Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Catalyst: Users

Catalyst::Authentication::Credential::LDAP

  

 
Catalyst users RSS feed   Index | Next | Previous | View Threaded


plu at pqpq

Jun 24, 2008, 9:46 PM

Post #1 of 15 (1068 views)
Permalink
Catalyst::Authentication::Credential::LDAP
Hi,

there's already C::A::Store::LDAP to authenticate users against LDAP
servers. This module fetches a user from LDAP and checks his password
(if you told C::A::Credential::Password password_type => self_check).
In most of my apps i don't want to fetch the user from LDAP whereas i
just want to check his password against LDAP. The user, his roles and
preferences are stored in a database. So i use
C::A::Store::DBIx::Class to retrieve a user from the store and a
custom C::A::Credential::LDAP to verify his password.
Maybe this setup is used by someone else too and above all
C::A::Credential::LDAP is useful?
If that's the case i'll put it on CPAN - what do you think?

Thanks for your time,
plu

--
Johannes Plunien | mailto:plu[at]pqpq.de | http://www.pqpq.de


_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


Alexander.Hartmaier at t-systems

Jun 25, 2008, 1:02 AM

Post #2 of 15 (1039 views)
Permalink
RE: Catalyst::Authentication::Credential::LDAP [In reply to]
Hi!

Imho thats very useful!
Some generic plugin or extending C::P::Auth to combine two auth stores, one for authentication and one as source for the roles etc. would be great!

-Alex


-----Original Message-----
From: Johannes Plunien [mailto:plu[at]pqpq.de]
Sent: Wednesday, June 25, 2008 6:46 AM
To: catalyst[at]lists.scsys.co.uk
Subject: [Catalyst] Catalyst::Authentication::Credential::LDAP

Hi,

there's already C::A::Store::LDAP to authenticate users against LDAP
servers. This module fetches a user from LDAP and checks his password
(if you told C::A::Credential::Password password_type => self_check).
In most of my apps i don't want to fetch the user from LDAP whereas i
just want to check his password against LDAP. The user, his roles and
preferences are stored in a database. So i use
C::A::Store::DBIx::Class to retrieve a user from the store and a
custom C::A::Credential::LDAP to verify his password.
Maybe this setup is used by someone else too and above all
C::A::Credential::LDAP is useful?
If that's the case i'll put it on CPAN - what do you think?

Thanks for your time,
plu

--
Johannes Plunien | mailto:plu[at]pqpq.de | http://www.pqpq.de


_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*


_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


bruce at drangle

Jun 25, 2008, 11:27 AM

Post #3 of 15 (1029 views)
Permalink
Re: Catalyst::Authentication::Credential::LDAP [In reply to]
Johannes Plunien wrote:
> Hi,
>
> there's already C::A::Store::LDAP to authenticate users against LDAP
> servers. This module fetches a user from LDAP and checks his password
> (if you told C::A::Credential::Password password_type => self_check).
> In most of my apps i don't want to fetch the user from LDAP whereas i
> just want to check his password against LDAP. The user, his roles and
> preferences are stored in a database. So i use
> C::A::Store::DBIx::Class to retrieve a user from the store and a
> custom C::A::Credential::LDAP to verify his password.
> Maybe this setup is used by someone else too and above all
> C::A::Credential::LDAP is useful?
> If that's the case i'll put it on CPAN - what do you think?
Sounds useful.

Also, somewhat apropos, I have a
C::A::{Store,Credential}::ActiveDirectory that I based on the LDAP
stuff. The LDAP modules didn't work for me because they want to bind
anonymously and retrieve the crypted password, whereas AD just wants to
authenticate with a bind. My stuff also gets role information from AD
groups. I've been meaning to get it out on CPAN one of these days, but
it hasn't been a priority; I suppose I can work on it if anyone else
needs it though.

