Main Koha release repository https://koha-community.org
Robin Sheat 4cbeeedbe8 Bug 6296: allow users to be authenticated by SSL client certs
This adds a new syspref: AllowPKIAuth. It can have one of three states:
* None
* Common Name
* emailAddress

If a) this is set to something that's not "None", and b) the webserver
is passing SSL client cert details on to Koha, then the relevant field
in the user's certificate will be matched up against the field in the
database and they will be automatically logged in. This is used as a
secure form of single sign-on in some organisations.

The "Common Name" field is matched up against the userid, while
"emailAddress" is matched against the primary email.

This is an example of what might go in the Apache configuration for the
virtual host:

    #SSLVerifyClient require # only allow PKI authentication
    SSLVerifyClient optional
    SSLVerifyDepth 2
    SSLCACertificateFile /etc/apache2/ssl/test/ca.crt
    SSLOptions +StdEnvVars

The last line ensures that the required details are
passed to Koha.

To test the PKI authentication, use the following curl command:
    curl -k --cert client.crt --key client.key  https://URL/
(look through the output to find the "Welcome," line to indicate that a user
has been authenticated or the "Log in to Your Account" to indicate that a
user has not been authenticated)

To create the certificates needed for the above command, the following series
of commands will work:
    # Create the CA Key and Certificate for signing Client Certs
    openssl genrsa -des3 -out ca.key 4096
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    # This is the ca.crt file that the Apache config needs to know about,
    # so put the file at /etc/apache2/ssl/test/ca.crt

    # Create the Server Key, CSR, and Certificate
    openssl genrsa -des3 -out server.key 1024
    openssl req -new -key server.key -out server.csr

    # We're self signing our own server cert here.  This is a no-no in
    # production.
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
        -set_serial 01 -out server.crt

    # Create the Client Key and CSR
    openssl genrsa -des3 -out client.key 1024
    openssl req -new -key client.key -out client.csr

    # Sign the client certificate with our CA cert. Unlike signing our own
    # server cert, this is what we want to do.
    openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
        -set_serial 02 -out client.crt
    openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
    # In theory we can install this client.p12 file in Firefox or Chrome, but
    # the exact steps for doing so are unclear, and outside the scope of this
    # patch

Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Tested with Common Name and E-mail authentication, as well as with PKI
authentication disabled. Regular logins continue to work in all cases when
SSL authentication is set to optional on the server.

