FAQ
Hi all,
I'm using Catalyst::Authentication::Store::LDAP to authenticate users, but
now I need to allow some of them to single-signon without a password, like
this:

if( $is_sso ) {
$c->authenticate({ id=> $user }); ## I trust this dude, so skip the
check_password sub
} else {
$c->authenticate({ id=> $user, password=>$password ); ## old fashioned
}

I'm looking at the authentication internals and it seems to be missing a
per-user flag to disable password checking. Only a global realm-based
password_type=>'none' exists. Am I correct?

On the other hand, switching realms to a passwordless LDAP where
password_type=>'none' either duplicates information sensesly, or is a little
bit messy since it needs a MyApp.pm startup config hack. But it seems like
the only doable option right now.

To make matters worse, LDAP::User::check_password also checks user roles
since it needs the password to bind to the ldap server. That could make it
more difficult to implement a passwordless flag at any level on the
authenticate chain.

Any views on this?

regards,
rodrigo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.scsys.co.uk/pipermail/catalyst/attachments/20090727/52a37009/attachment.htm

Search Discussions

  • Andrew Rodland at Jul 27, 2009 at 10:51 am

    On Monday 27 July 2009 04:38:35 am Rodrigo wrote:
    Hi all,
    I'm using Catalyst::Authentication::Store::LDAP to authenticate users, but
    now I need to allow some of them to single-signon without a password, like
    this:
    [...]
    I'm looking at the authentication internals and it seems to be missing a
    per-user flag to disable password checking. Only a global realm-based
    password_type=>'none' exists. Am I correct?
    That's not auth in general, it's Credential::Password. You can write your own
    credential that implements your own policy and have it do whatever you like.
    To make matters worse, LDAP::User::check_password also checks user roles
    since it needs the password to bind to the ldap server. That could make it
    more difficult to implement a passwordless flag at any level on the
    authenticate chain.
    Store::LDAP has an option for whether or not to rebind as the given user when
    doing role searches. If it's off, and if your LDAP permissions are set
    appropriately, you shouldn't need the user's password at any phase.

    Andrew

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupcatalyst @
categoriescatalyst, perl
postedJul 27, '09 at 9:38a
activeJul 27, '09 at 10:51a
posts2
users2
websitecatalystframework.org
irc#catalyst

People

Translate

site design / logo © 2022 Grokbase