[Catalyst] LDAP question

Robert Wohlfarth rbwohlfarth at gmail.com
Mon May 21 16:18:53 GMT 2012

On Mon, May 21, 2012 at 11:03 AM, Luis Mu=F1oz <luisemunoz at gmail.com> wrote:

> On May 21, 2012, at 11:42 AM, Robert Wohlfarth wrote:
> > The standard Catalyst::Authentication::Store::LDAP does not work with
> this model.
> I've been told that the "right" way to do authentication against LDAP is
> * bind with a read-only set of credentials
> * Lookup the user's entry (here is where you apply your base and filters)
> * Try to bind with the just-found DN and the user-supplied password
> The first set of credentials has just enough privileges (via ACLs) so that
> only the required search can be performed. This scheme has the advantage =
> not allowing annon bound sessions to search your tree while supporting us=
> hierarchies (that can change as the directory is reorganized).

Yes, that is the best way. And Catalyst::Authentication::Store::LDAP works
like this.

For whatever reason, the LDAP server I used was not configured like that.
Or more accurately, I could not find the "read-only set of credentials".
And yes, the LDAP server has a large, flat list of people all with the same
"dn". Like Kenneth, I don't control the LDAP server and cannot change how
it's configured. Bummer, huh?

-- =

Robert Wohlfarth
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.scsys.co.uk/pipermail/catalyst/attachments/20120521/f8e6f=

More information about the Catalyst mailing list