FAQ
Hi,

is it possible to use ldap to authenticate and dbic (a database) to handle the
user role relation ? So that it works like it resides all in one storage
backend.
If yes how do I configure that in the $application.conf ?

Stephan

Search Discussions

  • Jonathan Hall at Sep 30, 2008 at 8:26 pm
    Not directly... it's not even possible in DBIC to have relationships
    between different databases, which is essentially what you're talking
    about doing.

    You can accomplish the same thing client-side if you write your own user
    store module(s), which is not fundamentally difficult. I have done a
    similar thing for our Cat application; we authenticate via Unix accounts
    (/etc/passwd), or DBIC, or LDAP or (insert other yet-to-exist
    authentication methods). The user roles are all defined in the database.

    The user store documentation available on CPAN describes how to write
    modules such that they will interface with Catalyst properly, and it's
    not very difficult. I did my first one in half a day, having
    practically zero experience with catalyst internals at the time. (I
    have since rewritten it a time or two, and each iteration is better and
    cleaner, as you would expect).

    --
    Jonathan


    Stephan Jennewein wrote:
    Hi,

    is it possible to use ldap to authenticate and dbic (a database) to handle the
    user role relation ? So that it works like it resides all in one storage
    backend.
    If yes how do I configure that in the $application.conf ?

    Stephan

    _______________________________________________
    List: Catalyst@lists.scsys.co.uk
    Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
    Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
    Dev site: http://dev.catalyst.perl.org/

    --
    Inbound and outbound email scanned for spam and viruses by the

    DoubleCheck Email Manager: http://www.doublecheckemail.com
  • Matt S Trout at Oct 1, 2008 at 2:07 am

    On Tue, Sep 30, 2008 at 02:26:41PM -0500, Jonathan Hall wrote:
    Not directly... it's not even possible in DBIC to have relationships
    between different databases, which is essentially what you're talking
    about doing.
    Unless you count mysql as a database in which case ->table('otherdb.foo')
    works just fine.

    But yeah, DBIC's relationships are specifically things that can be JOINed.

    LDAP doesn't count. Fortunately, see my point about store and credential
    being different in auth as a possible approach. I'm poking Jay Kuri to
    elaborate and/or tell me I'm talking crap :)

    --
    Matt S Trout Need help with your Catalyst or DBIx::Class project?
    Technical Director http://www.shadowcat.co.uk/catalyst/
    Shadowcat Systems Ltd. Want a managed development or deployment platform?
    http://chainsawblues.vox.com/ http://www.shadowcat.co.uk/servers/
  • Matt S Trout at Oct 1, 2008 at 2:05 am

    On Tue, Sep 30, 2008 at 08:58:04PM +0200, Stephan Jennewein wrote:
    Hi,

    is it possible to use ldap to authenticate and dbic (a database) to handle the
    user role relation ? So that it works like it resides all in one storage
    backend.
    If yes how do I configure that in the $application.conf ?
    LDAP credential.

    DBIx::Class store.

    See authentication docs for how to configure each.

    --
    Matt S Trout Need help with your Catalyst or DBIx::Class project?
    Technical Director http://www.shadowcat.co.uk/catalyst/
    Shadowcat Systems Ltd. Want a managed development or deployment platform?
    http://chainsawblues.vox.com/ http://www.shadowcat.co.uk/servers/
  • Tomas Doran at Oct 1, 2008 at 2:24 am

    On 1 Oct 2008, at 02:05, Matt S Trout wrote:
    On Tue, Sep 30, 2008 at 08:58:04PM +0200, Stephan Jennewein wrote:
    Hi,

    is it possible to use ldap to authenticate and dbic (a database)
    to handle the
    user role relation ? So that it works like it resides all in one
    storage
    backend.
    If yes how do I configure that in the $application.conf ?
    LDAP credential.

    DBIx::Class store.

