[Catalyst] Catalyst::Authentication::Credential::LDAP

Buchan Milne bgmilne at mandriva.org
Thu Aug 7 16:29:38 BST 2008


On Thursday 24 July 2008 04:38:30 Matt S Trout wrote:
> On Wed, Jul 23, 2008 at 08:29:42AM -0500, Peter Karman wrote:
> > On 07/22/2008 10:37 PM, Matt S Trout wrote:
> > > On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
> > >> Also, somewhat apropos, I have a
> > >> C::A::{Store,Credential}::ActiveDirectory  that I based on the LDAP
> > >> stuff.  The LDAP modules didn't work for me because they want to bind
> > >> anonymously and retrieve the crypted password, whereas AD just wants
> > >> to authenticate with a bind.
> > >
> > > So, having established this isn't true.
> > >
> > > Could you perhaps instead post a message asking why your config of the
> > > main LDAP store didn't work so we can figure out what configuration
> > > problem you had and document it?
> >
> > likely he is missing a 'binddn' and 'bindpw' config setting. The initial
> > bind() will try anonymously if those are not set. What I usually do for
> > Active Directory is create a user specifically for use with Net::LDAP
> > (and by extension, C::A::Store::LDAP), and then do all my initial binds
> > with that user/pass.
>
> Hmmm. Should there be an alternative option where (if the user DN is
> deterministic from the username) it skips the first part and just
> tries the bind with $generated_dn and $supplied_password (where
> $generated_dn is the result of a subref/sprintf pattern/whatever
> supplied in config) ?

A directory isn't an RDBMS; one should never assume that the naming attribute 
is the same attribute used for the "username". One should avoid generating DNs 
in anything but code that initially provisions the entry.

Regards,
Buchan
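The pattern Peter describes (initial bind as a dedicated service account, then a search for the user, then a bind as the DN the search returned) and the reason Buchan gives for not templating DNs, written out as an added example. This is not code from the thread or from Catalyst::Authentication::Store::LDAP itself; the server name, base DN, service-account credentials and the `sAMAccountName` filter are placeholders for an Active Directory deployment, and the script needs a real directory to run against.

```perl
#!/usr/bin/perl
# search-then-bind against a directory with Net::LDAP (added example,
# assumed placeholder values; not the thread's or the module's own code).
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# The equivalent Catalyst::Authentication::Store::LDAP configuration.
# binddn/bindpw are what the thread says is usually missing: without
# them the first bind is anonymous, which AD normally rejects.
# password_type => 'self_check' makes the store verify the password by
# binding as the found DN instead of reading a password attribute.
my %catalyst_store_config = (
    class        => 'LDAP',
    ldap_server  => 'dc01.example.com',                  # assumed
    start_tls    => 1,                                   # passwords go over the wire
    binddn       => 'CN=svc-catalyst,OU=Service,DC=example,DC=com',  # assumed
    bindpw       => 'service-account-password',          # assumed
    user_basedn  => 'DC=example,DC=com',                 # assumed
    user_filter  => '(&(objectClass=user)(sAMAccountName=%s))',
    user_scope   => 'sub',
    user_field   => 'sAMAccountName',
);

# Returns the user's DN on success, undef on failure.
# The DN is always taken from the directory, never built from the
# username: the naming attribute (CN=Jane Doe) need not be the login
# attribute (sAMAccountName=jdoe), and users can be moved between OUs.
sub search_then_bind {
    my (%a) = @_;

    # An empty password turns a simple bind into an unauthenticated
    # bind (RFC 4513 s5.1.2), which many servers accept. Refuse it here.
    return undef unless defined $a{password} && length $a{password};

    my $ldap = Net::LDAP->new($a{server}, version => 3)
        or die "connect to $a{server} failed: $@";

    # 1. Bind as the service account (the store's binddn/bindpw).
    my $mesg = $ldap->bind($a{binddn}, password => $a{bindpw});
    die 'service bind failed: ' . $mesg->error if $mesg->code;

    # 2. Look the user up. The username is user-supplied, so escape it
    #    before it goes into the filter to avoid LDAP filter injection.
    my $filter = sprintf '(&(objectClass=user)(sAMAccountName=%s))',
        escape_filter_value($a{username});
    $mesg = $ldap->search(
        base   => $a{basedn},
        scope  => 'sub',
        filter => $filter,
        attrs  => ['1.1'],        # we only need the DN
    );
    die 'search failed: ' . $mesg->error if $mesg->code;

    # Exactly one match, or we do not know whom to bind as.
    if ($mesg->count != 1) {
        $ldap->unbind;
        return undef;
    }
    my $dn = $mesg->entry(0)->dn;

    # 3. Bind as the user with the supplied password; success means
    #    the directory accepted the credentials.
    $mesg = $ldap->bind($dn, password => $a{password});
    $ldap->unbind;
    return $mesg->code ? undef : $dn;
}

# Usage (assumed values; the directory must exist for this to work):
if (!caller) {
    my $dn = search_then_bind(
        server   => $catalyst_store_config{ldap_server},
        binddn   => $catalyst_store_config{binddn},
        bindpw   => $catalyst_store_config{bindpw},
        basedn   => $catalyst_store_config{user_basedn},
        username => $ARGV[0] // 'jdoe',
        password => $ARGV[1] // '',
    );
    print defined $dn ? "authenticated as $dn\n" : "authentication failed\n";
}
```

Two things worth keeping from this even if the Catalyst store does the work for you: the service account only needs read access to the attributes in the filter, so give it nothing else, and the search must be done over TLS (or LDAPS) because the user's password is sent in the clear in a simple bind.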