Bruce

_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


dbix-class at trout

Jul 19, 2008, 5:10 PM

Post #4 of 15 (904 views)
Permalink
Re: Catalyst::Authentication::Credential::LDAP [In reply to]
On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
> Also, somewhat apropos, I have a
> C::A::{Store,Credential}::ActiveDirectory that I based on the LDAP
> stuff. The LDAP modules didn't work for me because they want to bind
> anonymously and retrieve the crypted password, whereas AD just wants to
> authenticate with a bind. My stuff also gets role information from AD
> groups. I've been meaning to get it out on CPAN one of these days, but
> it hasn't been a priority; I suppose I can work on it if anyone else
> needs it though.

Sounds to me like 'auth by bind' versus 'auth by retrieve and check' should
be an option in the LDAP stuff, not a separate module. Fancy doing up
a patch?

--
Matt S Trout Need help with your Catalyst or DBIx::Class project?
Technical Director http://www.shadowcat.co.uk/catalyst/
Shadowcat Systems Ltd. Want a managed development or deployment platform?
http://chainsawblues.vox.com/ http://www.shadowcat.co.uk/servers/

_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


Wade.Stuart at fallon

Jul 21, 2008, 9:48 AM

Post #5 of 15 (895 views)
Permalink
Re: Catalyst::Authentication::Credential::LDAP [In reply to]
Matt S Trout <dbix-class[at]trout.me.uk> wrote on 07/19/2008 07:10:28 PM:

> On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
> > Also, somewhat apropos, I have a
> > C::A::{Store,Credential}::ActiveDirectory that I based on the LDAP
> > stuff. The LDAP modules didn't work for me because they want to bind
> > anonymously and retrieve the crypted password, whereas AD just wants to

> > authenticate with a bind. My stuff also gets role information from AD
> > groups. I've been meaning to get it out on CPAN one of these days, but

> > it hasn't been a priority; I suppose I can work on it if anyone else
> > needs it though.
>
> Sounds to me like 'auth by bind' versus 'auth by retrieve and check'
should
> be an option in the LDAP stuff, not a separate module. Fancy doing up
> a patch?
>

>From the POD It authenticates users in two steps:



1) A search of the directory is performed, looking for a user object that

matches the username you pass. This is done with the bind credentials

supplied in the "binddn" and "bindpw" configuration options.



2) If that object is found, we then re-bind to the directory as that
object.

Assuming this is successful, the user is Authenticated.







And the actual check password code:

$self->store->ldap_bind( undef, $self->ldap_entry->dn, $password,

'forauth' );

Notice the rebind.

So it does not try to "retrieve the crypted password", it does bind (anon
or by authorized service account if set in binddn and bindpw) to the ldap
server, Next it grabs the user's dn from a search on that bind. Finally to
authenticate it actually binds to the ldap server as that user's dn. This
works well against AD (I use it), I don't understand what deficiency you
are trying to fix with your patch.





