I am attempting to authenticate against the LDAP server used for our
Unix authentication environment. A user entry looks like:

dn: uid=uname,ou=People,dc=company,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: uname
sn: LastName
givenName: FirstName
cn: uname
userPassword: {crypt}sFBVlCCFXromo
loginShell: /bin/csh
uidNumber: 7904
gidNumber: 6062
homeDirectory: /user/uname
gecos: FirstName LastName
mail: email@email.com
displayName: LastName, FirstName
telephoneNumber: 555

I have configured authentication using:



use Catalyst qw/-Debug ConfigLoader Static::Simple
                Session
                Session::State::Cookie
                Session::Store::FastMmap
                Authentication/;

__PACKAGE__->config(
    'authentication' => {
        default_realm => "ldap",
        realms => {
            ldap => {
                credential => {
                    class          => "Password",
                    password_field => "userPassword",
                    password_type  => "crypted",
                },
                store => {
                    class               => "LDAP",
                    binddn              => "cn=proxyagent,ou=profile,dc=xyz,dc=company,dc=com",
                    bindpw              => "proxy",
                    ldap_server         => "my.host.name",
                    ldap_server_options => { timeout => 30 },
                    start_tls           => 0,
                    use_roles           => 0,
                    user_basedn         => "ou=People,dc=company,dc=com",
                    user_field          => "uid",
                    user_filter         => "(&(objectClass=posixAccount)(uid=%s))",
                    user_scope          => "one",
                    user_search_options => { attrs => ['*'] },
                },
            },
        },
    },
);



Reusing some of the code from "The Book" I have implemented a login
action:



sub login : Global Form {
    my ($self, $c) = @_;
    my $form = $self->formbuilder;

    return unless $form->submitted && $form->validate;

    if ($c->authenticate({username => $form->field('username'),
                          password => $form->field('password')})) {
        $c->flash->{message} = "Logged in successfully.";
        $c->res->redirect($c->uri_for('/'));
        $c->detach;
    }
    else {
        $c->stash->{error} = "Login failed.";
    }
}



I have tested the C::A::Store::LDAP ability to talk to the server by
first using a bogus hostname (which generated an error) and putting a
bogus password in for my proxy account (which generated an error) so I
know that the issue is with the final phase of testing the user's
password hash. From the debug output of the server I see this happen
when trying to authenticate:



[CGI::FormBuilder::Field::validate] (debug1) password: validation passed
[CGI::FormBuilder::validate] (debug1) validation done, ok = 1 (should be 1)
[CGI::FormBuilder::field] (debug2) called $form->field(username)
[CGI::FormBuilder::field] (debug2) searching fields for 'username'
[CGI::FormBuilder::Field::value] (debug2) username: called $field->value()
[CGI::FormBuilder::Field::value] (debug2) username: sticky && ! force
[CGI::FormBuilder::Field::cgi_value] (debug2) username: called $field->cgi_value
[CGI::FormBuilder::Field::cgi_value] (debug2) username: cgi value = (uname)
[CGI::FormBuilder::Field::value] (debug1) username: returning value (uname)
[CGI::FormBuilder::Field::inflate_value] (debug2) username: called $field->inflate_value
[CGI::FormBuilder::field] (debug2) called $form->field(password)
[CGI::FormBuilder::field] (debug2) searching fields for 'password'
[CGI::FormBuilder::Field::value] (debug2) password: called $field->value()
[CGI::FormBuilder::Field::value] (debug2) password: sticky && ! force
[CGI::FormBuilder::Field::cgi_value] (debug2) password: called $field->cgi_value
[CGI::FormBuilder::Field::cgi_value] (debug2) password: cgi value = (sdfd)
[CGI::FormBuilder::Field::value] (debug1) password: returning value (sdfd)
[CGI::FormBuilder::Field::inflate_value] (debug2) password: called $field->inflate_value
Use of uninitialized value in crypt at /usr/lib/perl5/site_perl/5.8.8/Catalyst/Authentication/Credential/Password.pm line 69.
Use of uninitialized value in crypt at /usr/lib/perl5/site_perl/5.8.8/Catalyst/Authentication/Credential/Password.pm line 69.
Use of uninitialized value in string eq at /usr/lib/perl5/site_perl/5.8.8/Catalyst/Authentication/Credential/Password.pm line 69.
[info] *** Request 1 (0.001/s) [12951] [Wed Feb 27 10:37:32 2008] ***
[debug] Body Parameters are:
.-------------------------------------+--------------------------------------.
| Parameter                           | Value                                |
+-------------------------------------+--------------------------------------+
| _submit                             | Login                                |
| _submitted_login                    | 1                                    |
| password                            | sdfd                                 |
| username                            | matthewr                             |
'-------------------------------------+--------------------------------------|



At this point the bogus password is being verified and I am
authenticated and redirected to /, which is not correct. Can anyone see
what I am doing wrong?



Thanks,

Matt








  • Jay K at Feb 27, 2008 at 8:01 pm
    Follow up for the list.

    The first issue here is that Credential::Password expects you to pass
    the password field name to authenticate, not just 'password'. So if
    your password_field is 'userPassword', as it is below, your
    authenticate call should reflect that. The same goes for the user id
    field. So the authenticate call for the config below should actually
    be:

    $c->authenticate({ uid => $username,
    userPassword => $password });


    I've added a note to the C::P::Auth docs to call that out more clearly.

    Jay
    On Feb 27, 2008, at 11:42 AM, Richardson, Matthew wrote:

    I am attempting to authenticate against the LDAP server used for our
    Unix authentication environment. A user entry looks like:

    dn: uid=uname,ou=People,dc=company,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: uname
    sn: LastName
    givenName: FirstName
    cn: uname
    userPassword: {crypt}sFBVlCCFXromo
    loginShell: /bin/csh
    uidNumber: 7904
    gidNumber: 6062
    homeDirectory: /user/uname
    gecos: FirstName LastName
    mail: email@email.com
    displayName: LastName, FirstName
    telephoneNumber: 555

    I have configured authentication using:

    use Catalyst qw/-Debug ConfigLoader Static::Simple
                    Session
                    Session::State::Cookie
                    Session::Store::FastMmap
                    Authentication/;

    __PACKAGE__->config(
        'authentication' => {
            default_realm => "ldap",
            realms => {
                ldap => {
                    credential => {
                        class          => "Password",
                        password_field => "userPassword",
                        password_type  => "crypted",
                    },
                    store => {
                        class               => "LDAP",
                        binddn              => "cn=proxyagent,ou=profile,dc=xyz,dc=company,dc=com",
                        bindpw              => "proxy",
                        ldap_server         => "my.host.name",
                        ldap_server_options => { timeout => 30 },
                        start_tls           => 0,
                        use_roles           => 0,
                        user_basedn         => "ou=People,dc=company,dc=com",
                        user_field          => "uid",
                        user_filter         => "(&(objectClass=posixAccount)(uid=%s))",
                        user_scope          => "one",
                        user_search_options => { attrs => ['*'] },
                    },
                },
            },
        },
    );

    Reusing some of the code from "The Book" I have implemented a login
    action:

    sub login : Global Form {
        my ($self, $c) = @_;
        my $form = $self->formbuilder;

        return unless $form->submitted && $form->validate;

        if ($c->authenticate({username => $form->field('username'),
                              password => $form->field('password')})) {
            $c->flash->{message} = "Logged in successfully.";
            $c->res->redirect($c->uri_for('/'));
            $c->detach;
        }
        else {
            $c->stash->{error} = "Login failed.";
        }
    }

    I have tested the C::A::Store::LDAP ability to talk to the server by
    first using a bogus hostname (which generated an error) and putting
    a bogus password in for my proxy account (which generated an error)
    so I know that the issue is with the final phase of testing the
    user's password hash. From the debug output of the server I see
    this happen when trying to authenticate:

    [CGI::FormBuilder::Field::validate] (debug1) password: validation passed
    [CGI::FormBuilder::validate] (debug1) validation done, ok = 1 (should be 1)
    [CGI::FormBuilder::field] (debug2) called $form->field(username)
    [CGI::FormBuilder::field] (debug2) searching fields for 'username'
    [CGI::FormBuilder::Field::value] (debug2) username: called $field->value()
    [CGI::FormBuilder::Field::value] (debug2) username: sticky && ! force
    [CGI::FormBuilder::Field::cgi_value] (debug2) username: called $field->cgi_value
    [CGI::FormBuilder::Field::cgi_value] (debug2) username: cgi value = (uname)
    [CGI::FormBuilder::Field::value] (debug1) username: returning value (uname)
    [CGI::FormBuilder::Field::inflate_value] (debug2) username: called $field->inflate_value
    [CGI::FormBuilder::field] (debug2) called $form->field(password)
    [CGI::FormBuilder::field] (debug2) searching fields for 'password'
    [CGI::FormBuilder::Field::value] (debug2) password: called $field->value()
    [CGI::FormBuilder::Field::value] (debug2) password: sticky && ! force
    [CGI::FormBuilder::Field::cgi_value] (debug2) password: called $field->cgi_value
    [CGI::FormBuilder::Field::cgi_value] (debug2) password: cgi value = (sdfd)
    [CGI::FormBuilder::Field::value] (debug1) password: returning value (sdfd)
    [CGI::FormBuilder::Field::inflate_value] (debug2) password: called $field->inflate_value
    Use of uninitialized value in crypt at /usr/lib/perl5/site_perl/5.8.8/Catalyst/Authentication/Credential/Password.pm line 69.
    Use of uninitialized value in crypt at /usr/lib/perl5/site_perl/5.8.8/Catalyst/Authentication/Credential/Password.pm line 69.
    Use of uninitialized value in string eq at /usr/lib/perl5/site_perl/5.8.8/Catalyst/Authentication/Credential/Password.pm line 69.
    [info] *** Request 1 (0.001/s) [12951] [Wed Feb 27 10:37:32 2008] ***
    [debug] Body Parameters are:
    .-------------------------------------+--------------------------------------.
    | Parameter                           | Value                                |
    +-------------------------------------+--------------------------------------+
    | _submit                             | Login                                |
    | _submitted_login                    | 1                                    |
    | password                            | sdfd                                 |
    | username                            | matthewr                             |
    '-------------------------------------+--------------------------------------|

    At this point the bogus password is being verified and I am
    authenticated and redirected to /, which is not correct. Can anyone
    see what I am doing wrong?

    Thanks,
    Matt



    ---
    For most things, throwing yourself at the wall over and over is a
    better way to improve than thinking hard about the wall and taking
    pictures of it. -- D.Litwack
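
Added example (not part of either post, and not the module's own code): the three "uninitialized value" warnings in the thread show that both crypt arguments and one side of the eq comparison were undefined when the bogus password was accepted. The Perl sketch below reproduces a comparison of that shape failing open and sets it beside a hypothetical hardened variant; naive_check, strict_check and the sample hash are assumptions made for illustration, and it assumes the system crypt(3) accepts traditional two-character DES salts.

```perl
use strict;
use warnings;

# Comparison in the shape the thread's warnings point at (crypt, then string eq).
# Written for illustration; not copied from Credential::Password.
sub naive_check {
    my ($supplied, $stored) = @_;
    no warnings 'uninitialized';            # the thread's log shows these firing
    return ($stored eq crypt($supplied, $stored)) ? 1 : 0;
}

# Hypothetical hardened variant: a missing value on either side is a failure.
sub strict_check {
    my ($supplied, $stored) = @_;
    return 0 unless defined $supplied && length $supplied;
    return 0 unless defined $stored   && length $stored;
    my $hashed = crypt($supplied, $stored);
    return 0 unless defined $hashed && length $hashed;
    return ($stored eq $hashed) ? 1 : 0;
}

my $password_field = 'userPassword';        # password_field from the thread's config
my $good_hash = crypt('s3cret', 'ab');      # constructed sample hash, traditional DES salt

my @cases = (
    # [ label, authinfo passed to authenticate, stored value seen by the check ]
    [ 'wrong keys, nothing stored', { username => 'uname', password     => 'sdfd'   }, undef      ],
    [ 'right keys, wrong password', { uid      => 'uname', userPassword => 'sdfd'   }, $good_hash ],
    [ 'right keys, right password', { uid      => 'uname', userPassword => 's3cret' }, $good_hash ],
);

for my $case (@cases) {
    my ($label, $authinfo, $stored) = @$case;
    # The credential is read by the configured field name, so a hash keyed
    # on 'password' yields undef here.
    my $supplied = $authinfo->{$password_field};
    printf "%-28s naive=%d strict=%d\n", $label,
        naive_check($supplied, $stored), strict_check($supplied, $stored);
}
```

What crypt returns for an empty salt is platform-dependent; where it is an empty or undefined value, the first row prints naive=1 strict=0, which matches the accepted bogus password reported in the thread.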
