[Catalyst] Issue with C::A::Store::LDAP and C::A::Credential::Password

Jay K jayk at ion0.com
Wed Feb 27 20:01:34 GMT 2008


Follow up for the list.

The first issue here is that Credential::Password expects you to pass
the password field name to authenticate, not just 'password'.  So if
your password_field is 'userPassword', as it is below, your
authenticate call should reflect that.  The same goes for the user id
field.  So the authenticate call for the config below should actually
be:

$c->authenticate({ uid          => $username,
                   userPassword => $password });


I've added a note to the C::P::Auth docs to call that out more clearly.

Jay

On Feb 27, 2008, at 11:42 AM, Richardson, Matthew wrote:

> I am attempting to authenticate against the LDAP server used for our
> Unix authentication environment. A user entry looks like:
>
> dn: uid=uname,ou=People,dc=company,dc=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> uid: uname
> sn: LastName
> givenName: FirstName
> cn: uname
> userPassword: {crypt}sFBVlCCFXromo
> loginShell: /bin/csh
> uidNumber: 7904
> gidNumber: 6062
> homeDirectory: /user/uname
> gecos: FirstName LastName
> mail: email at email.com
> displayName: LastName, FirstName
> telephoneNumber: 555
>
> I have configured authentication using:
>
> use Catalyst qw/-Debug ConfigLoader Static::Simple
>                     Session
>                         Session::State::Cookie
>                         Session::Store::FastMmap
>                     Authentication/;
>
> __PACKAGE__->config(
>   'authentication' => {
>      default_realm => "ldap",
>      realms => {
>        ldap => {
>          credential => {
>            class => "Password",
>            password_field => "userPassword",
>            password_type => "crypted",
>          },
>          store => {
>             class               => "LDAP",
>             binddn              => "cn=proxyagent,ou=profile,dc=xyz,dc=company,dc=com",
>             bindpw              => "proxy",
>             ldap_server         => "my.host.name",
>             ldap_server_options => { timeout => 30 },
>             start_tls           => 0,
>             use_roles           => 0,
>             user_basedn         => "ou=People,dc=company,dc=com",
>             user_field          => "uid",
>             user_filter         => "(&(objectClass=posixAccount)(uid=%s))",
>             user_scope          => "one",
>             user_search_options => { attrs => ['*'] },
>          },
>        },
>      },
>    },
> );
>
> Reusing some of the code from "The Book" I have implemented a login
> action:
>
> sub login : Global Form {
>     my ($self, $c) = @_;
>     my $form = $self->formbuilder;
>
>     return unless $form->submitted && $form->validate;
>
>     if ($c->authenticate({username => $form->field('username'),
>                           password => $form->field('password')})){
>         $c->flash->{message} = "Logged in successfully.";
>         $c->res->redirect($c->uri_for('/'));
>         $c->detach;
>     }
>     else {
>         $c->stash->{error} = "Login failed.";
>     }
> }
>
> I have tested the C::A::Store::LDAP ability to talk to the server by
> first using a bogus hostname (which generated an error) and putting
> a bogus password in for my proxy account (which generated an error)
> so I know that the issue is with the final phase of testing the
> user's password hash. From the debug output of the server I see
> this happen when trying to authenticate:
>
> [CGI::FormBuilder::Field::validate] (debug1) password: validation passed
> [CGI::FormBuilder::validate] (debug1) validation done, ok = 1 (should be 1)
> [CGI::FormBuilder::field] (debug2) called $form->field(username)
> [CGI::FormBuilder::field] (debug2) searching fields for 'username'
> [CGI::FormBuilder::Field::value] (debug2) username: called $field->value()
> [CGI::FormBuilder::Field::value] (debug2) username: sticky && ! force
> [CGI::FormBuilder::Field::cgi_value] (debug2) username: called $field->cgi_value
> [CGI::FormBuilder::Field::cgi_value] (debug2) username: cgi value = (uname)
> [CGI::FormBuilder::Field::value] (debug1) username: returning value (uname)
> [CGI::FormBuilder::Field::inflate_value] (debug2) username: called $field->inflate_value
> [CGI::FormBuilder::field] (debug2) called $form->field(password)
> [CGI::FormBuilder::field] (debug2) searching fields for 'password'
> [CGI::FormBuilder::Field::value] (debug2) password: called $field->value()
> [CGI::FormBuilder::Field::value] (debug2) password: sticky && ! force
> [CGI::FormBuilder::Field::cgi_value] (debug2) password: called $field->cgi_value
> [CGI::FormBuilder::Field::cgi_value] (debug2) password: cgi value = (sdfd)
> [CGI::FormBuilder::Field::value] (debug1) password: returning value (sdfd)
> [CGI::FormBuilder::Field::inflate_value] (debug2) password: called $field->inflate_value
> Use of uninitialized value in crypt at /usr/lib/perl5/site_perl/5.8.8/Catalyst/Authentication/Credential/Password.pm line 69.
> Use of uninitialized value in crypt at /usr/lib/perl5/site_perl/5.8.8/Catalyst/Authentication/Credential/Password.pm line 69.
> Use of uninitialized value in string eq at /usr/lib/perl5/site_perl/5.8.8/Catalyst/Authentication/Credential/Password.pm line 69.
> [info] *** Request 1 (0.001/s) [12951] [Wed Feb 27 10:37:32 2008] ***
> [debug] Body Parameters are:
> .-------------------------------------+--------------------------------------.
> | Parameter                           | Value                                |
> +-------------------------------------+--------------------------------------+
> | _submit                             | Login                                |
> | _submitted_login                    | 1                                    |
> | password                            | sdfd                                 |
> | username                            | matthewr                             |
> '-------------------------------------+--------------------------------------|
>
> At this point the bogus password is being verified and I am
> authenticated and redirected to /, which is not correct. Can anyone
> see what I am doing wrong?
>
> Thanks,
> Matt

---
For most things, throwing yourself at the wall over and over is a
better way to improve than thinking hard about the wall and taking
pictures of it.  -- D.Litwack
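
Added example, not code from this thread or from the Catalyst plugins: a guard that checks the authinfo keys against the realm's `user_field` and `password_field` before authenticating, and a crypt comparison that fails closed on undefined values, the condition behind the `uninitialized value in crypt` warnings in the quoted log. `authinfo_problems`, `check_crypted` and the sample password are hypothetical.

```perl
use strict;
use warnings;

# Field names from the realm config quoted in this thread.
my %realm = (user_field => 'uid', password_field => 'userPassword');

# Hypothetical helper: list what is wrong with an authinfo hash before it
# is handed to $c->authenticate.
sub authinfo_problems {
    my ($authinfo) = @_;
    my @problems;
    for my $key (@realm{qw(user_field password_field)}) {
        my $value = $authinfo->{$key};
        push @problems, "missing or empty '$key'"
            unless defined $value && length $value;
    }
    return @problems;
}

# Hypothetical fail-closed comparison for password_type "crypted".
sub check_crypted {
    my ($supplied, $stored) = @_;
    return 0 unless defined $supplied && length $supplied;
    return 0 unless defined $stored   && length $stored;
    (my $hash = $stored) =~ s/^\{crypt\}//i;    # scheme prefix, as in the entry above
    my $computed = crypt($supplied, $hash);
    return (defined $computed && $computed eq $hash) ? 1 : 0;
}

# Constructed sample data: a stored value in the same {crypt} form.
my $des = crypt('s3cret', 'ab');
die "crypt() on this platform cannot produce a DES hash\n"
    unless defined $des && $des =~ /^ab/;
my $stored = "{crypt}$des";

my @cases = (
    [ 'original login action keys', { username => 'uname', password     => 'sdfd' } ],
    [ 'realm keys, wrong password', { uid      => 'uname', userPassword => 'sdfd' } ],
    [ 'realm keys, right password', { uid      => 'uname', userPassword => 's3cret' } ],
);

for my $case (@cases) {
    my ($label, $authinfo) = @$case;
    my @problems = authinfo_problems($authinfo);
    my $verdict  = @problems ? 'rejected: ' . join('; ', @problems)
                 : check_crypted($authinfo->{ $realm{password_field} }, $stored) ? 'accepted'
                 :                                                                'rejected: bad password';
    print "$label -> $verdict\n";
}
```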




