[Catalyst] Catalyst::Authentication::Credential::LDAP

Matt S Trout dbix-class at trout.me.uk
Fri Aug 8 03:00:50 BST 2008


On Thu, Aug 07, 2008 at 05:29:38PM +0200, Buchan Milne wrote:
> On Thursday 24 July 2008 04:38:30 Matt S Trout wrote:
> > On Wed, Jul 23, 2008 at 08:29:42AM -0500, Peter Karman wrote:
> > > On 07/22/2008 10:37 PM, Matt S Trout wrote:
> > > > On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
> > > >> Also, somewhat apropos, I have a
> > > >> C::A::{Store,Credential}::ActiveDirectory  that I based on the LDAP
> > > >> stuff.  The LDAP modules didn't work for me because they want to bind
> > > >> anonymously and retrieve the crypted password, whereas AD just wants
> > > >> to authenticate with a bind.
> > > >
> > > > So, having established this isn't true.
> > > >
> > > > Could you perhaps instead post a message asking why your config of the
> > > > main LDAP store didn't work so we can figure out what configuration
> > > > problem you had and document it?
> > >
> > > likely he is missing a 'binddn' and 'bindpw' config setting. The initial
> > > bind() will try anonymously if those are not set. What I usually do for
> > > Active Directory is create a user specifically for use with Net::LDAP
> > > (and by extension, C::A::Store::LDAP), and then do all my initial binds
> > > with that user/pass.
> >
> > Hmmm. Should there be an alternative option where (if the user DN is
> > deterministic from the username) it skips the first part and just
> > tries the bind with $generated_dn and $supplied_password (where
> > $generated_dn is the result of a subref/sprintf pattern/whatever
> > supplied in config) ?
> 
> A directory isn't an RDBMS; one should never assume that the naming attribute 
> is the same attribute used for the "username". One should avoid generating DNs 
> in anything but code that initially provisions the entry.

One should be able to get a suitable user provisioned that one uses to do
the initial search.

From what people seemed to be saying, in the real world this isn't always the
case.

I was suggesting that having such a feature available would permit people
to still use the credential in this case rather than having to write an
entire new one.

Just because you "should avoid" something, sadly, doesn't always mean you
-can- avoid it. Features designed for an imperfect world are important,
although it's also important that they're documented as such and that the
preferred approach is mentioned.

-- 
      Matt S Trout       Need help with your Catalyst or DBIx::Class project?
   Technical Director                    http://www.shadowcat.co.uk/catalyst/
 Shadowcat Systems Ltd.  Want a managed development or deployment platform?
http://chainsawblues.vox.com/            http://www.shadowcat.co.uk/servers/
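The two authentication flows argued over in this thread (initial bind plus search, then rebind as the found DN; versus bind straight away with a DN generated from the username), simulated against a constructed in-memory directory so it runs offline. This is an added example, not code from Catalyst::Authentication::Store::LDAP, Catalyst::Authentication::Credential::LDAP or Net::LDAP; the directory entries, the svc-catalyst search account, the DN patterns and the FakeLDAP class are assumptions made for illustration. It goes slightly beyond the thread by showing the RFC 4514 escaping a username needs before it is placed into a generated RDN.

```python
"""Search-then-bind versus bind-with-generated-DN, simulated offline.

Added example for this thread; NOT code from Catalyst::Authentication::Store::LDAP
or Net::LDAP. Directory contents, service account and DN patterns are constructed.
"""

# Constructed AD-style tree: the naming attribute (CN) is a display name and the
# login name lives in sAMAccountName, the layout Buchan Milne warns about.
AD_DIRECTORY = {
    "CN=Bruce Keeler,OU=Staff,DC=example,DC=com": {
        "sAMAccountName": "bkeeler", "userPassword": "hunter2"},
    "CN=Peter Karman,OU=Staff,DC=example,DC=com": {
        "sAMAccountName": "pkarman", "userPassword": "swordfish"},
    "CN=svc-catalyst,OU=Service,DC=example,DC=com": {
        "sAMAccountName": "svc-catalyst", "userPassword": "s3rv1ce"},
}
# Constructed POSIX-style tree where the RDN really is the login name.
POSIX_DIRECTORY = {
    "uid=bkeeler,ou=People,dc=example,dc=com": {
        "uid": "bkeeler", "userPassword": "hunter2"},
}

DN_SPECIALS = ',+"\\<>;='


def escape_rdn_value(value):
    """RFC 4514 escaping for a value interpolated into an RDN (hypothetical helper)."""
    out = "".join("\\" + c if c in DN_SPECIALS else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


class FakeLDAP:
    """Minimal stand-in for a directory server: bind() and an equality search."""

    def __init__(self, entries, anonymous_search=False):
        self.entries = entries
        self.anonymous_search = anonymous_search  # AD default: refused
        self.bound_as = None

    def bind(self, dn=None, password=None):
        if dn is None:                  # anonymous bind: accepted, unprivileged
            self.bound_as = None
            return True
        entry = self.entries.get(dn)
        if entry is None or entry["userPassword"] != password:
            self.bound_as = None        # invalidCredentials leaves us anonymous
            return False
        self.bound_as = dn
        return True

    def search(self, base, attr, value):
        if self.bound_as is None and not self.anonymous_search:
            raise PermissionError("insufficientAccessRights")
        return [dn for dn, e in self.entries.items()
                if dn.lower().endswith(base.lower()) and e.get(attr) == value]


def search_then_bind(ldap, username, password, *, user_basedn, user_field,
                     binddn=None, bindpw=None):
    """Initial bind (binddn/bindpw, or anonymous when unset), search for the
    user's DN, then rebind as that DN. A real Net::LDAP filter must escape the
    username per RFC 4515 (Net::LDAP::Util::escape_filter_value); the fake
    search compares attribute values directly, so no filter string is built."""
    if not ldap.bind(binddn, bindpw):
        return None
    try:
        matches = ldap.search(user_basedn, user_field, username)
    except PermissionError:
        return None                     # anonymous search denied by the server
    if len(matches) != 1:
        return None                     # zero or ambiguous: refuse, never guess
    dn = matches[0]
    return dn if ldap.bind(dn, password) else None


def bind_generated_dn(ldap, username, password, *, pattern):
    """Generate the DN from the username and skip the search. Only correct when
    the RDN attribute is the login attribute."""
    dn = pattern % escape_rdn_value(username)
    return dn if ldap.bind(dn, password) else None


def demo():
    """Run the cases the thread argues about; returns case -> DN or None."""
    ad = FakeLDAP(AD_DIRECTORY)
    base, field = "DC=example,DC=com", "sAMAccountName"
    svc = dict(binddn="CN=svc-catalyst,OU=Service,DC=example,DC=com", bindpw="s3rv1ce")
    return {
        # No binddn/bindpw configured: AD refuses the anonymous search.
        "ad_anonymous": search_then_bind(ad, "bkeeler", "hunter2",
                                         user_basedn=base, user_field=field),
        # A provisioned search account: the store's flow works against AD.
        "ad_service_account": search_then_bind(ad, "bkeeler", "hunter2",
                                               user_basedn=base, user_field=field, **svc),
        # Search finds the DN, but the user bind fails on a wrong password.
        "ad_wrong_password": search_then_bind(ad, "bkeeler", "nope",
                                              user_basedn=base, user_field=field, **svc),
        # Generated DN on AD: CN is "Bruce Keeler", not "bkeeler", so it fails.
        "ad_generated": bind_generated_dn(ad, "bkeeler", "hunter2",
                                          pattern="CN=%s,OU=Staff,DC=example,DC=com"),
        # Generated DN where uid is the RDN: works with no search account at all.
        "posix_generated": bind_generated_dn(FakeLDAP(POSIX_DIRECTORY), "bkeeler", "hunter2",
                                             pattern="uid=%s,ou=People,dc=example,dc=com"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20s} -> {outcome}")
```

The `ad_anonymous` case is the symptom described earlier in the thread: without `binddn`/`bindpw` the first bind is anonymous and Active Directory will not let an anonymous connection search, so the user's DN is never found and the password is never tried. The `ad_generated` case is why a generated DN cannot be the default: it only works when the RDN attribute is the login attribute, as in the POSIX-style tree.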
