Catalyst::Authentication::Store::LDAP::Backend - Catalyst::Authentication::Store::LDAP::Backend documentation

Index

NAME
SYNOPSIS
DESCRIPTION
METHODS
AUTHORS
THANKS
SEE ALSO
COPYRIGHT & LICENSE

Code Index:

package Catalyst::Authentication::Store::LDAP::Backend
__END__
EOF

NAME

Catalyst::Authentication::Store::LDAP::Backend - LDAP authentication storage backend.

SYNOPSIS

    # you probably just want Store::LDAP under most cases,
    # but if you insist you can instantiate your own store:

    use Catalyst::Authentication::Store::LDAP::Backend;

    use Catalyst qw/
        Authentication
        Authentication::Credential::Password
    /;

    my %config = (
            'ldap_server' => 'ldap1.yourcompany.com',
            'ldap_server_options' => {
                'timeout' => 30,
            },
            'binddn' => 'anonymous',
            'bindpw' => 'dontcarehow',
            'start_tls' => 1,
            'start_tls_options' => {
                'verify' => 'none',
            },
            'user_basedn' => 'ou=people,dc=yourcompany,dc=com',
            'user_filter' => '(&(objectClass=posixAccount)(uid=%s))',
            'user_scope' => 'one',  # or 'sub' for Active Directory
            'user_field' => 'uid',
            'user_search_options' => {
                'deref' => 'always',
            },
            'user_results_filter' => sub { return shift->pop_entry },
            'entry_class' => 'MyApp::LDAP::Entry',
            'user_class' => 'MyUser',
            'use_roles' => 1,
            'role_basedn' => 'ou=groups,dc=yourcompany,dc=com',
            'role_filter' => '(&(objectClass=posixGroup)(member=%s))',
            'role_scope' => 'one',
            'role_field' => 'cn',
            'role_value' => 'dn',
            'role_search_options' => {
                'deref' => 'always',
            },
            'role_search_as_user' => 0,
    );

    our $users = Catalyst::Authentication::Store::LDAP::Backend->new(\%config);

DESCRIPTION

You probably want Catalyst::Authentication::Store::LDAP.

Otherwise, this lets you create a store manually.

See the Catalyst::Authentication::Store::LDAP documentation for an explanation of the configuration options.

METHODS

new($config)

Creates a new Catalyst::Authentication::Store::LDAP::Backend object. $config should be a hashref, which should contain the configuration options listed in Catalyst::Authentication::Store::LDAP's documentation.

Also sets a few sensible defaults.

find_user( authinfo, $c )

Creates a Catalyst::Authentication::Store::LDAP::User object for the given User ID. This is the preferred mechanism for getting a given User out of the Store.

authinfo should be a hashref with a key of either id or username. The value will be compared against the LDAP user_field field.

get_user( id, $c)

Creates a Catalyst::Authentication::Store::LDAP::User object for the given User ID, or calls new on the class specified in user_class. This instance of the store object, the results of lookup_user and $c are passed as arguments (in that order) to new. This is the preferred mechanism for getting a given User out of the Store.

ldap_connect

Returns a Net::LDAP object, connected to your LDAP server. (According to how you configured the Backend, of course)

ldap_bind($ldap, $binddn, $bindpw)

Bind's to the directory. If $ldap is undef, it will connect to the LDAP server first. $binddn should be the DN of the object you wish to bind as, and $bindpw the password.

If $binddn is "anonymous", an anonymous bind will be performed.

lookup_user($id)

Given a User ID, this method will:

  A) Bind to the directory using the configured binddn and bindpw
  B) Perform a search for the User Object in the directory, using
     user_basedn, user_filter, and user_scope.
  C) Assuming we found the object, we will walk it's attributes
     using L<Net::LDAP::Entry>'s get_value method.  We store the
     results in a hashref. If we do not find the object, then
     undef is returned.
  D) Return a hashref that looks like:

     $results = {
        'ldap_entry' => $entry, # The Net::LDAP::Entry object
        'attributes' => $attributes,
     }

This method is usually only called by find_user().

lookup_roles($userobj, [$ldap])

This method looks up the roles for a given user. It takes a Catalyst::Authentication::Store::LDAP::User object as it's first argument, and can optionally take a Net::LDAP object which is used rather than the default binding if supplied.

