
Mailing List Archive: Catalyst: Users

LDAP question

 

 



ksmclane at us

May 21, 2012, 7:20 AM

Post #1 of 22 (1127 views)
LDAP question

I am continuing on my journey to duplicate a web app for administering a
db. I have all my pages up and running, as well as search functionality. I
decided to attack authentication next. I am using PHP pages from a
different web app to get the settings for our LDAP server.

// Connect to ldap server
$ds = ldap_connect("xxx.xxx.xxx.xxx");
if ($ds) {
    // Get ID (the DN) for intranet user. This search runs on the still
    // unbound, i.e. anonymous, connection. NB: $username is interpolated
    // into the filter unescaped; ldap_escape($username, '', LDAP_ESCAPE_FILTER)
    // would keep '*', '(' and ')' in the input from rewriting the filter.
    $sr = ldap_search($ds, "ou=ldap.server, o=domain.com", "mail=$username");
    $info = ldap_get_entries($ds, $sr);
    $uid = '';
    for ($i = 0; $i < $info["count"]; $i++) {
        $uid = $info[$i]["dn"];   // if several entries match, the last one wins
    }
    // An empty password makes ldap_bind() perform an anonymous bind, which
    // "succeeds"; require a non-empty one before treating the bind as proof.
    if (strpos($uid, 'uid') !== false && $password !== '') {
        // Bind to ldap server with $uid and $password to verify
        $bind_results = ldap_bind($ds, $uid, $password)
            or die("Could not log you in please check your UserName and Password and try again.");
        if ($bind_results) {
            $sr = ldap_search($ds, "ou=bluepages, o=ibm.com", "mail=$username");
            $info = ldap_get_entries($ds, $sr);
            for ($i = 0; $i < $info["count"]; $i++) {
                $fullname = $info[$i]["cn"][0];
            }
        }
    }
}

It then goes on to create session stuff, but I want to use the built-in
LDAP authentication. I have this in my Login.pm:

sub index :Path :Args(0) {
    my ( $self, $c ) = @_;
    # Get the username and password from form
    my $username = $c->request->params->{username};
    my $password = $c->request->params->{password};
    # If the username and password values were found in form
    if ($username && $password) {
        # Attempt to log the user in
        if ($c->authenticate({ username => $username,
                               password => $password } )) {
            # If successful, then let them use the application
            $c->response->redirect($c->uri_for(
                $c->controller('Search')->action_for('search')));
            return;
        } else {
            # Set an error message
            $c->stash(error_msg => "Bad username or password.");
        }
    } else {
        # Set an error message
        $c->stash(error_msg => "Empty username or password.")
            unless ($c->user_exists);
    }
    # If either of above don't work out, send to the login page
    $c->stash(template => 'login.tt2');
}

and this code in my Root.pm:

sub auto :Private {
    my ($self, $c) = @_;
    # Allow unauthenticated users to reach the login page. This
    # allows unauthenticated users to reach any action in the Login
    # controller. To lock it down to a single action, we could use:
    #   if ($c->action eq $c->controller('Login')->action_for('index'))
    # to only allow unauthenticated access to the 'index' action we
    # added above.
    if ($c->controller eq $c->controller('Login')) {
        return 1;
    }
    # If a user doesn't exist, force login
    if (!$c->user_exists) {
        # Dump a log message to the development server debug output
        $c->log->debug('***Root::auto User not found, forwarding to /login');
        # Redirect the user to the login page
        $c->response->redirect($c->uri_for('/login'));
        # Return 0 to cancel 'post-auto' processing and prevent use of application
        return 0;
    }
    # User found, so return 1 to continue with processing after this 'auto'
    return 1;
}

And in MyApp.pm:

__PACKAGE__->config(
    'authentication' => {
        default_realm => 'ldap',
        realms => {
            ldap => {
                credential => {
                    class          => 'Password',
                    password_field => 'password',
                    password_type  => 'self_check',
                },
                store => {
                    binddn              => "username",
                    bindpw              => "password",
                    class               => 'LDAP',
                    ldap_server         => '9.17.186.253',
                    ldap_server_options => { timeout => 30 },
                    user_basedn         => 'o=domain, o=com',
                    user_field          => 'mail',
                    user_filter         => '(&(mail=%s)(objectclass=person))',
                    user_scope          => 'sub',
                },
            },
        },
    },
);

They are apparently doing the initial bind with the credentials submitted
by the user. I am getting "invalid credentials" the way I have it above; if
I change it to anonymous I get "LDAP Error while searching for user: No
such object". I could use some suggestions.


bobtfish at bobtfish

May 21, 2012, 7:45 AM

Post #2 of 22 (1093 views)
Re: LDAP question [In reply to]

On 21 May 2012, at 15:20, Kenneth S Mclane wrote:

> I am continuing on my journey to duplicate a web app for administering a db. I have all my pages up and running, as well as search functionality. I decided to attack authentication next. I am using a php pages from a different web app to get the settings for our LDAP server.
>
> //Connect to ldap server
> $ds=ldap_connect("xxx.xxx.xxx.xxx");
> if ($ds) {
> //Get ID for intranet user
> $sr=ldap_search($ds, "ou=ldap.server, o=domain.com", "mail=$username");
> $info = ldap_get_entries($ds, $sr);
> for ($i=0; $i<$info["count"]; $i++) {
> $uid=$info[$i]["dn"];
> }
>

<snip>

> credential => {
> class => 'Password',
> password_field => 'password',
> password_type => 'self_check',
> },

You don't want self_check here I don't think.

>
> store => {
> binddn => "username",
> bindpw => "password",
> class => 'LDAP',
> ldap_server => '9.17.186.253',
> ldap_server_options => { timeout => 30 },
> user_basedn => 'o=domain, o=com',

Original code has:
> "ou=ldap.server, o=domain.com


as the base? (Although a base higher up the tree should be fine)

> user_field => 'mail',
> user_filter => '(&(mail=%s)(objectclass=person))',

You're searching more restrictively than the PHP code.

Try just 'mail=%s'

> user_scope => 'sub',
> },
> },
> },
> },
> );
>
> They are apparently doing the initial bind with the credentials submitted by the user, I am getting invalid credentials the way I have it above, if I change it to anonymous I get a "LDAP Error while searching for user: No such object". I could use some suggestions.

You can turn on LDAP debugging and get a print out of what is actually going to <=> from the LDAP server, which would help determine which query specifically is failing..

Cheers
t0m


_______________________________________________
List: Catalyst [at] lists
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst [at] lists/
Dev site: http://dev.catalyst.perl.org/


ksmclane at us

May 21, 2012, 8:18 AM

Post #3 of 22 (1091 views)
Re: LDAP question [In reply to]

From:
Tomas Doran <bobtfish [at] bobtfish>
To:
The elegant MVC web framework <catalyst [at] lists>
Date:
05/21/2012 09:47 AM
Subject:
Re: [Catalyst] LDAP question




On 21 May 2012, at 15:20, Kenneth S Mclane wrote:

> I am continuing on my journey to duplicate a web app for administering a
> db. I have all my pages up and running, as well as search functionality. I
> decided to attack authentication next. I am using a php pages from a
> different web app to get the settings for our LDAP server.
>
> //Connect to ldap server
> $ds=ldap_connect("xxx.xxx.xxx.xxx");
> if ($ds) {
> //Get ID for intranet user
> $sr=ldap_search($ds, "ou=ldap.server, o=domain.com",
> "mail=$username");
> $info = ldap_get_entries($ds, $sr);
> for ($i=0; $i<$info["count"]; $i++) {
> $uid=$info[$i]["dn"];
> }
>

<snip>

> credential => {
> class => 'Password',
> password_field => 'password',
> password_type => 'self_check',
> },

You don't want self_check here I don't think.

Since the php code didn't have anything here I was going off docs and
examples. I set it to clear but it made no difference. I am not aware of
any other settings, haven't had time to research that as yet.

>
> store => {
> binddn => "username",
> bindpw => "password",
> class => 'LDAP',
> ldap_server => '9.17.186.253',
> ldap_server_options => { timeout => 30 },
> user_basedn => 'o=domain, o=com',

Original code has:
> "ou=ldap.server, o=domain.com


as the base? (Although a base higher up the tree should be fine)

I have added and removed that, makes no difference.

> user_field => 'mail',
> user_filter =>
'(&(mail=%s)(objectclass=person))',

You're searching more restrictively than the PHP code.

Try just 'mail=%s'

Tried this, no joy.

> user_scope => 'sub',
> },
> },
> },
> },
> );
>
> They are apparently doing the initial bind with the credentials
> submitted by the user, I am getting invalid credentials the way I have it
> above, if I change it to anonymous I get a "LDAP Error while searching for
> user: No such object". I could use some suggestions.

You can turn on LDAP debugging and get a print out of what is actually
going to <=> from the LDAP server, which would help determine which query
specifically is failing..

I cannot find anything out there on turning on LDAP debugging? Strangely,
if I out my username and password in the bind fields it gives me Invalid
credentials. I authenticate through this ldap server many times a day, so
I'm almost sure it's some setting that is wrong.

Cheers
t0m




rbwohlfarth at gmail

May 21, 2012, 8:42 AM

Post #4 of 22 (1086 views)
Re: LDAP question [In reply to]

On Mon, May 21, 2012 at 9:20 AM, Kenneth S Mclane <ksmclane [at] us> wrote:

> They are apparently doing the initial bind with the credentials submitted
> by the user, I am getting invalid credentials the way I have it above, if I
> change it to anonymous I get a "LDAP Error while searching for user: No
> such object". I could use some suggestions.
>

I dealt with an LDAP server that required you to login to query your own
information. The standard Catalyst::Authentication::Store::LDAP does not
work with this model. So I wrote a credential module that did nothing more
than connect to the LDAP server. If the connection succeeded, then that
user is authenticated.

E-mail me off list if you would like a copy of that credential module.

--
Robert Wohlfarth
rbwohlfarth [at] gmail


bobtfish at bobtfish

May 21, 2012, 8:56 AM

Post #5 of 22 (1088 views)
Re: LDAP question [In reply to]

On 21 May 2012, at 16:42, Robert Wohlfarth wrote:

> On Mon, May 21, 2012 at 9:20 AM, Kenneth S Mclane <ksmclane [at] us> wrote:
> They are apparently doing the initial bind with the credentials submitted by the user, I am getting invalid credentials the way I have it above, if I change it to anonymous I get a "LDAP Error while searching for user: No such object". I could use some suggestions.
>
> I dealt with an LDAP server that required you to login to query your own information. The standard Catalyst::Authentication::Store::LDAP does not work with this model.

Yes it does! What makes you think it doesn't?

> So I wrote a credential module that did nothing more than connect to the LDAP server. If the connection succeeded, then that user is authenticated.

That sort of strategy is usually a bad idea, as you're mandating that you have 1 flat level of LDAP for users - you have to know the DN to bind as initially, and so if you do this, you have to concatenate the username to a DN in some way - which means if you ever reorganise your LDAP (for example putting users into grouped OU containers), then your auth will stop working.

Cheers
t0m





bobtfish at bobtfish

May 21, 2012, 9:00 AM

Post #6 of 22 (1090 views)
Re: LDAP question [In reply to]

Your quoting and HTML mail settings are really broken!

You are not quoting anyone else's email, but just changing its font - which means that anyone using a text mail client without fonts can't see the quoting..

On 21 May 2012, at 16:18, Kenneth S Mclane wrote:

> You can turn on LDAP debugging and get a print out of what is actually going to <=> from the LDAP server, which would help determine which query specifically is failing..
>
> I cannot find anything out there on turning on LDAP debugging? Strangely, if I out my username and password in the bind fields it gives me Invalid credentials. I authenticate through this ldap server many times a day, so I'm almost sure it's some setting that is wrong.

I'm sure some setting is wrong too!

But it's going to be hard to guess which one without knowing what error code gets returned, to what query!

The debugging bit isn't as obvious as I remember it being, sorry about that:

https://metacpan.org/module/Catalyst::Authentication::Store::LDAP#ldap_server_options

so you want to set: ldap_server_options => { debug => 3 } # Incoming and outgoing packets

Cheers
t0m




ksmclane at us

May 21, 2012, 9:02 AM

Post #7 of 22 (1087 views)
Re: LDAP question [In reply to]

I have no control over the LDAP server, How would I change things so the
submitted username and password would be inserted as the credentials to be
used as the initial bind?





luisemunoz at gmail

May 21, 2012, 9:03 AM

Post #8 of 22 (1090 views)
Re: LDAP question [In reply to]

On May 21, 2012, at 11:42 AM, Robert Wohlfarth wrote:

> The standard Catalyst::Authentication::Store::LDAP does not work with this model.

I've been told that the "right" way to do authentication against LDAP is

* bind with a read-only set of credentials
* Lookup the user's entry (here is where you apply your base and filters)
* Try to bind with the just-found DN and the user-supplied password

The first set of credentials has just enough privileges (via ACLs) so that only the required search can be performed. This scheme has the advantage of not allowing anonymously bound sessions to search your tree while supporting user hierarchies (that can change as the directory is reorganized).

Best regards.

-lem




ksmclane at us

May 21, 2012, 9:05 AM

Post #9 of 22 (1090 views)
Re: LDAP question [In reply to]

I must apologize for my company's insistence on using Lotus Notes as a
mail client; they are kind of stuck on it since they made it.


ksmclane at us

May 21, 2012, 9:12 AM

Post #10 of 22 (1091 views)
Re: LDAP question [In reply to]

I'm going to post this up here to avoid those quoting issues. I'm x'ing
out my password for obvious reasons.

Net::LDAP=HASH(0x4585ad0) sending:

30 28 02 01 01 60 23 02 01 03 04 13 6B 73 6D 63 0(...`#.....ksmc
6C 61 6E 65 40 75 73 2E 69 62 6D 2E 63 6F 6D 80 lane [at] us
09 xx xx xx xx xx xx xx xx xx __ __ __ __ __ __ .xxxxxxxxx

Net::LDAP=HASH(0x4585ad0) received:

30 84 00 00 00 10 02 01 01 61 84 00 00 00 07 0A 0........a......
01 31 04 00 04 00 __ __ __ __ __ __ __ __ __ __ .1....

[info] *** Request 1 (0.000/s) [12394] [Mon May 21 11:07:26 2012] ***
[debug] Path is "login"
[debug] "POST" request for "login" from "192.168.159.2"
[debug] Body Parameters are:
.-------------------------------------+--------------------------------------.
| Parameter | Value |
+-------------------------------------+--------------------------------------+
| password | xxxxxxxx |
| username | ksmclane [at] us |
'-------------------------------------+--------------------------------------'
[error] Error on Initial Bind: Invalid credentials
[debug] Response Code: 500; Content-Type: text/html; charset=utf-8;
Content-Length: 20384
[info] Request took 0.186364s (5.366/s)

Needless to say these are valid credentials.





luisemunoz at gmail

May 21, 2012, 9:18 AM

Post #11 of 22 (1089 views)
Re: LDAP question [In reply to]

On May 21, 2012, at 12:02 PM, Kenneth S Mclane wrote:

> I have no control over the LDAP server, How would I change things so the submitted username and password would be inserted as the credentials to be used as the initial bind?

You use that from the client.

Below is a snippet from a configuration file from a tool we use at $work for managing LDAP entries. It works in the way I described before.

Pay attention to the binddn (the account to do the initial bind) and basedn (the place where you begin your search for a matching username, using the filter expression). Start simple and build up your expression to narrow down the tuples that it can retrieve. I'm pro very strict filters based on object types, but there are perhaps other opinions.

Best regards

-lem

--8<----

# Configure the authentication subsystem. This is the component that
# validates the current password for change requests. This service is
# provided by Catalyst::Authentication::Store::LDAP.
#
# The ldap realm is mandatory, as this is used not only for
# authentication but for access to the user's LDAP entry, both for
# searching and for updating it. This means that we need to use a
# binddn with enough privileges to read and write to the
# directory. It's not enough to rely on the users' credentials for
# rebinding, because in the case of a password recovery, we don't have
# user credentials.

authentication:
  default_realm: ldap
  realms:
    ldap:
      credential:
        class: Password
        password_field: password
        password_type: self_check
      store:
        class: LDAP
        ldap_server: localhost:3389
        binddn: cn=your_initial_id,dc=domain,dc=com,dc=INVALID
        bindpw: Y0urS3cr3tB!ndP@$sw0rd
        user_basedn: ou=The,ou=Container,ou=Hierarchy,dc=domain,dc=com,dc=INVALID
        user_filter: (&(objectClass=inetOrgPerson)(|(uid=%s)(email=%s)))
        user_field: uid
        use_roles: 0
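The three steps lem describes earlier in the thread (bind as a read-only service account, search for the user's entry, rebind with the found DN and the user's password), together with the `%s` substitution in `user_filter` shown in the config above, as an added example. This Python is not code from the thread, from Catalyst::Authentication::Store::LDAP or from Net::LDAP; the directory, service account, DNs and passwords are constructed, and the filter matcher is a simplified in-memory model (equality and `*` wildcards, case-insensitive), so it runs with no LDAP server. It shows the RFC 4515 escaping the substituted value needs, failing closed on zero or several matches, refusing an empty password before it can turn into an anonymous bind, and that a user in a nested OU is found by the search without concatenating a username onto a fixed DN, which is the reorganised-tree case t0m raised.

```python
"""Search-then-bind LDAP authentication, modelled against an in-memory directory.

Constructed example: the directory, DNs, accounts and passwords below are made up
and no LDAP server is contacted. Matching is simplified (equality and unescaped '*'
wildcards, case-insensitive), enough to show the flow and the filter-escaping point.
"""
import re


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a filter (the %s in user_filter)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def _parse(filt: str, i: int):
    """Parse the filter item starting at filt[i] ('(' expected); return (node, next index)."""
    if filt[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, filt))
    i += 1
    if filt[i] in "&|":
        op, kids, i = filt[i], [], i + 1
        while filt[i] == "(":
            node, i = _parse(filt, i)
            kids.append(node)
        if filt[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, kids), i + 1
    close = filt.index(")", i)          # a literal ')' inside a value is escaped as \29
    attr, _, pattern = filt[i:close].partition("=")
    return ("=", attr.lower(), pattern), close + 1


def _value_matches(pattern: str, actual: str) -> bool:
    """Unescaped '*' is a wildcard, '\\xx' is the literal byte xx, anything else is literal."""
    regex, i = "", 0
    while i < len(pattern):
        if pattern[i] == "*":
            regex, i = regex + ".*", i + 1
        elif pattern[i] == "\\" and i + 2 < len(pattern):
            regex, i = regex + re.escape(chr(int(pattern[i + 1:i + 3], 16))), i + 3
        else:
            regex, i = regex + re.escape(pattern[i]), i + 1
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None


def _matches(node, entry: dict) -> bool:
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(_matches(k, entry) for k in node[1])
    _, attr, pattern = node
    return any(_value_matches(pattern, v) for v in entry.get(attr, []))


def search(directory: dict, base: str, filt: str) -> list:
    """DNs at or below `base` (scope 'sub') whose entry matches `filt`."""
    node, _ = _parse(filt, 0)
    return [dn for dn, entry in directory.items()
            if dn.lower().endswith(base.lower()) and _matches(node, entry)]


def bind(directory: dict, dn: str, password: str) -> bool:
    """Simple bind: succeeds only for a known DN with a matching password."""
    entry = directory.get(dn)
    return entry is not None and password in entry.get("userpassword", [])


USER_FILTER = "(&(objectclass=person)(mail=%s))"   # the filter shape used in this thread


def authenticate(directory, service_dn, service_pw, base, username, password):
    """Service bind, search for the user's DN, rebind as the user. Returns the DN or None."""
    if not bind(directory, service_dn, service_pw):
        raise RuntimeError("Error on Initial Bind")   # the failure logged in this thread
    matches = search(directory, base, USER_FILTER % escape_filter_value(username))
    if len(matches) != 1:
        return None      # unknown (0) or ambiguous (>1) user: fail closed
    if not password:
        return None      # an empty simple-bind password is an anonymous bind on most servers
    return matches[0] if bind(directory, matches[0], password) else None


DIRECTORY = {   # constructed sample directory; attribute names are lower-cased
    "cn=svc-auth,ou=services,o=domain.com": {
        "objectclass": ["applicationProcess"], "userpassword": ["svc-secret"]},
    "uid=alice,ou=people,o=domain.com": {
        "objectclass": ["person"], "mail": ["alice@domain.com"], "userpassword": ["alice-pw"]},
    "uid=bob,ou=contractors,ou=people,o=domain.com": {   # nested OU, found by search
        "objectclass": ["person"], "mail": ["bob@domain.com"], "userpassword": ["bob-pw"]},
}
SERVICE_DN, SERVICE_PW, BASE = "cn=svc-auth,ou=services,o=domain.com", "svc-secret", "o=domain.com"


def login(username: str, password: str):
    return authenticate(DIRECTORY, SERVICE_DN, SERVICE_PW, BASE, username, password)


if __name__ == "__main__":
    print(login("alice@domain.com", "alice-pw"))                            # alice's DN
    print(login("bob@domain.com", "wrong"))                                  # None
    print(search(DIRECTORY, BASE, USER_FILTER % "*"))                        # unescaped: everyone
    print(search(DIRECTORY, BASE, USER_FILTER % escape_filter_value("*")))   # escaped: nobody
```

The contrast in the last two lines is the reason for `escape_filter_value`: substituted raw, a `*` (or a `)(objectclass=*` fragment) becomes part of the filter and matches every person under the base, so the lookup returns several DNs; escaped, it is matched literally and finds nothing, and `authenticate` fails closed either way.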




rbwohlfarth at gmail

May 21, 2012, 9:18 AM

Post #12 of 22 (1086 views)
Re: LDAP question [In reply to]

On Mon, May 21, 2012 at 11:03 AM, Luis Muñoz <luisemunoz [at] gmail> wrote:

>
> On May 21, 2012, at 11:42 AM, Robert Wohlfarth wrote:
>
> > The standard Catalyst::Authentication::Store::LDAP does not work with
> this model.
>
> I've been told that the "right" way to do authentication against LDAP is
>
> * bind with a read-only set of credentials
> * Lookup the user's entry (here is where you apply your base and filters)
> * Try to bind with the just-found DN and the user-supplied password
>
> The first set of credentials has just enough privileges (via ACLs) so that
> only the required search can be performed. This scheme has the advantage of
> not allowing anonymously bound sessions to search your tree while supporting user
> hierarchies (that can change as the directory is reorganized).
>

Yes, that is the best way. And Catalyst::Authentication::Store::LDAP works
like this.

For whatever reason, the LDAP server I used was not configured like that.
Or more accurately, I could not find the "read-only set of credentials".
And yes, the LDAP server has a large, flat list of people all with the same
"dn". Like Kenneth, I don't control the LDAP server and cannot change how
it's configured. Bummer, huh?

--
Robert Wohlfarth


lenjaffe at jaffesystems

May 21, 2012, 9:40 AM

Post #13 of 22 (1087 views)
Re: LDAP question [In reply to]

On Mon, May 21, 2012 at 12:05 PM, Kenneth S Mclane <ksmclane [at] us> wrote:

> I must apologize for my company's insistence on using Lotus Notes as a
> mail client; they are kind of stuck on it since they made it.


I use it at work too, and despite the insistence on top posting everything,
ours has a reply button that uses bog standard '>' to mark the quoted
text.

--
lenjaffe [at] jaffesystems 614-404-4214
www.volunteerable.net - minimally viable and improving iteratively
Proprietor: http://www.theycomewithcheese.com/ - An Homage to Fromage
Greenbar <http://www.greenbartraining.org/>: Grubmaster: 2012-2009, Grub
Asst: 2008, Trained: 2007.


ksmclane at us

May 21, 2012, 9:46 AM

Post #14 of 22 (1089 views)
Re: LDAP question [In reply to]

Ok, found it. Thanks, I hate this program so much I give up shortly after
trying to figure it out. ;-)



lenjaffe at jaffesystems

May 21, 2012, 10:06 AM

Post #15 of 22 (1087 views)
Re: LDAP question [In reply to]

On Mon, May 21, 2012 at 12:46 PM, Kenneth S Mclane <ksmclane [at] us> wrote:

> Ok, found it. Thanks, I hate this program so much I give up shortly after
> trying to figure it out. ;-)
>
>
It takes a village.

--
lenjaffe [at] jaffesystems 614-404-4214
www.volunteerable.net - minimally viable and improving daily
Proprietor: http://www.theycomewithcheese.com/ - An Homage to Fromage
Greenbar <http://www.greenbartraining.org/>: Grubmaster: 2012-2009, Grub
Asst: 2008, Trained: 2007.


ksmclane at us

May 21, 2012, 1:34 PM

Post #16 of 22 (1102 views)
Re: LDAP question [In reply to]

ok, making progress, I am getting all the data back in the return hash,
however, I get the error: "Unable to locate user matching user info
provided in realm: ldap" and get redirected back to the login page. I
built this using some examples from the tutorial and the definitive guide,
so I may have a wire crossed somewhere. Any ideas?



ksmclane at us

May 21, 2012, 2:12 PM

Post #17 of 22 (1096 views)
Re: LDAP question [In reply to]

Actually, it is the anonymous bind that is returning the data it seems,
then when it tries to rebind with the credentials provided it errors out.
I see it send and receive the following:

Net::LDAP=HASH(0x44d55e0) sending:

30 0C 02 01 01 60 07 02 01 03 04 00 80 00 __ __ 0....`........

Net::LDAP=HASH(0x44d55e0) received:

30 84 00 00 00 10 02 01 01 61 84 00 00 00 07 0A 0........a......
01 00 04 00 04 00 __ __ __ __ __ __ __ __ __ __ ......

Net::LDAP=HASH(0x44d55e0) sending:

30 64 02 01 02 63 5F 04 16 6F 75 3D 62 6C 75 65 0d...c_..ou=blue
70 61 67 65 73 2C 6F 3D 69 62 6D 2E 63 6F 6D 0A pages,o=ibm.com.
01 02 0A 01 02 02 01 00 02 01 00 01 01 00 A0 34 ...............4
A3 15 04 0B 6F 62 6A 65 63 74 63 6C 61 73 73 04 ....objectclass.
06 70 65 72 73 6F 6E A3 1B 04 04 6D 61 69 6C 04 .person....mail.
13 6B 73 6D 63 6C 61 6E 65 40 75 73 2E 69 62 6D .ksmclane [at] us
2E 63 6F 6D 30 00 __ __ __ __ __ __ __ __ __ __ .com0.

Net::LDAP=HASH(0x44d55e0) received:
<snip>This is a very long hash with ALL the ldap fields.

Strangely it receives again without sending anything.

Net::LDAP=HASH(0x44d55e0) received:

30 84 00 00 00 10 02 01 02 65 84 00 00 00 07 0A 0........e......
01 00 04 00 04 00 __ __ __ __ __ __ __ __ __ __ ......

Net::LDAP=HASH(0x44d55e0) sending:

30 05 02 01 03 42 00 __ __ __ __ __ __ __ __ __ 0....B.

Then it gives the "Unable to locate user matching user info provided in
realm: ldap".

I'm getting closer. I'm wondering if I need to find out what form they are
encrypting the password in? It defaults to SHA-1, but I do not know if
that is correct.
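What the `debug => 3` dumps in this post and in the earlier one (post #10) say can be read off mechanically rather than by eye. The Python below is an added example, not code from the thread, from Net::LDAP or from Catalyst: a minimal BER reader for LDAPMessage (RFC 4511) that takes the "received" hex dumps copied from those two posts, embedded here as constants, and reports the message ID, the protocol operation and, for responses, the LDAPResult code. Run on them it shows that in post #10 the very first message, the BindResponse to the initial bind, came back 49 invalidCredentials, whereas in this post the anonymous bind (message 1) and the search (message 2) both end in 0 success and message 3 is an UnbindRequest, so the client closed the session without ever sending a second BindRequest as the user. The protocol-op tags and result-code names are the RFC 4511 values; the function names are this example's own.

```python
"""Decode the LDAPMessages that Net::LDAP prints under ldap_server_options => { debug => 3 }.

Each message is BER: SEQUENCE { messageID INTEGER, protocolOp [APPLICATION n] ... }.
Response ops start with an LDAPResult { resultCode ENUMERATED, matchedDN, diagnosticMessage }.
"""

# Protocol-op tags from RFC 4511 (APPLICATION class: 0x60|n constructed, 0x40|n primitive).
OPS = {
    0x60: "BindRequest", 0x61: "BindResponse", 0x42: "UnbindRequest",
    0x63: "SearchRequest", 0x64: "SearchResultEntry", 0x65: "SearchResultDone",
    0x66: "ModifyRequest", 0x67: "ModifyResponse", 0x68: "AddRequest",
    0x69: "AddResponse", 0x4A: "DelRequest", 0x6B: "DelResponse",
    0x77: "ExtendedRequest", 0x78: "ExtendedResponse",
}
RESULT_OPS = {0x61, 0x65, 0x67, 0x69, 0x6B, 0x78}   # ops whose body begins with an LDAPResult
RESULT_CODES = {
    0: "success", 1: "operationsError", 2: "protocolError", 7: "authMethodNotSupported",
    8: "strongerAuthRequired", 32: "noSuchObject", 34: "invalidDNSyntax",
    48: "inappropriateAuthentication", 49: "invalidCredentials",
    50: "insufficientAccessRights", 53: "unwillingToPerform",
}

# "received" dumps copied from this thread (bytes only; the ASCII gutter is ignored).
POST10_BIND_RESPONSE = """
30 84 00 00 00 10 02 01 01 61 84 00 00 00 07 0A 0........a......
01 31 04 00 04 00 __ __ __ __ __ __ __ __ __ __ .1....
"""
POST17_ANON_BIND_RESPONSE = """
30 84 00 00 00 10 02 01 01 61 84 00 00 00 07 0A 0........a......
01 00 04 00 04 00 __ __ __ __ __ __ __ __ __ __ ......
"""
POST17_SEARCH_DONE = """
30 84 00 00 00 10 02 01 02 65 84 00 00 00 07 0A 0........e......
01 00 04 00 04 00 __ __ __ __ __ __ __ __ __ __ ......
"""
POST17_UNBIND = "30 05 02 01 03 42 00 __ __ __ __ __ __ __ __ __ 0....B."


def dump_to_bytes(dump: str) -> bytes:
    """Turn Net::LDAP's hex dump (16 hex columns, '__' padding, then ASCII) into bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[:16]:        # anything after the 16th column is the gutter
            if tok != "__":
                out.append(int(tok, 16))
    return bytes(out)


def read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                         # long-form length, e.g. 84 00 00 00 10
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_ldap_message(data: bytes) -> dict:
    """Message ID, operation name and (for responses) the LDAPResult of one LDAPMessage."""
    tag, body, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, pos)
    info = {"message_id": int.from_bytes(mid, "big", signed=True),
            "op": OPS.get(op_tag, "unknown(0x%02x)" % op_tag)}
    if op_tag in RESULT_OPS:
        _, code, pos = read_tlv(op, 0)
        _, matched_dn, pos = read_tlv(op, pos)
        _, diag, _ = read_tlv(op, pos)
        rc = int.from_bytes(code, "big")
        info.update(result_code=rc, result=RESULT_CODES.get(rc, "code %d" % rc),
                    matched_dn=matched_dn.decode("utf-8", "replace"),
                    diagnostic=diag.decode("utf-8", "replace"))
    return info


def summarize(dump: str) -> str:
    """One-line reading of a dump, e.g. 'msg 1 BindResponse: 49 invalidCredentials'."""
    m = decode_ldap_message(dump_to_bytes(dump))
    line = "msg %d %s" % (m["message_id"], m["op"])
    if "result_code" in m:
        line += ": %d %s" % (m["result_code"], m["result"])
        if m["diagnostic"]:
            line += " (%s)" % m["diagnostic"]
    return line


if __name__ == "__main__":
    for dump in (POST10_BIND_RESPONSE, POST17_ANON_BIND_RESPONSE, POST17_SEARCH_DONE, POST17_UNBIND):
        print(summarize(dump))
```

Only the server's replies are decoded here; the outgoing BindRequest in post #10 carries the bind DN and the simple-bind password in clear in the same encoding, which is why a `debug => 3` trace should be treated as sensitive and scrubbed before it is shared.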

Kenneth S Mclane/Dubuque/IBM [at] IBMU wrote on 05/21/2012 03:34:48 PM:

> From:
>
> Kenneth S Mclane/Dubuque/IBM [at] IBMU
>
> To:
>
> The elegant MVC web framework <catalyst [at] lists>
>
> Date:
>
> 05/21/2012 03:36 PM
>
> Subject:
>
> Re: [Catalyst] LDAP question
>
> ok, making progress, I am getting all the data back in the return
> hash, however, I get the error: "Unable to locate user matching user
> info provided in realm: ldap" and get redirected back to the login
> page. I built this using some examples from the tutorial and the
> definitive guide, so I may have a wire crossed somewhere. Any ideas?
>
> Luis Muñoz <luisemunoz [at] gmail> wrote on 05/21/2012 11:18:48 AM:
>
> > From:
> >
> > Luis Muñoz <luisemunoz [at] gmail>
> >
> > To:
> >
> > The elegant MVC web framework <catalyst [at] lists>
> >
> > Date:
> >
> > 05/21/2012 11:20 AM
> >
> > Subject:
> >
> > Re: [Catalyst] LDAP question
> >
> >
> > On May 21, 2012, at 12:02 PM, Kenneth S Mclane wrote:
> >
> > > I have no control over the LDAP server, How would I change things
> > so the submitted username and password would be inserted as the
> > credentials to be used as the initial bind?
> >
> > You use that from the client.
> >
> > Below is a snippet from a configuration file from a tool we use at
> > $work for managing LDAP entries. It works in the way I described
before.
> >
> > Pay attention to the binddn (the account to do the initial bind) and
> > basedn (the place where you begin your search for a matching
> > username, using the filter expression). Start simple and build up
> > your expression to narrow down the tuples that it can retrieve. I'm
> > pro very strict filters based on object types, but there are perhaps
> > other opinions.
> >
> > Best regards
> >
> > -lem
> >
> > --8<----
> >
> > # Configure the authentication subsystem. This is the component that
> > # validates the current password for change requests. This service is
> > # provided by Catalyst::Authentication::Store::LDAP.
> > #
> > # The ldap realm is mandatory, as this is used not only for
> > # authentication but for access to the user's LDAP entry, both for
> > # searching and for updating it. This means that we need to use a
> > # binddn with enough privileges to read and write to the
> > # directory. It's not enough to rely on the users' credentials for
> > # rebinding, because in the case of a password recovery, we don't have
> > # user credentials.
> >
> > authentication:
> >   default_realm: ldap
> >   realms:
> >     ldap:
> >       credential:
> >         class: Password
> >         password_field: password
> >         password_type: self_check
> >       store:
> >         class: LDAP
> >         ldap_server: localhost:3389
> >         binddn: cn=your_initial_id,dc=domain,dc=com,dc=INVALID
> >         bindpw: Y0urS3cr3tB!ndP@$sw0rd
> >         user_basedn: ou=The,ou=Container,ou=Hierarchy,dc=domain,dc=com,dc=INVALID
> >         user_filter: (&(objectClass=inetOrgPerson)(|(uid=%s)(email=%s)))
> >         user_field: uid
> >         use_roles: 0
> >
> >
> > _______________________________________________
> > List: Catalyst [at] lists
> > Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> > Searchable archive: http://www.mail-archive.com/catalyst [at] lists/
> > Dev site: http://dev.catalyst.perl.org/


luisemunoz at gmail

May 21, 2012, 2:21 PM

Post #18 of 22 (1074 views)
Permalink
Re: LDAP question [In reply to]

On May 21, 2012, at 5:12 PM, Kenneth S Mclane wrote:

> I'm getting closer. I'm wondering if I need to find out what form they are encrypting the password in? It defaults to SHA-1, but I do not know if that is correct.

You do not need that because you're not dealing with the hashes directly. By asking the directory to authenticate, you're offloading that problem.

Best regards.

-lem




ksmclane at us

May 21, 2012, 2:24 PM

Post #19 of 22 (1079 views)
Permalink
Re: LDAP question [In reply to]

So I should leave it as "self_check"?

Regards



Kenneth McLane
700 Locust St

Systems Compliance Services
Dubuque, 52001-6838
I1OB
USA
GTS Services Delivery


Phone:
+1-563-845-4674


Tie-Line:
946-4674


Mobile:
+1-563-940-7147


e-mail:
ksmclane [at] us


"Ideas come from everything" -- Alfred Hitchcock






bobtfish at bobtfish

May 22, 2012, 3:24 AM

Post #20 of 22 (1069 views)
Permalink
Re: LDAP question [In reply to]

On 21 May 2012, at 17:12, Kenneth S Mclane wrote:

> I'm going to post this up here to avoid those quoting issues. I'm x'ing out my password for obvious reasons.
>

You missed out the app boot, and the initial bind / search… Which are the bits I think are going wrong.

Also, I think my bad - you probably want debug option 12, rather than 3 (for a more readable dump).

Cheers
t0m




bobtfish at bobtfish

May 22, 2012, 3:27 AM

Post #21 of 22 (1066 views)
Permalink
Re: LDAP question [In reply to]

On 21 May 2012, at 22:24, Kenneth S Mclane wrote:

> So I should leave it as "self_check"?

No.

You set it as plain / don't set it at all, as the password needs to be passed through Catalyst un-mangled - as the auth is done by logging in _as the user_ (and therefore with their password) in LDAP.

Cheers
t0m


ksmclane at us

May 22, 2012, 5:56 AM

Post #22 of 22 (1067 views)
Permalink
Re: LDAP question [In reply to]

Just before I left yesterday I was successful. It turns out self_check is
fine, it tells the ldap server to handle the hashing. I found my problem
was in my "user_field" setting. I had to change it to "mail" from "cn". I
was thinking it was something used for display only, but apparently it
needs to match your filter setting. Thanks for all the help.

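The search-then-bind flow this thread converges on, written out as an added stand-alone Python model (example code, not Catalyst or Catalyst::Authentication::Store::LDAP code): the service account given as binddn/bindpw binds and searches with the configured user_filter, the matching entry's user_field value has to equal the id that was typed (that check models the user_field/filter mismatch reported in the last post, not the store's own implementation), and the user's password is then verified by rebinding as that entry with the password exactly as submitted, so the application never handles the stored hash, which is the point made in post #18. It also escapes the login id per RFC 4515 before substituting it for %s, something the thread does not discuss but any search-then-bind implementation needs. The in-memory directory, the DNs, account names, passwords and {SSHA} hashes are all constructed.

```python
# Added example (not Catalyst or Catalyst::Authentication::Store::LDAP code):
# the search-then-bind login flow against a constructed in-memory directory.
import base64
import hashlib
import re

# RFC 4515 escaping for the value substituted into the user_filter's %s;
# without it a login id containing ')' or '*' rewrites the filter itself.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(template, login_id):
    """Substitute the typed login id into every %s of the filter template."""
    return template.replace("%s", escape_filter_value(login_id))

def _unescape(raw):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)

def _parse_filter(s, i=0):
    """Tiny parser for (&...), (|...) and (attr=value); returns (node, next_i)."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] in "&|":
        op, subs, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            subs.append(node)
        return (op, subs), i + 1            # skip the closing ')'
    eq = s.index("=", i)
    close = s.index(")", eq)                # escaped values contain no bare ')'
    return ("=", s[i:eq], _unescape(s[eq + 1:close])), close + 1

def _matches(node, entry):
    if node[0] in ("&", "|"):
        combine = all if node[0] == "&" else any
        return combine(_matches(n, entry) for n in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def ssha_hash(password, salt):
    """{SSHA} storage form used by many directories (constructed sample data)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]

class FakeDirectory:
    """Stand-in for the LDAP server: the only place the stored hash is compared."""
    def __init__(self, entries):
        self.entries = entries  # dn -> {attribute: [values]}

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        return bool(entry) and ssha_verify(password, entry["userPassword"][0])

    def search(self, basedn, filter_str):
        node, _ = _parse_filter(filter_str)
        return [(dn, e) for dn, e in self.entries.items()
                if dn.lower().endswith(basedn.lower()) and _matches(node, e)]

def authenticate(directory, cfg, login_id, password):
    """Return (dn, 'ok') on success, otherwise (None, reason)."""
    # 1. The service account (binddn/bindpw) does the initial bind and search.
    if not directory.bind(cfg["binddn"], cfg["bindpw"]):
        return None, "initial bind failed"
    hits = directory.search(cfg["user_basedn"],
                            build_user_filter(cfg["user_filter"], login_id))
    if len(hits) != 1:
        return None, "expected exactly one entry, got %d" % len(hits)
    dn, entry = hits[0]
    # 2. The entry's user_field value must be the id that was typed; this
    #    models the user_field/filter mismatch reported in the thread.
    if login_id.lower() not in [v.lower() for v in entry.get(cfg["user_field"], [])]:
        return None, "user_field %s does not match login id" % cfg["user_field"]
    # 3. Rebind as that entry with the password exactly as submitted; the
    #    directory compares it with its stored hash, the app never sees the hash.
    if not directory.bind(dn, password):
        return None, "user bind failed"
    return dn, "ok"

_SALT = b"\x01\x02\x03\x04"  # fixed salt keeps the constructed hashes stable
DIRECTORY = FakeDirectory({
    "cn=svc-catalyst,dc=example,dc=test": {
        "userPassword": [ssha_hash("svc-bind-pw", _SALT)]},
    "uid=jdoe,ou=People,dc=example,dc=test": {
        "objectClass": ["inetOrgPerson"], "uid": ["jdoe"], "cn": ["John Doe"],
        "mail": ["jdoe@example.test"],
        "userPassword": [ssha_hash("correct horse", _SALT)]},
})
# Same shape as the realm config quoted in the thread; all values constructed.
CONFIG = {
    "binddn": "cn=svc-catalyst,dc=example,dc=test", "bindpw": "svc-bind-pw",
    "user_basedn": "ou=People,dc=example,dc=test",
    "user_filter": "(&(objectClass=inetOrgPerson)(|(uid=%s)(mail=%s)))",
    "user_field": "mail",
}
```

`authenticate(DIRECTORY, CONFIG, "jdoe@example.test", "correct horse")` returns the entry's DN and `"ok"`; switching `user_field` to `cn` while logging in with the mail address reproduces the mismatch from the last post, and a login id such as `*)(uid=*` is escaped into a literal value that matches nothing rather than altering the filter. Because the bindpw in this flow is a real credential for the service account, the configuration file that carries it deserves the same file permissions as any other secret.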
