cert here. This is a no-no in
# production.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
-set_serial 01 -out server.crt
# Create the Client Key and CSR
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr
# Sign the client certificate with our CA cert. Unlike signing our own
# server cert, this is what we want to do.
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
-set_serial 02 -out client.crt
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
# In theory we can install this client.p12 file in Firefox or Chrome, but
# the exact steps for doing so are unclear, and outside the scope of this
# patch
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Tested with Common Name and E-mail authentication, as well as with PKI
authentication disabled. Regular logins continue to work in all cases when
SSL authentication is set to optional on the server.
Signed-off-by: Ian Walls <koha.sekjal@gmail.com>
QA comment: synchronized updatedatabase.pl version of syspref with sysprefs.sql
version, to avoid divergent databases between new and upgrading users.
Note: this requires CGI::Session::Driver::memcached to be installed
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
The intended functionality of this system preference was never
implemented. To avoid template changes prior to 3.2.0, put in
hard-coded string 'CSV' to (accurately) identify the type of
the output files in the affected reports.
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Per the following koha-devel thread, the use of
staff user subpermissions, AKA granular permissions, is
now the default behavior in Koha. This patch removes
the GranularPermissions system preference.
[1] http://lists.koha-community.org/pipermail/koha-devel/2010-February/033670.html
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Note that most of the prefs that have been moved between tabs were
moved intentionally, because the old tab no longer made sense. If one
in particular seems wrong, please let me know.
