[Catalyst] Catalyst::Plugin::Authentication::Store::LDAP settings for Microsoft Active Directory
Hermida, Leandro
Leandro.Hermida at fmi.ch
Fri Dec 22 16:11:09 GMT 2006
> -----Original Message-----
> From: Peter Karman [mailto:peter at peknet.com]
> Sent: Friday, December 22, 2006 15:51
> > Hermida, Leandro scribbled on 12/21/06 12:18 PM:
> >
> > Here are the errors shown in the Catalyst debug screen:
> >
> > Deep recursion on subroutine
> > "Catalyst::Plugin::Authentication::Store::LDAP::User::stringify" at
> > /usr/lib/perl5/site_perl/5.8.5/Catalyst/Plugin/Authentication/Store/LDAP/User.pm line 254.
> > Deep recursion on subroutine
> > "Catalyst::Plugin::Authentication::Store::LDAP::User::AUTOLOAD" at
> > /usr/lib/perl5/site_perl/5.8.5/Catalyst/Plugin/Authentication/Store/LDAP/User.pm line 100.
> >
>
> not sure if it's the same issue, but this might help:
>
> http://article.gmane.org/gmane.comp.web.catalyst.general/7523/match=ldap
>
> pek
It works! Thanks for this link! We need to make it clear that the
user_field needs to be in lowercase to avoid this deep recursion error,
at least with C::P::A::Store::LDAP and Active Directory. With
user_filter it doesn't seem to matter. As mentioned in a previous email
in this thread, I would like to propose for the documentation an example
setup for Active Directory:

In myapp.yml:

authentication:
    ldap:
        ldap_server: ads.domain.com
        ldap_server_options:
            version: 3
        binddn: cn=adsearchuser,cn=Users,dc=domain,dc=com
        bindpw: adsearchpassword
        user_basedn: cn=Users,dc=domain,dc=com
        user_scope: sub
        user_filter: (&(objectclass=user)(samaccountname=%s))
        user_field: samaccountname

Some notes:

adsearchuser in the binddn should be replaced with the Windows account
in your domain which has rights to search the Active Directory LDAP
tree. adsearchpassword should be replaced with

user_basedn can vary because your Windows sysadmin might have a
hierarchy of OUs defined under the dc=domain,dc=com where he/she put
user account entries. An example of an alternative could be
ou=User,ou=Finance,dc=domain,dc=com. If your adsearchuser account has
privileges to search the entire Active Directory tree I have found that
simply specifying dc=domain,dc=com as the user_basedn will still work -
it just has to search from higher in the tree before finding the entry.

user_field needs to be in lowercase!

TLS or SSL don't seem to work when connecting to Active Directory so
please do not set start_tls: 1 nor specify the ldap_server as a URI with
ldaps://. If someone has managed to get this to work using Net::LDAP, I
would really like to know.

Leandro
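
A way to check the settings above against the directory before wiring them into Catalyst, as an added example (not part of the original post, and not the plugin's own code). It calls Net::LDAP directly with the post's placeholder values; the AD_BINDPW environment variable and the build_filter helper are assumptions made for this example.

```perl
# Added example: exercise the post's LDAP settings with Net::LDAP, outside Catalyst.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my %cfg = (
    ldap_server => 'ads.domain.com',
    binddn      => 'cn=adsearchuser,cn=Users,dc=domain,dc=com',
    bindpw      => $ENV{AD_BINDPW},    # assumption: password supplied via environment
    user_basedn => 'cn=Users,dc=domain,dc=com',
    user_scope  => 'sub',
    user_filter => '(&(objectclass=user)(samaccountname=%s))',
    user_field  => 'samaccountname',   # lowercase, as the post requires
);

# Hypothetical helper: fill the %s in user_filter, escaping characters that are
# special in an LDAP filter so the username cannot change the filter's structure.
sub build_filter {
    my ($template, $username) = @_;
    my $safe = escape_filter_value($username);
    (my $filter = $template) =~ s/%s/$safe/g;
    return $filter;
}

my $username = shift @ARGV or die "usage: $0 <samaccountname>\n";
die "set AD_BINDPW\n" unless defined $cfg{bindpw};

# Plain LDAP with no start_tls, as in the post: the simple bind below is unencrypted.
my $ldap = Net::LDAP->new($cfg{ldap_server}, version => 3)
    or die "connect to $cfg{ldap_server} failed: $@\n";

my $bind = $ldap->bind($cfg{binddn}, password => $cfg{bindpw});
die 'bind failed: ' . $bind->error . "\n" if $bind->code;

my $search = $ldap->search(
    base   => $cfg{user_basedn},
    scope  => $cfg{user_scope},
    filter => build_filter($cfg{user_filter}, $username),
    attrs  => [ $cfg{user_field} ],
);
die 'search failed: ' . $search->error . "\n" if $search->code;

# Exactly one entry should match; zero or several means basedn or filter need work.
my @entries = $search->entries;
die 'expected 1 entry, got ' . scalar(@entries) . "\n" unless @entries == 1;
printf "dn: %s\n%s: %s\n", $entries[0]->dn, $cfg{user_field},
    $entries[0]->get_value($cfg{user_field});
$ldap->unbind;
```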