Re: [Catalyst] Catalyst and LDAP with sessions

2012-03-04 Thread Peter Karman
Birger Burkhardt wrote on 2/28/12 7:48 AM:
> Hi Francisco,
> 
> i am not quite sure, if it could be done using existing classes/modules. Can 
> you please have a look at the following both links. Are you sure, i have to 
> implement the storage of the password in a memcached server?
> 
> http://cpansearch.perl.org/src/BOBTFISH/Catalyst-Model-LDAP-FromAuthentication-0.02/README
> 
> According to this changelog (see entry in Version 1.007):
> http://cpan.uwinnipeg.ca/htdocs/Catalyst-Authentication-Store-LDAP/Changes.html
> 
> the user object has to be serialized and stored in the session to be used for 
> further connects to the LDAP server.

No need to store the user credentials or object separately, unless you have
other needs (as Birger seems to). The fix in 1.007 mentioned here:

https://rt.cpan.org/Ticket/Display.html?id=53279#txn-734373

was for the case where the User object was being stored in the session. That
isn't done by default (as I mentioned earlier in this thread).

Birger, it seems like your use case is a little different than what the LDAP
authn module assumes. You don't just want to do initial authn and then create a
Catalyst-specific session/cookie; that's what the module does. Instead you seem
to want to re-bind at every HTTP request as the logged-in user, in order to
perform subsequent LDAP actions that go beyond simple authentication. You can do
that with the LDAP authn module, but that isn't its original intent.

I'd suggest explicitly storing the user's credentials in the session on initial
login, and 2-way encrypting the password so that you can decrypt it out each
time you need to bind to your LDAP server (maybe in an auto() method in your
affected controller(s)). I use Crypt::CBC for that in my apps (mostly because I
am able to use the same algorithm from both PHP and Perl), but I am sure there
are other 2-way encryption modules that would work just as well.



-- 
Peter Karman  .  http://peknet.com/  .  pe...@peknet.com

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
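
The approach Peter describes above (encrypt the password before it goes into the session, decrypt it when a request has to bind), as an added example that is not code from the thread or from any module it mentions. It assumes Crypt::CBC with Crypt::Cipher::AES (CryptX) installed and a Unix-like host; the function names, keys and session id are constructed for illustration, and the HMAC check and session-id binding go beyond what the message itself suggests.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread: seal the LDAP password before it is
# written to the session store, and open it again when a request must bind.
use strict;
use warnings;
use Crypt::CBC;
use Digest::SHA  qw(hmac_sha256);
use Encode       qw(encode decode);
use MIME::Base64 qw(encode_base64 decode_base64);

# Constructed placeholder keys. Assumption: real keys are 32 random bytes each,
# loaded from server-side configuration that is NOT kept in the session store,
# so reading the FastMmap file or memcached alone does not reveal the password.
my $ENC_KEY = pack 'H*', '11' x 32;
my $MAC_KEY = pack 'H*', '22' x 32;

my ($IV_LEN, $MAC_LEN) = (16, 32);    # AES block size, HMAC-SHA256 length

# Assumption: Unix-like host with /dev/urandom.
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $buf, $n;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return $buf;
}

# The key is used as-is and the IV is supplied per message, so Crypt::CBC
# derives nothing from a passphrase and adds no header of its own.
sub cbc {
    my ($iv) = @_;
    return Crypt::CBC->new(
        -cipher      => 'Cipher::AES',
        -key         => $ENC_KEY,
        -literal_key => 1,
        -header      => 'none',
        -iv          => $iv,
    );
}

# Compare two byte strings without stopping at the first difference.
sub same_bytes {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns a base64 token: IV . ciphertext . HMAC over (session id, IV, ciphertext).
sub seal_password {
    my ($session_id, $password) = @_;
    my $iv  = random_bytes($IV_LEN);
    my $ct  = cbc($iv)->encrypt(encode('UTF-8', $password));
    my $mac = hmac_sha256(join("\0", $session_id, $iv . $ct), $MAC_KEY);
    return encode_base64($iv . $ct . $mac, '');
}

# Returns the password, or undef if the token is malformed, was modified, or
# was sealed for a different session id.
sub open_password {
    my ($session_id, $token) = @_;
    my $raw = decode_base64($token // '');
    return if length($raw) < $IV_LEN + 16 + $MAC_LEN;
    my $iv  = substr $raw, 0, $IV_LEN;
    my $mac = substr $raw, -$MAC_LEN;
    my $ct  = substr $raw, $IV_LEN, length($raw) - $IV_LEN - $MAC_LEN;
    my $expected = hmac_sha256(join("\0", $session_id, $iv . $ct), $MAC_KEY);
    return unless same_bytes($mac, $expected);    # verify before decrypting
    my $plain = eval { cbc($iv)->decrypt($ct) };
    return defined $plain ? decode('UTF-8', $plain) : undef;
}

# Constructed sample values standing in for $c->sessionid and the form password.
my $sid   = 'constructed-session-id-0001';
my $token = seal_password($sid, 'constructed-pw-123');
my $back  = open_password($sid, $token);
print "round trip:       ", ($back eq 'constructed-pw-123' ? 'ok' : 'FAILED'), "\n";

# A token copied into another session, or altered in the store, must not open.
my $raw = decode_base64($token);
substr($raw, 20, 1, chr(ord(substr $raw, 20, 1) ^ 1));
print "other session id: ",
    (defined open_password('other-id', $token) ? 'OPENED' : 'rejected'), "\n";
print "modified token:   ",
    (defined open_password($sid, encode_base64($raw, '')) ? 'OPENED' : 'rejected'), "\n";

# In the Catalyst app from the thread this would be wired in roughly as:
#   login action, after $c->authenticate has succeeded and the session exists:
#       $c->session->{ldap_pw} = seal_password($c->sessionid, $password);
#   auto() of the affected controllers:
#       my $pw = open_password($c->sessionid, $c->session->{ldap_pw});
#       then bind to the directory as the user with $pw.
```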


Re: [Catalyst] Catalyst and LDAP with sessions

2012-02-28 Thread Birger Burkhardt
Hi Francisco,

i am not quite sure, if it could be done using existing
classes/modules. Can you please have a look
at the following both links. Are you sure, i have to implement the
storage of the password in a
memcached server?

http://cpansearch.perl.org/src/BOBTFISH/Catalyst-Model-LDAP-FromAuthentication-0.02/README

According to this changelog (see entry in Version 1.007):
http://cpan.uwinnipeg.ca/htdocs/Catalyst-Authentication-Store-LDAP/Changes.html
the user object has to be serialized and stored in the session to be
used for further connects to the LDAP server.

Best regards,
Birger


On Mon, Feb 27, 2012 at 11:53 PM, Francisco Obispo  wrote:

> I see what the problem is now.
>
> I would store it locally using a Memcached server, and would use the
> session_id as the key..
>
> That way you can use the auto-expire feature, thus functioning like a
> key-ring.
>
> In case you have multiple servers handling the requests, they can always
> connect to the memcached server and share the info.
>
> Francisco

Re: [Catalyst] Catalyst and LDAP with sessions

2012-02-27 Thread Francisco Obispo
I see what the problem is now.

I would store it locally using a Memcached server, and would use the session_id 
as the key..

That way you can use the auto-expire feature, thus functioning like a key-ring.

In case you have multiple servers handling the requests, they can always 
connect to the memcached server and share the info.

Francisco

On Feb 27, 2012, at 1:43 PM, Birger Burkhardt wrote:

> Hi Francisco,
> 
> sorry, but i think we are not talking about the same.
> 1.) The GUI uses its own LDAP Bind credentials for Directory search purposes.
> 2.) On user login, the catalyst app binds to LDAP via the credentials of the 
> user. On success, session is established, user is logged in. So far so good 
> everything working up to here.
> 3.) After successful login, the user performs some actions on the LDAP server 
> via the GUI. This has to be done with the (somewhere) stored credentials of 
> the user. In a new request, $c->user->ldap_connection tries to establish a 
> connection with the ldap-server and fails, because the password is gone. So 
> somewhere the password has to be stored ...
> 
> Best regards,
> Birger

Re: [Catalyst] Catalyst and LDAP with sessions

2012-02-27 Thread Birger Burkhardt
Hi Francisco,

sorry, but i think we are not talking about the same.
1.) The GUI uses its own LDAP Bind credentials for Directory search purposes.
2.) On user login, the catalyst app binds to LDAP via the credentials of
the user. On success, session is established, user is logged in. So far so
good everything working up to here.
3.) After successful login, the user performs some actions on the LDAP
server via the GUI. This has to be done with the (somewhere) stored
credentials of the user. In a new request, $c->user->ldap_connection tries
to establish a connection with the ldap-server and fails, because the
password is gone. So somewhere the password has to be stored ...

Best regards,
Birger


On Mon, Feb 27, 2012 at 10:20 PM, Francisco Obispo  wrote:

> You don't need to store the password... You just need to have a session id
> that has a short lifetime while you browse..
>
>
> You can tie that session id with an ip address for additional security .
>
> Francisco

Re: [Catalyst] Catalyst and LDAP with sessions

2012-02-27 Thread Francisco Obispo
You don't need to store the password... You just need to have a session id that 
has a short lifetime while you browse..  


You can tie that session id with an ip address for additional security .

Francisco

On Feb 27, 2012, at 1:06 PM, Birger Burkhardt  wrote:

> Hi Francisco,
> 
> thank you for your reply. I already use sessions (FastMmap for Storage and 
> Cookies for State). I can login to the GUI via my LDAP credentials. But the 
> problem is: every further request has to be done with my personal 
> credentials. Therefore the password should be stored somewhere safe. I don't 
> want to store the user password in an unencrypted session variable.
> 
> Best regards,
> Birger

Re: [Catalyst] Catalyst and LDAP with sessions

2012-02-27 Thread Birger Burkhardt
Hi Francisco,

thank you for your reply. I already use sessions (FastMmap for Storage and
Cookies for State). I can login to the GUI via my LDAP credentials. But the
problem is: every further request has to be done with my personal
credentials. Therefore the password should be stored somewhere safe. I
don't want to store the user password in an unencrypted session variable.

Best regards,
Birger


On Mon, Feb 27, 2012 at 6:52 PM, Francisco Obispo  wrote:

> Hi Birger,
>
> Once you've authenticated with LDAP, or with any backend, it is important
> that you store the session information somewhere.. Some people use a
> database, memcached, tmp file, or any other method.
>
> That way, when the client comes with the next request, he will offer a
> cookie that can be verified for authorization purposes.
>
> francisco


Re: [Catalyst] Catalyst and LDAP with sessions

2012-02-27 Thread Francisco Obispo
Hi Birger,

Once you've authenticated with LDAP, or with any backend, it is important that 
you store the session information somewhere.. Some people use a database, 
memcached, tmp file, or any other method.

That way, when the client comes with the next request, he will offer a cookie 
that can be verified for authorization purposes.

francisco



On Feb 27, 2012, at 2:30 AM, Birger Burkhardt wrote:

> Hello Peter,
> 
> thank you for your reply. 
> 
> no, i am not storing these credentials as i thought the module would do this. 
> I also tried to use the following package, but it doesn't work either:
> 
> http://cpansearch.perl.org/src/BOBTFISH/Catalyst-Model-LDAP-FromAuthentication-0.02/README
> 
> According to this changelog (see entry in Version 1.007):
> http://cpan.uwinnipeg.ca/htdocs/Catalyst-Authentication-Store-LDAP/Changes.html
> the user object has to be serialized and stored in the session. Do you have 
> an idea how to do this?
> 
> Best regards,
> Birger

Francisco Obispo 
email: fobi...@isc.org
Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
PGP KeyID = B38DB1BE




Re: [Catalyst] Catalyst and LDAP with sessions

2012-02-27 Thread Birger Burkhardt
Hello Peter,

thank you for your reply.

no, i am not storing these credentials as i thought the module would do
this. I also tried to use the following package, but it doesn't work either:

http://cpansearch.perl.org/src/BOBTFISH/Catalyst-Model-LDAP-FromAuthentication-0.02/README

According to this changelog (see entry in Version 1.007):
http://cpan.uwinnipeg.ca/htdocs/Catalyst-Authentication-Store-LDAP/Changes.html
the user object has to be serialized and stored in the session. Do you have
an idea how to do this?

Best regards,
Birger


On Sat, Feb 25, 2012 at 3:41 AM, Peter Karman  wrote:

> Birger Burkhardt wrote on 2/24/12 7:22 AM:
>
> > After successful authentication, all further request
> > should be executed via the credentials of the logged in user.
> >
>
> are you somehow storing those credentials so that they persist over the
> life of
> the session? The LDAP authn plugin does not do that for you, afaik. The
> credentials exist only for the life of that particular login HTTP request.
>
> or maybe I'm misunderstanding what you're trying to do?


Re: [Catalyst] Catalyst and LDAP with sessions

2012-02-24 Thread Peter Karman
Birger Burkhardt wrote on 2/24/12 7:22 AM:

> After successful authentication, all further request
> should be executed via the credentials of the logged in user.
> 

are you somehow storing those credentials so that they persist over the life of
the session? The LDAP authn plugin does not do that for you, afaik. The
credentials exist only for the life of that particular login HTTP request.

or maybe I'm misunderstanding what you're trying to do?

> In the login controller the user is authenticated
> [...]
> # Get the username and password from form
> my $username = $c->request->params->{username};
> my $password = $c->request->params->{password};
> 
> # If the username and password values were found in form
> if ($username && $password) {
>     # Attempt to log the user in
>     if ($c->authenticate({ username => $username,
>                            password => $password })) {
> [...]
> 
> But when I do a new request from within another controller, i get an ldap
> error meaning the credentials are invalid:
> 
> code in other controller:
> [...]
> my $ldapconn = $c->user->ldap_connection();
> my $mesg = $ldapconn->search( base => "ou=users,dc=example,dc=com",
>                               filter => "(uid=*)");
> my @entries = $mesg->sorted('uid');
> $c->stash(users => \@entries,);
> $c->stash(template => 'userList.tt2');
> [...]
> 


-- 
Peter Karman  .  http://peknet.com/  .  pe...@peknet.com



[Catalyst] Catalyst and LDAP with sessions

2012-02-24 Thread Birger Burkhardt
Hello all,

since my last mail to the mailing list was abused by other people for
their thread ("Catalyst 5.90010 server must be in CWD to run?"), i am
posting my question again, hoping that someone else has experience with
catalyst and LDAP.

I would like to use catalyst framework for a ldap authenticated web
interface. Anonymous bind is not allowed so I have configured binddn and
bindpw in the config. After successful authentication, all further request
should be executed via the credentials of the logged in user.

In the login controller the user is authenticated
[...]
# Get the username and password from form
my $username = $c->request->params->{username};
my $password = $c->request->params->{password};

# If the username and password values were found in form
if ($username && $password) {
    # Attempt to log the user in
    if ($c->authenticate({ username => $username,
                           password => $password })) {
[...]

But when I do a new request from within another controller, i get an ldap
error meaning the credentials are invalid:

code in other controller:
[...]
my $ldapconn = $c->user->ldap_connection();
my $mesg = $ldapconn->search( base => "ou=users,dc=example,dc=com",
                              filter => "(uid=*)");
my @entries = $mesg->sorted('uid');
$c->stash(users => \@entries,);
$c->stash(template => 'userList.tt2');
[...]

I use sessions:
Session
Session::Store::FastMmap
Session::State::Cookie


Can anybody give me a hint how to solve this problem?

Best regards,
Birger