[Catalyst] Catalyst and LDAP with sessions

Francisco Obispo fobispo at isc.org
Mon Feb 27 22:53:25 GMT 2012 

I see what the problem is now.

I would store it locally using a Memcached server, and would use the session_id as the key..

That way you can use the auto-expire feature, thus functioning like a key-ring.

In case you have multiple servers handling the requests, they can always connect to the memcached server and share the info.

Francisco

On Feb 27, 2012, at 1:43 PM, Birger Burkhardt wrote:

> Hi Francisco,
> 
> sorry, but i think we are not talking about the same.
> 1.) The GUI uses its own LDAP Bind credentals for Directory search purposes.
> 2.) On user login, the catalyst app binds to LDAP via the credentials of the user. On success, session is established, user is logged in. So far so good everything working up to here.
> 3.) After succesful login, the user performs some actions on the LDAP server via the GUI. This has to be done with the (somewhere) stored credentials of the user. In a new request, $c->user->ldap_connection tries to establish a connection with the ldap-server and fails, because the password is gone. So somewhere the password has to be stored ...
> 
> Best regards,
> Birger
> 
> 
> On Mon, Feb 27, 2012 at 10:20 PM, Francisco Obispo <fobispo at isc.org> wrote:
> You don't need to store the password... You just need to have a session id that has a short lifetime while you browse..  
> 
> 
> You can tie that session id with an ip address for additional security .
> 
> Francisco
> 
> On Feb 27, 2012, at 1:06 PM, Birger Burkhardt <sysdev41 at googlemail.com> wrote:
> 
>> Hi Francisco,
>> 
>> thank you for your reply. I already use sessions (FastMmap for Storage and Cookies for State). I can login to the GUI via my LDAP credentials. But the problem is: every further request has to be done with my personal credentials. Therefore the password should be stored somewhere safe. I don't want to store the userpassword in a unencrypted sessionvariable.
>> 
>> Best regards,
>> Birger
>> 
>> 
>> On Mon, Feb 27, 2012 at 6:52 PM, Francisco Obispo <fobispo at isc.org> wrote:
>> Hi Birger,
>> 
>> Once you've authenticated with LDAP, or with any backend, it is important that you store the session information somewhere.. Some people use a database, memcached, tmp file, or any other method.
>> 
>> That way, when the client comes with the next request, he will offer a cookie that can be verified for authorization purposes.
>> 
>> francisco
>> 
>> 
>> 
>> On Feb 27, 2012, at 2:30 AM, Birger Burkhardt wrote:
>> 
>> > Hello Peter,
>> >
>> > thank you for your reply.
>> >
>> > no, i am not storing these credentials as i thought the module would do this. I also tried to use the following package, but it doesn't work either:
>> >
>> > http://cpansearch.perl.org/src/BOBTFISH/Catalyst-Model-LDAP-FromAuthentication-0.02/README
>> >
>> > According to this changelog (see entry in Version 1.007):
>> > http://cpan.uwinnipeg.ca/htdocs/Catalyst-Authentication-Store-LDAP/Changes.html
>> > the user object has to be serialized and stored in the session. Do you have an idea how to do this?
>> >
>> > Best regards,
>> > Birger
>> >
>> >
>> > On Sat, Feb 25, 2012 at 3:41 AM, Peter Karman <peter at peknet.com> wrote:
>> > Birger Burkhardt wrote on 2/24/12 7:22 AM:
>> >
>> > > After successful authentication, all further request
>> > > should be executed via the credentials of the logged in user.
>> > >
>> >
>> > are you somehow storing those credentials so that they persist over the life of
>> > the session? The LDAP authn plugin does not do that for you, afaik. The
>> > credentials exist only for the life of that particular login HTTP request.
>> >
>> > or maybe I'm misunderstanding what you're trying to do?
>> >
>> > > In the login controller the user is authenticated
>> > > [...]
>> > >         # Get the username and password from form
>> > >         my $username =3D $c->request->params->{username};
>> > >         my $password =3D $c->request->params->{password};
>> > >
>> > >         # If the username and password values were found in form
>> > >         if ($username && $password) {
>> > >             # Attempt to log the user in
>> > >             if ($c->authenticate({ username =3D> $username,
>> > >                                    password =3D> $password })) {
>> > > [...]
>> > >
>> > > But when I do a new request from within another controller, i get an ldap
>> > > error meaning the credentials are invalid:
>> > >
>> > > code in other controller:
>> > > [...]
>> > >     my $ldapconn =3D $c->user->ldap_connection();
>> > >     my $mesg =3D $ldapconn->search(     base =3D> "ou=3Dusers,dc=3Dexample,=
>> > > dc=3Dcom",
>> > > filter =3D> "(uid=3D*)");
>> > >     my @entries =3D $mesg->sorted('uid');
>> > >     $c->stash(users =3D> \@entries,);
>> > >     $c->stash(template =3D> 'userList.tt2');
>> > > [...]
>> > >
>> >
>> >
>> > --
>> > Peter Karman  .  http://peknet.com/  .  peter at peknet.com
>> >
>> > _______________________________________________
>> > List: Catalyst at lists.scsys.co.uk
>> > Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
>> > Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
>> > Dev site: http://dev.catalyst.perl.org/
>> >
>> > _______________________________________________
>> > List: Catalyst at lists.scsys.co.uk
>> > Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
>> > Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
>> > Dev site: http://dev.catalyst.perl.org/
>> 
>> Francisco Obispo
>> email: fobispo at isc.org
>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>> PGP KeyID = B38DB1BE
>> 
>> 
>> _______________________________________________
>> List: Catalyst at lists.scsys.co.uk
>> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
>> Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
>> Dev site: http://dev.catalyst.perl.org/
>> 
>> _______________________________________________
>> List: Catalyst at lists.scsys.co.uk
>> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
>> Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
>> Dev site: http://dev.catalyst.perl.org/
> 
> _______________________________________________
> List: Catalyst at lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/
> 
> 
> _______________________________________________
> List: Catalyst at lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/

Francisco Obispo 
email: fobispo at isc.org
Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
PGP KeyID = B38DB1BE

More information about the Catalyst mailing list