# NOTE: THIS CONFIGURATION IS FOR APACHE 2 ONLY.
#
# Modify this to your liking and include it in httpd.conf.
# -----------------------------------------------------------------------------

PerlModule ModPerl::Util
PerlModule Apache2::Request
PerlModule Apache2::RequestRec
PerlModule Apache2::RequestIO
PerlModule Apache2::RequestUtil
PerlModule Apache2::ServerUtil
PerlModule Apache2::Connection
PerlModule Apache2::Log
PerlModule Apache::Session
PerlModule APR::Table
PerlModule ModPerl::Registry
PerlModule "Apache2::Const => ':common'"
PerlModule "APR::Const => ':common'"

PerlModule Apache2::SiteControl
PerlModule HTML::Mason::ApacheHandler

# Uncomment this next line if you get errors from libapreq2
# about an 'undefined symbol'
LoadModule apreq_module /usr/lib/apache2/modules/mod_apreq2.so

# Add Netdot's libraries to @INC
PerlSwitches -I<<Make:PREFIX>>/lib

<Perl>
# Set up the Mason handler and global variables and import modules.
use Netdot::Mason;

# Override SiteControl's login method 
use Netdot::SiteControlLoginWrapper;
</Perl>


# If you would like to put netdot somewhere other than ``/netdot''
# just change this alias, the location of the login target
# (i.e. /netdot/NetdotLogin), and the variable NetdotPath below.  
Alias /netdot "<<Make:PREFIX>>/htdocs/"

# Force UTF-8
PerlSetVar MasonPreamble "use utf8;"
AddDefaultCharset utf-8 

# Set the path that will be protected.
#
# *NOTE* This variable is used to determine absolute paths where
# needed in the netdot pages.  The Netdot corresponds to AuthName
# Netdot below.  If you want to change the AuthName you will still
# need this variable as the Mason code assumes you didn't change the
# AuthName.
PerlSetVar NetdotPath "/netdot/"

# Indicate the path to the login page. Be careful, HTML::Mason can 
# interfere with proper handling...make sure you know your dependencies.
# See samples and Apache::AuthCookie for more information.
PerlSetVar NetdotLoginScript /netdot/login.html

# See Apache::AuthCookie for descriptions of these.  
#
# A general note about these Netdot variables: Some are accessed when
# a user requests a page and others are accessed when a user attempts
# to login.  In our setup the login target (NetdotLogin) is in the
# same apache scope as the netdot pages (/netdot) and these variables
# are specified at the global scope so there isn't an issue, but if
# you decide to move them inside a Directory, Files, or Location block
# and move the login target be sure that you put the right variables
# in the right places (hint: you will probably have to read the
# AuthCookie code as it is not clear from the docs, if you don't want
# any duplicates).  The same probably goes for the SiteControl and
# other non prefixed variables, but since they don't have prefixes it
# would be inconsiderate to put them at the top level (pollute the
# global name space), and so if you move the login target be sure to
# duplicate any relevant variables (again, it might not be obvious
# which).
PerlSetVar NetdotSatisfy All
# If this is set you wont be able to use unqualified hostnames and
# rely on DNS to supply the domain.  DNS will supply the domain no
# doubt, but the browser doesn't see it so the cookie will be invalid.
# Also, a hostname isn't valid here.
#PerlSetVar NetdotDomain .uoregon.edu
PerlSetVar NetdotCache 1

# We change the value of NetdotExpires dynamically to implement both
# temporary and permanent sessions.  NetdotTemporySessionExpires
# specifies the length of the tempory sessions, i.e. it corresponds to
# NetdotExpires in a typical AuthCookie setup.
PerlSetVar NetdotTemporarySessionExpires +2h

<Directory <<Make:PREFIX>>/htdocs/>
   Order Deny,Allow
   Allow from all

   # Other applications may have attempted to override how .html files are
   # interpreted.  We need to reset this so that HTML::Mason can work 
   # correctly.
   AddType text/html .html

   # This is hackish but it works.  It is preferred over handling all
   # files in /netdot as this causes requests for /netdot or /netdot/
   # to fail (DirectoryIndex doesn't get handled correctly).  The
   # "proper" way to handle this is with rewrite rules or
   # fixuphandlers I think, but this works: Handle everything which
   # isn't /netdot or /netdot/, i.e. which has atleast one non / char
   # in its name relative /netdot/, with mason.
   <FilesMatch .>
       SetHandler perl-script
       PerlHandler Netdot::Mason
   </FilesMatch>

   # Prevent mason from handling css and javascript
   <FilesMatch (\.css|\.js)$>
       SetHandler default-handler
   </FilesMatch>

   AuthType Apache2::SiteControl
   AuthName Netdot
   # Choose a name for the instance of the authenticator. This name is
   # used as part of the remaining variable names.
   PerlSetVar AuthName Netdot
   require valid-user

   # Allow access to the css and and title image so the login page
   # displays correctly.  The anonymous sub is somehow equiv to the
   # specification of the constant explicitly.  The point is that you
   # can't simply turn off authentication for particular files, you
   # must provide a new handler which allows all requests instead.    
   <FilesMatch (\.css|title\.png)$>
        PerlAuthenHandler Apache2::Const::OK #'sub { return OK }'
        PerlAuthzHandler Apache2::Const::OK #'sub { return OK }'
   </FilesMatch>

   # LDAP parameters are set in the login target Location directive
   # below.
   PerlSetVar SiteControlMethod Netdot::LDAP

   # Turn on debugging
   PerlSetVar AccessControllerDebug 1
   PerlSetVar AuthCookieDebug 1
   PerlSetVar SiteControlDebug 1

   # Configure the factories. See SiteControl::UserFactory and
   # SiteControl::ManagerFactory
   PerlSetVar SiteControlManagerFactory Netdot::NetdotPermissionFactory

   # Configure the location of the session data on server disks
   # NOTE: apache should have read/write access to these locations. 
   PerlSetVar SiteControlSessions <<Make:PREFIX>>/tmp/sessions
   PerlSetVar SiteControlLocks <<Make:PREFIX>>/tmp/sessions/locks

   # Tell mod_perl that you want this module to control access:
   PerlAuthenHandler Apache2::SiteControl->authenticate
   PerlAuthzHandler Apache2::SiteControl->authorize

   # See Apache2::SiteControl::UserFactory.  There are more variables,
   # but this seems to be the only one which makess SiteControl insult
   # you in the logs :P
   PerlSetVar UserObjectPasswordKey "Netdot gets the last laugh"
</Directory>

<Location /netdot/NetdotLogin>
   SetHandler perl-script
   PerlHandler Netdot::SiteControlLoginWrapper->login

   # Stop AuthCookie from preventing access to NetdotLogin
   # (which would create an authen loop).
   PerlAuthenHandler Apache2::Const::OK
   PerlAuthzHandler Apache2::Const::OK

   PerlSetVar NetdotLDAPServer  "ldaps://localhost.localdomain:636"
   PerlSetVar NetdotLDAPServer2 "ldaps://otherhost.localdomain:636"
   PerlSetVar NetdotLDAPRequireTLS "no"
   PerlSetVar NetdotLDAPUserDN "uid=<username>"
   PerlSetVar NetdotLDAPSearchBase "ou=people,dc=domain,dc=local"
   PerlSetVar NetdotLDAPFailToLocal "yes"
</Location>