[Catalyst] Issue with C::A::Store::LDAP and C::A::Credential::Password

Richardson, Matthew Matthew_Richardson at mentor.com
Wed Feb 27 18:42:48 GMT 2008


I am attempting to authenticate against the LDAP server used for our
Unix authentication environment. A user entry looks like:

 

dn: uid=uname,ou=People,dc=company,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: uname
sn: LastName
givenName: FirstName
cn: uname
userPassword: {crypt}sFBVlCCFXromo
loginShell: /bin/csh
uidNumber: 7904
gidNumber: 6062
homeDirectory: /user/uname
gecos: FirstName LastName
mail: email at email.com
displayName: LastName, FirstName
telephoneNumber: 555

 

I have configured authentication using:

 

use Catalyst qw/-Debug ConfigLoader Static::Simple
                    Session
                        Session::State::Cookie
                        Session::Store::FastMmap
                    Authentication/;

__PACKAGE__->config(
  'authentication' => {
     default_realm => "ldap",
     realms => {
       ldap => {
         credential => {
           class => "Password",
           password_field => "userPassword",
           password_type => "crypted",
         },
         store => {
            class               => "LDAP",
            binddn              => "cn=proxyagent,ou=profile,dc=xyz,dc=company,dc=com",
            bindpw              => "proxy",
            ldap_server         => "my.host.name",
            ldap_server_options => { timeout => 30 },
            start_tls           => 0,
            use_roles           => 0,
            user_basedn         => "ou=People,dc=company,dc=com",
            user_field          => "uid",
            user_filter         => "(&(objectClass=posixAccount)(uid=%s))",
            user_scope          => "one",
            user_search_options => { attrs => ['*'] },
         },
       },
     },
   },
);

 

Reusing some of the code from "The Book" I have implemented a login
action:

 

sub login : Global Form {
    my ($self, $c) = @_;
    my $form = $self->formbuilder;

    return unless $form->submitted && $form->validate;

    if ($c->authenticate({username => $form->field('username'),
                          password => $form->field('password')})){
        $c->flash->{message} = "Logged in successfully.";
        $c->res->redirect($c->uri_for('/'));
        $c->detach;
    }
    else {
        $c->stash->{error} = "Login failed.";
    }
}

 

I have tested the C::A::Store::LDAP ability to talk to the server by
first using a bogus hostname (which generated an error) and putting a
bogus password in for my proxy account (which generated an error) so I
know that the issue is with the final phase of testing the user's
password hash. From the debug output of the server I see this happen
when trying to authenticate:

 

[CGI::FormBuilder::Field::validate] (debug1) password: validation passed
[CGI::FormBuilder::validate] (debug1) validation done, ok = 1 (should be 1)
[CGI::FormBuilder::field] (debug2) called $form->field(username)
[CGI::FormBuilder::field] (debug2) searching fields for 'username'
[CGI::FormBuilder::Field::value] (debug2) username: called $field->value()
[CGI::FormBuilder::Field::value] (debug2) username: sticky && ! force
[CGI::FormBuilder::Field::cgi_value] (debug2) username: called $field->cgi_value
[CGI::FormBuilder::Field::cgi_value] (debug2) username: cgi value = (uname)
[CGI::FormBuilder::Field::value] (debug1) username: returning value (uname)
[CGI::FormBuilder::Field::inflate_value] (debug2) username: called $field->inflate_value
[CGI::FormBuilder::field] (debug2) called $form->field(password)
[CGI::FormBuilder::field] (debug2) searching fields for 'password'
[CGI::FormBuilder::Field::value] (debug2) password: called $field->value()
[CGI::FormBuilder::Field::value] (debug2) password: sticky && ! force
[CGI::FormBuilder::Field::cgi_value] (debug2) password: called $field->cgi_value
[CGI::FormBuilder::Field::cgi_value] (debug2) password: cgi value = (sdfd)
[CGI::FormBuilder::Field::value] (debug1) password: returning value (sdfd)
[CGI::FormBuilder::Field::inflate_value] (debug2) password: called $field->inflate_value
Use of uninitialized value in crypt at /usr/lib/perl5/site_perl/5.8.8/Catalyst/Authentication/Credential/Password.pm line 69.
Use of uninitialized value in crypt at /usr/lib/perl5/site_perl/5.8.8/Catalyst/Authentication/Credential/Password.pm line 69.
Use of uninitialized value in string eq at /usr/lib/perl5/site_perl/5.8.8/Catalyst/Authentication/Credential/Password.pm line 69.
[info] *** Request 1 (0.001/s) [12951] [Wed Feb 27 10:37:32 2008] ***
[debug] Body Parameters are:
.-------------------------------------+--------------------------------------.
| Parameter                           | Value                                |
+-------------------------------------+--------------------------------------+
| _submit                             | Login                                |
| _submitted_login                    | 1                                    |
| password                            | sdfd                                 |
| username                            | matthewr                             |
'-------------------------------------+--------------------------------------|

 

At this point the bogus password is being verified and I am
authenticated and redirected to /, which is not correct. Can anyone see
what I am doing wrong?

 

Thanks,

Matt
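
The warnings in the log above show `crypt` and `eq` running on undefined values at the point where the password is compared. As an added example (not part of the original post and not Catalyst's code), here is a crypt-style check that fails closed when either side is missing and strips the `{crypt}` scheme prefix seen in the directory entry. The helper name `check_crypted` and the sample hash are constructed for illustration, and the sketch assumes the store hands back the attribute with its prefix intact.

```perl
use strict;
use warnings;

# Hypothetical helper, not part of Catalyst::Authentication::Credential::Password.
# Returns 1 only when both values are present and the crypt() result matches.
sub check_crypted {
    my ($supplied, $stored) = @_;

    # Fail closed: a missing value on either side is a rejection, never a match.
    return 0 unless defined $supplied && length $supplied;
    return 0 unless defined $stored   && length $stored;

    # Entries like the one in the post carry an RFC 2307 scheme prefix;
    # crypt() output never includes it, so remove it before comparing.
    $stored =~ s/^\{crypt\}//i;
    return 0 unless length $stored;

    my $hashed = crypt($supplied, $stored);
    return 0 unless defined $hashed && length $hashed;
    return $hashed eq $stored ? 1 : 0;
}

# Constructed sample data: the hash is generated locally, not taken from the post.
my $hash = crypt('correct-horse', 'ab');
die "two-character-salt crypt() is not available on this platform\n"
    unless defined $hash && length($hash) == 13;
my $stored = '{crypt}' . $hash;

my @cases = (
    [ 'right password',        'correct-horse', $stored ],
    [ 'wrong password',        'sdfd',          $stored ],
    [ 'password key missing',  undef,           $stored ],
    [ 'attribute not fetched', 'sdfd',          undef   ],
    [ 'both values missing',   undef,           undef   ],
);

for my $case (@cases) {
    my ($label, $supplied, $attr) = @$case;
    printf "%-22s => %s\n", $label,
        check_crypted($supplied, $attr) ? 'ACCEPT' : 'reject';
}
```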

 

 

 