    See authentication docs for how to configure each.
    Unfortunately, there is no such thing as an LDAP credential module on
    CPAN at the moment.

    However, as noted elsewhere in this thread, coming up with one
    wouldn't be that hard.

    Splitting the current LDAP code so that it could be either a store
    and/or credential also wouldn't be hard, and I volunteer to help with
    the effort.

    I'm personally fine with the LDAP store, but I've thrown a couple of
    patches in that direction to add stuff I need, so doing a bit more
    hacking on it wouldn't push the boat out. I haven't had any response
    to these yet however, so if anyone reading could poke the Store::LDAP
    maintainer and get them to join the thread (and respond to my
    patches!), that'd be awesome...

    Cheers
    t0m
  • Peter Karman at Oct 1, 2008 at 3:11 am

    Tomas Doran wrote on 9/30/08 8:24 PM:

    Splitting the current LDAP code so that it could be either a store
    and/or credential also wouldn't be hard, and I volunteer to help with
    the effort.
    yes, that's a good idea. The current LDAP auth plugin is in the Store namespace
    but does both Store and Credential right now.
    I'm personally fine with the LDAP store, but I've thrown a couple of
    patches in that direction to add stuff I need, so doing a bit more
    hacking on it wouldn't push the boat out. I haven't had any response to
    these yet however, so if anyone reading could poke the Store::LDAP
    maintainer and get them to join the thread (and respond to my patches!),
    that'd be awesome...
    that'd be me. I've seen the tickets; haven't yet read the patches, but in
    general the feature ideas look sane. If someone else has time to look at the
    patches, I likely won't get to it for a few more days.

    --
    Peter Karman . http://peknet.com/ . peter@peknet.com
  • Tomas Doran at Oct 1, 2008 at 3:27 am

    On 1 Oct 2008, at 03:11, Peter Karman wrote:

    Tomas Doran wrote on 9/30/08 8:24 PM:
    so if anyone reading could poke the Store::LDAP
    maintainer and get them to join the thread (and respond to my
    patches!),
    that'd be awesome...
    that'd be me. Hi!
    I've seen the tickets; haven't yet read the patches, but in
    general the feature ideas look sane. If someone else has time to
    look at the
    patches, I likely won't get to it for a few more days.
    No huge rush, I'm just totally spoilt by the Moose community where
    you end up finding a bug, writing a test case, and then finding it's
    been fixed in trunk already.

    As long as you're around and alive, have seen my patches 'in theory'
    and will get to them at some point then I'm more than happy to await
    your leisure..

    Cheers
    t0m
  • Peter Karman at Oct 22, 2008 at 2:58 am

    Tomas Doran wrote on 9/30/08 9:27 PM:
    On 1 Oct 2008, at 03:11, Peter Karman wrote:

    Tomas Doran wrote on 9/30/08 8:24 PM:
    so if anyone reading could poke the Store::LDAP
    maintainer and get them to join the thread (and respond to my patches!),
    that'd be awesome...
    that'd be me. Hi!
    I've seen the tickets; haven't yet read the patches, but in
    general the feature ideas look sane. If someone else has time to look
    at the
    patches, I likely won't get to it for a few more days.
    No huge rush, I'm just totally spoilt by the Moose community where you
    end up finding a bug, writing a test case, and then finding it's been
    fixed in trunk already.

    As long as you're around and alive, have seen my patches 'in theory' and
    will get to them at some point then I'm more than happy to await your
    leisure..
    and finally, time made itself available.

    committed to cat svn as r8570 and uploaded just now to pause as 0.1004. Thanks
    for the patches.


    --
    Peter Karman . http://peknet.com/ . peter@peknet.com
  • Jose Luis Martinez at Oct 1, 2008 at 3:58 pm

    Tomas Doran escribi?:

    Unfortunately, there is no such thing as an LDAP credential module on
    CPAN at the moment.
    Catalyst::Authentication::Credential::Authen::Simple should do the
    trick.
    http://search.cpan.org/~jlmartin/Catalyst-Authentication-Credential-Authen-Simple-0.02/lib/Catalyst/Authentication/Credential/Authen/Simple.pm
    becasue Authen::Simple does support LDAP.


