On Mon, May 21, 2012 at 11:03 AM, Luis Muñoz <[email protected]> wrote:
> On May 21, 2012, at 11:42 AM, Robert Wohlfarth wrote:
>
> > The standard Catalyst::Authentication::Store::LDAP does not work with
> > this model.
>
> I've been told that the "right" way to do authentication against LDAP is
>
> * bind with a read-only set of credentials
> * Lookup the user's entry (here is where you apply your base and filters)
> * Try to bind with the just-found DN and the user-supplied password
>
> The first set of credentials has just enough privileges (via ACLs) so that
> only the required search can be performed. This scheme has the advantage of
> not allowing anon bound sessions to search your tree while supporting user
> hierarchies (that can change as the directory is reorganized).

Yes, that is the best way. And Catalyst::Authentication::Store::LDAP works
like this. For whatever reason, the LDAP server I used was not configured
like that. Or more accurately, I could not find the "read-only set of
credentials". And yes, the LDAP server has a large, flat list of people all
with the same "dn". Like Kenneth, I don't control the LDAP server and cannot
change how it's configured. Bummer, huh?

--
Robert Wohlfarth
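The three-step flow Luis describes (service bind, search, re-bind as the user) in plain Net::LDAP, as an added example that is not part of the thread or of Catalyst::Authentication::Store::LDAP. The host, service-account DN, password and search base are placeholders; the search attribute and the `person` object class are assumptions about the directory schema. The two checks a practitioner would want are also shown: an empty password is refused before any bind (with a DN but no password, LDAP performs an unauthenticated bind that many servers accept), and the username is escaped so it cannot change the search filter.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Placeholder settings; replace with the values for your directory.
my %cfg = (
    host      => 'ldap.example.com',                             # placeholder
    bind_dn   => 'cn=catalyst-ro,ou=services,dc=example,dc=com', # placeholder
    bind_pw   => 'SERVICE_ACCOUNT_PASSWORD',                     # placeholder
    base      => 'ou=people,dc=example,dc=com',                  # placeholder
    user_attr => 'uid',          # assumption: the login name lives in uid
);

# Returns the user's DN on success, undef on any failure.
sub ldap_authenticate {
    my ($username, $password) = @_;

    # A non-empty DN with an empty password is an *unauthenticated* bind
    # (RFC 4513 section 5.1.2); many servers accept it, so refuse it here.
    return undef unless defined $password && length $password;

    my $ldap = Net::LDAP->new($cfg{host}, version => 3)
        or die "cannot connect to $cfg{host}: $@";

    # Step 1: bind with the read-only service credentials.
    my $mesg = $ldap->bind($cfg{bind_dn}, password => $cfg{bind_pw});
    die 'service bind failed: ' . $mesg->error if $mesg->code;

    # Step 2: find the user's entry. escape_filter_value() stops input
    # such as "*" or ")(objectClass=*" from altering the filter.
    my $filter = sprintf '(&(objectClass=person)(%s=%s))',
        $cfg{user_attr}, escape_filter_value($username);
    $mesg = $ldap->search(
        base   => $cfg{base},
        scope  => 'sub',
        filter => $filter,
        attrs  => ['1.1'],   # "1.1" = return no attributes, only DNs
    );
    die 'search failed: ' . $mesg->error if $mesg->code;

    # Exactly one entry must match; zero or several is a failure.
    if ($mesg->count != 1) {
        $ldap->unbind;
        return undef;
    }
    my $dn = $mesg->entry(0)->dn;

    # Step 3: re-bind as the user with the password they supplied.
    $mesg = $ldap->bind($dn, password => $password);
    my $ok = !$mesg->code;
    $ldap->unbind;
    return $ok ? $dn : undef;
}

# Usage: perl ldap_auth.pl <username> <password>
my $dn = ldap_authenticate($ARGV[0] // '', $ARGV[1] // '');
print $dn ? "authenticated as $dn\n" : "authentication failed\n";
```

The service account only needs ACL rights to read the DN of entries under the search base, which is the "just enough privileges" point in Luis's message; the user's own bind in step 3 is what actually proves the password. In a Catalyst application this is what Store::LDAP does when its `binddn`/`bindpw` options are set, so the hand-rolled version is useful mainly for testing a directory you do not control.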
_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
