[Catalyst] passwordless LDAP authentication

Rodrigo rodrigolive at gmail.com
Mon Jul 27 09:38:35 GMT 2009


Hi all,
I'm using Catalyst::Authentication::Store::LDAP to authenticate users, but
now I need to allow some of them to single-signon without a password, like
this:

if( $is_sso ) {
    $c->authenticate({ id => $user });  ## I trust this dude, so skip the check_password sub
} else {
    $c->authenticate({ id => $user, password => $password });  ## old fashioned
}

I'm looking at the authentication internals and it seems to be missing a
per-user flag to disable password checking. Only a global realm-based
password_type=>'none' exists. Am I correct?

On the other hand, switching realms to a passwordless LDAP where
password_type=>'none' either duplicates information senselessly, or is a little
bit messy since it needs a MyApp.pm startup config hack. But it seems like
the only doable option right now.

To make matters worse, LDAP::User::check_password also checks user roles
since it needs the password to bind to the LDAP server. That could make it
more difficult to implement a passwordless flag at any level on the
authenticate chain.

Any views on this?

regards,
   rodrigo
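
The realm-switch workaround described in the message above, sketched as an added example (not part of the original post and not the Catalyst project's own code): one store definition is shared by a normal realm and a password_type => 'none' realm, and the caller names the realm explicitly. The realm names, server and DN values, the MYAPP_LDAP_BINDPW variable and the login_user helper are assumptions made for illustration.

```perl
package MyApp;
use Moose;
use namespace::autoclean;
use Catalyst qw/Authentication/;
extends 'Catalyst';

# One LDAP store definition reused by both realms, so the directory
# settings are written once. All values below are placeholders.
my %ldap_store = (
    class       => 'LDAP',
    ldap_server => 'ldap.example.com',
    binddn      => 'cn=catalyst,ou=services,dc=example,dc=com',
    bindpw      => $ENV{MYAPP_LDAP_BINDPW},    # hypothetical variable name
    user_basedn => 'ou=people,dc=example,dc=com',
    user_field  => 'uid',
    user_filter => '(&(objectClass=posixAccount)(uid=%s))',
);

__PACKAGE__->config(
    'Plugin::Authentication' => {
        default_realm => 'ldap',    # anything not naming a realm stays password-checked
        realms        => {
            # Normal logins: the LDAP user object checks the password itself.
            ldap => {
                credential => {
                    class          => 'Password',
                    password_field => 'password',
                    password_type  => 'self_check',
                },
                store => {%ldap_store},
            },
            # Pre-authenticated logins: the user must exist in LDAP, no password check.
            ldap_sso => {
                credential => { class => 'Password', password_type => 'none' },
                store      => {%ldap_store},
            },
        },
    },
);
__PACKAGE__->setup;

# Hypothetical helper. $is_sso has to be decided server-side (for example by an
# upstream authenticator the app trusts), never taken from request parameters.
sub login_user {
    my ( $c, $user, $password, $is_sso ) = @_;
    return $is_sso
        ? $c->authenticate( { id => $user }, 'ldap_sso' )
        : $c->authenticate( { id => $user, password => $password }, 'ldap' );
}
1;
```

Keeping the password-checked realm as default_realm means a call site that forgets to name a realm cannot fall through to the passwordless one.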