It returns an array containing the role_field attribute from all the objects that match it's criteria.

user_supports

Returns the value of Catalyst::Authentication::Store::LDAP::User->supports(@_).

from_session( id, $c )

Returns get_user() for id.

AUTHORS

Adam Jacob <holoway@cpan.org>

Some parts stolen shamelessly and entirely from Catalyst::Plugin::Authentication::Store::Htpasswd.

Currently maintained by Peter Karman <karman@cpan.org>.

THANKS

To nothingmuch, ghenry, castaway and the rest of #catalyst for the help. :)

COPYRIGHT & LICENSE

package Catalyst::Authentication::Store::LDAP::Backend; use base qw( Class::Accessor::Fast ); use strict; use warnings; our $VERSION = '1.012'; use Catalyst::Authentication::Store::LDAP::User; use Net::LDAP; use Catalyst::Utils (); BEGIN { __PACKAGE__->mk_accessors( qw( ldap_server ldap_server_options binddn bindpw entry_class user_search_options user_filter user_basedn user_scope user_attrs user_field use_roles role_basedn role_filter role_scope role_field role_value role_search_options start_tls start_tls_options user_results_filter user_class role_search_as_user ) ); }

sub new { my ( $class, $config ) = @_; unless ( defined($config) && ref($config) eq "HASH" ) { Catalyst::Exception->throw( "Catalyst::Authentication::Store::LDAP::Backend needs to be configured with a hashref." ); } my %config_hash = %{$config}; $config_hash{'binddn'} ||= 'anonymous'; $config_hash{'user_filter'} ||= '(uid=%s)'; $config_hash{'user_scope'} ||= 'sub'; $config_hash{'user_field'} ||= 'uid'; $config_hash{'role_filter'} ||= '(memberUid=%s)'; $config_hash{'role_scope'} ||= 'sub'; $config_hash{'role_field'} ||= 'cn'; $config_hash{'use_roles'} ||= '1'; $config_hash{'start_tls'} ||= '0'; $config_hash{'entry_class'} ||= 'Catalyst::Model::LDAP::Entry'; $config_hash{'user_class'} ||= 'Catalyst::Authentication::Store::LDAP::User'; $config_hash{'role_search_as_user'} ||= 0; Catalyst::Utils::ensure_class_loaded($config_hash{'user_class'}); my $self = \%config_hash; bless( $self, $class ); return $self; }

sub find_user { my ( $self, $authinfo, $c ) = @_; return $self->get_user( $authinfo->{id} || $authinfo->{username}, $c ); }

sub get_user { my ( $self, $id, $c ) = @_; my $user = $self->user_class->new( $self, $self->lookup_user($id), $c ); return $user; }

sub ldap_connect { my ($self) = shift; my $ldap; if ( defined( $self->ldap_server_options() ) ) { $ldap = Net::LDAP->new( $self->ldap_server, %{ $self->ldap_server_options } ) or Catalyst::Exception->throw($@); } else { $ldap = Net::LDAP->new( $self->ldap_server ) or Catalyst::Exception->throw($@); } if ( defined( $self->start_tls ) && $self->start_tls =~ /(1|true)/i ) { my $mesg; if ( defined( $self->start_tls_options ) ) { $mesg = $ldap->start_tls( %{ $self->start_tls_options } ); } else { $mesg = $ldap->start_tls; } if ( $mesg->is_error ) { Catalyst::Exception->throw( "TLS Error: " . $mesg->error ); } } return $ldap; }

sub ldap_bind { my ( $self, $ldap, $binddn, $bindpw, $forauth ) = @_; $forauth ||= 0; $ldap ||= $self->ldap_connect; if ( !defined($ldap) ) { Catalyst::Exception->throw("LDAP Server undefined!"); } $binddn ||= $self->binddn; $bindpw ||= $self->bindpw; if ( $binddn eq "anonymous" ) { $self->_ldap_bind_anon($ldap); } else { if ($bindpw) { my $mesg = $ldap->bind( $binddn, 'password' => $bindpw ); if ( $mesg->is_error ) { # If we're not checking this bind for authentication purposes # Go ahead an blow up if we fail. if ( $forauth ne 'forauth' ) { Catalyst::Exception->throw( "Error on Initial Bind: " . $mesg->error ); } else { return undef; } } } else { $self->_ldap_bind_anon($ldap, $binddn); } } return $ldap; } sub _ldap_bind_anon { my ($self, $ldap, $dn) = @_; my $mesg = $ldap->bind($dn); if ( $mesg->is_error ) { Catalyst::Exception->throw( "Error on Bind: " . $mesg->error ); } }

