FAQ
Hi all,

I'm starting on a new project at $work and I wanted to try LDAP
authentication against Active Directory. After a bit of exploring the LDAP
tree with JXplorer I figured out the right dn/cn/etc to do my authentication
(we have an odd tree apparently). Authentication now works (with a
user_prepend patch)! BUT C::P::A::LDAP is not compliant with the new and
improved C::P::Authentication. What would be involved in bringing it up to
speed? I could probably do it at $work and contribute the results back if I
ask nicely. I suspect it will mostly be using $c->user instead of
$c->request->{user}.

I've been using catalyst for a while now, but have not done any plugin
hacking before.

Thanks,
Drew
--
----------------------------------------------------------------
Drew Taylor * Web development & consulting
Email: drew at drewtaylor.com * Site implementation & hosting
Web : www.drewtaylor.com * perl/mod_perl/DBI/mysql/postgres
----------------------------------------------------------------


  • Adam Jacob at Jun 5, 2006 at 6:44 pm

    On Jun 5, 2006, at 11:10 AM, Drew Taylor wrote:
    I'm starting on a new project at $work and I wanted to try LDAP
    authentication against Active Directory. After a bit of exploring
    the LDAP tree with JXplorer I figured out the right dn/cn/etc to do
    my authentication (we have an odd tree apparently). Authentication
    now works (with a user_prepend patch)! BUT C::P::A::LDAP is not
    compliant with the new and improved C::P::Authentication. What
    would be involved in bringing it up to speed? I could probably do
    it at $work and contribute the results back if I ask nicely. I
    suspect it will mostly be using $c->user instead of $c->request->
    {user}.

    I've been using catalyst for a while now, but have not done any
    plugin hacking before.

    You want to use Catalyst::Plugin::Authentication::Store::LDAP.

    http://search.cpan.org/~holoway/Catalyst-Plugin-Authentication-Store-LDAP-0.04/

    It works with the new Authentication/Authorization modules, and
    should be flexible enough to do what you need. If it's not, I'm the
    maintainer, so feel free to send patches to the list. (or to me
    privately)

    Adam
  • Drew Taylor at Jun 5, 2006 at 7:09 pm

    On 6/5/06, Adam Jacob wrote:
    On Jun 5, 2006, at 11:10 AM, Drew Taylor wrote:
    I'm starting on a new project at $work and I wanted to try LDAP
    authentication against Active Directory. After a bit of exploring
    the LDAP tree with JXplorer I figured out the right dn/cn/etc to do
    my authentication (we have an odd tree apparently). Authentication
    now works (with a user_prepend patch)! BUT C::P::A::LDAP is not
    compliant with the new and improved C::P::Authentication. What
    would be involved in bringing it up to speed? I could probably do
    it at $work and contribute the results back if I ask nicely. I
    suspect it will mostly be using $c->user instead of $c->request->
    {user}.

    I've been using catalyst for a while now, but have not done any
    plugin hacking before.

    You want to use Catalyst::Plugin::Authentication::Store::LDAP.

    http://search.cpan.org/~holoway/Catalyst-Plugin-Authentication-Store-LDAP-0.04/

    It works with the new Authentication/Authorization modules, and
    should be flexible enough to do what you need. If it's not, I'm the
    maintainer, so feel free to send patches to the list. (or to me
    privately)

    Thanks Adam. I found your module independently about 15 minutes ago and am
    working on configuring it for our Active Directory tree. Luckily
    C::P::A::LDAP's default config is for AD (otherwise I probably would have
    been hopelessly lost) so I might be able to contribute back a good AD config
    example. For example, the uid field in our tree is completely unused -
    uid==samaccountname for AD.

    I'm sure I'll have feedback for you. :-)

    Thanks,
    Drew
    --
    ----------------------------------------------------------------
    Drew Taylor * Web development & consulting
    Email: drew at drewtaylor.com * Site implementation & hosting
    Web : www.drewtaylor.com * perl/mod_perl/DBI/mysql/postgres
    ----------------------------------------------------------------
    -------------- next part --------------
    An HTML attachment was scrubbed...
    URL: http://lists.rawmode.org/pipermail/catalyst/attachments/20060605/a0b3bef6/attachment.htm
  • Adam Jacob at Jun 5, 2006 at 7:24 pm

    On Jun 5, 2006, at 12:09 PM, Drew Taylor wrote:
    Thanks Adam. I found your module independently about 15 minutes ago
    and am working on configuring it for our Active Directory tree.
    Luckily C::P::A::LDAP's default config is for AD (otherwise I
    probably would have been hopelessly lost) so I might be able to
    contribute back a good AD config example. For example, the uid
    field in our tree is completely unused - uid==samaccountname for AD.

    I'm sure I'll have feedback for you. :-)

    Awesome! Doc patches are always great!

    Adam
  • Drew Taylor at Jun 5, 2006 at 8:13 pm

    On 6/5/06, Adam Jacob wrote:
    On Jun 5, 2006, at 12:09 PM, Drew Taylor wrote:
    Thanks Adam. I found your module independently about 15 minutes ago
    and am working on configuring it for our Active Directory tree.
    Luckily C::P::A::LDAP's default config is for AD (otherwise I
    probably would have been hopelessly lost) so I might be able to
    contribute back a good AD config example. For example, the uid
    field in our tree is completely unused - uid==samaccountname for AD.

    I'm sure I'll have feedback for you. :-)
    Awesome! Doc patches are always great!

    I got it working after one big realization: the "user_field" config option
    MUST be lowercase. This caused several "deep recursion" errors until I
    figured out how the attributes were being stored. I mentioned that
    uid==samaccountname, except in our tree it is actually spelled
    "sAMAccountName". I was using the proper punctuation, hence the errors. A
    note about that fact would be very helpful to new users. I presume this also
    applies to the "role_field" config option.

    Second, here is my user search criteria. I've left out user_basedn for
    security reasons.

    'user_filter' =>
    '(&(objectclass=user)(objectcategory=user)(samaccountname=%s*))',
    'user_scope' => 'sub',
    'user_field' => 'samaccountname',

    I'm using the same criteria for roles:

    'role_filter' =>
    '(&(objectclass=user)(objectcategory=user)(samaccountname=%s*))',
    'role_scope' => 'sub',
    'role_field' => 'memberOf',
    'role_value' => 'samaccountname',
    'role_search_options' => {
    'deref' => 'always',
    },

    I have run into one problem with roles: we're using "memberOf" for roles.
    This is a multi-valued entry so you need the following patch to get all the
    values:

    Drew-iMac:~ dtaylor$ diff -u
    /Library/Perl/5.8.6/Catalyst/Plugin/Authentication/Store/LDAP/Backend.pm.orig
    /Library/Perl/5.8.6/Catalyst/Plugin/Authentication/Store/LDAP/Backend.pm

    ---
    /Library/Perl/5.8.6/Catalyst/Plugin/Authentication/Store/LDAP/Backend.pm.orig
    2006-06-05 16:04:17.000000000 -0400
    +++
    /Library/Perl/5.8.6/Catalyst/Plugin/Authentication/Store/LDAP/Backend.pm
    2006-06-05 16:04:47.000000000 -0400
    @@ -316,9 +316,9 @@
    my $rolesearch = $ldap->search(@searchopts);
    my @roles;
    RESULT: while (my $entry = $rolesearch->pop_entry) {
    - my ($role) = $entry->get_value($self->role_field);
    - if ($role) {
    - push(@roles, $role);
    + my (@userroles) = $entry->get_value($self->role_field);
    + if (@userroles) {
    + push(@roles, @userroles);
    } else {
    next RESULT;
    }
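    Review bot: switching `get_value` to list context is the right fix for a multi-valued attribute like memberOf, but note that the loop still pops every entry the search returned, and with the role_filter shown above (`samaccountname=%s*`, a prefix match) more than one account can match a short login, so the `push(@roles, @userroles)` now merges the group memberships of every matching entry into one list. Tighten the filter to an exact match, or stop after the first entry, so a user is only ever granted their own memberOf values; de-duplicating @roles afterwards would also be cheap insurance.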

    With that patch, I'm golden! Thanks for your work.

    Now for a feature request: I don't have a dedicated LDAP login I can use for
    the initial bind and user lookup. But I can use my actual AD login to bind.
    I would really like an option to be able to use the user for both binds. I'm
    not sure how that would work because AD (at least for Windows 2003 server)
    requires the login in the form "domain\username". Perhaps a new option for a
    prepend value? Just thinking out loud at this point...

    Drew
    --
    ----------------------------------------------------------------
    Drew Taylor * Web development & consulting
    Email: drew at drewtaylor.com * Site implementation & hosting
    Web : www.drewtaylor.com * perl/mod_perl/DBI/mysql/postgres
    ----------------------------------------------------------------
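As an added example (not code from this thread or from the plugin), the Python below models the user_filter and role handling described in the post above against constructed AD-style entries: what the trailing `*` in the filter does to matching, why the attribute name has to be compared case-insensitively, and how memberOf comes back multi-valued. The RFC 4515 escaping of the login value is an addition not in the post.

```python
USER_FILTER_TMPL = "(&(objectclass=user)(objectcategory=user)(samaccountname=%s))"

# Constructed sample entries, shaped like Net::LDAP results (every value is a
# list, attribute names in AD's mixed case). Not real directory data.
ENTRIES = [
    {"sAMAccountName": ["jo"], "objectCategory": ["user"],
     "memberOf": ["CN=Developers,OU=Groups,DC=example,DC=com",
                  "CN=VPN Users,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": ["john"], "objectCategory": ["user"],
     "memberOf": ["CN=Domain Admins,CN=Users,DC=example,DC=com"]},
    {"sAMAccountName": ["svc-backup"], "objectCategory": ["user"], "memberOf": []},
]

# RFC 4515 escapes: a submitted login can no longer open, close or wildcard terms.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login, prefix_match=False):
    """Filter string that would be sent. prefix_match=True reproduces the post's
    trailing '*', which turns the samaccountname equality test into a prefix match."""
    term = escape_filter_value(login) + ("*" if prefix_match else "")
    return USER_FILTER_TMPL % term


def get_values(entry, attr):
    """Case-insensitive lookup: LDAP attribute names are not case sensitive,
    which is why the plugin's user_field must be given in lowercase."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return list(values)
    return []


def matching_logins(login, prefix_match=False):
    """Evaluate only the samaccountname term of the filter against ENTRIES."""
    needle, hits = login.lower(), []
    for entry in ENTRIES:
        for name in get_values(entry, "samaccountname"):
            low = name.lower()
            if (low.startswith(needle) if prefix_match else low == needle):
                hits.append(name)
    return hits


def roles_for(login):
    """All memberOf values of the exactly matching entry (list context, as in the patch)."""
    roles = []
    for entry in ENTRIES:
        if login.lower() in [n.lower() for n in get_values(entry, "samaccountname")]:
            roles.extend(get_values(entry, "memberOf"))
    return roles
```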
