[Catalyst] Catalyst::Authentication::Credential::LDAP

Wade.Stuart at fallon.com Wade.Stuart at fallon.com
Mon Jul 21 17:48:39 BST 2008


Matt S Trout <dbix-class at trout.me.uk> wrote on 07/19/2008 07:10:28 PM:

> On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
> > Also, somewhat apropos, I have a
> > C::A::{Store,Credential}::ActiveDirectory  that I based on the LDAP
> > stuff.  The LDAP modules didn't work for me because they want to bind
> > anonymously and retrieve the crypted password, whereas AD just wants to
> > authenticate with a bind.  My stuff also gets role information from AD
> > groups.  I've been meaning to get it out on CPAN one of these days, but
> > it hasn't been a priority; I suppose I can work on it if anyone else
> > needs it though.
>
> Sounds to me like 'auth by bind' versus 'auth by retrieve and check' should
> be an option in the LDAP stuff, not a separate module. Fancy doing up
> a patch?
>

From the POD, it authenticates users in two steps:

1) A search of the directory is performed, looking for a user object that
   matches the username you pass.  This is done with the bind credentials
   supplied in the "binddn" and "bindpw" configuration options.

2) If that object is found, we then re-bind to the directory as that object.
   Assuming this is successful, the user is Authenticated.

And the actual check password code:

    $self->store->ldap_bind( undef, $self->ldap_entry->dn, $password,
            'forauth' );

Notice the rebind.

So it does not try to "retrieve the crypted password"; it does bind (anon
or by authorized service account if set in binddn and bindpw) to the ldap
server. Next it grabs the user's dn from a search on that bind. Finally, to
authenticate, it actually binds to the ldap server as that user's dn. This
works well against AD (I use it); I don't understand what deficiency you
are trying to fix with your patch.
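The two-step "auth by bind" flow described above, written out as an added Net::LDAP example; this is not the code of Catalyst::Authentication::Store::LDAP, and the server, base DN, user attribute and service-account values are placeholders. It adds two checks the POD does not mention: the username is escaped before it goes into the search filter, and an empty password is rejected before the re-bind, because RFC 4513 lets a server treat a bind with a DN and an empty password as an unauthenticated bind that "succeeds".

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Constructed configuration; every value here is a placeholder.
my %cfg = (
    ldap_server => 'ldap://ldap.example.invalid',
    user_basedn => 'ou=people,dc=example,dc=invalid',
    user_field  => 'uid',      # 'sAMAccountName' when the directory is AD
    binddn      => 'cn=svc,dc=example,dc=invalid',  # undef => anonymous bind
    bindpw      => 'SERVICE-PASSWORD-PLACEHOLDER',
);

# Returns the user's DN on success, undef on any failure.
sub authenticate_by_bind {
    my ($username, $password) = @_;

    # Never send an empty password: RFC 4513 treats "DN + empty password"
    # as an unauthenticated bind, which many servers (AD included) accept,
    # so the re-bind below would report success for the wrong reason.
    return undef unless defined $password && length $password;

    my $ldap = Net::LDAP->new($cfg{ldap_server}) or return undef;

    # Step 1: bind with the service account (or anonymously) and search.
    my $mesg = defined $cfg{binddn}
        ? $ldap->bind($cfg{binddn}, password => $cfg{bindpw})
        : $ldap->bind();
    return undef if $mesg->code;

    # Escape the username so it cannot change the structure of the filter.
    my $filter = sprintf '(%s=%s)', $cfg{user_field},
                 escape_filter_value($username);
    $mesg = $ldap->search(base => $cfg{user_basedn}, scope => 'sub',
                          filter => $filter, attrs => ['1.1']);  # DN only
    # Require exactly one match; an ambiguous lookup is a failure.
    return undef if $mesg->code || $mesg->count != 1;
    my $dn = $mesg->entry(0)->dn;

    # Step 2: re-bind as the user's own DN; the server verifies the password.
    $mesg = $ldap->bind($dn, password => $password);
    $ldap->unbind;
    return $mesg->code ? undef : $dn;
}
```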