sub lookup_user { my ( $self, $id ) = @_; # No sneaking in wildcards! if ( $id =~ /\*/ ) { Catalyst::Exception->throw("ID $id contains wildcards!"); } # Trim trailing space or we confuse ourselves $id =~ s/\s+$//; my $ldap = $self->ldap_bind; my @searchopts; if ( defined( $self->user_basedn ) ) { push( @searchopts, 'base' => $self->user_basedn ); } else { Catalyst::Exception->throw( "You must set user_basedn before looking up users!"); } my $filter = $self->_replace_filter( $self->user_filter, $id ); push( @searchopts, 'filter' => $filter ); push( @searchopts, 'scope' => $self->user_scope ); if ( defined( $self->user_search_options ) ) { push( @searchopts, %{ $self->user_search_options } ); } my $usersearch = $ldap->search(@searchopts); return undef if ( $usersearch->is_error ); my $userentry; my $user_field = $self->user_field; my $results_filter = $self->user_results_filter; my $entry; if ( defined($results_filter) ) { $entry = &$results_filter($usersearch); } else { $entry = $usersearch->pop_entry; } if ( $usersearch->pop_entry ) { Catalyst::Exception->throw( "More than one entry matches user search.\n" . "Consider defining a user_results_filter sub." ); } # a little extra sanity check with the 'eq' since LDAP already # says it matches. # NOTE that Net::LDAP returns exactly what you asked for, but # because LDAP is often case insensitive, FoO can match foo # and so we normalize with lc(). if ( defined($entry) ) { unless ( lc( $entry->get_value($user_field) ) eq lc($id) ) { Catalyst::Exception->throw( "LDAP claims '$user_field' equals '$id' but results entry does not match." ); } $userentry = $entry; } $ldap->unbind; $ldap->disconnect; unless ($userentry) { return undef; } my $attrhash; foreach my $attr ( $userentry->attributes ) { my @attrvalues = $userentry->get_value($attr); if ( scalar(@attrvalues) == 1 ) { $attrhash->{ lc($attr) } = $attrvalues[0]; } else { $attrhash->{ lc($attr) } = \@attrvalues; } } eval { Catalyst::Utils::ensure_class_loaded($self->entry_class) }; if ( !$@ ) { bless( $userentry, $self->entry_class ); $userentry->{_use_unicode}++; } my $rv = { 'ldap_entry' => $userentry, 'attributes' => $attrhash, }; return $rv; }

sub lookup_roles { my ( $self, $userobj, $ldap ) = @_; if ( $self->use_roles == 0 || $self->use_roles =~ /^false$/i ) { return undef; } $ldap ||= $self->ldap_bind; my @searchopts; if ( defined( $self->role_basedn ) ) { push( @searchopts, 'base' => $self->role_basedn ); } else { Catalyst::Exception->throw( "You must set up role_basedn before looking up roles!"); } my $filter_value = $userobj->has_attribute( $self->role_value ); if ( !defined($filter_value) ) { Catalyst::Exception->throw( "User object " . $userobj->username . " has no " . $self->role_value . " attribute, so I can't look up it's roles!" ); } my $filter = $self->_replace_filter( $self->role_filter, $filter_value ); push( @searchopts, 'filter' => $filter ); push( @searchopts, 'scope' => $self->role_scope ); push( @searchopts, 'attrs' => [ $self->role_field ] ); if ( defined( $self->role_search_options ) ) { push( @searchopts, %{ $self->role_search_options } ); } my $rolesearch = $ldap->search(@searchopts); my @roles; RESULT: foreach my $entry ( $rolesearch->entries ) { push( @roles, $entry->get_value( $self->role_field ) ); } return @roles; } sub _replace_filter { my $self = shift; my $filter = shift; my $replace = shift; $filter =~ s/\%s/$replace/g; return $filter; }

sub user_supports { my $self = shift; # this can work as a class method Catalyst::Authentication::Store::LDAP::User->supports(@_); }

sub from_session { my ( $self, $c, $id ) = @_; $self->get_user($id, $c); } 1; __END__