Hi,

Is it possible to use LDAP to authenticate and DBIC (a database) to handle the
user role relation? So that it works like it resides all in one storage
backend.
If yes, how do I configure that in the $application.conf?

Stephan


  • Jonathan Hall at Sep 30, 2008 at 8:26 pm
    Not directly... it's not even possible in DBIC to have relationships
    between different databases, which is essentially what you're talking
    about doing.

    You can accomplish the same thing client-side if you write your own user
    store module(s), which is not fundamentally difficult. I have done a
    similar thing for our Cat application; we authenticate via Unix accounts
    (/etc/passwd), or DBIC, or LDAP or (insert other yet-to-exist
    authentication methods). The user roles are all defined in the database.

    The user store documentation available on CPAN describes how to write
    modules such that they will interface with Catalyst properly, and it's
    not very difficult. I did my first one in half a day, having
    practically zero experience with catalyst internals at the time. (I
    have since rewritten it a time or two, and each iteration is better and
    cleaner, as you would expect).

    --
    Jonathan


    Stephan Jennewein wrote:
    > Hi,
    >
    > is it possible to use ldap to authenticate and dbic (a database) to handle the
    > user role relation ? So that it works like it resides all in one storage
    > backend.
    > If yes how do I configure that in the $application.conf ?
    >
    > Stephan

    _______________________________________________
    List: [email protected]
    Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
    Searchable archive: http://www.mail-archive.com/[email protected]/
    Dev site: http://dev.catalyst.perl.org/

  • Matt S Trout at Oct 1, 2008 at 2:07 am

    On Tue, Sep 30, 2008 at 02:26:41PM -0500, Jonathan Hall wrote:
    > Not directly... it's not even possible in DBIC to have relationships
    > between different databases, which is essentially what you're talking
    > about doing.

    Unless you count mysql as a database in which case ->table('otherdb.foo')
    works just fine.

    But yeah, DBIC's relationships are specifically things that can be JOINed.

    LDAP doesn't count. Fortunately, see my point about store and credential
    being different in auth as a possible approach. I'm poking Jay Kuri to
    elaborate and/or tell me I'm talking crap :)

    --
    Matt S Trout Need help with your Catalyst or DBIx::Class project?
    Technical Director http://www.shadowcat.co.uk/catalyst/
    Shadowcat Systems Ltd. Want a managed development or deployment platform?
    http://chainsawblues.vox.com/ http://www.shadowcat.co.uk/servers/
  • Matt S Trout at Oct 1, 2008 at 2:05 am

    On Tue, Sep 30, 2008 at 08:58:04PM +0200, Stephan Jennewein wrote:
    > Hi,
    >
    > is it possible to use ldap to authenticate and dbic (a database) to handle the
    > user role relation ? So that it works like it resides all in one storage
    > backend.
    > If yes how do I configure that in the $application.conf ?

    LDAP credential.

    DBIx::Class store.

    See authentication docs for how to configure each.

  • Tomas Doran at Oct 1, 2008 at 2:24 am

    On 1 Oct 2008, at 02:05, Matt S Trout wrote:
    > On Tue, Sep 30, 2008 at 08:58:04PM +0200, Stephan Jennewein wrote:
    >> Hi,
    >>
    >> is it possible to use ldap to authenticate and dbic (a database)
    >> to handle the user role relation ? So that it works like it resides
    >> all in one storage backend.
    >> If yes how do I configure that in the $application.conf ?
    >
    > LDAP credential.
    >
    > DBIx::Class store.
    >
    > See authentication docs for how to configure each.

    Unfortunately, there is no such thing as an LDAP credential module on
    CPAN at the moment.

    However, as noted elsewhere in this thread, coming up with one
    wouldn't be that hard.

    Splitting the current LDAP code so that it could be either a store
    and/or credential also wouldn't be hard, and I volunteer to help with
    the effort.

    I'm personally fine with the LDAP store, but I've thrown a couple of
    patches in that direction to add stuff I need, so doing a bit more
    hacking on it wouldn't push the boat out. I haven't had any response
    to these yet however, so if anyone reading could poke the Store::LDAP
    maintainer and get them to join the thread (and respond to my
    patches!), that'd be awesome...

    Cheers
    t0m
  • Peter Karman at Oct 1, 2008 at 3:11 am

    Tomas Doran wrote on 9/30/08 8:24 PM:

    > Splitting the current LDAP code so that it could be either a store
    > and/or credential also wouldn't be hard, and I volunteer to help with
    > the effort.

    yes, that's a good idea. The current LDAP auth plugin is in the Store namespace
    but does both Store and Credential right now.

    > I'm personally fine with the LDAP store, but I've thrown a couple of
    > patches in that direction to add stuff I need, so doing a bit more
    > hacking on it wouldn't push the boat out. I haven't had any response to
    > these yet however, so if anyone reading could poke the Store::LDAP
    > maintainer and get them to join the thread (and respond to my patches!),
    > that'd be awesome...

    that'd be me. I've seen the tickets; haven't yet read the patches, but in
    general the feature ideas look sane. If someone else has time to look at the
    patches, I likely won't get to it for a few more days.
  • Tomas Doran at Oct 1, 2008 at 3:27 am

    On 1 Oct 2008, at 03:11, Peter Karman wrote:

    > Tomas Doran wrote on 9/30/08 8:24 PM:
    >> so if anyone reading could poke the Store::LDAP
    >> maintainer and get them to join the thread (and respond to my
    >> patches!), that'd be awesome...
    >
    > that'd be me.

    Hi!

    > I've seen the tickets; haven't yet read the patches, but in
    > general the feature ideas look sane. If someone else has time to
    > look at the patches, I likely won't get to it for a few more days.

    No huge rush, I'm just totally spoilt by the Moose community where
    you end up finding a bug, writing a test case, and then finding it's
    been fixed in trunk already.

    As long as you're around and alive, have seen my patches 'in theory'
    and will get to them at some point then I'm more than happy to await
    your leisure..

    Cheers
    t0m
  • Peter Karman at Oct 22, 2008 at 2:58 am

    Tomas Doran wrote on 9/30/08 9:27 PM:
    > On 1 Oct 2008, at 03:11, Peter Karman wrote:
    >
    >> Tomas Doran wrote on 9/30/08 8:24 PM:
    >>> so if anyone reading could poke the Store::LDAP
    >>> maintainer and get them to join the thread (and respond to my patches!),
    >>> that'd be awesome...
    >>
    >> that'd be me.
    >
    > Hi!
    >
    >> I've seen the tickets; haven't yet read the patches, but in
    >> general the feature ideas look sane. If someone else has time to look
    >> at the patches, I likely won't get to it for a few more days.
    >
    > No huge rush, I'm just totally spoilt by the Moose community where you
    > end up finding a bug, writing a test case, and then finding it's been
    > fixed in trunk already.
    >
    > As long as you're around and alive, have seen my patches 'in theory' and
    > will get to them at some point then I'm more than happy to await your
    > leisure..

    and finally, time made itself available.

    committed to cat svn as r8570 and uploaded just now to pause as 0.1004. Thanks
    for the patches.
  • Jose Luis Martinez at Oct 1, 2008 at 3:58 pm

    Tomas Doran wrote:

    > Unfortunately, there is no such thing as an LDAP credential module on
    > CPAN at the moment.

    Catalyst::Authentication::Credential::Authen::Simple should do the
    trick.
    http://search.cpan.org/~jlmartin/Catalyst-Authentication-Credential-Authen-Simple-0.02/lib/Catalyst/Authentication/Credential/Authen/Simple.pm
    because Authen::Simple does support LDAP.


    Regards,

    Jose Luis Martinez
    [email protected]
  • Matt S Trout at Oct 2, 2008 at 1:49 am

    On Wed, Oct 01, 2008 at 04:58:51PM +0200, Jose Luis Martinez wrote:
    > Tomas Doran wrote:
    >> Unfortunately, there is no such thing as an LDAP credential module on
    >> CPAN at the moment.
    >
    > Catalyst::Authentication::Credential::Authen::Simple should do the
    > trick.
    > http://search.cpan.org/~jlmartin/Catalyst-Authentication-Credential-Authen-Simple-0.02/lib/Catalyst/Authentication/Credential/Authen/Simple.pm
    > because Authen::Simple does support LDAP.

    Fucking awesome.

    This needs to be more widely publicised, do you think you could do doc
    patches for C::P::Authentication and a wiki write up? :)

  • Jose Luis Martinez at Oct 2, 2008 at 10:57 am

    Matt S Trout wrote:
    >> Catalyst::Authentication::Credential::Authen::Simple should do the
    >> trick.
    >> http://search.cpan.org/~jlmartin/Catalyst-Authentication-Credential-Authen-Simple-0.02/lib/Catalyst/Authentication/Credential/Authen/Simple.pm
    >> because Authen::Simple does support LDAP.
    >
    > Fucking awesome.

    Thanks. :)

    > This needs to be more widely publicised, do you think you could do doc
    > patches for C::P::Authentication and a wiki write up? :)

    I'll try to get some time to do it...

    Jose Luis Martinez
    [email protected]
  • Jay Kuri at Oct 1, 2008 at 3:10 am
    Hello Stephan,

    The short answer is yes, it is possible. But you will need to do some
    work to make it happen.

    The long answer is Yeeeeeessssssss. Basically, Catalyst authentication
    is split into two pieces: Credentials and Stores. A Store finds / holds
    the users. A credential is responsible for comparing the authentication
    information with a user (somehow) and determining whether they are who
    they claim to be.

    It is possible to use LDAP to authenticate the user, but store that
    user's information in the database. Unfortunately there are not any
    LDAP credentials. There is an LDAP store, but it expects that role
    information is stored in LDAP also.

    So what you need to do is create a credential that verifies your user
    via LDAP (probably using Catalyst::Model::LDAP) and then use the
    DBIx::Class Store to store your user information. Alternately you could
    create a module that subclasses (or even just wraps) the LDAP store and
    override the role related methods to access the database.

    As someone else mentioned, the Internals doc in
    Catalyst::Plugin::Authentication explains in detail how credentials /
    stores work... I doubt you'd have much trouble.

    Let me know if you need any more information.

    JayK

    On Tue, 2008-09-30 at 20:58 +0200, Stephan Jennewein wrote:
    > Hi,
    >
    > is it possible to use ldap to authenticate and dbic (a database) to handle the
    > user role relation ? So that it works like it resides all in one storage
    > backend.
    > If yes how do I configure that in the $application.conf ?
    >
    > Stephan

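
The split the thread arrives at (an Authen::Simple credential doing the LDAP password check, the DBIx::Class store supplying the user and its roles), written out as an added example; it is not code from any poster or from the Catalyst project. The host, base DN, realm, model, relation and column names are placeholders or assumptions, as is the assumption that the credential looks the user up in the store by `username`; two files are shown in one block.

```perl
# --- lib/MyApp.pm (application and realm names are hypothetical) ---
package MyApp;
use Moose;
use Catalyst qw/Authentication Authorization::Roles/;
extends 'Catalyst';

__PACKAGE__->config(
    'Plugin::Authentication' => {
        default_realm => 'ldap_dbic',
        realms        => {
            ldap_dbic => {
                # Credential: the password is verified by LDAP only.
                credential => {
                    class  => 'Authen::Simple',
                    authen => [ {
                        class => 'LDAP',
                        args  => {    # placeholder directory values
                            host   => 'ldaps://ldap.example.com',
                            basedn => 'ou=People,dc=example,dc=com',
                        },
                    } ],
                },
                # Store: the user object and its roles come from the database.
                store => {
                    class         => 'DBIx::Class',
                    user_model    => 'DB::User',  # assumed model with a username column
                    role_relation => 'roles',     # assumed relation on the user result
                    role_field    => 'role',      # assumed column holding the role name
                },
            },
        },
    },
);
__PACKAGE__->setup;

# --- lib/MyApp/Controller/Admin.pm (hypothetical controller) ---
package MyApp::Controller::Admin;
use Moose;
BEGIN { extends 'Catalyst::Controller' }

sub login : Local {
    my ( $self, $c ) = @_;
    my ( $user, $pass ) = @{ $c->req->body_parameters }{qw/username password/};
    # Never pass an empty password on: an LDAP simple bind with an empty
    # password is an unauthenticated bind (RFC 4513) and may succeed.
    my $ok = defined $user && defined $pass && length $pass
        && $c->authenticate( { username => $user, password => $pass } );
    # $ok is false when LDAP rejects the password OR the database has no such user.
    return $c->res->status(401) unless $ok;
    # Roles are read through the DBIC relation, never from LDAP groups.
    return $c->res->status(403) unless $c->check_user_roles('admin');
    $c->res->body('admin area');
}
1;
```

With this layout an account that exists in LDAP but has no row in the database cannot log in, so access is granted only to users provisioned in both places.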

Discussion Overview
group: catalyst @
categories: catalyst, perl
posted: Sep 30, '08 at 7:57p
active: Oct 22, '08 at 2:58a
posts: 12
users: 7
website: catalystframework.org
irc: #catalyst