Signed-off-by: Ian Walls <koha.sekjal@gmail.com>
QA comment: synchronized updatedatabase.pl version of syspref with sysprefs.sql
version, to avoid divergent databases between new and upgrading users.
2012-03-19 17:02:44 +01:00
acqui Bug 6296: allow users to be authenticated by SSL client certs 2012-03-19 17:02:44 +01:00
admin Bug 7582 - When adding a Z39.50 server the "checked" option should use a checkbox 2012-02-27 18:33:12 +01:00
authorities signed off Bug 7284: Authority matching improvements 2012-03-07 17:34:11 +01:00
basket Bug 6050 Make calls to GetItemsInfo consistent 2011-06-14 14:12:02 +12:00
C4 Bug 6296: allow users to be authenticated by SSL client certs 2012-03-19 17:02:44 +01:00
catalogue Bug 6296: allow users to be authenticated by SSL client certs 2012-03-19 17:02:44 +01:00
cataloguing Merge remote-tracking branch 'origin/new/bug_7458' 2012-03-12 18:20:36 +01:00
circ bug_7001: Issue and Reserve slips are notices. 2012-03-09 10:11:20 +01:00
debian Bug 7532 - remove dependency on Date::ICal 2012-02-17 11:49:05 +01:00
docs welcome David Cook, you're 178th 2012-03-16 11:54:13 +01:00
errors Housekeeping in errors scripts 2010-05-12 07:29:03 -04:00
etc Bug 7698: Add CHR/ICU Zebra tokenization choice to installation 2012-03-13 16:08:04 +01:00
install_misc Bug 7532 - remove dependency on Date::ICal 2012-02-17 11:49:05 +01:00
installer Bug 6296: allow users to be authenticated by SSL client certs 2012-03-19 17:02:44 +01:00
Koha/Template/Plugin Bug 929 : Followup fixing date formatting 2012-01-06 13:52:08 +01:00
koha-tmpl Bug 6296: allow users to be authenticated by SSL client certs 2012-03-19 17:02:44 +01:00
labels Bug 7615 - Give option to use description for homebranch/holding branch in label creator instead of the branchcode 2012-03-08 16:12:50 +01:00
members Bug 6296: allow users to be authenticated by SSL client certs 2012-03-19 17:02:44 +01:00
misc Merge remote-tracking branch 'origin/new/bug_7368' 2012-03-16 11:50:42 +01:00
offline_circ Bug 4976 - Status of item returned with process_koc.pl is empty in Intranet 2012-03-19 16:23:10 +01:00
opac Enh 7031: More options for Advanced Search 2012-03-14 14:35:27 +01:00
patroncards Bug 7318: Fixes category display in patroncards Patron Search results. 2012-02-27 18:01:00 +01:00
reports Bug 5698: Followup: Add date picker option to SQL Runtime Parameters 2012-03-19 16:21:48 +01:00
reserve Bug 6296: allow users to be authenticated by SSL client certs 2012-03-19 17:02:44 +01:00
reviews Bug 1623 - Provide view of approved comments 2011-12-27 18:26:50 +01:00
rotating_collections Bug 6553 : Follow up adding license statements 2011-08-13 19:54:38 +12:00
selenium Adding selenium tests for filterMembers 2009-09-30 11:30:37 +02:00
serials Bug 6296: allow users to be authenticated by SSL client certs 2012-03-19 17:02:44 +01:00
skel installer: fixed chown invocation; added skel for KOHA_LOG_DIR 2007-12-17 09:13:53 -06:00
sms Bug 2505 - Add commented use warnings where missing in the sms/ directory 2010-04-21 20:25:08 +12:00
suggestion Bug 7577: Adds a display page for suggestions 2012-03-12 13:52:22 +01:00
svc Bug 6752: Be stricter with utf-8 encoding of output 2012-01-27 12:11:06 +01:00
t 7661 Followup for resolving moved Record test 2012-03-14 14:59:46 +01:00
tags Bug 6933 follow-up, perltyding new script list.pl 2012-02-02 10:17:43 +01:00
test Bug 5449: JSON malformed in Koha - Blocker with jQuery 1.4.x 2011-03-12 08:53:41 +13:00
tmp/modified_authorities changing DO_NOT_REMOVE to README.txt 2007-10-21 19:14:41 -05:00
tools bug_7001: protected are only all libraries letters 2012-03-13 12:07:58 +01:00
virtualshelves Fix for Bug 6957, authors disappearing when emailing lists 2011-10-20 11:34:39 +13:00
xt Merge remote-tracking branch 'origin/new/bug_5327' 2012-02-15 13:55:48 +01:00
.htaccess Fix file permissions: if it is not a script, it should not be executable. 2010-04-16 00:40:34 -04:00
.mailmap 7439 Mailmap for master 2012-01-27 12:27:58 +01:00
about.pl Bug 7164 follow-up history.txt and perlcritic compliance 2011-12-14 15:10:28 +01:00
changelanguage.pl Bug 6755 Problems with switching languages 2011-09-23 09:47:09 +12:00
edithelp.pl Bug 7038 Contextual help is always in English 2011-10-18 16:01:25 +13:00
fix-perl-path.PL installer: improvements to fix-path-perl.PL on Win32 2007-12-20 19:20:12 -06:00
help.pl Bug 6628 : Stopping a potential vulnerability 2011-11-28 10:05:58 +01:00
INSTALL Updating main INSTALL instructions 2011-10-22 09:04:19 +13:00
install-CPAN.pl Bug 5370: Fix all the references to koha.org 2010-11-08 09:41:49 +13:00
INSTALL.debian Updating distro specific install files 2011-10-22 09:12:15 +13:00
INSTALL.fedora7 Bug 7532 - remove dependency on Date::ICal 2012-02-17 11:49:05 +01:00
INSTALL.opensuse Bug 7356 - Fix various typos and mis-spellings 2012-01-13 11:51:26 +01:00
INSTALL.ubuntu Updating distro specific install files 2011-10-22 09:12:15 +13:00
INSTALL.ubuntu.lucid Updating distro specific install files 2011-10-22 09:12:15 +13:00
koha_perl_deps.pl Bug 6914 - fixes for the color option of koha_perl_deps.pl 2011-12-03 07:47:38 +01:00
kohaversion.pl Bug 7557 follow-up: DBRev number and removed default value 2012-03-14 16:38:07 +01:00
LICENSE Update LICENSE with a fresh copy from upstream. This updates the FSF address, and refers to the LGPL with its current name, and changes a few other minor things of the typographical sort. No semantic changes. 2010-03-16 20:17:48 -04:00
mainpage.pl Bug 6875 cleaning mainpage.pl 2012-02-15 14:58:31 +01:00
Makefile.PL Bug 7698: Add CHR/ICU Zebra tokenization choice to installation 2012-03-13 16:08:04 +01:00
MANIFEST.SKIP Bug Fixing : 3334 2009-06-19 06:33:34 -05:00
README updated links in README 2010-05-24 08:14:16 -04:00
README.robots Bug 6411 add another example to README.robots 2011-07-05 14:48:05 +12:00
rewrite-config.PL Bug 7698: Add CHR/ICU Zebra tokenization choice to installation 2012-03-13 16:08:04 +01:00

Koha is a free software integrated library system.

Koha is distributed under the GNU GPL version 2 or later.
Please read the file LICENSE for more details.

To install or upgrade Koha, please see the INSTALL file appropriate
to your platform.

Report bugs at http://bugs.koha-community.org/

Visit the Koha Project website at http://www.koha-community.org/