[Catalyst] Bring C::P::Authentication::LDAP up to current standards

Drew Taylor taylor.andrew.j at gmail.com
Mon Jun 5 22:13:13 CEST 2006


On 6/5/06, Adam Jacob <adam at stalecoffee.org> wrote:
>
> On Jun 5, 2006, at 12:09 PM, Drew Taylor wrote:
> > Thanks Adam. I found your module independently about 15 minutes ago
> > and am working on configuring it for our Active Directory tree.
> > Luckily C::P::A::LDAP's default config is for AD (otherwise I
> > probably would have been hopelessly lost) so I might be able to
> > contribute back a good AD config example. For example, the uid
> > field in our tree is completely unused - uid==samaccountname for AD.
> >
> > I'm sure I'll have feedback for you. :-)
>
> Awesome!  Doc patches are always great!
>

I got it working after one big realization: the "user_field" config option
MUST be lowercase. This caused several "deep recursion" errors until I
figured out how the attributes were being stored. I mentioned that
uid==samaccountname, except in our tree it is actually spelled
"sAMAccountName". I was using the proper punctuation, hence the errors. A
note about that fact would be very helpful to new users. I presume this also
applies to the "role_field" config option.

Second, here are my user search criteria. I've left out user_basedn for
security reasons.

    'user_filter' => '(&(objectclass=user)(objectcategory=user)(samaccountname=%s*))',
    'user_scope'  => 'sub',
    'user_field'  => 'samaccountname',

I'm using the same criteria for roles:

    'role_filter' => '(&(objectclass=user)(objectcategory=user)(samaccountname=%s*))',
    'role_scope'  => 'sub',
    'role_field'  => 'memberOf',
    'role_value'  => 'samaccountname',
    'role_search_options' => {
        'deref' => 'always',
    },

I have run into one problem with roles: we're using "memberOf" for roles.
This is a multi-valued attribute, so you need the following patch to get all
the values:

Drew-iMac:~ dtaylor$ diff -u
/Library/Perl/5.8.6/Catalyst/Plugin/Authentication/Store/LDAP/Backend.pm.orig
/Library/Perl/5.8.6/Catalyst/Plugin/Authentication/Store/LDAP/Backend.pm

---
/Library/Perl/5.8.6/Catalyst/Plugin/Authentication/Store/LDAP/Backend.pm.orig
2006-06-05 16:04:17.000000000 -0400
+++
/Library/Perl/5.8.6/Catalyst/Plugin/Authentication/Store/LDAP/Backend.pm
2006-06-05 16:04:47.000000000 -0400
@@ -316,9 +316,9 @@
     my $rolesearch = $ldap->search(@searchopts);
     my @roles;
   RESULT: while (my $entry = $rolesearch->pop_entry) {
-        my ($role) = $entry->get_value($self->role_field);
-        if ($role) {
-            push(@roles, $role);
+        my (@userroles) = $entry->get_value($self->role_field);
+        if (@userroles) {
+            push(@roles, @userroles);
         } else {
             next RESULT;
         }
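Review bot: the list assignment is the right fix (the old `my ($role) = $entry->get_value(...)` kept only the first value of a multi-valued attribute such as memberOf), but nothing in the hunk records why it matters, so the next cleanup could silently revert it; suggest a one-line comment above `my (@userroles) = $entry->get_value($self->role_field);` stating that role_field may be multi-valued, and a test fixture with an entry carrying two memberOf values so the regression is covered.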

With that patch, I'm golden! Thanks for your work.

Now for a feature request: I don't have a dedicated LDAP login I can use for
the initial bind and user lookup. But I can use my actual AD login to bind.
I would really like an option to be able to use the user for both binds. I'm
not sure how that would work because AD (at least for Windows 2003 server)
requires the login in the form "domain\username". Perhaps a new option for a
prepend value? Just thinking out loud at this point...

Drew
-- 
----------------------------------------------------------------
Drew Taylor                 *  Web development & consulting
Email: drew at drewtaylor.com  *  Site implementation & hosting
Web  : www.drewtaylor.com   *  perl/mod_perl/DBI/mysql/postgres
----------------------------------------------------------------