[Catalyst] Catalyst and LDAP with sessions

Birger Burkhardt sysdev41 at googlemail.com
Tue Feb 28 13:48:05 GMT 2012


Hi Francisco,

I am not quite sure if it could be done using existing classes/modules.
Can you please have a look at both of the following links? Are you sure
I have to implement the storage of the password in a memcached server?

http://cpansearch.perl.org/src/BOBTFISH/Catalyst-Model-LDAP-FromAuthentication-0.02/README

According to this changelog (see entry in Version 1.007):
http://cpan.uwinnipeg.ca/htdocs/Catalyst-Authentication-Store-LDAP/Changes.html
the user object has to be serialized and stored in the session to be
used for further connects to the LDAP server.

Best regards,
Birger


On Mon, Feb 27, 2012 at 11:53 PM, Francisco Obispo <fobispo at isc.org> wrote:

> I see what the problem is now.
>
> I would store it locally using a Memcached server, and would use the
> session_id as the key.
>
> That way you can use the auto-expire feature, thus functioning like a
> key-ring.
>
> In case you have multiple servers handling the requests, they can always
> connect to the memcached server and share the info.
>
> Francisco
>
> On Feb 27, 2012, at 1:43 PM, Birger Burkhardt wrote:
>
> > Hi Francisco,
> >
> > sorry, but I think we are not talking about the same thing.
> > 1.) The GUI uses its own LDAP bind credentials for directory search
> > purposes.
> > 2.) On user login, the Catalyst app binds to LDAP via the credentials of
> > the user. On success, a session is established and the user is logged in.
> > So far so good, everything is working up to here.
> > 3.) After successful login, the user performs some actions on the LDAP
> > server via the GUI. This has to be done with the (somewhere) stored
> > credentials of the user. In a new request, $c->user->ldap_connection tries
> > to establish a connection with the LDAP server and fails, because the
> > password is gone. So somewhere the password has to be stored ...
> >
> > Best regards,
> > Birger
> >
> >
> > On Mon, Feb 27, 2012 at 10:20 PM, Francisco Obispo <fobispo at isc.org>
> > wrote:
> > You don't need to store the password... You just need to have a session
> > id that has a short lifetime while you browse.
> >
> >
> > You can tie that session id with an ip address for additional security.
> >
> > Francisco
> >
> > On Feb 27, 2012, at 1:06 PM, Birger Burkhardt <sysdev41 at googlemail.com>
> > wrote:
> >
> >> Hi Francisco,
> >>
> >> thank you for your reply. I already use sessions (FastMmap for Storage
> >> and Cookies for State). I can log in to the GUI via my LDAP credentials.
> >> But the problem is: every further request has to be done with my personal
> >> credentials. Therefore the password should be stored somewhere safe. I
> >> don't want to store the user password in an unencrypted session variable.
> >>
> >> Best regards,
> >> Birger
> >>
> >>
> >> On Mon, Feb 27, 2012 at 6:52 PM, Francisco Obispo <fobispo at isc.org>
> >> wrote:
> >> Hi Birger,
> >>
> >> Once you've authenticated with LDAP, or with any backend, it is
> >> important that you store the session information somewhere. Some people
> >> use a database, memcached, a tmp file, or any other method.
> >>
> >> That way, when the client comes with the next request, he will offer a
> >> cookie that can be verified for authorization purposes.
> >>
> >> francisco
> >>
> >>
> >>
> >> On Feb 27, 2012, at 2:30 AM, Birger Burkhardt wrote:
> >>
> >> > Hello Peter,
> >> >
> >> > thank you for your reply.
> >> >
> >> > No, I am not storing these credentials as I thought the module would
> >> > do this. I also tried to use the following package, but it doesn't work
> >> > either:
> >> >
> >> > http://cpansearch.perl.org/src/BOBTFISH/Catalyst-Model-LDAP-FromAuthentication-0.02/README
> >> >
> >> > According to this changelog (see entry in Version 1.007):
> >> >
> >> > http://cpan.uwinnipeg.ca/htdocs/Catalyst-Authentication-Store-LDAP/Changes.html
> >> > the user object has to be serialized and stored in the session. Do
> >> > you have an idea how to do this?
> >> >
> >> > Best regards,
> >> > Birger
> >> >
> >> >
> >> > On Sat, Feb 25, 2012 at 3:41 AM, Peter Karman <peter at peknet.com>
> >> > wrote:
> >> > Birger Burkhardt wrote on 2/24/12 7:22 AM:
> >> >
> >> > > After successful authentication, all further requests
> >> > > should be executed via the credentials of the logged-in user.
> >> > >
> >> >
> >> > are you somehow storing those credentials so that they persist over
> >> > the life of the session? The LDAP authn plugin does not do that for
> >> > you, afaik. The credentials exist only for the life of that particular
> >> > login HTTP request.
> >> >
> >> > or maybe I'm misunderstanding what you're trying to do?
> >> >
> >> > > In the login controller the user is authenticated
> >> > > [...]
> >> > >         # Get the username and password from form
> >> > >         my $username = $c->request->params->{username};
> >> > >         my $password = $c->request->params->{password};
> >> > >
> >> > >         # If the username and password values were found in form
> >> > >         if ($username && $password) {
> >> > >             # Attempt to log the user in
> >> > >             if ($c->authenticate({ username => $username,
> >> > >                                    password => $password })) {
> >> > > [...]
> >> > >
> >> > > But when I do a new request from within another controller, I get
> >> > > an LDAP error meaning the credentials are invalid:
> >> > >
> >> > > code in other controller:
> >> > > [...]
> >> > >     my $ldapconn = $c->user->ldap_connection();
> >> > >     my $mesg     = $ldapconn->search(
> >> > >         base   => "ou=users,dc=example,dc=com",
> >> > >         filter => "(uid=*)",
> >> > >     );
> >> > >     my @entries = $mesg->sorted('uid');
> >> > >     $c->stash(users => \@entries);
> >> > >     $c->stash(template => 'userList.tt2');
> >> > > [...]
> >> > >
> >> >
> >> >
> >> > --
> >> > Peter Karman  .  http://peknet.com/  .  peter at peknet.com
> >> >
> >> > _______________________________________________
> >> > List: Catalyst at lists.scsys.co.uk
> >> > Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> >> > Searchable archive:
> http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> >> > Dev site: http://dev.catalyst.perl.org/
> >> >
> >> Francisco Obispo
> >> email: fobispo at isc.org
> >> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
> >> PGP KeyID = B38DB1BE
> >>
> >
>
> Francisco Obispo
> email: fobispo at isc.org
> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
> PGP KeyID = B38DB1BE
>
>
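The thread ends with Francisco's suggestion of a memcached "key-ring" keyed by the session id with auto-expire, optionally tied to the client address, and Birger's concern about leaving the password in a serialized session variable. The code below is an added example, not code from the thread nor from the Catalyst or Net::LDAP modules it mentions. It implements that key-ring pattern in core Perl with an in-memory hash standing in for memcached (Cache::Memcached's set/get/delete with an expiry time behave the same way), and the package and method names (CredentialRing, store, fetch, forget), the TTL default, the hashing of the session id, and the sample session id, password and addresses are all this example's own assumptions.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread or from the Catalyst modules it
# names: a short-lived server-side "key-ring" for the user's LDAP bind
# password, keyed by the Catalyst session id, so the password never has to
# be serialized into the session itself. The in-memory hash stands in for
# memcached; everything used here is core Perl. Package and method names
# are this example's own.
use strict;
use warnings;

package CredentialRing {
    use Digest::SHA qw(sha256_hex);

    # ttl: seconds an entry lives without being used (assumed default: 10 min)
    # now: clock function, injectable so expiry can be exercised offline
    sub new {
        my ($class, %args) = @_;
        return bless {
            store => {},                   # key => [expires_at, password, client_ip]
            ttl   => $args{ttl} // 600,
            now   => $args{now} // sub { time },
        }, $class;
    }

    # Hash the session id before using it as the cache key, so a dump of the
    # cache does not hand out values that are directly usable as cookies.
    sub _key { my ($self, $sid) = @_; return 'ldapcred:' . sha256_hex($sid) }

    # Called once, right after $c->authenticate succeeds at login.
    sub store {
        my ($self, $sid, $password, $client_ip) = @_;
        $self->{store}{ $self->_key($sid) } =
            [ $self->{now}->() + $self->{ttl}, $password, $client_ip ];
        return 1;
    }

    # Called on later requests. Returns undef when the entry is missing,
    # expired, or presented from a different client address than the one
    # that logged in (the "tie the session id to an IP" suggestion); in
    # those cases the entry is dropped and the user has to log in again.
    sub fetch {
        my ($self, $sid, $client_ip) = @_;
        my $key   = $self->_key($sid);
        my $entry = $self->{store}{$key} or return undef;
        my ($expires, $password, $bound_ip) = @$entry;
        if ($self->{now}->() >= $expires || ($client_ip // '') ne $bound_ip) {
            delete $self->{store}{$key};
            return undef;
        }
        $entry->[0] = $self->{now}->() + $self->{ttl};   # sliding expiry
        return $password;
    }

    # Called on logout so the password disappears together with the session.
    sub forget {
        my ($self, $sid) = @_;
        delete $self->{store}{ $self->_key($sid) };
        return 1;
    }
}

package main;

# Offline walk-through with a fake clock and constructed sample values.
my $clock = 1_000;
my $ring  = CredentialRing->new(ttl => 300, now => sub { $clock });

# login request: in a real controller these are $c->sessionid and
# $c->req->address, and the password is the one just passed to
# $c->authenticate
$ring->store('sess-abc', 'constructed-password', '192.0.2.10');

# later request from the same client: the password is available for a
# fresh Net::LDAP bind as the user
$clock += 60;
printf "same client, 1 min later: %s\n",
    defined $ring->fetch('sess-abc', '192.0.2.10') ? 'found' : 'missing';

# the same session id presented from another address: refused and evicted
printf "other address:            %s\n",
    defined $ring->fetch('sess-abc', '198.51.100.7') ? 'found' : 'missing';

# after the eviction the legitimate client has to log in again
printf "same client afterwards:   %s\n",
    defined $ring->fetch('sess-abc', '192.0.2.10') ? 'found' : 'missing';

# and an idle entry disappears on its own once the TTL has passed
$ring->store('sess-abc', 'constructed-password', '192.0.2.10');
$clock += 301;
printf "same client after TTL:    %s\n",
    defined $ring->fetch('sess-abc', '192.0.2.10') ? 'found' : 'missing';
```

Wired into the application as the thread describes it (this is how the example is meant to be used, not something the modules do for you), the login action calls `$ring->store($c->sessionid, $password, $c->req->address)` after `$c->authenticate` succeeds, a later action calls `fetch` with the same two request values and, on success, opens its own `Net::LDAP` connection and binds with the user's DN and the returned password instead of relying on `$c->user->ldap_connection`, and the logout action calls `forget`. The session then carries nothing more sensitive than its id. The store still holds a plaintext bind password server-side, which is the trade-off Francisco's key-ring makes: keep the memcached instance on a private interface, keep the TTL short, and treat a fetch refused for an address mismatch as a signal worth logging.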