Catalyst::Plugin::Authentication::Store::LDAP.3pm

Langue: en

Version: 2006-02-14 (mandriva - 01/05/08)

Section: 3 (Bibliothèques de fonctions)

Sommaire

NAME

Catalyst::Plugin::Authentication::Store::LDAP
  - Authentication from an LDAP Directory.

SYNOPSIS

     use Catalyst qw/
       Authentication
       Authentication::Store::LDAP
       Authentication::Credential::Password
       /;
 
 

     __PACKAGE__->config(
         'authentication' => {
             'ldap' => {
                 'ldap_server' => 'ldap.yourcompany.com',
                 'ldap_server_options' => {
                     'timeout' => 30,
                 },
                 'binddn' => 'anonymous',
                 'bindpw' => 'dontcarehow',
                 'start_tls' => 1,
                 'start_tls_options' => {
                     'verify' => 'none',
                 },
                 'user_basedn' => 'ou=people,dc=yourcompany,dc=com',
                 'user_filter' => '(&(objectClass=posixAccount)(uid=%s))',
                 'user_scope' => 'one',
                 'user_field' => 'uid',
                 'user_search_options' => {
                     'deref' => 'always',
                 },
                 'use_roles' => 1,
                 'role_basedn' => 'ou=groups,dc=yourcompany,dc=com',
                 'role_filter' => '(&(objectClass=posixGroup)(memberUid=%s))',
                 'role_scope' => 'one',
                 'role_field' => 'uid',
                 'role_value' => 'dn',
                 'role_search_options' => {
                     'deref' => 'always',
                 },
             }
         },
     );
 
 

     sub login : Global {
         my ( $self, $c ) = @_;
 
 

         $c->login( $c->req->param("login"), $c->req->param("password"), );
         $c->res->body("Welcome " . $c->user->username . "!");
     }

DESCRIPTION

This plugin uses "Net::LDAP" to let your application authenticate against an LDAP directory. It has a pretty high degree of flexibility, given the wide variation of LDAP directories and schemas from one system to another.

It authenticates users in two steps:

1) A search of the directory is performed, looking for a user object that
   matches the username you pass.  This is done with the bind credentials 
   supplied in the ``binddn'' and ``bindpw'' configuration options.

2) If that object is found, we then re-bind to the directory as that object.
   Assuming this is successful, the user is Authenticated.  

CONFIGURATION OPTIONS


Configuring with YAML

Set Configuration to be loaded via Config.yml in YourApp.pm

     use YAML qw(LoadFile);
     use Path::Class 'file';
 
 

     __PACKAGE__->config(
         LoadFile(
             file(__PACKAGE__->config->{home}, 'Config.yml')
         )
     );

Settings in Config.yml

     # Config for Store::LDAP
     authentication:
         ldap:
             ldap_server: ldap.yourcompany.com
             ldap_server_options:
                 timeout: 30
             binddn: anonymous
             bindpw: dontcarehow
             start_tls: 1
             start_tls_options:
                 verify: none
             user_basedn: ou=people,dc=yourcompany,dc=com
             user_filter: (&(objectClass=posixAccount)(uid=%s))
             user_scope: one
             user_field: uid
             user_search_options:
                 deref: always
             use_roles: 1
             role_basedn: ou=groups,ou=OxObjects,dc=yourcompany,dc=com
             role_filter: (&(objectClass=posixGroup)(memberUid=%s))
             role_scope: one
             role_field: uid
             role_value: dn
             role_search_options:
                 deref: always

ldap_server

This should be the hostname of your LDAP server.

ldap_server_options

This should be a hashref containing options to pass to Net::LDAP->new(). See Net::LDAP for the full list.

binddn

This should be the DN of the object you wish to bind to the directory as during the first phase of authentication. (The user lookup phase)

If you supply the value ``anonymous'' to this option, we will bind anonymously to the directory. This is the default.

bindpw

This is the password for the initial bind.

start_tls

If this is set to 1, we will convert the LDAP connection to use SSL.

start_tls_options

This is a hashref, which contains the arguments to the Net::LDAP start_tls method. See Net::LDAP for the complete list of options.

user_basedn

This is the basedn for the initial user lookup. Usually points to the top of your ``users'' branch; ie ``ou=people,dc=yourcompany,dc=com''.

user_filter

This is the LDAP Search filter used during user lookup. The special string '%s' will be replaced with the username you pass to $c->login. By default it is set to '(uid=%s)'. Other possibly useful filters:

     (&(objectClass=posixAccount)(uid=%s))
     (&(objectClass=User)(cn=%s))

user_scope

This specifies the scope of the search for the initial user lookup. Valid values are ``base'', ``one'', and ``sub''. Defaults to ``sub''.

user_field

This is the attribute of the returned LDAP object we will use for their ``username''. This defaults to ``uid''. If you had user_filter set to:

     (&(objectClass=User)(cn=%s))

You would probably set this to ``cn''.

user_search_options

This takes a hashref. It will append it's values to the call to Net::LDAP's ``search'' method during the initial user lookup. See Net::LDAP for valid options.

Be careful not to specify:

     filter
     scope
     base

As they are already taken care of by other configuration options.

use_roles

Whether or not to enable role lookups. It defaults to true; set it to 0 if you want to always avoid role lookups.

role_basedn

This should be the basedn where the LDAP Objects representing your roles are.

role_filter

This should be the LDAP Search filter to use during the role lookup. It defaults to '(memberUid=%s)'. The %s in this filter is replaced with the value of the ``role_value'' configuration option.

So, if you had a role_value of ``cn'', then this would be populated with the cn of the User's LDAP object. The special case is a role_value of ``dn'', which will be replaced with the User's DN.

role_scope

This specifies the scope of the search for the user's role lookup. Valid values are ``base'', ``one'', and ``sub''. Defaults to ``sub''.

role_field

Should be set to the Attribute of the Role Object's returned during Role lookup you want to use as the ``name'' of the role. Defaults to ``CN''.

role_value

This is the attribute of the User object we want to use in our role_filter. If this is set to ``dn'', we will use the User Objects DN.

role_search_options

This takes a hashref. It will append it's values to the call to Net::LDAP's ``search'' method during the user's role lookup. See Net::LDAP for valid options.

Be careful not to specify:

     filter
     scope
     base

As they are already taken care of by other configuration options.

METHODS


setup

This method will populate ``default_auth_store'' in Catalyst::Plugin::Authentication with this object.

AUTHORS

Adam Jacob <holoway@cpan.org>

Some parts stolen shamelessly and entirely from Catalyst::Plugin::Authentication::Store::Htpasswd.

THANKS

To nothingmuch, ghenry, castaway and the rest of #catalyst for the help. :)

SEE ALSO

Catalyst::Plugin::Authentication::Store::LDAP, Catalyst::Plugin::Authentication::Store::LDAP::User, Catalyst::Plugin::Authentication::Store::LDAP::Backend, Catalyst::Plugin::Authentication, Net::LDAP Copyright (c) 2005 the aforementioned authors. All rights reserved. This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.