_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


dbix-class at trout

Jul 21, 2008, 2:32 PM

Post #6 of 15 (889 views)
Permalink
Re: Catalyst::Authentication::Credential::LDAP [In reply to]
On Mon, Jul 21, 2008 at 11:48:39AM -0500, Wade.Stuart[at]fallon.com wrote:
> Matt S Trout <dbix-class[at]trout.me.uk> wrote on 07/19/2008 07:10:28 PM:
>
> > On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
> > > Also, somewhat apropos, I have a
> > > C::A::{Store,Credential}::ActiveDirectory that I based on the LDAP
> > > stuff. The LDAP modules didn't work for me because they want to bind
> > > anonymously and retrieve the crypted password, whereas AD just wants to
>
> > > authenticate with a bind. My stuff also gets role information from AD
> > > groups. I've been meaning to get it out on CPAN one of these days, but
>
> > > it hasn't been a priority; I suppose I can work on it if anyone else
> > > needs it though.
> >
> > Sounds to me like 'auth by bind' versus 'auth by retrieve and check'
> should
> > be an option in the LDAP stuff, not a separate module. Fancy doing up
> > a patch?
> >
>
> >From the POD It authenticates users in two steps:
>
>
>
> 1) A search of the directory is performed, looking for a user object that
>
> matches the username you pass. This is done with the bind credentials
>
> supplied in the "binddn" and "bindpw" configuration options.
>
>
>
> 2) If that object is found, we then re-bind to the directory as that
> object.
>
> Assuming this is successful, the user is Authenticated.
>
>
>
>
>
>
>
> And the actual check password code:
>
> $self->store->ldap_bind( undef, $self->ldap_entry->dn, $password,
>
> 'forauth' );
>
> Notice the rebind.
>
> So it does not try to "retrieve the crypted password", it does bind (anon
> or by authorized service account if set in binddn and bindpw) to the ldap
> server, Next it grabs the user's dn from a search on that bind. Finally to
> authenticate it actually binds to the ldap server as that user's dn. This
> works well against AD (I use it), I don't understand what deficiency you
> are trying to fix with your patch.

Maybe the search phase failed for the original poster?

I dunno, I was just saying it should probably support both approaches :)

--
Matt S Trout Need help with your Catalyst or DBIx::Class project?
Technical Director http://www.shadowcat.co.uk/catalyst/
Shadowcat Systems Ltd. Want a managed development or deployment platform?
http://chainsawblues.vox.com/ http://www.shadowcat.co.uk/servers/

_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


Wade.Stuart at fallon

Jul 22, 2008, 7:29 AM

Post #7 of 15 (880 views)
Permalink
Re: Catalyst::Authentication::Credential::LDAP [In reply to]
Matt S Trout <dbix-class[at]trout.me.uk> wrote on 07/21/2008 04:32:03 PM:
>
> Maybe the search phase failed for the original poster?
>
> I dunno, I was just saying it should probably support both approaches :)
>

Sorry Matt, my comment was directed twords the OP not you -- I just
piggybacked on your message. If the search phase failed for him it seems
like it was a config problem or a edge bug (lets find it and fix vs a new
ldap auth module for cat on cpan). I have used it on a bunch o different
AD schemas (some heavily segmented, some heavily locked down) with no
issues. I don't really know of any non vendor ldap auth that grabs the
crypted pass for client side auth instead of binding against the user (what
this app does).



_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


dbix-class at trout

Jul 22, 2008, 8:37 PM

Post #8 of 15 (877 views)
Permalink
Re: Catalyst::Authentication::Credential::LDAP [In reply to]
On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
> Also, somewhat apropos, I have a
> C::A::{Store,Credential}::ActiveDirectory that I based on the LDAP
> stuff. The LDAP modules didn't work for me because they want to bind
> anonymously and retrieve the crypted password, whereas AD just wants to
> authenticate with a bind.

So, having established this isn't true.

Could you perhaps instead post a message asking why your config of the
main LDAP store didn't work so we can figure out what configuration problem
you had and document it?

Awesome though it is that you wrote a store and credential, I'd rather the
next person wrote one that didn't already exist :)

--
Matt S Trout Need help with your Catalyst or DBIx::Class project?
Technical Director http://www.shadowcat.co.uk/catalyst/
Shadowcat Systems Ltd. Want a managed development or deployment platform?
http://chainsawblues.vox.com/ http://www.shadowcat.co.uk/servers/

_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


peter at peknet

Jul 23, 2008, 6:29 AM

Post #9 of 15 (876 views)
Permalink
Re: Catalyst::Authentication::Credential::LDAP [In reply to]
On 07/22/2008 10:37 PM, Matt S Trout wrote:
> On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
>> Also, somewhat apropos, I have a
>> C::A::{Store,Credential}::ActiveDirectory that I based on the LDAP
>> stuff. The LDAP modules didn't work for me because they want to bind
>> anonymously and retrieve the crypted password, whereas AD just wants to
>> authenticate with a bind.
>
> So, having established this isn't true.
>
> Could you perhaps instead post a message asking why your config of the
> main LDAP store didn't work so we can figure out what configuration problem
> you had and document it?

likely he is missing a 'binddn' and 'bindpw' config setting. The initial bind() will try
anonymously if those are not set. What I usually do for Active Directory is create a user
specifically for use with Net::LDAP (and by extension, C::A::Store::LDAP), and then do all
my initial binds with that user/pass.

