[Catalyst] ldap authentication/db authorization
Byron Young
Byron.Young at riverbed.com
Mon Aug 10 17:11:36 GMT 2009
Steve Rippl wrote on 2009-08-09:
> Hello!
>
> I have a question that is hopefully trivial for someone here, but I
> haven't seen any examples. I have an app I'm building, used by folks in
> an Active Directory network. It's got a DBIx model and I'd like to use
> that for role based authorization and getting staff members
> grade/building info etc (it's a school district), but I'd like to (just)
> authenticate against ldap. I don't want to store any user/role data
> there (obviously their username is in there and it matches what I have
> in the db), simply try to bind against it as the user, then get store
> data from the database. This way they can use their network passwords
> and I don't have to fill AD with application specific info.
>
> Make sense? Easy to do?
>
> So far I'm doing it all via the db...
>
> name WsdSis
> <authentication>
> default_realm dbic
> <realms>
> <dbic>
> <credential>
> class Password
> password_type clear
> </credential>
> <store>
> user_class DB::Staff
> role_relation roles
> role_field role
> </store>
> </dbic>
> </realms>
> </authentication>
> ...
>
> and
> ...
> use Catalyst qw/
> -Debug
> ConfigLoader
> Static::Simple
> StackTrace
> Authentication
> Authorization::Roles
> Session
> Session::Store::FastMmap
> Session::State::Cookie
> /;
> ...
>
> What would these look like if I'm able to squeeze the ldap plugin in
> there? Can I have 2 Authentication::Store backends in there?
>
> TIA,
> Steve
>
> --
> Steve Rippl
> Technology Director
> Woodland School District
> 360 225 9451 x326
>
>
Hey Steve,
I do this in my app. The way I do it is I have two authentication realms - LDAP and DBIC. I authenticate against the LDAP realm first, and if that is successful I do a find_or_create with the user info on my user DB table, so any first-time users get a user created in the DBIC realm with default roles and whatnot. Then I authenticate against the DBIC realm. I do that last because $c->user will contain the most recently authenticated user, so in this case $c->user would be your DB::Staff object.
HTH
Byron
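
The flow described in the reply above, as an added example that is not part of the original message or of either poster's application: a login action that binds against an LDAP realm, provisions the DB row, then loads it through the DBIC realm. Assumptions: a realm named `ldap` backed by Catalyst::Authentication::Store::LDAP, the `dbic` realm's credential switched to `password_type none`, a `username` column on `DB::Staff`, and the hypothetical controller name `WsdSis::Controller::Login`.

```perl
package WsdSis::Controller::Login;    # hypothetical controller name
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }

sub login : Path('/login') : Args(0) {
    my ( $self, $c ) = @_;
    my $username = $c->req->body_parameters->{username};
    my $password = $c->req->body_parameters->{password};

    # Reject missing, repeated (array ref) or empty values before touching
    # LDAP: a simple bind with an empty password is an unauthenticated bind
    # (RFC 4513) and a directory may report it as a successful bind.
    for my $v ( $username, $password ) {
        unless ( defined $v && !ref $v && length $v ) {
            $c->stash( error => 'Login failed' );
            return;
        }
    }

    # Step 1: prove the password by binding as the user in the ldap realm.
    unless ( $c->authenticate(
                 { id => $username, password => $password }, 'ldap' ) ) {
        $c->stash( error => 'Login failed' );
        return;
    }

    # Step 2: first-time users get a row; roles live only in the database.
    # AD logon names match case-insensitively, so store one canonical form
    # (assumes usernames are kept lowercase in the table).
    my $name = lc $username;
    $c->model('DB::Staff')->find_or_create( { username => $name } );

    # Step 3: authenticate against dbic last so $c->user is the DB::Staff
    # row. This realm does no password check (password_type none), so it
    # must only be reached after the ldap bind above has succeeded.
    unless ( $c->authenticate( { username => $name }, 'dbic' ) ) {
        $c->logout;
        $c->stash( error => 'Login failed' );
        return;
    }
    $c->response->redirect( $c->uri_for('/') );
}

__PACKAGE__->meta->make_immutable;
1;
```

With the `dbic` realm set to `password_type none`, `default_realm` should point at the LDAP realm, so that a call to `$c->authenticate` without an explicit realm cannot log a user in without a password.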