[Catalyst] LDAP question

Robert Wohlfarth rbwohlfarth at gmail.com
Mon May 21 16:18:53 GMT 2012


On Mon, May 21, 2012 at 11:03 AM, Luis Muñoz <luisemunoz at gmail.com> wrote:

>
> On May 21, 2012, at 11:42 AM, Robert Wohlfarth wrote:
>
> > The standard Catalyst::Authentication::Store::LDAP does not work with
> this model.
>
> I've been told that the "right" way to do authentication against LDAP is
>
> * bind with a read-only set of credentials
> * Lookup the user's entry (here is where you apply your base and filters)
> * Try to bind with the just-found DN and the user-supplied password
>
> The first set of credentials has just enough privileges (via ACLs) so that
> only the required search can be performed. This scheme has the advantage of
> not allowing anonymously bound sessions to search your tree while supporting user
> hierarchies (that can change as the directory is reorganized).
>

Yes, that is the best way. And Catalyst::Authentication::Store::LDAP works
like this.

For whatever reason, the LDAP server I used was not configured like that.
Or more accurately, I could not find the "read-only set of credentials".
And yes, the LDAP server has a large, flat list of people all with the same
"dn". Like Kenneth, I don't control the LDAP server and cannot change how
it's configured. Bummer, huh?

-- 

Robert Wohlfarth
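The bind / search / re-bind recipe quoted above, written out with Net::LDAP as an added example (this is not code from the thread or from Catalyst::Authentication::Store::LDAP). The server URI, search base, login attribute, extra filter and the read-only service account DN are all assumptions. It goes one step past the quoted text: the second subroutine shows the only option left when, as in the reply above, there is no service account to search with and every user sits directly under one base with the same RDN attribute, namely building the DN from a template and binding as it.

```perl
#!/usr/bin/env perl
# Added example, not the module's own code. All names in %cfg are assumed.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value escape_dn_value);

my %cfg = (
    uri          => 'ldaps://ldap.example.com',      # assumed; LDAPS (or start_tls), never cleartext
    base         => 'ou=People,dc=example,dc=com',   # assumed search base
    user_attr    => 'uid',                           # assumed login attribute
    filter       => '(objectClass=inetOrgPerson)',   # assumed extra restriction on the search
    service_dn   => 'cn=catalyst-ro,ou=Services,dc=example,dc=com',  # assumed read-only account
    service_pass => $ENV{LDAP_SERVICE_PASSWORD} // '',
);

# Steps 1-3 of the quoted recipe. Returns the user's DN on success, undef otherwise.
sub authenticate {
    my ($username, $password) = @_;

    # An empty password turns the final bind into an *unauthenticated* bind
    # (RFC 4513, 5.1.2), which the server accepts. Refuse it before going on the wire.
    return undef unless defined $username && length $username;
    return undef unless defined $password && length $password;

    my $ldap = Net::LDAP->new($cfg{uri}, version => 3)
        or die "cannot connect to $cfg{uri}: $@";

    # Step 1: bind with the read-only service credentials.
    my $mesg = $ldap->bind($cfg{service_dn}, password => $cfg{service_pass});
    die 'service bind failed: ' . $mesg->error if $mesg->code;

    # Step 2: look up the user's entry under the configured base and filter.
    # Escape the login so a value like "*)(uid=*" cannot widen the filter.
    my $login = escape_filter_value($username);
    $mesg = $ldap->search(
        base   => $cfg{base},
        scope  => 'sub',
        filter => "(&$cfg{filter}($cfg{user_attr}=$login))",
        attrs  => ['1.1'],   # "1.1" requests no attributes; only the DN is needed
    );
    die 'search failed: ' . $mesg->error if $mesg->code;

    # Zero matches is an unknown user; more than one is ambiguous. Both fail.
    my @entries = $mesg->entries;
    if (@entries != 1) {
        $ldap->unbind;
        return undef;
    }
    my $user_dn = $entries[0]->dn;

    # Step 3: prove the password by binding as the DN the directory returned.
    $mesg = $ldap->bind($user_dn, password => $password);
    $ldap->unbind;
    return $mesg->code ? undef : $user_dn;
}

# Flat-tree variant: no searchable service account, every user is
# "<user_attr>=<login>,<base>". Build the DN and bind as it directly.
# escape_dn_value keeps "," or "+" in the login from rewriting the DN.
sub authenticate_flat {
    my ($username, $password) = @_;
    return undef unless defined $username && length $username;
    return undef unless defined $password && length $password;

    my $user_dn = sprintf '%s=%s,%s',
        $cfg{user_attr}, escape_dn_value($username), $cfg{base};

    my $ldap = Net::LDAP->new($cfg{uri}, version => 3)
        or die "cannot connect to $cfg{uri}: $@";
    my $mesg = $ldap->bind($user_dn, password => $password);
    $ldap->unbind;
    return $mesg->code ? undef : $user_dn;
}

if (!caller) {
    my ($u, $p) = @ARGV;
    my $dn = authenticate($u, $p) // authenticate_flat($u, $p);
    print defined $dn ? "authenticated as $dn\n" : "authentication failed\n";
}
```

The three checks that matter in either variant are the same: refuse an empty password so the server never performs an unauthenticated bind on the user's behalf, escape anything user-supplied that ends up in a filter or a DN, and insist on exactly one search result before the second bind. The flat-tree variant loses what the quoted message calls support for user hierarchies: if the directory is ever reorganized so that users are no longer all directly under `base`, the constructed DN stops matching and every login fails.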