'binddn' and 'bindpw' are fully documented; if the docs can be improved, please send a patch.

--
Peter Karman . peter[at]peknet.com . http://peknet.com/


_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


Wade.Stuart at fallon

Jul 23, 2008, 7:34 AM

Post #10 of 15 (873 views)
Permalink
Re: Catalyst::Authentication::Credential::LDAP [In reply to]
Peter Karman <peter[at]peknet.com> wrote on 07/23/2008 08:29:42 AM:

>
>
> On 07/22/2008 10:37 PM, Matt S Trout wrote:
> > On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
> >> Also, somewhat apropos, I have a
> >> C::A::{Store,Credential}::ActiveDirectory that I based on the LDAP
> >> stuff. The LDAP modules didn't work for me because they want to bind
> >> anonymously and retrieve the crypted password, whereas AD just wants
to
> >> authenticate with a bind.
> >
> > So, having established this isn't true.
> >
> > Could you perhaps instead post a message asking why your config of the
> > main LDAP store didn't work so we can figure out what configuration
problem
> > you had and document it?
>
> likely he is missing a 'binddn' and 'bindpw' config setting. The
> initial bind() will try
> anonymously if those are not set. What I usually do for Active
> Directory is create a user
> specifically for use with Net::LDAP (and by extension, C::A::Store::
> LDAP), and then do all
> my initial binds with that user/pass.
>
> 'binddn' and 'bindpw' are fully documented; if the docs can be
> improved, please send a patch.
>

Peter,

From my perspective they are documented too well -- it took me a bit
to figure out how to do _anon_ binds. =)

-Wade


_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


bruce at drangle

Jul 23, 2008, 12:16 PM

Post #11 of 15 (872 views)
Permalink
Re: Catalyst::Authentication::Credential::LDAP [In reply to]
Peter Karman wrote:
> On 07/22/2008 10:37 PM, Matt S Trout wrote:
>
>> On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
>>
>>> Also, somewhat apropos, I have a
>>> C::A::{Store,Credential}::ActiveDirectory that I based on the LDAP
>>> stuff. The LDAP modules didn't work for me because they want to bind
>>> anonymously and retrieve the crypted password, whereas AD just wants to
>>> authenticate with a bind.
>>>
>> So, having established this isn't true.
>>
>> Could you perhaps instead post a message asking why your config of the
>> main LDAP store didn't work so we can figure out what configuration problem
>> you had and document it?
>>
>
> likely he is missing a 'binddn' and 'bindpw' config setting. The initial bind() will try
> anonymously if those are not set. What I usually do for Active Directory is create a user
> specifically for use with Net::LDAP (and by extension, C::A::Store::LDAP), and then do all
> my initial binds with that user/pass.
>
> 'binddn' and 'bindpw' are fully documented; if the docs can be improved, please send a patch.
>
>
I seem to recall trying that, but it's been long enough that I don't
recall the details of what went wrong.

The other reason I went off in my own direction is that I wanted to pull
role information from AD groups, and I couldn't see any way of making
that work with the stock ::LDAP modules. I will try to make some time
to revisit this stuff soon.

