Mailing List Archive: Catalyst: Users

Model::LDAP vs Authentication::Credential::LDAP

Index | Next | Previous | View Threaded

bgmilne at mandriva

Aug 7, 2008, 8:52 AM

Post #1 of 7 (882 views)
Permalink

Model::LDAP vs Authentication::Credential::LDAP

We are using Catalyst for an internal infrastructure management application.
Some of the data we want to manage lives in LDAP, and we already use LDAP for
authentication and roles in our application.

However, I would like to have the LDAP server do it's job in authorizing
access to some of this data, and I would also like to have LDAP-side auditing
(as direct LDAP access has to be available, doing it application-side would
miss any direct modifications).

So, I would prefer to have my Model::LDAP models (re-)bind as the
authenticated user.

So far I have stored the cleartext password in the session, after encrypting
it with the session key. Now, I would like to find some way of providing the
credentials to the model.

I wrote a connection_class for my models, but it seems that the
connection_class doesn't have access to the context, so I can't retrieve $c-
>user->ldap_entry->dn or $c->sessionid().

Is there really no way to do this at present (without dumping Model::LDAP and
doing everything via Net::LDAP directly)?

Regards,
Buchan

_______________________________________________
List: Catalyst [at] lists
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst [at] lists/
Dev site: http://dev.catalyst.perl.org/

dwc at pobox

Aug 7, 2008, 9:27 AM

Post #2 of 7 (832 views)
Permalink

Re: Model::LDAP vs Authentication::Credential::LDAP [In reply to]

On 2008-08-07 17:52:36 +0200, Buchan Milne wrote:
> So, I would prefer to have my Model::LDAP models (re-)bind as the
> authenticated user.
>
> I wrote a connection_class for my models, but it seems that the
> connection_class doesn't have access to the context, so I can't
> retrieve $c- >user->ldap_entry->dn or $c->sessionid().

You can do this using an ACCEPT_CONTEXT method on your model class,
which tells Catalyst that your model needs information about the
current request to do its job.

For example:

package YourApp::Model::People;

use base qw/Catalyst::Model::LDAP/;
use Class::C3;

__PACKAGE__->config(connection_class => 'YourApp::LDAP::Connection');

sub ACCEPT_CONTEXT {
my $self = shift;
my $c = $_[0];

my $conn = $self->next::method(@_);

if ($conn->can('catalyst_user') and $c->user_exists) {
$conn->catalyst_user($c->user);
}

return $conn;
}

1;

In your connection class, you simply add an accessor for
e.g. 'catalyst_user' and then use it in the bind step:

YourApp::LDAP::Connection;

use base qw/Catalyst::Model::LDAP::Connection/;
use Authen::SASL qw/Perl/;
use Class::C3;

__PACKAGE__->mk_accessors(qw/catalyst_user/);

sub bind {
my ($self, %args) = @_;

# Manipulate %args to include information from $self->catalyst_user

return $self->next::method(%args);
}

1;

Hope this helps!

--
Daniel Westermann-Clark

_______________________________________________
List: Catalyst [at] lists
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst [at] lists/
Dev site: http://dev.catalyst.perl.org/

peter at peknet

Aug 11, 2008, 9:49 AM

Post #3 of 7 (798 views)
Permalink

Re: Model::LDAP vs Authentication::Credential::LDAP [In reply to]

On 08/07/2008 10:52 AM, Buchan Milne wrote:

>
> So far I have stored the cleartext password in the session, after encrypting
> it with the session key. Now, I would like to find some way of providing the
> credentials to the model.
>
> I wrote a connection_class for my models, but it seems that the
> connection_class doesn't have access to the context, so I can't retrieve $c-
>> user->ldap_entry->dn or $c->sessionid().
>
> Is there really no way to do this at present (without dumping Model::LDAP and
> doing everything via Net::LDAP directly)?

I am going to be doing something similar eventually using Net::LDAP::Class and either
C::Model::LDAP or a CatalystX::CRUD::ModelAdapter::LDAP. You might look at
Net::LDAP::Class to see if it makes what you're doing any easier.

--
Peter Karman . peter [at] peknet . http://peknet.com/

_______________________________________________
List: Catalyst [at] lists
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst [at] lists/
Dev site: http://dev.catalyst.perl.org/

dbix-class at trout

Aug 17, 2008, 10:39 AM

Post #4 of 7 (750 views)
Permalink

Re: Model::LDAP vs Authentication::Credential::LDAP [In reply to]

On Mon, Aug 11, 2008 at 11:49:00AM -0500, Peter Karman wrote:
> I am going to be doing something similar eventually using Net::LDAP::Class and either
> C::Model::LDAP or a CatalystX::CRUD::ModelAdapter::LDAP. You might look at
> Net::LDAP::Class to see if it makes what you're doing any easier.

