Re: [Catalyst] Catalyst::Authentication::Credential::LDAP

2008-08-07 Thread Buchan Milne
On Thursday 24 July 2008 04:38:30 Matt S Trout wrote:
 On Wed, Jul 23, 2008 at 08:29:42AM -0500, Peter Karman wrote:
  On 07/22/2008 10:37 PM, Matt S Trout wrote:
   On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
   Also, somewhat apropos, I have a
   C::A::{Store,Credential}::ActiveDirectory  that I based on the LDAP
   stuff.  The LDAP modules didn't work for me because they want to bind
   anonymously and retrieve the crypted password, whereas AD just wants
   to authenticate with a bind.
  
   So, having established this isn't true.
  
   Could you perhaps instead post a message asking why your config of the
   main LDAP store didn't work so we can figure out what configuration
   problem you had and document it?
 
  likely he is missing a 'binddn' and 'bindpw' config setting. The initial
  bind() will try anonymously if those are not set. What I usually do for
  Active Directory is create a user specifically for use with Net::LDAP
  (and by extension, C::A::Store::LDAP), and then do all my initial binds
  with that user/pass.

 Hmmm. Should there be an alternative option where (if the user DN is
 deterministic from the username) it skips the first part and just
 tries the bind with $generated_dn and $supplied_password (where
 $generated_dn is the result of a subref/sprintf pattern/whatever
 supplied in config) ?

A directory isn't an RDBMS; one should never assume that the naming attribute 
is the same attribute used for the username. One should avoid generating DNs 
in anything but code that initially provisions the entry.

Regards,
Buchan

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


Re: [Catalyst] Catalyst::Authentication::Credential::LDAP

2008-08-07 Thread Matt S Trout
On Thu, Aug 07, 2008 at 05:29:38PM +0200, Buchan Milne wrote:
 On Thursday 24 July 2008 04:38:30 Matt S Trout wrote:
  On Wed, Jul 23, 2008 at 08:29:42AM -0500, Peter Karman wrote:
   On 07/22/2008 10:37 PM, Matt S Trout wrote:
On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
Also, somewhat apropos, I have a
C::A::{Store,Credential}::ActiveDirectory  that I based on the LDAP
stuff.  The LDAP modules didn't work for me because they want to bind
anonymously and retrieve the crypted password, whereas AD just wants
to authenticate with a bind.
   
So, having established this isn't true.
   
Could you perhaps instead post a message asking why your config of the
main LDAP store didn't work so we can figure out what configuration
problem you had and document it?
  
   likely he is missing a 'binddn' and 'bindpw' config setting. The initial
   bind() will try anonymously if those are not set. What I usually do for
   Active Directory is create a user specifically for use with Net::LDAP
   (and by extension, C::A::Store::LDAP), and then do all my initial binds
   with that user/pass.
 
  Hmmm. Should there be an alternative option where (if the user DN is
  deterministic from the username) it skips the first part and just
  tries the bind with $generated_dn and $supplied_password (where
  $generated_dn is the result of a subref/sprintf pattern/whatever
  supplied in config) ?
 
 A directory isn't an RDBMS; one should never assume that the naming attribute
 is the same attribute used for the username. One should avoid generating DNs
 in anything but code that initially provisions the entry.

One should be able to get a suitable user provisioned that one uses to do
the initial search.

From what people seemed to be saying, in the real world this isn't always the
case.

I was suggesting that having such a feature available would permit people
to still use the credential in this case rather than having to write an
entire new one.

Just because you should avoid something, sadly, doesn't always mean you
-can- avoid it. Features designed for an imperfect world are important,
although it's also important that they're documented as such and that the
preferred approach is mentioned.

-- 
      Matt S Trout          Need help with your Catalyst or DBIx::Class project?
   Technical Director       http://www.shadowcat.co.uk/catalyst/
 Shadowcat Systems Ltd.     Want a managed development or deployment platform?
http://chainsawblues.vox.com/   http://www.shadowcat.co.uk/servers/



Re: [Catalyst] Catalyst::Authentication::Credential::LDAP

2008-07-23 Thread Peter Karman


On 07/22/2008 10:37 PM, Matt S Trout wrote:
 On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
 Also, somewhat apropos, I have a 
 C::A::{Store,Credential}::ActiveDirectory  that I based on the LDAP 
 stuff.  The LDAP modules didn't work for me because they want to bind 
 anonymously and retrieve the crypted password, whereas AD just wants to 
 authenticate with a bind.
 
 So, having established this isn't true.
 
 Could you perhaps instead post a message asking why your config of the
 main LDAP store didn't work so we can figure out what configuration problem
 you had and document it?

Likely he is missing a 'binddn' and 'bindpw' config setting. The initial
bind() will try anonymously if those are not set. What I usually do for
Active Directory is create a user specifically for use with Net::LDAP (and by
extension, C::A::Store::LDAP), and then do all my initial binds with that
user/pass.

'binddn' and 'bindpw' are fully documented; if the docs can be improved,
please send a patch.

-- 
Peter Karman  .  [EMAIL PROTECTED]  .  http://peknet.com/




Re: [Catalyst] Catalyst::Authentication::Credential::LDAP

2008-07-23 Thread Wade . Stuart
Peter Karman [EMAIL PROTECTED] wrote on 07/23/2008 08:29:42 AM:



 On 07/22/2008 10:37 PM, Matt S Trout wrote:
  On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
   Also, somewhat apropos, I have a
   C::A::{Store,Credential}::ActiveDirectory  that I based on the LDAP
   stuff.  The LDAP modules didn't work for me because they want to bind
   anonymously and retrieve the crypted password, whereas AD just wants to
   authenticate with a bind.
 
  So, having established this isn't true.
 
  Could you perhaps instead post a message asking why your config of the
  main LDAP store didn't work so we can figure out what configuration problem
  you had and document it?

 Likely he is missing a 'binddn' and 'bindpw' config setting. The initial
 bind() will try anonymously if those are not set. What I usually do for
 Active Directory is create a user specifically for use with Net::LDAP (and
 by extension, C::A::Store::LDAP), and then do all my initial binds with that
 user/pass.

 'binddn' and 'bindpw' are fully documented; if the docs can be improved,
 please send a patch.


Peter,

From my perspective they are documented too well -- it took me a bit
to figure out how to do _anon_ binds. =)

-Wade




Re: [Catalyst] Catalyst::Authentication::Credential::LDAP

2008-07-23 Thread Bruce J Keeler

Peter Karman wrote:

 On 07/22/2008 10:37 PM, Matt S Trout wrote:
  On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
   Also, somewhat apropos, I have a
   C::A::{Store,Credential}::ActiveDirectory  that I based on the LDAP
   stuff.  The LDAP modules didn't work for me because they want to bind
   anonymously and retrieve the crypted password, whereas AD just wants to
   authenticate with a bind.

  So, having established this isn't true.

  Could you perhaps instead post a message asking why your config of the
  main LDAP store didn't work so we can figure out what configuration problem
  you had and document it?

 Likely he is missing a 'binddn' and 'bindpw' config setting. The initial
 bind() will try anonymously if those are not set. What I usually do for
 Active Directory is create a user specifically for use with Net::LDAP (and
 by extension, C::A::Store::LDAP), and then do all my initial binds with that
 user/pass.

 'binddn' and 'bindpw' are fully documented; if the docs can be improved,
 please send a patch.

I seem to recall trying that, but it's been long enough that I don't
recall the details of what went wrong.


The other reason I went off in my own direction is that I wanted to pull 
role information from AD groups, and I couldn't see any way of making 
that work with the stock ::LDAP modules.  I will try to make some time 
to revisit this stuff soon.


Bruce



Re: [Catalyst] Catalyst::Authentication::Credential::LDAP

2008-07-23 Thread Wade . Stuart

Bruce J Keeler [EMAIL PROTECTED] wrote on 07/23/2008 02:16:16 PM:

 Peter Karman wrote:
  On 07/22/2008 10:37 PM, Matt S Trout wrote:
   On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
    Also, somewhat apropos, I have a
    C::A::{Store,Credential}::ActiveDirectory  that I based on the LDAP
    stuff.  The LDAP modules didn't work for me because they want to bind
    anonymously and retrieve the crypted password, whereas AD just wants to
    authenticate with a bind.

   So, having established this isn't true.

   Could you perhaps instead post a message asking why your config of the
   main LDAP store didn't work so we can figure out what configuration problem
   you had and document it?

  Likely he is missing a 'binddn' and 'bindpw' config setting. The initial
  bind() will try anonymously if those are not set. What I usually do for
  Active Directory is create a user specifically for use with Net::LDAP (and
  by extension, C::A::Store::LDAP), and then do all my initial binds with
  that user/pass.

  'binddn' and 'bindpw' are fully documented; if the docs can be improved,
  please send a patch.

 I seem to recall trying that, but it's been long enough that I don't
 recall the details of what went wrong.

 The other reason I went off in my own direction is that I wanted to pull
 role information from AD groups, and I couldn't see any way of making
 that work with the stock ::LDAP modules.  I will try to make some time
 to revisit this stuff soon.

http://search.cpan.org/~karman/Catalyst-Authentication-Store-LDAP-0.1002/lib/Catalyst/Authentication/Store/LDAP.pm#use_roles
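The binddn/bindpw setting Peter describes and the use_roles option Wade links, combined in one realm configuration against Active Directory. This is an added example, not code from the thread or from the Store::LDAP distribution: the hostname, DNs, service account and environment variable are constructed placeholders, option names follow the module's documentation, and start_tls is included on the assumption that the installed version supports it.

```perl
# Added example, not code from the thread or the Store::LDAP distribution.
# One Catalyst realm that authenticates against Active Directory the way the
# POD describes: a dedicated service account (binddn/bindpw) performs the
# search, the user's password is checked by re-binding as the entry found,
# and roles come from AD group membership (use_roles). Hostname, DNs and the
# service account are constructed placeholders.
__PACKAGE__->config(
    'Plugin::Authentication' => {
        default_realm => 'ad',
        realms        => {
            ad => {
                credential => {
                    class          => 'Password',
                    password_field => 'password',
                    # Let the store check the password by re-binding instead
                    # of comparing a hash fetched from the directory.
                    password_type  => 'self_check',
                },
                store => {
                    class       => 'LDAP',
                    ldap_server => 'dc01.example.internal',      # placeholder
                    ldap_server_options => { timeout => 30 },
                    # Simple binds carry the password in clear; wrap them in TLS.
                    start_tls => 1,

                    # Service account for the search step only. Without
                    # binddn/bindpw the first bind is anonymous, which AD
                    # normally refuses for user lookups.
                    binddn => 'CN=svc-catalyst,OU=Service Accounts,DC=example,DC=internal',
                    bindpw => $ENV{CATALYST_LDAP_BINDPW},     # keep it out of the config file

                    # Step 1: locate the entry by login name. AD entries are
                    # named by CN, so the DN cannot be built from the username.
                    user_basedn => 'OU=Staff,DC=example,DC=internal',
                    user_filter => '(sAMAccountName=%s)',
                    user_scope  => 'sub',
                    user_field  => 'sAMAccountName',

                    # Roles: the groups that list the user's DN in "member".
                    use_roles   => 1,
                    role_basedn => 'OU=Groups,DC=example,DC=internal',
                    role_filter => '(member=%s)',
                    role_scope  => 'sub',
                    role_field  => 'cn',
                    role_value  => 'dn',
                },
            },
        },
    },
);
```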





Re: [Catalyst] Catalyst::Authentication::Credential::LDAP

2008-07-23 Thread Matt S Trout
On Wed, Jul 23, 2008 at 08:29:42AM -0500, Peter Karman wrote:
 
 
 On 07/22/2008 10:37 PM, Matt S Trout wrote:
  On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
  Also, somewhat apropos, I have a 
  C::A::{Store,Credential}::ActiveDirectory  that I based on the LDAP 
  stuff.  The LDAP modules didn't work for me because they want to bind 
  anonymously and retrieve the crypted password, whereas AD just wants to 
  authenticate with a bind.
  
  So, having established this isn't true.
  
  Could you perhaps instead post a message asking why your config of the
  main LDAP store didn't work so we can figure out what configuration problem
  you had and document it?
 
 Likely he is missing a 'binddn' and 'bindpw' config setting. The initial
 bind() will try anonymously if those are not set. What I usually do for
 Active Directory is create a user specifically for use with Net::LDAP (and
 by extension, C::A::Store::LDAP), and then do all my initial binds with that
 user/pass.

Hmmm. Should there be an alternative option where (if the user DN is
deterministic from the username) it skips the first part and just
tries the bind with $generated_dn and $supplied_password (where
$generated_dn is the result of a subref/sprintf pattern/whatever
supplied in config) ?




Re: [Catalyst] Catalyst::Authentication::Credential::LDAP

2008-07-22 Thread Wade . Stuart
Matt S Trout [EMAIL PROTECTED] wrote on 07/21/2008 04:32:03 PM:

 Maybe the search phase failed for the original poster?

 I dunno, I was just saying it should probably support both approaches :)


Sorry Matt, my comment was directed towards the OP, not you -- I just
piggybacked on your message.  If the search phase failed for him it seems
like it was a config problem or an edge bug (let's find it and fix it vs. a new
LDAP auth module for Cat on CPAN).  I have used it on a bunch of different
AD schemas (some heavily segmented, some heavily locked down) with no
issues.  I don't really know of any non-vendor LDAP auth that grabs the
crypted pass for client-side auth instead of binding against the user (what
this app does).





Re: [Catalyst] Catalyst::Authentication::Credential::LDAP

2008-07-22 Thread Matt S Trout
On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
 Also, somewhat apropos, I have a 
 C::A::{Store,Credential}::ActiveDirectory  that I based on the LDAP 
 stuff.  The LDAP modules didn't work for me because they want to bind 
 anonymously and retrieve the crypted password, whereas AD just wants to 
 authenticate with a bind.

So, having established this isn't true.

Could you perhaps instead post a message asking why your config of the
main LDAP store didn't work so we can figure out what configuration problem
you had and document it?

Awesome though it is that you wrote a store and credential, I'd rather the
next person wrote one that didn't already exist :)




Re: [Catalyst] Catalyst::Authentication::Credential::LDAP

2008-07-21 Thread Matt S Trout
On Mon, Jul 21, 2008 at 11:48:39AM -0500, [EMAIL PROTECTED] wrote:
 Matt S Trout [EMAIL PROTECTED] wrote on 07/19/2008 07:10:28 PM:
 
  On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
   Also, somewhat apropos, I have a
   C::A::{Store,Credential}::ActiveDirectory  that I based on the LDAP
   stuff.  The LDAP modules didn't work for me because they want to bind
   anonymously and retrieve the crypted password, whereas AD just wants to
 
   authenticate with a bind.  My stuff also gets role information from AD
   groups.  I've been meaning to get it out on CPAN one of these days, but
 
   it hasn't been a priority; I suppose I can work on it if anyone else
   needs it though.
 
  Sounds to me like 'auth by bind' versus 'auth by retrieve and check'
 should
  be an option in the LDAP stuff, not a separate module. Fancy doing up
  a patch?
 
 
 From the POD: "It authenticates users in two steps:
 
 1) A search of the directory is performed, looking for a user object that
    matches the username you pass.  This is done with the bind credentials
    supplied in the binddn and bindpw configuration options.
 
 2) If that object is found, we then re-bind to the directory as that object.
    Assuming this is successful, the user is Authenticated."
 
 And the actual check password code:
 
   $self->store->ldap_bind( undef, $self->ldap_entry->dn, $password, 'forauth' );
 
 Notice the rebind.
 
 So it does not try to retrieve the crypted password; it does bind (anon
 or by authorized service account if set in binddn and bindpw) to the LDAP
 server. Next it grabs the user's DN from a search on that bind. Finally, to
 authenticate, it actually binds to the LDAP server as that user's DN.  This
 works well against AD (I use it); I don't understand what deficiency you
 are trying to fix with your patch.

Maybe the search phase failed for the original poster?

I dunno, I was just saying it should probably support both approaches :)

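The two-step flow Wade quotes from the POD, Matt's proposed "generate the DN from the username" shortcut, and Buchan's objection that the naming attribute need not be the login attribute, played out in one script. This is an added illustration, not code from the thread or from C::A::Store::LDAP: the in-memory directory, its DNs and passwords are constructed, and ldap_bind/search_user_dn are stand-ins for the Net::LDAP calls the store makes.

```perl
#!/usr/bin/env perl
# Added illustration, not code from the thread or from C::A::Store::LDAP.
# Models the two-step check quoted from the POD (bind as binddn/bindpw, search
# for the user, re-bind as the entry found) against a constructed in-memory
# directory whose entries are named by CN, as in AD, while users log in with
# sAMAccountName; then runs the "generate the DN from the username" shortcut.
use strict;
use warnings;

# Constructed directory: DN => attributes. Clear-text passwords stand in for
# the server's own bind check; a real directory never returns them.
my %directory = (
    'CN=svc-catalyst,OU=Service Accounts,DC=example,DC=internal'
        => { sAMAccountName => 'svc-catalyst', userPassword => 'svc-secret' },
    'CN=Jane Doe,OU=Staff,DC=example,DC=internal'
        => { sAMAccountName => 'jdoe', userPassword => 'correct horse' },
    'CN=John Smith,OU=Staff,DC=example,DC=internal'
        => { sAMAccountName => 'jsmith', userPassword => 'battery staple' },
);

# Stand-in for Net::LDAP->bind: a simple bind succeeds only for an existing DN
# with the right password; an anonymous bind (no DN) is refused, as on an AD
# that does not allow anonymous lookups.
sub ldap_bind {
    my ($dn, $password) = @_;
    return 0 unless defined $dn && defined $password;
    my $entry = $directory{$dn} or return 0;
    return $entry->{userPassword} eq $password ? 1 : 0;
}

# Stand-in for the search step: user_filter "(sAMAccountName=%s)" below
# user_basedn, returning the matching entry's DN (undef if none).
sub search_user_dn {
    my ($basedn, $attr, $username) = @_;
    for my $dn (sort keys %directory) {
        next unless $dn =~ /,\Q$basedn\E\z/;
        return $dn if ($directory{$dn}{$attr} // '') eq $username;
    }
    return;
}

# Store::LDAP flow: initial bind, search, then re-bind as the DN found.
sub authenticate_search_then_bind {
    my (%cfg) = @_;
    ldap_bind($cfg{binddn}, $cfg{bindpw}) or return 'initial bind refused';
    my $dn = search_user_dn($cfg{user_basedn}, 'sAMAccountName', $cfg{username})
        or return 'user not found';
    return ldap_bind($dn, $cfg{password}) ? "authenticated as $dn" : 'bad password';
}

# The shortcut: sprintf the username into a DN pattern and bind once.
sub authenticate_generated_dn {
    my (%cfg) = @_;
    my $dn = sprintf $cfg{dn_pattern}, $cfg{username};
    return ldap_bind($dn, $cfg{password}) ? "authenticated as $dn" : "bind refused for $dn";
}

my %login = (username => 'jdoe', password => 'correct horse');
my %store = (binddn => 'CN=svc-catalyst,OU=Service Accounts,DC=example,DC=internal',
             bindpw => 'svc-secret', user_basedn => 'OU=Staff,DC=example,DC=internal');
# With the service account; without binddn/bindpw (anonymous first bind); and
# the shortcut, whose generated DN names no entry because CN is the naming
# attribute here, not sAMAccountName.
print authenticate_search_then_bind(%login, %store), "\n";
print authenticate_search_then_bind(%login, user_basedn => $store{user_basedn}), "\n";
print authenticate_generated_dn(%login,
    dn_pattern => 'sAMAccountName=%s,OU=Staff,DC=example,DC=internal'), "\n";
```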



Re: [Catalyst] Catalyst::Authentication::Credential::LDAP

2008-07-19 Thread Matt S Trout
On Wed, Jun 25, 2008 at 11:27:13AM -0700, Bruce J Keeler wrote:
 Also, somewhat apropos, I have a 
 C::A::{Store,Credential}::ActiveDirectory  that I based on the LDAP 
 stuff.  The LDAP modules didn't work for me because they want to bind 
 anonymously and retrieve the crypted password, whereas AD just wants to 
 authenticate with a bind.  My stuff also gets role information from AD 
 groups.  I've been meaning to get it out on CPAN one of these days, but 
 it hasn't been a priority; I suppose I can work on it if anyone else 
 needs it though.

Sounds to me like 'auth by bind' versus 'auth by retrieve and check' should
be an option in the LDAP stuff, not a separate module. Fancy doing up
a patch?




RE: [Catalyst] Catalyst::Authentication::Credential::LDAP

2008-06-25 Thread Hartmaier Alexander
Hi!

IMHO that's very useful!
Some generic plugin or extending C::P::Auth to combine two auth stores, one for
authentication and one as source for the roles etc. would be great!

-Alex


-Original Message-
From: Johannes Plunien [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2008 6:46 AM
To: catalyst@lists.scsys.co.uk
Subject: [Catalyst] Catalyst::Authentication::Credential::LDAP

Hi,

there's already C::A::Store::LDAP to authenticate users against LDAP
servers. This module fetches a user from LDAP and checks his password
(if you told C::A::Credential::Password password_type => self_check).
In most of my apps I don't want to fetch the user from LDAP, whereas I
just want to check his password against LDAP. The user, his roles and
preferences are stored in a database. So I use
C::A::Store::DBIx::Class to retrieve a user from the store and a
custom C::A::Credential::LDAP to verify his password.
Maybe this setup is used by someone else too and above all
C::A::Credential::LDAP is useful?
If that's the case I'll put it on CPAN - what do you think?

Thanks for your time,
plu

--
Johannes Plunien | mailto:[EMAIL PROTECTED] | http://www.pqpq.de








Re: [Catalyst] Catalyst::Authentication::Credential::LDAP

2008-06-25 Thread Bruce J Keeler

Johannes Plunien wrote:

Hi,

there's already C::A::Store::LDAP to authenticate users against LDAP
servers. This module fetches a user from LDAP and checks his password
(if you told C::A::Credential::Password password_type => self_check).
In most of my apps I don't want to fetch the user from LDAP, whereas I
just want to check his password against LDAP. The user, his roles and
preferences are stored in a database. So I use
C::A::Store::DBIx::Class to retrieve a user from the store and a
custom C::A::Credential::LDAP to verify his password.
Maybe this setup is used by someone else too and above all
C::A::Credential::LDAP is useful?

If that's the case I'll put it on CPAN - what do you think?

Sounds useful.

Also, somewhat apropos, I have a 
C::A::{Store,Credential}::ActiveDirectory  that I based on the LDAP 
stuff.  The LDAP modules didn't work for me because they want to bind 
anonymously and retrieve the crypted password, whereas AD just wants to 
authenticate with a bind.  My stuff also gets role information from AD 
groups.  I've been meaning to get it out on CPAN one of these days, but 
it hasn't been a priority; I suppose I can work on it if anyone else 
needs it though.


Bruce