    Regards,

    Jose Luis Martinez
    jlmartinez@capside.com
  • Matt S Trout at Oct 2, 2008 at 1:49 am

    On Wed, Oct 01, 2008 at 04:58:51PM +0200, Jose Luis Martinez wrote:
    Tomas Doran escribi?:
    Unfortunately, there is no such thing as an LDAP credential module on
    CPAN at the moment.
    Catalyst::Authentication::Credential::Authen::Simple should do the
    trick.
    http://search.cpan.org/~jlmartin/Catalyst-Authentication-Credential-Authen-Simple-0.02/lib/Catalyst/Authentication/Credential/Authen/Simple.pm
    becasue Authen::Simple does support LDAP.
    Fucking awesome.

    This needs to be more widely publicised, do you think you could do doc
    patches fr C::P::Authentication and a wiki write up? :)

    --
    Matt S Trout Need help with your Catalyst or DBIx::Class project?
    Technical Director http://www.shadowcat.co.uk/catalyst/
    Shadowcat Systems Ltd. Want a managed development or deployment platform?
    http://chainsawblues.vox.com/ http://www.shadowcat.co.uk/servers/
  • Jose Luis Martinez at Oct 2, 2008 at 10:57 am

    Matt S Trout escribi?:
    Catalyst::Authentication::Credential::Authen::Simple should do the
    trick.
    http://search.cpan.org/~jlmartin/Catalyst-Authentication-Credential-Authen-Simple-0.02/lib/Catalyst/Authentication/Credential/Authen/Simple.pm
    becasue Authen::Simple does support LDAP.
    Fucking awesome.
    Thanks. :)

    This needs to be more widely publicised, do you think you could do doc
    patches fr C::P::Authentication and a wiki write up? :)
    I'll try to get some time to do it...

    Jose Luis Martinez
    jlmartinez@capside.com
  • Jay kuri at Oct 1, 2008 at 3:10 am
    Hello Stephan,

    The short answer is yes, it is possible. But you will need to do some
    work to make it happen.

    The long answer is Yeeeeeessssssss. Basically, Catalyst authentication
    is split into two pieces Credentials and Stores. A Store finds / holds
    the users. A credential is responsible for comparing the authentication
    information with a user (somehow) and determining whether they are who
    they claim to be.

    It is possible to use LDAP to authenticate the user, but store that
    user's information in the database. Unfortunately there are not any
    LDAP credentials. There is an LDAP store, but it expects that role
    information is stored in LDAP also.

    So what you need to do is create a credential that verifies your user
    via LDAP (probably using Catalyst::Model::LDAP) and then use the
    DBIx::Class Store to store your user information. Alternately you could
    create a module that subclasses (or even just wraps) the LDAP store and
    override the role related methods to access the database.

    As someone else mentioned, the Internals doc in
    Catalyst::Plugin::Authentication explains in detail how credentials /
    stores work... I doubt you'd have much trouble.

    Let me know if you need any more information.

    JayK
    On Tue, 2008-09-30 at 20:58 +0200, Stephan Jennewein wrote:
    Hi,

    is it possible to use ldap to authenticate and dbic (a database) to handle the
    user role relation ? So that it works like it resides all in one storage
    backend.
    If yes how do I configure that in the $application.conf ?

    Stephan

    _______________________________________________
    List: Catalyst@lists.scsys.co.uk
    Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
    Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
    Dev site: http://dev.catalyst.perl.org/

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupcatalyst @
categoriescatalyst, perl
postedSep 30, '08 at 7:57p
activeOct 22, '08 at 2:58a
posts12
users7
websitecatalystframework.org
irc#catalyst

People

Translate

site design / logo © 2022 Grokbase