[Catalyst] LDAP question
Luis Muñoz
luisemunoz at gmail.com
Mon May 21 16:18:48 GMT 2012
On May 21, 2012, at 12:02 PM, Kenneth S Mclane wrote:
> I have no control over the LDAP server. How would I change things so the submitted username and password would be inserted as the credentials to be used as the initial bind?
You use that from the client.
Below is a snippet from a configuration file from a tool we use at $work for managing LDAP entries. It works in the way I described before.
Pay attention to the binddn (the account to do the initial bind) and basedn (the place where you begin your search for a matching username, using the filter expression). Start simple and build up your expression to narrow down the tuples that it can retrieve. I'm pro very strict filters based on object types, but there are perhaps other opinions.
Best regards
-lem
--8<----
# Configure the authentication subsystem. This is the component that
# validates the current password for change requests. This service is
# provided by Catalyst::Authentication::Store::LDAP.
#
# The ldap realm is mandatory, as this is used not only for
# authentication but for access to the user's LDAP entry, both for
# searching and for updating it. This means that we need to use a
# binddn with enough privileges to read and write to the
# directory. It's not enough to rely on the users' credentials for
# rebinding, because in the case of a password recovery, we don't have
# user credentials.
authentication:
  default_realm: ldap
  realms:
    ldap:
      credential:
        class: Password
        password_field: password
        password_type: self_check
      store:
        class: LDAP
        ldap_server: localhost:3389
        binddn: cn=your_initial_id,dc=domain,dc=com,dc=INVALID
        bindpw: Y0urS3cr3tB!ndP@$sw0rd
        user_basedn: ou=The,ou=Container,ou=Hierarchy,dc=domain,dc=com,dc=INVALID
        user_filter: (&(objectClass=inetOrgPerson)(|(uid=%s)(email=%s)))
        user_field: uid
        use_roles: 0
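An added example, not part of the post above and not code from Catalyst::Authentication::Store::LDAP, showing what has to happen to the submitted username before it is dropped into the `%s` placeholders of a user_filter like the one in the snippet. It assumes that every `%s` receives the same submitted value and that the value is an assertion value in the sense of RFC 4515, so the characters `\`, `*`, `(`, `)` and NUL must be hex-escaped; whether the store module you run performs this escaping itself is something to verify against its source, and the `filter_shape_preserved` check is one way to spot a value that has changed the structure of the filter.

```python
# Added example (not from the original post or from
# Catalyst::Authentication::Store::LDAP).  Shows how a submitted username
# must be escaped before it is substituted into a user_filter template,
# and why: unescaped '*' or ')' change the meaning of the search filter.

# The filter from the posted configuration.
USER_FILTER = "(&(objectClass=inetOrgPerson)(|(uid=%s)(email=%s)))"

# RFC 4515 section 3: these characters are encoded as backslash + two hex
# digits when they appear inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Characters that carry structural meaning in a filter when left raw.
_METACHARS = "()*"


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_user_filter(template: str, username: str, escape: bool = True) -> str:
    """Fill every %s in the template with the submitted username.

    Assumption (not verified against the module): each %s receives the
    same value.  escape=False reproduces a naive substitution for contrast.
    """
    value = escape_filter_value(username) if escape else username
    return template.replace("%s", value)


def _metachar_counts(filter_text: str) -> dict:
    return {ch: filter_text.count(ch) for ch in _METACHARS}


def filter_shape_preserved(template: str, rendered: str) -> bool:
    """True if substitution added no raw parentheses or wildcards.

    A correctly escaped value contributes only \\XX sequences, so the count
    of raw '(' ')' '*' in the rendered filter equals that of the template.
    """
    return _metachar_counts(template) == _metachar_counts(rendered)


if __name__ == "__main__":
    # Constructed sample inputs: an ordinary login name and a wildcard.
    for submitted in ("kmclane", "*", "x)(uid=*"):
        safe = render_user_filter(USER_FILTER, submitted)
        naive = render_user_filter(USER_FILTER, submitted, escape=False)
        print(f"submitted={submitted!r}")
        print(f"  escaped : {safe}  shape ok={filter_shape_preserved(USER_FILTER, safe)}")
        print(f"  naive   : {naive}  shape ok={filter_shape_preserved(USER_FILTER, naive)}")
```

With a naive substitution a submitted username of `*` turns the filter into `(|(uid=*)(email=*))`, which matches every inetOrgPerson under user_basedn instead of one account; the escaped form `(uid=\2a)` matches only a literal asterisk. Combined with Luis's advice to keep the filter strict on object class and the basedn narrow, a search that returns anything other than exactly one entry is a condition the application should refuse to proceed on rather than take the first result.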
More information about the Catalyst mailing list