[Catalyst] Catalyst and LDAP with sessions

Peter Karman peter at peknet.com
Mon Mar 5 03:41:51 GMT 2012


Birger Burkhardt wrote on 2/28/12 7:48 AM:
> Hi Francisco,
> 
> I am not quite sure if it could be done using existing classes/modules. Can you please have a look 
> at both of the following links? Are you sure I have to implement the storage of the password in a 
> memcached server?
> 
> http://cpansearch.perl.org/src/BOBTFISH/Catalyst-Model-LDAP-FromAuthentication-0.02/README
> 
> According to this changelog (see entry in Version 1.007):
> http://cpan.uwinnipeg.ca/htdocs/Catalyst-Authentication-Store-LDAP/Changes.html
> 
> the user object has to be serialized and stored in the session to be used for further connects to the 
> LDAP server.

No need to store the user credentials or object separately, unless you have
other needs (as Birger seems to). The fix in 1.007 mentioned here:

https://rt.cpan.org/Ticket/Display.html?id=53279#txn-734373

was for the case where the User object was being stored in the session. That
isn't done by default (as I mentioned earlier in this thread).

Birger, it seems like your use case is a little different than what the LDAP
authn module assumes. You don't just want to do initial authn and then create a
Catalyst-specific session/cookie; that's what the module does. Instead you seem
to want to re-bind at every HTTP request as the logged-in user, in order to
perform subsequent LDAP actions that go beyond simple authentication. You can do
that with the LDAP authn module, but that isn't its original intent.

I'd suggest explicitly storing the user's credentials in the session on initial
login, and 2-way encrypting the password so that you can decrypt it out each
time you need to bind to your LDAP server (maybe in an auto() method in your
affected controller(s)). I use Crypt::CBC for that in my apps (mostly because I
am able to use the same algorithm from both PHP and Perl), but I am sure there
are other 2-way encryption modules that would work just as well.



-- 
Peter Karman  .  http://peknet.com/  .  peter at peknet.com
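
The approach suggested above, as an added example that is not part of the original post or of any Catalyst module: encrypt the password with Crypt::CBC at login, keep only the encrypted form in the session, and decrypt it when a bind is needed. It assumes Crypt::CBC 3.x with CryptX installed; the HMAC step, the `%session` hash standing in for `$c->session`, the helper names, the environment variable names and all credentials are constructed for illustration.

```perl
use strict;
use warnings;
use Crypt::CBC;                        # CPAN module named in the post (3.x API assumed)
use Digest::SHA qw(hmac_sha256_hex);   # core module

# Assumption: secrets live in server-side configuration, never in the session.
my $ENC_SECRET = $ENV{DEMO_ENC_SECRET} // 'constructed-demo-encryption-secret';
my $MAC_SECRET = $ENV{DEMO_MAC_SECRET} // 'constructed-demo-mac-secret';

sub cipher {
    return Crypt::CBC->new(
        -pass   => $ENC_SECRET,
        -cipher => 'Cipher::AES',
        -pbkdf  => 'pbkdf2',
    );
}

# Encrypt, then MAC the ciphertext: CBC alone does not detect tampering.
sub seal_password {
    my ($plain) = @_;
    my $ct = cipher()->encrypt_hex($plain);   # fresh random salt per call
    return { ct => $ct, mac => hmac_sha256_hex($ct, $MAC_SECRET) };
}

# Returns the password, or undef if the stored blob is missing or was altered.
sub open_password {
    my ($blob) = @_;
    return undef unless ref($blob) eq 'HASH' && defined $blob->{ct} && defined $blob->{mac};
    my $expect = hmac_sha256_hex($blob->{ct}, $MAC_SECRET);
    return undef unless length($blob->{mac}) == length($expect);
    my $diff = 0;                              # compare without early exit
    $diff |= ord(substr($expect, $_, 1)) ^ ord(substr($blob->{mac}, $_, 1))
        for 0 .. length($expect) - 1;
    return $diff ? undef : cipher()->decrypt_hex($blob->{ct});
}

# %session stands in for $c->session; the credentials are constructed samples.
my %session;
$session{ldap_user} = 'uid=demo,ou=people,dc=example,dc=org';
$session{ldap_pass} = seal_password('constructed-sample-password');   # at login

# Later request (e.g. in auto()): recover the password just before the LDAP bind.
my $pw = open_password($session{ldap_pass});
print defined $pw ? "recovered password for $session{ldap_user}\n" : "re-login required\n";

# A modified ciphertext is rejected instead of being decrypted.
$session{ldap_pass}{ct} =~ tr/0-9a-f/1-9a-f0/;
print defined open_password($session{ldap_pass}) ? "accepted\n" : "tamper detected\n";
```

Anyone who can read both the session store and the application secrets can recover the password, so the secrets belong in configuration that the session backend cannot reach.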


