I see what the problem is now.

I would store it locally using a Memcached server, and would use the session_id 
as the key..

That way you can use the auto-expire feature, thus functioning like a key-ring.

In case you have multiple servers handling the requests, they can always 
connect to the memcached server and share the info.

Francisco

On Feb 27, 2012, at 1:43 PM, Birger Burkhardt wrote:

> Hi Francisco,
> 
> sorry, but I think we are not talking about the same thing.
> 1.) The GUI uses its own LDAP Bind credentials for Directory search purposes.
> 2.) On user login, the catalyst app binds to LDAP via the credentials of the 
> user. On success, session is established, user is logged in. So far so good 
> everything working up to here.
> 3.) After successful login, the user performs some actions on the LDAP server 
> via the GUI. This has to be done with the (somewhere) stored credentials of 
> the user. In a new request, $c->user->ldap_connection tries to establish a 
> connection with the ldap-server and fails, because the password is gone. So 
> somewhere the password has to be stored ...
> 
> Best regards,
> Birger
> 
> 
> On Mon, Feb 27, 2012 at 10:20 PM, Francisco Obispo <fobi...@isc.org> wrote:
> You don't need to store the password... You just need to have a session id 
> that has a short lifetime while you browse..  
> 
> 
> You can tie that session id with an ip address for additional security .
> 
> Francisco
> 
> On Feb 27, 2012, at 1:06 PM, Birger Burkhardt <sysde...@googlemail.com> wrote:
> 
>> Hi Francisco,
>> 
>> thank you for your reply. I already use sessions (FastMmap for Storage and 
>> Cookies for State). I can login to the GUI via my LDAP credentials. But the 
>> problem is: every further request has to be done with my personal 
>> credentials. Therefore the password should be stored somewhere safe. I don't 
>> want to store the user password in an unencrypted session variable.
>> 
>> Best regards,
>> Birger
>> 
>> 
>> On Mon, Feb 27, 2012 at 6:52 PM, Francisco Obispo <fobi...@isc.org> wrote:
>> Hi Birger,
>> 
>> Once you've authenticated with LDAP, or with any backend, it is important 
>> that you store the session information somewhere.. Some people use a 
>> database, memcached, tmp file, or any other method.
>> 
>> That way, when the client comes with the next request, he will offer a 
>> cookie that can be verified for authorization purposes.
>> 
>> francisco
>> 
>> 
>> 
>> On Feb 27, 2012, at 2:30 AM, Birger Burkhardt wrote:
>> 
>> > Hello Peter,
>> >
>> > thank you for your reply.
>> >
>> > no, I am not storing these credentials as I thought the module would do 
>> > this. I also tried to use the following package, but it doesn't work 
>> > either:
>> >
>> > http://cpansearch.perl.org/src/BOBTFISH/Catalyst-Model-LDAP-FromAuthentication-0.02/README
>> >
>> > According to this changelog (see entry in Version 1.007):
>> > http://cpan.uwinnipeg.ca/htdocs/Catalyst-Authentication-Store-LDAP/Changes.html
>> > the user object has to be serialized and stored in the session. Do you 
>> > have an idea how to do this?
>> >
>> > Best regards,
>> > Birger
>> >
>> >
>> > On Sat, Feb 25, 2012 at 3:41 AM, Peter Karman <pe...@peknet.com> wrote:
>> > Birger Burkhardt wrote on 2/24/12 7:22 AM:
>> >
>> > > After successful authentication, all further request
>> > > should be executed via the credentials of the logged in user.
>> > >
>> >
>> > are you somehow storing those credentials so that they persist over the 
>> > life of
>> > the session? The LDAP authn plugin does not do that for you, afaik. The
>> > credentials exist only for the life of that particular login HTTP request.
>> >
>> > or maybe I'm misunderstanding what you're trying to do?
>> >
>> > > In the login controller the user is authenticated
>> > > [...]
>> > >         # Get the username and password from form
>> > >         my $username = $c->request->params->{username};
>> > >         my $password = $c->request->params->{password};
>> > >
>> > >         # If the username and password values were found in form
>> > >         if ($username && $password) {
>> > >             # Attempt to log the user in
>> > >             if ($c->authenticate({ username => $username,
>> > >                                    password => $password })) {
>> > > [...]
>> > >
>> > > But when I do a new request from within another controller, I get an LDAP
>> > > error meaning the credentials are invalid:
>> > >
>> > > code in other controller:
>> > > [...]
>> > >     my $ldapconn = $c->user->ldap_connection();
>> > >     my $mesg = $ldapconn->search(base   => "ou=users,dc=example,dc=com",
>> > >                                  filter => "(uid=*)");
>> > >     my @entries = $mesg->sorted('uid');
>> > >     $c->stash(users => \@entries,);
>> > >     $c->stash(template => 'userList.tt2');
>> > > [...]
>> > >
>> >
>> >
>> > --
>> > Peter Karman  .  http://peknet.com/  .  pe...@peknet.com
>> >
>> > _______________________________________________
>> > List: Catalyst@lists.scsys.co.uk
>> > Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
>> > Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
>> > Dev site: http://dev.catalyst.perl.org/
>> >
>> 
>> Francisco Obispo
>> email: fobi...@isc.org
>> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
>> PGP KeyID = B38DB1BE
>> 
>> 
> 

Francisco Obispo 
email: fobi...@isc.org
Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
PGP KeyID = B38DB1BE
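Added example (not code from this thread or from Catalyst): one way to implement Francisco's suggestion, keeping the user's bind password out of the session store by parking it in memcached under a key derived from the Catalyst session id, with a short TTL so it expires on its own, and re-binding with it on each later request. The module name, the memcached address, the TTL and the LDAP host are assumptions.

```perl
# Hypothetical helper module (not part of Catalyst or the poster's app).
package MyApp::LdapCredCache;
use strict;
use warnings;
use Cache::Memcached;
use Net::LDAP;
use Digest::SHA qw(sha256_hex);

# Assumed memcached server; it holds live passwords, so restrict it to the
# app servers at the network level and do not share it with other tenants.
my $memd = Cache::Memcached->new({ servers => ['127.0.0.1:11211'] });
my $TTL  = 15 * 60;   # seconds of idle time before the credential vanishes

# Hash the session id so the raw id (the cookie value) is never a key name.
sub _key { 'ldapcred:' . sha256_hex($_[0]) }

# Call once, right after $c->authenticate(...) has succeeded, with
# $c->sessionid and the DN/password the user just proved knowledge of.
sub remember {
    my ($sid, $dn, $password) = @_;
    $memd->set(_key($sid), { dn => $dn, pw => $password }, $TTL);
}

# Call from other controllers: bind as the user for this request only.
# Returns a bound Net::LDAP handle, or undef if the credential expired
# (or the bind failed), so the caller can send the user back to login.
sub bind_as_user {
    my ($sid, $host) = @_;
    my $cred = $memd->get(_key($sid)) or return;
    $memd->set(_key($sid), $cred, $TTL);           # sliding expiry on use
    my $ldap = Net::LDAP->new($host) or return;
    my $mesg = $ldap->bind($cred->{dn}, password => $cred->{pw});
    return $mesg->code ? undef : $ldap;
}

# Call on logout so the password does not linger until the TTL runs out.
sub forget { $memd->delete(_key($_[0])) }

1;
```

In the login action this would be `MyApp::LdapCredCache::remember($c->sessionid, $c->user->ldap_entry->dn, $password)`, and the user-list controller would replace `$c->user->ldap_connection()` with `MyApp::LdapCredCache::bind_as_user($c->sessionid, 'ldap.example.com')` and redirect to login when it returns undef.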

