Matt S Trout <[EMAIL PROTECTED]> wrote on 07/19/2008 07:10:28 PM:

> On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
> > Also, somewhat apropos, I have a
> > C::A::{Store,Credential}::ActiveDirectory that I based on the LDAP
> > stuff. The LDAP modules didn't work for me because they want to bind
> > anonymously and retrieve the crypted password, whereas AD just wants to
> > authenticate with a bind. My stuff also gets role information from AD
> > groups. I've been meaning to get it out on CPAN one of these days, but
> > it hasn't been a priority; I suppose I can work on it if anyone else
> > needs it though.
>
> Sounds to me like 'auth by bind' versus 'auth by retrieve and check' should
> be an option in the LDAP stuff, not a separate module. Fancy doing up
> a patch?

From the POD:

  It authenticates users in two steps:

  1) A search of the directory is performed, looking for a user object
     that matches the username you pass. This is done with the bind
     credentials supplied in the "binddn" and "bindpw" configuration
     options.

  2) If that object is found, we then re-bind to the directory as that
     object. Assuming this is successful, the user is Authenticated.

And the actual check password code:

  $self->store->ldap_bind( undef, $self->ldap_entry->dn, $password, 'forauth' );

Notice the rebind. So it does not try to "retrieve the crypted password"; it does bind (anon, or by an authorized service account if set in binddn and bindpw) to the LDAP server. Next it grabs the user's DN from a search on that bind. Finally, to authenticate, it actually binds to the LDAP server as that user's DN.

This works well against AD (I use it). I don't understand what deficiency you are trying to fix with your patch.

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
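The search-then-rebind flow described in the thread, written out as a stand-alone Net::LDAP script; this is an added example, not code from Catalyst::Authentication::Store::LDAP, and the hostname, DNs and passwords in %cfg are constructed placeholders.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Constructed settings (not from the post); replace with your own.
my %cfg = (
    host        => 'ldap.example.com',
    binddn      => 'CN=svc-auth,OU=Service,DC=example,DC=com',
    bindpw      => 'service-account-password',
    user_basedn => 'OU=People,DC=example,DC=com',
    user_field  => 'sAMAccountName',    # AD login attribute
);

# Step 1: bind as the service account and look up the user's DN.
# Step 2: re-bind as that DN with the supplied password.
# Returns { dn, groups } on success, undef on failure.
sub authenticate_by_bind {
    my ($cfg, $username, $password) = @_;

    # An empty password is an "unauthenticated bind", which AD and
    # other servers answer with success; refuse it before binding.
    return undef unless defined $password && length $password;

    my $ldap = Net::LDAP->new($cfg->{host}) or die "connect: $@";
    my $mesg = $ldap->bind($cfg->{binddn}, password => $cfg->{bindpw});
    die 'service bind failed: ' . $mesg->error if $mesg->code;

    # Escape the username so it cannot change the filter's meaning.
    my $filter = sprintf '(%s=%s)', $cfg->{user_field},
        escape_filter_value($username);
    $mesg = $ldap->search(base => $cfg->{user_basedn}, filter => $filter,
                          attrs => ['memberOf']);
    die 'search failed: ' . $mesg->error if $mesg->code;

    # Require exactly one match; an ambiguous lookup is a failure.
    my @entries = $mesg->entries;
    return undef unless @entries == 1;
    my $dn = $entries[0]->dn;

    # Step 2: the directory verifies the password during this bind.
    my $ok = $ldap->bind($dn, password => $password)->code == 0;
    $ldap->unbind;
    return undef unless $ok;
    return { dn => $dn, groups => [ $entries[0]->get_value('memberOf') ] };
}

my $user = authenticate_by_bind(\%cfg, 'jdoe', 'correct horse');
print $user ? "authenticated as $user->{dn}\n" : "authentication failed\n";
```

The memberOf values returned alongside the DN are the same AD group data the Credential/Store modules would use for roles.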