Bruce

_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


Wade.Stuart at fallon

Jul 23, 2008, 1:09 PM

Post #12 of 15 (873 views)
Permalink
Re: Catalyst::Authentication::Credential::LDAP [In reply to]
Bruce J Keeler <bruce[at]drangle.com> wrote on 07/23/2008 02:16:16 PM:

> Peter Karman wrote:
> > On 07/22/2008 10:37 PM, Matt S Trout wrote:
> >
> >> On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
> >>
> >>> Also, somewhat apropos, I have a
> >>> C::A::{Store,Credential}::ActiveDirectory that I based on the LDAP
> >>> stuff. The LDAP modules didn't work for me because they want to bind

> >>> anonymously and retrieve the crypted password, whereas AD just wants
to
> >>> authenticate with a bind.
> >>>
> >> So, having established this isn't true.
> >>
> >> Could you perhaps instead post a message asking why your config of the
> >> main LDAP store didn't work so we can figure out what configuration
problem
> >> you had and document it?
> >>
> >
> > likely he is missing a 'binddn' and 'bindpw' config setting. The
> initial bind() will try
> > anonymously if those are not set. What I usually do for Active
> Directory is create a user
> > specifically for use with Net::LDAP (and by extension, C::A::
> Store::LDAP), and then do all
> > my initial binds with that user/pass.
> >
> > 'binddn' and 'bindpw' are fully documented; if the docs can be
> improved, please send a patch.
> >
> >
> I seem to recall trying that, but it's been long enough that I don't
> recall the details of what went wrong.
>
> The other reason I went off in my own direction is that I wanted to pull
> role information from AD groups, and I couldn't see any way of making
> that work with the stock ::LDAP modules. I will try to make some time
> to revisit this stuff soon.

http://search.cpan.org/~karman/Catalyst-Authentication-Store-LDAP-0.1002
/lib/Catalyst/Authentication/Store/LDAP.pm#use_roles



_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


dbix-class at trout

Jul 23, 2008, 7:38 PM

Post #13 of 15 (867 views)
Permalink
Re: Catalyst::Authentication::Credential::LDAP [In reply to]
On Wed, Jul 23, 2008 at 08:29:42AM -0500, Peter Karman wrote:
>
>
> On 07/22/2008 10:37 PM, Matt S Trout wrote:
> > On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
> >> Also, somewhat apropos, I have a
> >> C::A::{Store,Credential}::ActiveDirectory that I based on the LDAP
> >> stuff. The LDAP modules didn't work for me because they want to bind
> >> anonymously and retrieve the crypted password, whereas AD just wants to
> >> authenticate with a bind.
> >
> > So, having established this isn't true.
> >
> > Could you perhaps instead post a message asking why your config of the
> > main LDAP store didn't work so we can figure out what configuration problem
> > you had and document it?
>
> likely he is missing a 'binddn' and 'bindpw' config setting. The initial bind() will try
> anonymously if those are not set. What I usually do for Active Directory is create a user
> specifically for use with Net::LDAP (and by extension, C::A::Store::LDAP), and then do all
> my initial binds with that user/pass.

Hmmm. Should there be an alternative option where (if the user DN is
deterministic from the username) it skips the first part and just
tries the bind with $generated_dn and $supplied_password (where
$generated_dn is the result of a subref/sprintf pattern/whatever
supplied in config) ?

--
Matt S Trout Need help with your Catalyst or DBIx::Class project?
Technical Director http://www.shadowcat.co.uk/catalyst/
Shadowcat Systems Ltd. Want a managed development or deployment platform?
http://chainsawblues.vox.com/ http://www.shadowcat.co.uk/servers/

