[Catalyst] LDAP question

Luis Muñoz luisemunoz at gmail.com
Mon May 21 16:18:48 GMT 2012

On May 21, 2012, at 12:02 PM, Kenneth S Mclane wrote:

> I have no control over the LDAP server, How would I change things so the submitted username and password would be inserted as the credentials to be used as the initial bind? 

You use that from the client.

Below is a snippet from a configuration file from a tool we use at $work for managing LDAP entries. It works in the way I described before.

Pay attention to the binddn (the account to do the initial bind) and basedn (the place where you begin your search for a matching username, using the filter expression). Start simple and build up your expression to narrow down the tuples that it can retrieve. I'm pro very strict filters based on object types, but there are perhaps other opinions.

Best regards



# Configure the authentication subsystem. This is the component that
# validates the current password for change requests. This service is
# provided by Catalyst::Authentication::Store::LDAP.
# The ldap realm is mandatory, as this is used not only for
# authentication but for access to the user's LDAP entry, both for
# searching and for updating it. This means that we need to use a
# binddn with enough privileges to read and write to the
# directory. It's not enough to rely on the users' credentials for
# rebinding, because in the case of a password recovery, we don't have
# user credentials.

  default_realm: ldap
        class:          Password
        password_field: password
        password_type:  self_check
        class:          LDAP
        ldap_server:    localhost:3389
        binddn:         cn=your_initial_id,dc=domain,dc=com,dc=INVALID
        bindpw:         Y0urS3cr3tB!ndP@$sw0rd
        user_basedn:    ou=The,ou=Container,ou=Hierarchy,dc=domain,dc=com,dc=INVALID
        user_filter:    (&(objectClass=inetOrgPerson)(|(uid=%s)(email=%s)))
        user_field:     uid
        use_roles:      0

More information about the Catalyst mailing list