[Catalyst] Catalyst::Authentication::Credential::LDAP
Matt S Trout
dbix-class at trout.me.uk
Mon Jul 21 22:32:03 BST 2008
On Mon, Jul 21, 2008 at 11:48:39AM -0500, Wade.Stuart at fallon.com wrote:
> Matt S Trout <dbix-class at trout.me.uk> wrote on 07/19/2008 07:10:28 PM:
>
> > On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
> > > Also, somewhat apropos, I have a
> > > C::A::{Store,Credential}::ActiveDirectory that I based on the LDAP
> > > stuff. The LDAP modules didn't work for me because they want to bind
> > > anonymously and retrieve the crypted password, whereas AD just wants to
> > > authenticate with a bind. My stuff also gets role information from AD
> > > groups. I've been meaning to get it out on CPAN one of these days, but
> > > it hasn't been a priority; I suppose I can work on it if anyone else
> > > needs it though.
> >
> > Sounds to me like 'auth by bind' versus 'auth by retrieve and check' should
> > be an option in the LDAP stuff, not a separate module. Fancy doing up
> > a patch?
>
> From the POD, it authenticates users in two steps:
>
> 1) A search of the directory is performed, looking for a user object that
> matches the username you pass. This is done with the bind credentials
> supplied in the "binddn" and "bindpw" configuration options.
>
> 2) If that object is found, we then re-bind to the directory as that object.
> Assuming this is successful, the user is Authenticated.
>
> And the actual check password code:
>
> $self->store->ldap_bind( undef, $self->ldap_entry->dn, $password, 'forauth' );
>
> Notice the rebind.
> So it does not try to "retrieve the crypted password"; it does bind (anon
> or by authorized service account if set in binddn and bindpw) to the LDAP
> server. Next it grabs the user's dn from a search on that bind. Finally, to
> authenticate, it actually binds to the LDAP server as that user's dn. This
> works well against AD (I use it); I don't understand what deficiency you
> are trying to fix with your patch.
Maybe the search phase failed for the original poster?
I dunno, I was just saying it should probably support both approaches :)
--
Matt S Trout Need help with your Catalyst or DBIx::Class project?
Technical Director http://www.shadowcat.co.uk/catalyst/
Shadowcat Systems Ltd. Want a managed development or deployment platform?
http://chainsawblues.vox.com/ http://www.shadowcat.co.uk/servers/
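The two-step flow Wade quotes from the POD, as an added example in Python (not the module's Perl, nor code from anyone in the thread), run against an in-memory stand-in for the directory: binddn/bindpw are the options named above, user_basedn/user_field mirror the store's lookup options, and every DN and password is constructed. It also carries the two checks a practitioner wants around auth-by-bind: an empty password is rejected before the re-bind (a DN with an empty password is an unauthenticated bind under RFC 4513, which many servers accept), and the username is escaped before it goes into the search filter (RFC 4515).

```python
"""Two-step LDAP 'auth by bind' from the thread (search as the service account, then
re-bind as the found DN) against an in-memory stand-in directory of constructed data."""
import hashlib

RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape a username before it is interpolated into a search filter (RFC 4515)."""
    return "".join(RFC4515.get(ch, ch) for ch in value)

def pw_hash(text):
    return hashlib.sha256(text.encode()).hexdigest()

class FakeDirectory:
    """Stand-in for an LDAP server. bind() follows RFC 4513: a DN with an empty
    password is an *unauthenticated* bind and succeeds, as many servers allow."""
    def __init__(self, entries, service_dn, service_pw):
        self.entries = entries  # {dn: {"uid": ..., "userPassword": hash}}
        self.service = (service_dn, service_pw)
    def bind(self, dn, password):
        if not dn or not password:
            return True  # anonymous or unauthenticated bind
        if (dn, password) == self.service:
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry["userPassword"] == pw_hash(password)
    def search(self, base, filter_str):
        """Equality filters "(attr=value)" only; returns the matching DNs."""
        attr, _, value = filter_str[1:-1].partition("=")
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base) and escape_filter_value(e.get(attr, "")) == value]

def authenticate(directory, cfg, username, password):
    """Return the user's DN on success, None otherwise."""
    if not password:
        return None  # otherwise step 2 is an unauthenticated bind (RFC 4513 5.1.2)
    # Step 1: bind as binddn/bindpw (anonymous if unset) and look the user up.
    if not directory.bind(cfg.get("binddn"), cfg.get("bindpw")):
        raise RuntimeError("service bind failed")
    filt = "(%s=%s)" % (cfg["user_field"], escape_filter_value(username))
    matches = directory.search(cfg["user_basedn"], filt)
    if len(matches) != 1:
        return None  # unknown user, or an ambiguous match: refuse rather than guess
    # Step 2: re-bind as the user's own DN with the supplied password.
    return matches[0] if directory.bind(matches[0], password) else None

SERVICE_DN, PEOPLE = "cn=catalyst,ou=svc,dc=example,dc=com", "ou=people,dc=example,dc=com"
DIRECTORY = FakeDirectory({"uid=alice," + PEOPLE: {"uid": "alice", "userPassword": pw_hash("s3cret")}},
                          SERVICE_DN, "svc-pw")
CONFIG = {"binddn": SERVICE_DN, "bindpw": "svc-pw", "user_basedn": PEOPLE, "user_field": "uid"}
```

Note that `DIRECTORY.bind(<alice dn>, "")` returns True while `authenticate(..., "alice", "")` returns None: the empty-password check in the caller is what keeps an unauthenticated bind from counting as a login.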