_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


bgmilne at mandriva

Aug 7, 2008, 8:29 AM

Post #14 of 15 (643 views)
Permalink
Re: Catalyst::Authentication::Credential::LDAP [In reply to]
On Thursday 24 July 2008 04:38:30 Matt S Trout wrote:
> On Wed, Jul 23, 2008 at 08:29:42AM -0500, Peter Karman wrote:
> > On 07/22/2008 10:37 PM, Matt S Trout wrote:
> > > On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
> > >> Also, somewhat apropos, I have a
> > >> C::A::{Store,Credential}::ActiveDirectory that I based on the LDAP
> > >> stuff. The LDAP modules didn't work for me because they want to bind
> > >> anonymously and retrieve the crypted password, whereas AD just wants
> > >> to authenticate with a bind.
> > >
> > > So, having established this isn't true.
> > >
> > > Could you perhaps instead post a message asking why your config of the
> > > main LDAP store didn't work so we can figure out what configuration
> > > problem you had and document it?
> >
> > likely he is missing a 'binddn' and 'bindpw' config setting. The initial
> > bind() will try anonymously if those are not set. What I usually do for
> > Active Directory is create a user specifically for use with Net::LDAP
> > (and by extension, C::A::Store::LDAP), and then do all my initial binds
> > with that user/pass.
>
> Hmmm. Should there be an alternative option where (if the user DN is
> deterministic from the username) it skips the first part and just
> tries the bind with $generated_dn and $supplied_password (where
> $generated_dn is the result of a subref/sprintf pattern/whatever
> supplied in config) ?

A directory isn't an RDBMS; one should never assume that the naming attribute
is the same attribute used for the "username". One should avoid generating DNs
in anything but code that initially provisions the entry.

Regards,
Buchan

_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


dbix-class at trout

Aug 7, 2008, 7:00 PM

Post #15 of 15 (640 views)
Permalink
Re: Catalyst::Authentication::Credential::LDAP [In reply to]
On Thu, Aug 07, 2008 at 05:29:38PM +0200, Buchan Milne wrote:
> On Thursday 24 July 2008 04:38:30 Matt S Trout wrote:
> > On Wed, Jul 23, 2008 at 08:29:42AM -0500, Peter Karman wrote:
> > > On 07/22/2008 10:37 PM, Matt S Trout wrote:
> > > > On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
> > > >> Also, somewhat apropos, I have a
> > > >> C::A::{Store,Credential}::ActiveDirectory that I based on the LDAP
> > > >> stuff. The LDAP modules didn't work for me because they want to bind
> > > >> anonymously and retrieve the crypted password, whereas AD just wants
> > > >> to authenticate with a bind.
> > > >
> > > > So, having established this isn't true.
> > > >
> > > > Could you perhaps instead post a message asking why your config of the
> > > > main LDAP store didn't work so we can figure out what configuration
> > > > problem you had and document it?
> > >
> > > likely he is missing a 'binddn' and 'bindpw' config setting. The initial
> > > bind() will try anonymously if those are not set. What I usually do for
> > > Active Directory is create a user specifically for use with Net::LDAP
> > > (and by extension, C::A::Store::LDAP), and then do all my initial binds
> > > with that user/pass.
> >
> > Hmmm. Should there be an alternative option where (if the user DN is
> > deterministic from the username) it skips the first part and just
> > tries the bind with $generated_dn and $supplied_password (where
> > $generated_dn is the result of a subref/sprintf pattern/whatever
> > supplied in config) ?
>
> A directory isn't an RDBMS; one should never assume that the naming attribute
> is the same attribute used for the "username". One should avoid generating DNs
> in anything but code that initially provisions the entry.

One should be able to get a suitable user provisioned that one uses to do
the initial search.

>From what people seemed to be saying, in the real world this isn't always the
case.

I was suggesting that having such a feature available would permit people
to still use the credential in this case rather than having to write an
entire new one.

Just because you "should avoid" something, sadly, doesn't always mean you
-can- avoid it. Features designed for an imperfect world are important,
although it's also important that they're documented as such and that the
preferred approach is mentioned.

--
Matt S Trout Need help with your Catalyst or DBIx::Class project?
Technical Director http://www.shadowcat.co.uk/catalyst/
Shadowcat Systems Ltd. Want a managed development or deployment platform?
http://chainsawblues.vox.com/ http://www.shadowcat.co.uk/servers/

_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/

Catalyst users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact lists@gossamer-threads.com
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.