Damn. Net::LDAP::Class reserves ->meta for a crappy metadata object.

Could that not be called metadata or something to make it easier to use
with catamoose?

--
Matt S Trout Need help with your Catalyst or DBIx::Class project?
Technical Director http://www.shadowcat.co.uk/catalyst/
Shadowcat Systems Ltd. Want a managed development or deployment platform?
http://chainsawblues.vox.com/ http://www.shadowcat.co.uk/servers/

_______________________________________________
List: Catalyst [at] lists
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst [at] lists/
Dev site: http://dev.catalyst.perl.org/

peter at peknet

Aug 17, 2008, 12:09 PM

Post #5 of 7 (745 views)
Permalink

Re: Model::LDAP vs Authentication::Credential::LDAP [In reply to]

Matt S Trout wrote on 8/17/08 12:39 PM:
> On Mon, Aug 11, 2008 at 11:49:00AM -0500, Peter Karman wrote:
>> I am going to be doing something similar eventually using Net::LDAP::Class and either
>> C::Model::LDAP or a CatalystX::CRUD::ModelAdapter::LDAP. You might look at
>> Net::LDAP::Class to see if it makes what you're doing any easier.
>
> Damn. Net::LDAP::Class reserves ->meta for a crappy metadata object.
>
> Could that not be called metadata or something to make it easier to use
> with catamoose?
>

yes, it could. I'll change it for the next release.

--
Peter Karman . http://peknet.com/ . peter [at] peknet

_______________________________________________
List: Catalyst [at] lists
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst [at] lists/
Dev site: http://dev.catalyst.perl.org/

peter at peknet

Aug 21, 2008, 9:17 PM

Post #6 of 7 (700 views)
Permalink

Re: Model::LDAP vs Authentication::Credential::LDAP [In reply to]

Peter Karman wrote on 8/17/08 2:09 PM:
>
>
> Matt S Trout wrote on 8/17/08 12:39 PM:
>> On Mon, Aug 11, 2008 at 11:49:00AM -0500, Peter Karman wrote:
>>> I am going to be doing something similar eventually using
>>> Net::LDAP::Class and either
>>> C::Model::LDAP or a CatalystX::CRUD::ModelAdapter::LDAP. You might
>>> look at
>>> Net::LDAP::Class to see if it makes what you're doing any easier.
>>
>> Damn. Net::LDAP::Class reserves ->meta for a crappy metadata object.
>>
>> Could that not be called metadata or something to make it easier to use
>> with catamoose?
>>
>
> yes, it could. I'll change it for the next release.
>

Thanks for the feedback, Matt. Uploaded as 0.09.

--
Peter Karman . http://peknet.com/ . peter [at] peknet

_______________________________________________
List: Catalyst [at] lists
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst [at] lists/
Dev site: http://dev.catalyst.perl.org/

dbix-class at trout

Aug 22, 2008, 7:44 AM

Post #7 of 7 (698 views)
Permalink

Re: Model::LDAP vs Authentication::Credential::LDAP [In reply to]

On Thu, Aug 21, 2008 at 11:17:05PM -0500, Peter Karman wrote:
>
>
> Peter Karman wrote on 8/17/08 2:09 PM:
> >
> >
> > Matt S Trout wrote on 8/17/08 12:39 PM:
> >> On Mon, Aug 11, 2008 at 11:49:00AM -0500, Peter Karman wrote:
> >>> I am going to be doing something similar eventually using
> >>> Net::LDAP::Class and either
> >>> C::Model::LDAP or a CatalystX::CRUD::ModelAdapter::LDAP. You might
> >>> look at
> >>> Net::LDAP::Class to see if it makes what you're doing any easier.
> >>
> >> Damn. Net::LDAP::Class reserves ->meta for a crappy metadata object.
> >>
> >> Could that not be called metadata or something to make it easier to use
> >> with catamoose?
> >>
> >
> > yes, it could. I'll change it for the next release.
> >
>
> Thanks for the feedback, Matt. Uploaded as 0.09.

karpet++

--
Matt S Trout Need help with your Catalyst or DBIx::Class project?
Technical Director http://www.shadowcat.co.uk/catalyst/
Shadowcat Systems Ltd. Want a managed development or deployment platform?
http://chainsawblues.vox.com/ http://www.shadowcat.co.uk/servers/

_______________________________________________
List: Catalyst [at] lists
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst [at] lists/
Dev site: http://dev.catalyst.perl.org/

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads