[Catalyst-commits] r13489 - in Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session: . Test-Session-Broken
zykes at dev.catalyst.perl.org
Mon Aug 16 15:41:24 GMT 2010
Author: zykes
Date: 2010-08-16 16:41:24 +0100 (Mon, 16 Aug 2010)
New Revision: 13489
Added:
Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session/Changes
Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session/README
Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session/TODO
Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session/Test-Session-Broken/Changes
Log:
Added back files deleted by mistake.
Copied: Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session/Changes (from rev 13487, Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session/Changes)
===================================================================
--- Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session/Changes (rev 0)
+++ Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session/Changes 2010-08-16 15:41:24 UTC (rev 13489)
@@ -0,0 +1,113 @@
+1.011 7 July 2010
+ - fix t/05-user_attributes.t to skip correct number of tests if
+ Catalyst::Model::LDAP is not installed.
+
+1.010 6 July 2010
+ - Make AUTOLOAD method work for ->dn by generically calling has_attribute
+ which has a special case for it.
+ - Unify the handling of the ->username method between AUTOLOAD and
+ has_attribute by special casing it more generically in has_attribute.
+ Both RT#57610, patch and tests by Jason Fried
+
+1.009 15 May 2010
+ - Fix pod for get_user() and from_session() in Backend.pm, adding
+ the missing $c param. Pass $c in from_session() through to get_user().
+ Reported in https://rt.cpan.org/Ticket/Display.html?id=56983 with
+ patch from Bjørn-Olav Strand.
+
+1.008 02 April 2010
+ - Allow for multiple uid values on a User object. See RT
+ https://rt.cpan.org/Ticket/Display.html?id=51505
+ and patch from Andrew Kirkpatrick.
+
+1.007 19 Mar 2010
+ - Store the user password for the ldap_connection method in an inside
+ out hash rather than a closure so that the user object can be serialized
+ with Storable as people are putting them in the session (RT#53279)
+
+1.006 11 Dec 2009
+ - Pass $c along to find_user method so overridden user_class users can
+ get at models (or whatever crazy things they might do) (gphat)
+ - Add an ldap_connection method to the user class, which will return
+ an LDAP connection bound as the user who authenticated.
+ - Trim trailing whitespace from submitted usernames otherwise we generate
+ bad LDAP queries.
+
+0.1005 30 April 2009
+ - Stop throwing an exception when the lookup_user method fails
+ to find a user and instead return undef. (t0m)
+ - Add tests for above (t0m)
+ - Change documentation which still refers to the old ::Plugin:: style
+ auth system to use ->authenticate instead of ->login, and not say that
+ you need to do things manually to have multiple stores. (t0m)
+
+0.1004 21 Oct 2008
+ - Add the ability to have the user inflated into a custom
+ user class with the user_class option (t0m)
+ - Add the ability for role lookup to be performed within
+ the same (user) bind context that the user's password is
+ checked in (t0m)
+
+0.1003 10 Sept 2008
+ - get entries in array context rather than scalar context,
+ allowing for multiple values. patch by scpham.
+ - lc() to compare Net::LDAP results with supplied $id
+ bug reported via RT #39113
+
+
+0.1002 9 July 2008
+ - tests updated to use Net::LDAP::Server::Test 0.03
+
+
+0.1001 9 April 2008
+ - matthewr pointed out that the SYNOPSIS 'use Catalyst' line is wrong.
+ - imacat reported that t/03-entry was failing when Catalyst::Model::LDAP was
+ not installed. Fixed RT# 34777.
+
+
+0.1000 4 Feb 2008
+ - forked from Catalyst::Plugin::Authentication::Store::LDAP and name changed
+ to Catalyst::Authentication::Store::LDAP
+ - tests now use Net::LDAP::Server::Test instead of relying on openldap.org
+ - changed release date for 0.0600
+ - added AD config suggestions from matija at serverflow.com
+ - bumped req base Auth package to 0.10003
+ - lookup_user() now throws an exception if there is more than one entry returned
+ from a LDAP search
+ - added new user_search_filter config option to filter out multiple entries on
+ Perl side
+
+
+0.0600 karman 18 Oct 2007 [was: omega Thu Aug 09 09:22:00 CET 2007]
+ - Someone had put some 0.052 version out, need to bump past that
+ - Add realms API support to match newest C::P::Authentication API. (karman)
+ - Add POD tests. (karman)
+
+0.06 omega Thu Aug 09 09:00:00 CET 2007
+ - Added support for entry_class in the same way that Catalyst::Model::LDAP
+ supports it, allowing one to override what class is returned from
+ $c->user->ldap_entry, and thus allowing one to add methods to the user
+ object
+
+0.05
+ - Added support for multiple identifiers.
+
+0.04 adam Tue Mar 21 15:31:57 PST 2006
+ - Fixed rt.cpan.org #18250, sample YAML config incorrectly using arrays
+ - Added some error checking around whether or not we have been properly
+ configured.
+
+0.03 adam Fri Feb 17 09:51:36 PST 2006
+ - Gavin Henry's documentation patch for YAML configuration
+
+0.02 adam Fri Feb 10 14:10:23 PST 2006
+ - Now throws an exception if the initial bind fails
+ - Changed the default role_filter from (member=%s) to (memberUid=%s)
+ - Fixed bug in Backend->lookup_user that was not properly handling
+ when a user was not found in the backing store at all.
+
+0.01 adam Thu Feb 8 14:28:18 2006
+ - initial revision
+ - supports authentication
+ - supports roles
+
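Review bot: the 1.007 entry ("Store the user password for the ldap_connection method in an inside out hash rather than a closure so that the user object can be serialized with Storable as people are putting them in the session") should spell out the consequence for a branch named fix_connect_as_user_with_session: an inside-out hash is not part of the object's own data, so the password is not written into the session store, which also means a user object restored from the session has no password and ldap_connection cannot rebind as that user. Stating that trade-off here avoids the next reader "fixing" it by serializing the password into the session. Separately, the 1.006 entry "Trim trailing whitespace from submitted usernames otherwise we generate bad LDAP queries" handles only one malformed input; since the README documents that the submitted username is substituted for %s in user_filter, the safer fix is to escape filter metacharacters (Net::LDAP::Util::escape_filter_value) rather than trimming, and the entry should note whether that is done.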
Copied: Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session/README (from rev 13487, Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session/README)
===================================================================
--- Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session/README (rev 0)
+++ Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session/README 2010-08-16 15:41:24 UTC (rev 13489)
@@ -0,0 +1,307 @@
+NAME
+ Catalyst::Authentication::Store::LDAP - Authentication from an LDAP
+ Directory.
+
+SYNOPSIS
+ use Catalyst qw(
+ Authentication
+ );
+
+ __PACKAGE__->config(
+ 'authentication' => {
+ default_realm => "ldap",
+ realms => {
+ ldap => {
+ credential => {
+ class => "Password",
+ password_field => "password",
+ password_type => "self_check",
+ },
+ store => {
+ binddn => "anonymous",
+ bindpw => "dontcarehow",
+ class => "LDAP",
+ ldap_server => "ldap.yourcompany.com",
+ ldap_server_options => { timeout => 30 },
+ role_basedn => "ou=groups,ou=OxObjects,dc=yourcompany,dc=com",
+ role_field => "uid",
+ role_filter => "(&(objectClass=posixGroup)(memberUid=%s))",
+ role_scope => "one",
+ role_search_options => { deref => "always" },
+ role_value => "dn",
+ role_search_as_user => 0,
+ start_tls => 1,
+ start_tls_options => { verify => "none" },
+ entry_class => "MyApp::LDAP::Entry",
+ use_roles => 1,
+ user_basedn => "ou=people,dc=yourcompany,dc=com",
+ user_field => "uid",
+ user_filter => "(&(objectClass=posixAccount)(uid=%s))",
+ user_scope => "one",
+ user_search_options => { deref => "always" },
+ user_results_filter => sub { return shift->pop_entry },
+ },
+ },
+ },
+ },
+ );
+
+ sub login : Global {
+ my ( $self, $c ) = @_;
+
+ $c->authenticate({
+ id => $c->req->param("login"),
+ password => $c->req->param("password")
+ });
+ $c->res->body("Welcome " . $c->user->username . "!");
+ }
+
+DESCRIPTION
+ This plugin implements the Catalyst::Authentication v.10 API. Read that
+ documentation first if you are upgrading from a previous version of this
+ plugin.
+
+ This plugin uses "Net::LDAP" to let your application authenticate
+ against an LDAP directory. It has a pretty high degree of flexibility,
+ given the wide variation of LDAP directories and schemas from one system
+ to another.
+
+ It authenticates users in two steps:
+
+ 1) A search of the directory is performed, looking for a user object
+ that matches the username you pass. This is done with the bind
+ credentials supplied in the "binddn" and "bindpw" configuration options.
+
+ 2) If that object is found, we then re-bind to the directory as that
+ object. Assuming this is successful, the user is Authenticated.
+
+CONFIGURATION OPTIONS
+ Configuring with YAML
+ Set Configuration to be loaded via Config.yml in YourApp.pm
+
+ use YAML qw(LoadFile);
+ use Path::Class 'file';
+
+ __PACKAGE__->config(
+ LoadFile(
+ file(__PACKAGE__->config->{home}, 'Config.yml')
+ )
+ );
+
+ Settings in Config.yml (adapt these to whatever configuration format you
+ use):
+
+ # Config for Store::LDAP
+ authentication:
+ default_realm: ldap
+ realms:
+ ldap:
+ credential:
+ class: Password
+ password_field: password
+ password_type: self_check
+ store:
+ class: LDAP
+ ldap_server: ldap.yourcompany.com
+ ldap_server_options:
+ timeout: 30
+ binddn: anonymous
+ bindpw: dontcarehow
+ start_tls: 1
+ start_tls_options:
+ verify: none
+ user_basedn: ou=people,dc=yourcompany,dc=com
+ user_filter: (&(objectClass=posixAccount)(uid=%s))
+ user_scope: one
+ user_field: uid
+ user_search_options:
+ deref: always
+ use_roles: 1
+ role_basedn: ou=groups,ou=OxObjects,dc=yourcompany,dc=com
+ role_filter: (&(objectClass=posixGroup)(memberUid=%s))
+ role_scope: one
+ role_field: uid
+ role_value: dn
+ role_search_options:
+ deref: always
+
+ NOTE: The settings above reflect the default values for OpenLDAP. If you
+ are using Active Directory instead, Matija Grabnar suggests that the
+ following tweeks to the example configuration will work:
+
+ user_basedn: ou=Domain Users,ou=Accounts,dc=mycompany,dc=com
+ user_field: samaccountname
+ user_filter: (sAMAccountName=%s)
+
+ He also notes: "I found the case in the value of user_field to be
+ significant: it didn't seem to work when I had the mixed case value
+ there."
+
+ ldap_server
+ This should be the hostname of your LDAP server.
+
+ ldap_server_options
+ This should be a hashref containing options to pass to Net::LDAP->new().
+ See Net::LDAP for the full list.
+
+ binddn
+ This should be the DN of the object you wish to bind to the directory as
+ during the first phase of authentication. (The user lookup phase)
+
+ If you supply the value "anonymous" to this option, we will bind
+ anonymously to the directory. This is the default.
+
+ bindpw
+ This is the password for the initial bind.
+
+ start_tls
+ If this is set to 1, we will convert the LDAP connection to use SSL.
+
+ start_tls_options
+ This is a hashref, which contains the arguments to the Net::LDAP
+ start_tls method. See Net::LDAP for the complete list of options.
+
+ user_basedn
+ This is the basedn for the initial user lookup. Usually points to the
+ top of your "users" branch; ie "ou=people,dc=yourcompany,dc=com".
+
+ user_filter
+ This is the LDAP Search filter used during user lookup. The special
+ string '%s' will be replaced with the username you pass to $c->login. By
+ default it is set to '(uid=%s)'. Other possibly useful filters:
+
+ (&(objectClass=posixAccount)(uid=%s))
+ (&(objectClass=User)(cn=%s))
+
+ user_scope
+ This specifies the scope of the search for the initial user lookup.
+ Valid values are "base", "one", and "sub". Defaults to "sub".
+
+ user_field
+ This is the attribute of the returned LDAP object we will use for their
+ "username". This defaults to "uid". If you had user_filter set to:
+
+ (&(objectClass=User)(cn=%s))
+
+ You would probably set this to "cn". You can also set it to an array, to
+ allow more than one login field. The first field will be returned as
+ identifier for the user.
+
+ user_search_options
+ This takes a hashref. It will append it's values to the call to
+ Net::LDAP's "search" method during the initial user lookup. See
+ Net::LDAP for valid options.
+
+ Be careful not to specify:
+
+ filter
+ scope
+ base
+
+ As they are already taken care of by other configuration options.
+
+ user_results_filter
+ This is a Perl CODE ref that can be used to filter out multiple results
+ from your LDAP query. In theory, your LDAP query should only return one
+ result and find_user() will throw an exception if it encounters more
+ than one result. However, if you have, for whatever reason, a legitimate
+ reason for returning multiple search results from your LDAP query, use
+ "user_results_filter" to filter out the LDAP entries you do not want
+ considered. Your CODE ref should expect a single argument, a
+ Net::LDAP::Search object, and it should return exactly one value, a
+ Net::LDAP::Entry object.
+
+ Example:
+
+ user_results_filter => sub {
+ my $search_obj = shift;
+ foreach my $entry ($search_obj->entries) {
+ return $entry if my_match_logic( $entry );
+ }
+ return undef; # i.e., no match
+ }
+
+ use_roles
+ Whether or not to enable role lookups. It defaults to true; set it to 0
+ if you want to always avoid role lookups.
+
+ role_basedn
+ This should be the basedn where the LDAP Objects representing your roles
+ are.
+
+ role_filter
+ This should be the LDAP Search filter to use during the role lookup. It
+ defaults to '(memberUid=%s)'. The %s in this filter is replaced with the
+ value of the "role_value" configuration option.
+
+ So, if you had a role_value of "cn", then this would be populated with
+ the cn of the User's LDAP object. The special case is a role_value of
+ "dn", which will be replaced with the User's DN.
+
+ role_scope
+ This specifies the scope of the search for the user's role lookup. Valid
+ values are "base", "one", and "sub". Defaults to "sub".
+
+ role_field
+ Should be set to the Attribute of the Role Object's returned during Role
+ lookup you want to use as the "name" of the role. Defaults to "CN".
+
+ role_value
+ This is the attribute of the User object we want to use in our
+ role_filter. If this is set to "dn", we will use the User Objects DN.
+
+ role_search_options
+ This takes a hashref. It will append it's values to the call to
+ Net::LDAP's "search" method during the user's role lookup. See Net::LDAP
+ for valid options.
+
+ Be careful not to specify:
+
+ filter
+ scope
+ base
+
+ As they are already taken care of by other configuration options.
+
+ role_search_as_user
+ By default this setting is false, and the role search will be performed
+ by binding to the directory with the details in the *binddn* and
+ *bindpw* fields. If this is set to false, then the role search will
+ instead be performed when bound as the user you authenticated as.
+
+ entry_class
+ The name of the class of LDAP entries returned. This class should exist
+ and is expected to be a subclass of Net::LDAP::Entry
+
+ user_class
+ The name of the class of user object returned. By default, this is
+ Catalyst::Authentication::Store::LDAP::User.
+
+METHODS
+ new
+ This method will populate "default_auth_store" in
+ Catalyst::Plugin::Authentication with this object.
+
+AUTHORS
+ Adam Jacob <holoway at cpan.org>
+
+ Some parts stolen shamelessly and entirely from
+ Catalyst::Plugin::Authentication::Store::Htpasswd.
+
+ Currently maintained by Peter Karman <karman at cpan.org>.
+
+THANKS
+ To nothingmuch, ghenry, castaway and the rest of #catalyst for the help.
+ :)
+
+SEE ALSO
+ Catalyst::Authentication::Store::LDAP,
+ Catalyst::Authentication::Store::LDAP::User,
+ Catalyst::Authentication::Store::LDAP::Backend,
+ Catalyst::Plugin::Authentication, Net::LDAP
+
+COPYRIGHT & LICENSE
+ Copyright (c) 2005 the aforementioned authors. All rights reserved. This
+ program is free software; you can redistribute it and/or modify it under
+ the same terms as Perl itself.
+
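Review bot: the role_search_as_user section contradicts itself: "By default this setting is false" followed by "If this is set to false, then the role search will instead be performed when bound as the user you authenticated as" should read "If this is set to true", otherwise the documented default and the documented effect are the same value. Two further points in the same hunk: the SYNOPSIS and YAML examples ship start_tls_options with verify => "none", which (per Net::LDAP's start_tls) disables server certificate verification, so the start_tls_options paragraph should say that an example value is shown and that a production deployment should use verify => "require" with a cafile/capath; and user_filter still says the username "you pass to $c->login" although the 0.1005 Changes entry moved the docs to ->authenticate. Minor: "tweeks" should be "tweaks", and "it's values" should be "its values" in user_search_options and role_search_options.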
Copied: Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session/TODO (from rev 13487, Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session/TODO)
===================================================================
--- Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session/TODO (rev 0)
+++ Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session/TODO 2010-08-16 15:41:24 UTC (rev 13489)
@@ -0,0 +1,10 @@
+* Cache - this hits the directory a lot during full Auth/Authz usage.
+
+* Recipes - We could handle some default recipes in the documentation for
+ different usage patterns.
+
+* Tests - We don't do any but the most cursory of tests
+
+(13:22:23) jayk: karpet: yah. the ability to define the user class to use
+in config would make the module much more flexible.
+able to customize without so much hacking around.
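Review bot: the last item is a pasted IRC excerpt asking for a configurable user class, which the 0.1004 Changes entry and the README's user_class option show is already implemented; it should be dropped or rewritten as a done item, and the "Tests - We don't do any but the most cursory of tests" line is likewise stale given the Net::LDAP::Server::Test-based suite recorded in Changes. The cache item is the one that still reads as open and could state what would be cached (user entry, roles, or both) and how invalidation would work, since caching authorization results is the part that needs care.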
Copied: Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session/Test-Session-Broken/Changes (from rev 13487, Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session/Test-Session-Broken/Changes)
===================================================================
--- Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session/Test-Session-Broken/Changes (rev 0)
+++ Catalyst-Authentication-Store-LDAP/branches/fix_connect_as_user_with_session/Test-Session-Broken/Changes 2010-08-16 15:41:24 UTC (rev 13489)
@@ -0,0 +1,4 @@
+This file documents the revision history for Perl extension Test::LDAP.
+
+0.01 2010-08-03 15:00:19
+ - initial revision, generated by Catalyst
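Review bot: the header names the distribution "Perl extension Test::LDAP" while the file lives under Test-Session-Broken, so the generated Changes text was not updated to match the test application; the first line should name Test::Session::Broken (or whatever the generated app is actually called) so the test fixture is identifiable from its own history file.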