[Catalyst] Catalyst and LDAP with sessions

Birger Burkhardt sysdev41 at googlemail.com
Mon Feb 27 21:43:14 GMT 2012 

Hi Francisco,

sorry, but i think we are not talking about the same.
1.) The GUI uses its own LDAP Bind credentals for Directory search purposes.
2.) On user login, the catalyst app binds to LDAP via the credentials of
the user. On success, session is established, user is logged in. So far so
good everything working up to here.
3.) After succesful login, the user performs some actions on the LDAP
server via the GUI. This has to be done with the (somewhere) stored
credentials of the user. In a new request, $c->user->ldap_connection tries
to establish a connection with the ldap-server and fails, because the
password is gone. So somewhere the password has to be stored ...

Best regards,
Birger


On Mon, Feb 27, 2012 at 10:20 PM, Francisco Obispo <fobispo at isc.org> wrote:

> You don't need to store the password... You just need to have a session id
> that has a short lifetime while you browse..
>
>
> You can tie that session id with an ip address for additional security .
>
> Francisco
>
> On Feb 27, 2012, at 1:06 PM, Birger Burkhardt <sysdev41 at googlemail.com>
> wrote:
>
> Hi Francisco,
>
> thank you for your reply. I already use sessions (FastMmap for Storage and
> Cookies for State). I can login to the GUI via my LDAP credentials. But t=
he
> problem is: every further request has to be done with my personal
> credentials. Therefore the password should be stored somewhere safe. I
> don't want to store the userpassword in a unencrypted sessionvariable.
>
> Best regards,
> Birger
>
>
> On Mon, Feb 27, 2012 at 6:52 PM, Francisco Obispo <fobispo at isc.org> wrote:
>
>> Hi Birger,
>>
>> Once you've authenticated with LDAP, or with any backend, it is important
>> that you store the session information somewhere.. Some people use a
>> database, memcached, tmp file, or any other method.
>>
>> That way, when the client comes with the next request, he will offer a
>> cookie that can be verified for authorization purposes.
>>
>> francisco
>>
>>
>>
>> On Feb 27, 2012, at 2:30 AM, Birger Burkhardt wrote:
>>
>> > Hello Peter,
>> >
>> > thank you for your reply.
>> >
>> > no, i am not storing these credentials as i thought the module would do
>> this. I also tried to use the following package, but it doesn't work eit=
her:
>> >
>> >
>> http://cpansearch.perl.org/src/BOBTFISH/Catalyst-Model-LDAP-FromAuthenti=
cation-0.02/README
>> >
>> > According to this changelog (see entry in Version 1.007):
>> >
>> http://cpan.uwinnipeg.ca/htdocs/Catalyst-Authentication-Store-LDAP/Chang=
es.html
>> > the user object has to be serialized and stored in the session. Do you
>> have an idea how to do this?
>> >
>> > Best regards,
>> > Birger
>> >
>> >
>> > On Sat, Feb 25, 2012 at 3:41 AM, Peter Karman <peter at peknet.com> wrote:
>> > Birger Burkhardt wrote on 2/24/12 7:22 AM:
>> >
>> > > After successful authentication, all further request
>> > > should be executed via the credentials of the logged in user.
>> > >
>> >
>> > are you somehow storing those credentials so that they persist over the
>> life of
>> > the session? The LDAP authn plugin does not do that for you, afaik. The
>> > credentials exist only for the life of that particular login HTTP
>> request.
>> >
>> > or maybe I'm misunderstanding what you're trying to do?
>> >
>> > > In the login controller the user is authenticated
>> > > [...]
>> > >         # Get the username and password from form
>> > >         my $username =3D3D $c->request->params->{username};
>> > >         my $password =3D3D $c->request->params->{password};
>> > >
>> > >         # If the username and password values were found in form
>> > >         if ($username && $password) {
>> > >             # Attempt to log the user in
>> > >             if ($c->authenticate({ username =3D3D> $username,
>> > >                                    password =3D3D> $password })) {
>> > > [...]
>> > >
>> > > But when I do a new request from within another controller, i get an
>> ldap
>> > > error meaning the credentials are invalid:
>> > >
>> > > code in other controller:
>> > > [...]
>> > >     my $ldapconn =3D3D $c->user->ldap_connection();
>> > >     my $mesg =3D3D $ldapconn->search(     base =3D3D>
>> "ou=3D3Dusers,dc=3D3Dexample,=3D
>> > > dc=3D3Dcom",
>> > > filter =3D3D> "(uid=3D3D*)");
>> > >     my @entries =3D3D $mesg->sorted('uid');
>> > >     $c->stash(users =3D3D> \@entries,);
>> > >     $c->stash(template =3D3D> 'userList.tt2');
>> > > [...]
>> > >
>> >
>> >
>> > --
>> > Peter Karman  .  http://peknet.com/  .  peter at peknet.com
>> >
>> > _______________________________________________
>> > List: Catalyst at lists.scsys.co.uk
>> > Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
>> > Searchable archive:
>> http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
>> > Dev site: http://dev.catalyst.perl.org/
>> >
>> > _______________________________________________
>> > List: Catalyst at lists.scsys.co.uk
>> > Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
>> > Searchable archive:
>> http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
>> > Dev site: http://dev.catalyst.perl.org/
>>
>> Francisco Obispo
>> email: fobispo at isc.org
>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>> PGP KeyID =3D B38DB1BE
>>
>>
>> _______________________________________________
>> List: Catalyst at lists.scsys.co.uk
>> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
>> Searchable archive:
>> http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
>> Dev site: http://dev.catalyst.perl.org/
>>
>
> _______________________________________________
> List: Catalyst at lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive:
> http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/
>
>
> _______________________________________________
> List: Catalyst at lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive:
> http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.scsys.co.uk/pipermail/catalyst/attachments/20120227/c5d48=
dd8/attachment.htm

More information about the Catalyst mailing list