Re: [Catalyst] LDAP question

2012-05-22 Thread Kenneth S Mclane
Just before I left yesterday I was successful. It turns out self_check is 
fine, it tells the ldap server to handle the hashing. I found my problem 
was in my "user_field" setting. I had to change it to "mail" from "cn". I 
was thinking it was something used for display only, but apparently it 
needs to match your filter setting. Thanks for all the help.

Tomas Doran wrote on 05/22/2012 05:27:04 AM:

> On 21 May 2012, at 22:24, Kenneth S Mclane wrote:
> 
> > So I should leave it as "self_check"?
> 
> No.
> 
> You set it as plain / don't set it at all, as the password needs to 
> be passed through Catalyst un-mangled - as the auth is done by 
> logging in _as the user_ (and therefore with their password) in LDAP.
> 
> Cheers
> t0m
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


Re: [Catalyst] LDAP question

2012-05-22 Thread Tomas Doran

On 21 May 2012, at 22:24, Kenneth S Mclane wrote:

> So I should leave it as "self_check"?

No.

You set it as plain / don't set it at all, as the password needs to be passed 
through Catalyst un-mangled - as the auth is done by logging in _as the user_ 
(and therefore with their password) in LDAP.

Cheers
t0m


Re: [Catalyst] LDAP question

2012-05-22 Thread Tomas Doran

On 21 May 2012, at 17:12, Kenneth S Mclane wrote:

> I'm going to post this up here to avoid those quoting issues. I'm x'ing out 
> my password for obvious reasons. 
> 

You missed out the app boot, and the initial bind / search… Which are the bits 
I think are going wrong.

Also, I think my bad - you probably want debug option 12, rather than 3 (for a 
more readable dump).

Cheers
t0m




Re: [Catalyst] LDAP question

2012-05-21 Thread Kenneth S Mclane
So I should leave it as "self_check"?

Regards

Kenneth McLane

Luis Muñoz wrote on 05/21/2012 04:21:07 PM:

> On May 21, 2012, at 5:12 PM, Kenneth S Mclane wrote:
> 
> > I'm getting closer. I'm wondering if I need to find out what form 
> they are encrypting the password in? It defaults to SHA-1, but I do 
> not know if that is correct. 
> 
> You do not need that because you're not dealing with the hashes 
> directly. By asking the directory to authenticate, you're offloading
> that problem.
> 
> Best regards.
> 
> -lem
> 
> 


Re: [Catalyst] LDAP question

2012-05-21 Thread Luis Muñoz

On May 21, 2012, at 5:12 PM, Kenneth S Mclane wrote:

> I'm getting closer. I'm wondering if I need to find out what form they are 
> encrypting the password in? It defaults to SHA-1, but I do not know if that 
> is correct. 

You do not need that because you're not dealing with the hashes directly. By 
asking the directory to authenticate, you're offloading that problem.

Best regards.

-lem




Re: [Catalyst] LDAP question

2012-05-21 Thread Kenneth S Mclane
Actually, it is the anonymous bind that is returning the data it seems, 
then when it tries to rebind with the credentials provided it errors out. 
I see it send and receive the following:

Net::LDAP=HASH(0x44d55e0) sending:

30 0C 02 01 01 60 07 02 01 03 04 00 80 00 __ __ 0`

Net::LDAP=HASH(0x44d55e0) received:

30 84 00 00 00 10 02 01 01 61 84 00 00 00 07 0A 0a..
01 00 04 00 04 00 __ __ __ __ __ __ __ __ __ __ ..

Net::LDAP=HASH(0x44d55e0) sending:

30 64 02 01 02 63 5F 04 16 6F 75 3D 62 6C 75 65 0d...c_..ou=blue
70 61 67 65 73 2C 6F 3D 69 62 6D 2E 63 6F 6D 0A pages,o=ibm.com.
01 02 0A 01 02 02 01 00 02 01 00 01 01 00 A0 34 ...4
A3 15 04 0B 6F 62 6A 65 63 74 63 6C 61 73 73 04 objectclass.
06 70 65 72 73 6F 6E A3 1B 04 04 6D 61 69 6C 04 .personmail.
13 6B 73 6D 63 6C 61 6E 65 40 75 73 2E 69 62 6D .ksmcl...@us.ibm
2E 63 6F 6D 30 00 __ __ __ __ __ __ __ __ __ __ .com0.

Net::LDAP=HASH(0x44d55e0) received:
This is a very long hash with ALL the ldap fields.

Strangely it receives again without sending anything.

Net::LDAP=HASH(0x44d55e0) received:

30 84 00 00 00 10 02 01 02 65 84 00 00 00 07 0A 0e..
01 00 04 00 04 00 __ __ __ __ __ __ __ __ __ __ ..

Net::LDAP=HASH(0x44d55e0) sending:

30 05 02 01 03 42 00 __ __ __ __ __ __ __ __ __ 0B.

Then it gives the "Unable to locate user matching user info provided in 
realm: ldap".

I'm getting closer. I'm wondering if I need to find out what form they are 
encrypting the password in? It defaults to SHA-1, but I do not know if 
that is correct.

Kenneth S Mclane/Dubuque/IBM@IBMUS wrote on 05/21/2012 03:34:48 PM:

> ok, making progress, I am getting all the data back in the return 
> hash, however, I get the error: "Unable to locate user matching user
> info provided in realm: ldap" and get redirected back to the login 
> page. I built this using some examples from the tutorial and the 
> definitive guide, so I may have a wire crossed somewhere. Any ideas? 
> 
> Luis Muñoz wrote on 05/21/2012 11:18:48 AM:
> 
> > On May 21, 2012, at 12:02 PM, Kenneth S Mclane wrote:
> > 
> > > I have no control over the LDAP server. How would I change things 
> > > so the submitted username and password would be inserted as the 
> > > credentials to be used as the initial bind? 
> > 
> > You use that from the client.
> > 
> > Below is a snippet from a configuration file from a tool we use at 
> > $work for managing LDAP entries. It works in the way I described 
> > before.
> > 
> > Pay attention to the binddn (the account to do the initial bind) and
> > basedn (the place where you begin your search for a matching 
> > username, using the filter expression). Start simple and build up 
> > your expression to narrow down the tuples that it can retrieve. I'm 
> > pro very strict filters based on object types, but there are perhaps
> > other opinions.
> > 
> > Best regards
> > 
> > -lem
> > 
> > --8<
> > 
> > # Configure the authentication subsystem. This is the component that
> > # validates the current password for change requests. This service is
> > # provided by Catalyst::Authentication::Store::LDAP.
> > # 
> > # The ldap realm is mandatory, as this is used not only for
> > # authentication but for access to the user's LDAP entry, both for
> > # searching and for updating it. This means that we need to use a
> > # binddn with enough privileges to read and write to the
> > # directory. It's not enough to rely on the users' credentials for
> > # rebinding, because in the case of a password recovery, we don't have
> > # user credentials.
> > 
> > authentication:
> >   default_realm: ldap
> >   realms:
> >     ldap:
> >       credential:
> >         class:          Password
> >         password_field: password
> >         password_type:  self_check
> >       store:
> >         class:       LDAP
> >         ldap_server: localhost:3389
> >         binddn:      cn=your_initial_id,dc=domain,dc=com,dc=INVALID
> >         bindpw:      Y0urS3cr3tB!ndP@$sw0rd
> >         user_basedn: ou=The,ou=Container,ou=Hi

Re: [Catalyst] LDAP question

2012-05-21 Thread Kenneth S Mclane
ok, making progress, I am getting all the data back in the return hash, 
however, I get the error: "Unable to locate user matching user info 
provided in realm: ldap" and get redirected back to the login page. I 
built this using some examples from the tutorial and the definitive guide, 
so I may have a wire crossed somewhere. Any ideas?

Luis Muñoz wrote on 05/21/2012 11:18:48 AM:

> On May 21, 2012, at 12:02 PM, Kenneth S Mclane wrote:
> 
> > I have no control over the LDAP server. How would I change things 
> > so the submitted username and password would be inserted as the 
> > credentials to be used as the initial bind? 
> 
> You use that from the client.
> 
> Below is a snippet from a configuration file from a tool we use at 
> $work for managing LDAP entries. It works in the way I described before.
> 
> Pay attention to the binddn (the account to do the initial bind) and
> basedn (the place where you begin your search for a matching 
> username, using the filter expression). Start simple and build up 
> your expression to narrow down the tuples that it can retrieve. I'm 
> pro very strict filters based on object types, but there are perhaps
> other opinions.
> 
> Best regards
> 
> -lem
> 
> --8<
> 
> # Configure the authentication subsystem. This is the component that
> # validates the current password for change requests. This service is
> # provided by Catalyst::Authentication::Store::LDAP.
> # 
> # The ldap realm is mandatory, as this is used not only for
> # authentication but for access to the user's LDAP entry, both for
> # searching and for updating it. This means that we need to use a
> # binddn with enough privileges to read and write to the
> # directory. It's not enough to rely on the users' credentials for
> # rebinding, because in the case of a password recovery, we don't have
> # user credentials.
> 
> authentication:
>   default_realm: ldap
>   realms:
>     ldap:
>       credential:
>         class:          Password
>         password_field: password
>         password_type:  self_check
>       store:
>         class:       LDAP
>         ldap_server: localhost:3389
>         binddn:      cn=your_initial_id,dc=domain,dc=com,dc=INVALID
>         bindpw:      Y0urS3cr3tB!ndP@$sw0rd
>         user_basedn: ou=The,ou=Container,ou=Hierarchy,dc=domain,dc=com,dc=INVALID
>         user_filter: (&(objectClass=inetOrgPerson)(|(uid=%s)(email=%s)))
>         user_field:  uid
>         use_roles:   0
> 
> 


Re: [Catalyst] LDAP question

2012-05-21 Thread Len Jaffe
On Mon, May 21, 2012 at 12:46 PM, Kenneth S Mclane wrote:

> Ok, found it. Thanks, I hate this program so much I give up shortly after
> trying to figure it out. ;-)
>
>
It takes a village.

-- 
lenja...@jaffesystems.com   614-404-4214
www.volunteerable.net - minimally viable and improving daily
Proprietor: http://www.theycomewithcheese.com/ - An Homage to Fromage
Greenbar: Grubmaster: 2012-2009, Grub Asst: 2008, Trained: 2007.


Re: [Catalyst] LDAP question

2012-05-21 Thread Kenneth S Mclane
Ok, found it. Thanks, I hate this program so much I give up shortly after 
trying to figure it out. ;-)

Len Jaffe  wrote on 05/21/2012 11:40:06 AM:



> On Mon, May 21, 2012 at 12:05 PM, Kenneth S Mclane wrote:
> > I must apologize for my company's insistence on using Lotus Notes as
> > a mail client, they are kind of stuck on it since they made it.
> 
> I use it at work too, and despite the insistence on top posting 
> everything, ours has a reply button that uses bog standard '>' to 
> mark the quoted text. 
> 
> -- 
> lenja...@jaffesystems.com   614-404-4214
> www.volunteerable.net - minimally viable and improving iteratively
> Proprietor: http://www.theycomewithcheese.com/ - An Homage to Fromage
> Greenbar: Grubmaster: 2012-2009, Grub Asst: 2008, Trained: 2007.
> 


Re: [Catalyst] LDAP question

2012-05-21 Thread Len Jaffe
On Mon, May 21, 2012 at 12:05 PM, Kenneth S Mclane wrote:

> I must apologize for my company's insistence on using Lotus Notes as a
> mail client, they are kind of stuck on it since they made it.


I use it at work too, and despite the insistence on top posting everything,
ours has a reply button that uses bog standard '>' to mark the quoted
text.

-- 
lenja...@jaffesystems.com   614-404-4214
www.volunteerable.net - minimally viable and improving iteratively
Proprietor: http://www.theycomewithcheese.com/ - An Homage to Fromage
Greenbar: Grubmaster: 2012-2009, Grub Asst: 2008, Trained: 2007.


Re: [Catalyst] LDAP question

2012-05-21 Thread Luis Muñoz

On May 21, 2012, at 12:02 PM, Kenneth S Mclane wrote:

> I have no control over the LDAP server. How would I change things so the 
> submitted username and password would be inserted as the credentials to be 
> used as the initial bind? 

You use that from the client.

Below is a snippet from a configuration file from a tool we use at $work for 
managing LDAP entries. It works in the way I described before.

Pay attention to the binddn (the account to do the initial bind) and basedn 
(the place where you begin your search for a matching username, using the 
filter expression). Start simple and build up your expression to narrow down 
the tuples that it can retrieve. I'm pro very strict filters based on object 
types, but there are perhaps other opinions.

Best regards

-lem

--8<

# Configure the authentication subsystem. This is the component that
# validates the current password for change requests. This service is
# provided by Catalyst::Authentication::Store::LDAP.
# 
# The ldap realm is mandatory, as this is used not only for
# authentication but for access to the user's LDAP entry, both for
# searching and for updating it. This means that we need to use a
# binddn with enough privileges to read and write to the
# directory. It's not enough to rely on the users' credentials for
# rebinding, because in the case of a password recovery, we don't have
# user credentials.

authentication:
  default_realm: ldap
  realms:
    ldap:
      credential:
        class:          Password
        password_field: password
        password_type:  self_check
      store:
        class:       LDAP
        ldap_server: localhost:3389
        binddn:      cn=your_initial_id,dc=domain,dc=com,dc=INVALID
        bindpw:      Y0urS3cr3tB!ndP@$sw0rd
        user_basedn: ou=The,ou=Container,ou=Hierarchy,dc=domain,dc=com,dc=INVALID
        user_filter: (&(objectClass=inetOrgPerson)(|(uid=%s)(email=%s)))
        user_field:  uid
        use_roles:   0




Re: [Catalyst] LDAP question

2012-05-21 Thread Robert Wohlfarth
On Mon, May 21, 2012 at 11:03 AM, Luis Muñoz wrote:

>
> On May 21, 2012, at 11:42 AM, Robert Wohlfarth wrote:
>
> > The standard Catalyst::Authentication::Store::LDAP does not work with
> this model.
>
> I've been told that the "right" way to do authentication against LDAP is
>
> * bind with a read-only set of credentials
> * Lookup the user's entry (here is where you apply your base and filters)
> * Try to bind with the just-found DN and the user-supplied password
>
> The first set of credentials has just enough privileges (via ACLs) so that
> only the required search can be performed. This scheme has the advantage of
> not allowing anon bound sessions to search your tree while supporting user
> hierarchies (that can change as the directory is reorganized).
>

Yes, that is the best way. And Catalyst::Authentication::Store::LDAP works
like this.

For whatever reason, the LDAP server I used was not configured like that.
Or more accurately, I could not find the "read-only set of credentials".
And yes, the LDAP server has a large, flat list of people all with the same
"dn". Like Kenneth, I don't control the LDAP server and cannot change how
it's configured. Bummer, huh?

-- 
Robert Wohlfarth


Re: [Catalyst] LDAP question

2012-05-21 Thread Kenneth S Mclane
I'm going to post this up here to avoid those quoting issues. I'm x'ing 
out my password for obvious reasons.

Net::LDAP=HASH(0x4585ad0) sending:

30 28 02 01 01 60 23 02 01 03 04 13 6B 73 6D 63 0(...`#.ksmc
6C 61 6E 65 40 75 73 2E 69 62 6D 2E 63 6F 6D 80 l...@us.ibm.com.
09 46 6F 7A 7A 79 39 37 36 65 __ __ __ __ __ __ .x

Net::LDAP=HASH(0x4585ad0) received:

30 84 00 00 00 10 02 01 01 61 84 00 00 00 07 0A 0a..
01 31 04 00 04 00 __ __ __ __ __ __ __ __ __ __ .1

[info] *** Request 1 (0.000/s) [12394] [Mon May 21 11:07:26 2012] ***
[debug] Path is "login"
[debug] "POST" request for "login" from "192.168.159.2"
[debug] Body Parameters are:
.-------------+---------------------.
| Parameter   | Value               |
+-------------+---------------------+
| password    |                     |
| username    | ksmcl...@us.ibm.com |
'-------------+---------------------'
[error] Error on Initial Bind: Invalid credentials
[debug] Response Code: 500; Content-Type: text/html; charset=utf-8; 
Content-Length: 20384
[info] Request took 0.186364s (5.366/s)

Needless to say these are valid credentials.



Tomas Doran wrote on 05/21/2012 11:01 AM:

> Your quoting and HTML mail settings are really broken!
> 
> You are not quoting anyone else's email, but just changing its font - 
> which means that anyone using a text mail client without fonts can't see 
> the quoting.
> 
> On 21 May 2012, at 16:18, Kenneth S Mclane wrote:
> 
> > You can turn on LDAP debugging and get a print out of what is actually 
> > going to <=> from the LDAP server, which would help determine which query 
> > specifically is failing. 
> > 
> > I cannot find anything out there on turning on LDAP debugging? 
> > Strangely, if I put my username and password in the bind fields it gives 
> > me Invalid credentials. I authenticate through this ldap server many times 
> > a day, so I'm almost sure it's some setting that is wrong. 
> 
> I'm sure some setting is wrong too!
> 
> But it's going to be hard to guess which one without knowing what error 
> code gets returned, to what query!
> 
> The debugging bit isn't as obvious as I remember it being, sorry about 
> that:
> 
> https://metacpan.org/module/Catalyst::Authentication::Store::LDAP#ldap_server_options
> 
> so you want to set: ldap_server_options => { debug => 3 } # Incoming and 
> outgoing packets
> 
> Cheers
> t0m
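The Net::LDAP debug output quoted in this thread is BER-encoded LDAP protocol. The decoder below is an added example (my code, not the thread's and not part of Net::LDAP or Catalyst) that turns the hex columns of such a dump back into the operation they carry, so the received packet in this message reads as a BindResponse with resultCode 49 (invalidCredentials) instead of a row of bytes; it reports a bind's password by length only, so a decoded dump can be pasted into a list message. The user bind and search request it constructs use placeholder DNs and values.

```python
from typing import Dict, List, Tuple

# LDAP protocolOp application tags (RFC 4511) that appear in the thread's dumps.
OPS = {0x60: 'BindRequest', 0x61: 'BindResponse', 0x63: 'SearchRequest',
       0x64: 'SearchResultEntry', 0x65: 'SearchResultDone', 0x42: 'UnbindRequest'}
RESULT_CODES = {0: 'success', 32: 'noSuchObject', 48: 'inappropriateAuthentication',
                49: 'invalidCredentials'}
SCOPES = {0: 'base', 1: 'one', 2: 'sub'}

def hexdump_to_bytes(dump: str) -> bytes:
    """Keep the 16 hex columns of each Net::LDAP debug line; '__' is padding, the rest ASCII."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[:16]:
            if tok == '__':
                break
            out.append(int(tok, 16))
    return bytes(out)

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV, including the long-form lengths (84 00 00 00 10) the server sends."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    return tag, buf[pos:pos + length], pos + length

def read_seq(value: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed value into its child (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items

def ber_int(val: bytes) -> int:
    return int.from_bytes(val, 'big', signed=True) if val else 0

def decode_filter(tag: int, val: bytes) -> str:
    """Render the filter subset seen in the thread back into RFC 4515 text."""
    if tag in (0xA0, 0xA1):                                   # and / or
        inner = ''.join(decode_filter(t, v) for t, v in read_seq(val))
        return '(%s%s)' % ('&' if tag == 0xA0 else '|', inner)
    if tag == 0xA3:                                           # equalityMatch
        (_, attr), (_, value) = read_seq(val)
        return '(%s=%s)' % (attr.decode(), value.decode())
    return '(<filter tag 0x%02x>)' % tag

def decode_message(pdu: bytes) -> Dict[str, object]:
    tag, body, _ = read_tlv(pdu, 0)
    assert tag == 0x30, 'an LDAPMessage is a SEQUENCE'
    (_, msgid), (op_tag, op) = read_seq(body)[:2]
    out: Dict[str, object] = {'messageID': ber_int(msgid),
                              'op': OPS.get(op_tag, 'tag 0x%02x' % op_tag)}
    if op_tag == 0x60:
        (_, ver), (_, name), (auth_tag, cred) = read_seq(op)
        out['version'] = ber_int(ver)
        out['name'] = name.decode() or '<anonymous>'
        # Never echo a credential out of a packet dump: report the method and length only.
        out['auth'] = ('simple, %d-byte password' % len(cred)) if auth_tag == 0x80 else 'sasl'
    elif op_tag in (0x61, 0x65):                              # both carry an LDAPResult
        (_, code), (_, matched), (_, diag) = read_seq(op)[:3]
        rc = ber_int(code)
        out.update(resultCode=rc, result=RESULT_CODES.get(rc, 'code %d' % rc),
                   matchedDN=matched.decode(), diagnostic=diag.decode())
    elif op_tag == 0x63:
        f = read_seq(op)     # base, scope, deref, sizeLimit, timeLimit, typesOnly, filter, attrs
        out.update(base=f[0][1].decode(), scope=SCOPES.get(ber_int(f[1][1])),
                   filter=decode_filter(*f[6]))
    return out

def decode_dump(dump: str) -> Dict[str, object]:
    return decode_message(hexdump_to_bytes(dump))

# Dumps copied from the thread; none of them carries a credential.
ANON_BIND_DUMP = "30 0C 02 01 01 60 07 02 01 03 04 00 80 00 __ __ 0`"
BIND_RESPONSE_DUMP = """
30 84 00 00 00 10 02 01 01 61 84 00 00 00 07 0A 0a..
01 31 04 00 04 00 __ __ __ __ __ __ __ __ __ __ .1
"""
UNBIND_DUMP = "30 05 02 01 03 42 00 __ __ __ __ __ __ __ __ __ 0B."

def tlv(tag: int, payload: bytes) -> bytes:
    """Short-form BER encoder, used only to construct the two sample PDUs below."""
    return bytes([tag, len(payload)]) + payload

# Constructed samples (placeholder DN, password and filter) shaped like the thread's packets.
SAMPLE_USER_BIND = tlv(0x30, tlv(0x02, b'\x01') + tlv(0x60,
    tlv(0x02, b'\x03') + tlv(0x04, b'uid=alice,ou=staff,dc=example,dc=com')
    + tlv(0x80, b'placeholder-pw')))
SAMPLE_SEARCH = tlv(0x30, tlv(0x02, b'\x02') + tlv(0x63,
    tlv(0x04, b'dc=example,dc=com') + tlv(0x0A, b'\x02') + tlv(0x0A, b'\x00')
    + tlv(0x02, b'\x00') + tlv(0x02, b'\x00') + tlv(0x01, b'\x00')
    + tlv(0xA0, tlv(0xA3, tlv(0x04, b'objectclass') + tlv(0x04, b'person'))
              + tlv(0xA3, tlv(0x04, b'mail') + tlv(0x04, b'alice@example.com')))
    + tlv(0x30, b'')))

if __name__ == '__main__':
    print(decode_dump(BIND_RESPONSE_DUMP), decode_message(SAMPLE_SEARCH))
```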


Re: [Catalyst] LDAP question

2012-05-21 Thread Kenneth S Mclane
I must apologize for my company's insistence on using Lotus Notes as a 
mail client, they are kind of stuck on it since they made it.


Re: [Catalyst] LDAP question

2012-05-21 Thread Kenneth S Mclane
I have no control over the LDAP server. How would I change things so the 
submitted username and password would be inserted as the credentials to be 
used as the initial bind?



Tomas Doran wrote on 05/21/2012 10:57 AM:

> On 21 May 2012, at 16:42, Robert Wohlfarth wrote:
> 
> > On Mon, May 21, 2012 at 9:20 AM, Kenneth S Mclane wrote:
> > They are apparently doing the initial bind with the credentials 
> > submitted by the user, I am getting invalid credentials the way I have it 
> > above, if I change it to anonymous I get a "LDAP Error while searching for 
> > user: No such object".  I could use some suggestions. 
> > 
> > I dealt with an LDAP server that required you to login to query your own 
> > information. The standard Catalyst::Authentication::Store::LDAP does not 
> > work with this model.
> 
> Yes it does! What makes you think it doesn't?
> 
> > So I wrote a credential module that did nothing more than connect to the 
> > LDAP server. If the connection succeeded, then that user is authenticated. 
> 
> That sort of strategy is usually a bad idea, as you're mandating that you 
> have 1 flat level of LDAP for users - you have to know the DN to bind as 
> initially, and so if you do this, you have to concatenate the username to 
> a DN in some way - which means if you ever reorganise your LDAP (for 
> example putting users into grouped OU containers), then your auth will 
> stop working.
> 
> Cheers
> t0m


Re: [Catalyst] LDAP question

2012-05-21 Thread Luis Muñoz

On May 21, 2012, at 11:42 AM, Robert Wohlfarth wrote:

> The standard Catalyst::Authentication::Store::LDAP does not work with this 
> model.

I've been told that the "right" way to do authentication against LDAP is

* bind with a read-only set of credentials
* Lookup the user's entry (here is where you apply your base and filters)
* Try to bind with the just-found DN and the user-supplied password

The first set of credentials has just enough privileges (via ACLs) so that only 
the required search can be performed. This scheme has the advantage of not 
allowing anon bound sessions to search your tree while supporting user 
hierarchies (that can change as the directory is reorganized).

Best regards.

-lem




Re: [Catalyst] LDAP question

2012-05-21 Thread Tomas Doran
Your quoting and HTML mail settings are really broken!

You are not quoting anyone else's email, but just changing its font - which 
means that anyone using a text mail client without fonts can't see the quoting.

On 21 May 2012, at 16:18, Kenneth S Mclane wrote:

> You can turn on LDAP debugging and get a print out of what is actually going 
> to <=> from the LDAP server, which would help determine which query 
> specifically is failing. 
> 
> I cannot find anything out there on turning on LDAP debugging? Strangely, if 
> I put my username and password in the bind fields it gives me Invalid 
> credentials. I authenticate through this ldap server many times a day, so I'm 
> almost sure it's some setting that is wrong. 

I'm sure some setting is wrong too!

But it's going to be hard to guess which one without knowing what error code 
gets returned, to what query!

The debugging bit isn't as obvious as I remember it being, sorry about that:

https://metacpan.org/module/Catalyst::Authentication::Store::LDAP#ldap_server_options

so you want to set: ldap_server_options => { debug => 3 } # Incoming and 
outgoing packets

Cheers
t0m




Re: [Catalyst] LDAP question

2012-05-21 Thread Tomas Doran

On 21 May 2012, at 16:42, Robert Wohlfarth wrote:

> On Mon, May 21, 2012 at 9:20 AM, Kenneth S Mclane wrote:
> They are apparently doing the initial bind with the credentials submitted by 
> the user, I am getting invalid credentials the way I have it above, if I 
> change it to anonymous I get a "LDAP Error while searching for user: No such 
> object".  I could use some suggestions. 
> 
> I dealt with an LDAP server that required you to login to query your own 
> information. The standard Catalyst::Authentication::Store::LDAP does not work 
> with this model.

Yes it does! What makes you think it doesn't?

> So I wrote a credential module that did nothing more than connect to the LDAP 
> server. If the connection succeeded, then that user is authenticated. 

That sort of strategy is usually a bad idea, as you're mandating that you have 
1 flat level of LDAP for users - you have to know the DN to bind as initially, 
and so if you do this, you have to concatenate the username to a DN in some way 
- which means if you ever reorganise your LDAP (for example putting users into 
grouped OU containers), then your auth will stop working.

Cheers
t0m



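The three steps Luis lists in his reply below (bind with a read-only account, look the user up under the base with the filter, rebind with the DN that came back) together with t0m's point above about concatenated DNs, as an added example in Python (my code, not the thread's and not Catalyst::Authentication::Store::LDAP's) run against an in-memory stand-in for the directory. It shows why a search finds users in nested OUs without the app knowing their DN, why the value substituted for %s in user_filter has to be escaped per RFC 4515, and why an empty password must be refused before the rebind, since a simple bind with an empty password is an anonymous bind (the thread's first dump shows one succeeding). The directory contents, DNs, passwords and config values are constructed placeholders, and the fake server's handling of an empty password is an assumption that matches some real servers' defaults.

```python
import re
from typing import Dict, List, Optional

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a filter (the %s in user_filter)."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

def _unescape(s: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)

def _parse(f: str, i: int):
    """Parse the item at f[i] == '(' into ('&'|'|', children) or ('=', attr, value)."""
    if f[i + 1] in '&|':
        op, i, kids = f[i + 1], i + 2, []
        while f[i] != ')':
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    end = f.index(')', i)                 # a ')' inside a value is always escaped as \29
    attr, _, value = f[i + 1:end].partition('=')
    return ('=', attr.lower(), value), end + 1

def _match(node, attrs: Dict[str, List[str]]) -> bool:
    if node[0] in '&|':
        return (all if node[0] == '&' else any)(_match(k, attrs) for k in node[1])
    _, attr, pattern = node
    # An unescaped '*' is a wildcard; an escaped \2a is a literal asterisk.
    rx = '^' + '.*'.join(re.escape(_unescape(p)) for p in pattern.split('*')) + '$'
    return any(re.match(rx, v, re.IGNORECASE) for v in attrs.get(attr, []))

class FakeDirectory:
    """In-memory stand-in for the LDAP server, constructed for this example."""

    def __init__(self, entries: Dict[str, Dict[str, List[str]]], passwords: Dict[str, str]):
        self.entries, self.passwords = entries, passwords

    def bind(self, dn: str, password: str) -> int:
        """LDAP result code: 0 success, 49 invalidCredentials. Assumed behaviour, as on some
        servers by default: an empty password is an anonymous bind and succeeds whatever dn is."""
        if password == '':
            return 0
        return 0 if self.passwords.get(dn) == password else 49

    def search(self, base: str, filter_str: str) -> List[str]:
        node, _ = _parse(filter_str, 0)
        return [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(',' + base.lower()) and _match(node, attrs)]

def authenticate(directory: FakeDirectory, cfg: Dict[str, str],
                 username: str, password: str) -> Optional[str]:
    """Search-then-bind: returns the user's DN on success, None on any failure."""
    if password == '':
        return None                       # would otherwise turn the rebind into an anonymous bind
    if directory.bind(cfg['binddn'], cfg['bindpw']) != 0:
        raise RuntimeError('Error on Initial Bind')
    filt = cfg['user_filter'].replace('%s', escape_filter_value(username))
    dns = directory.search(cfg['user_basedn'], filt)
    if len(dns) != 1:                     # 0: unknown user; >1: the filter is too loose
        return None
    # The DN comes from the directory, never from string concatenation, so users may live in
    # any container under user_basedn and the tree can be reorganised without touching the app.
    return dns[0] if directory.bind(dns[0], password) == 0 else None

# Constructed sample directory: a service account and two people in different containers.
DIRECTORY = FakeDirectory(
    entries={
        'cn=svc-auth,ou=services,dc=example,dc=com': {'objectclass': ['applicationProcess']},
        'uid=alice,ou=staff,dc=example,dc=com':
            {'objectclass': ['person'], 'mail': ['alice@example.com']},
        'uid=bob,ou=contractors,ou=staff,dc=example,dc=com':
            {'objectclass': ['person'], 'mail': ['bob@example.com']},
    },
    passwords={'cn=svc-auth,ou=services,dc=example,dc=com': 'svc-pw',
               'uid=alice,ou=staff,dc=example,dc=com': 'alice-pw',
               'uid=bob,ou=contractors,ou=staff,dc=example,dc=com': 'bob-pw'})

# Mirrors the store keys discussed in the thread, with placeholder values.
CONFIG = {'binddn': 'cn=svc-auth,ou=services,dc=example,dc=com', 'bindpw': 'svc-pw',
          'user_basedn': 'dc=example,dc=com',
          'user_filter': '(&(mail=%s)(objectclass=person))'}

if __name__ == '__main__':
    print(authenticate(DIRECTORY, CONFIG, 'bob@example.com', 'bob-pw'))   # found in a nested OU
    print(authenticate(DIRECTORY, CONFIG, '*', 'x'))                      # escaped: None
    print(DIRECTORY.search(CONFIG['user_basedn'], '(mail=*)'))           # unescaped: everyone
```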


Re: [Catalyst] LDAP question

2012-05-21 Thread Robert Wohlfarth
On Mon, May 21, 2012 at 9:20 AM, Kenneth S Mclane wrote:

> They are apparently doing the initial bind with the credentials submitted
> by the user, I am getting invalid credentials the way I have it above, if I
> change it to anonymous I get a "LDAP Error while searching for user: No
> such object".  I could use some suggestions.
>

I dealt with an LDAP server that required you to login to query your own
information. The standard Catalyst::Authentication::Store::LDAP does not
work with this model. So I wrote a credential module that did nothing more
than connect to the LDAP server. If the connection succeeded, then that
user is authenticated.

E-mail me off list if you would like a copy of that credential module.

-- 
Robert Wohlfarth
rbwohlfa...@gmail.com


Re: [Catalyst] LDAP question

2012-05-21 Thread Kenneth S Mclane
Tomas Doran wrote on 05/21/2012 09:47 AM:

> On 21 May 2012, at 15:20, Kenneth S Mclane wrote:
> 
> > I am continuing on my journey to duplicate a web app for administering a 
> > db. I have all my pages up and running, as well as search functionality. I 
> > decided to attack authentication next. I am using php pages from a 
> > different web app to get the settings for our LDAP server. 
> > 
> > //Connect to ldap server 
> > $ds=ldap_connect("xxx.xxx.xxx.xxx"); 
> > if ($ds) { 
> > //Get ID for intranet user 
> > $sr=ldap_search($ds, "ou=ldap.server, o=domain.com", "mail=$username"); 
> > $info = ldap_get_entries($ds, $sr); 
> > for ($i=0; $i<$info["count"]; $i++) { 
> > $uid=$info[$i]["dn"]; 
> > } 
> > 
> > credential => { 
> > class => 'Password', 
> > password_field => 'password', 
> > password_type => 'self_check', 
> > },
> 
> You don't want self_check here I don't think.

Since the php code didn't have anything here I was going off docs and 
examples. I set it to clear but it made no difference. I am not aware of 
any other settings, haven't had time to research that as yet.

> > store => { 
> > binddn  => "username", 
> > bindpw  => "password", 
> > class => 'LDAP', 
> > ldap_server => '9.17.186.253', 
> > ldap_server_options => { timeout => 30 }, 
> > user_basedn => 'o=domain, o=com', 
> 
> Original code has:
> > "ou=ldap.server, o=domain.com
> 
> as the base? (Although a base higher up the tree should be fine)

I have added and removed that, makes no difference.

> > user_field => 'mail', 
> > user_filter => '(&(mail=%s)(objectclass=person))', 
> 
> You're searching more restrictively than the PHP code.
> 
> Try just 'mail=%s'

Tried this, no joy.

> > user_scope => 'sub', 
> > }, 
> > }, 
> > }, 
> > }, 
> > );
> > 
> > They are apparently doing the initial bind with the credentials 
> > submitted by the user, I am getting invalid credentials the way I have it 
> > above, if I change it to anonymous I get a "LDAP Error while searching for 
> > user: No such object".  I could use some suggestions. 
> 
> You can turn on LDAP debugging and get a print out of what is actually 
> going to <=> from the LDAP server, which would help determine which query 
> specifically is failing.

I cannot find anything out there on turning on LDAP debugging? Strangely, 
if I put my username and password in the bind fields it gives me Invalid 
credentials. I authenticate through this ldap server many times a day, so 
I'm almost sure it's some setting that is wrong. 

> Cheers
> t0m


Re: [Catalyst] LDAP question

2012-05-21 Thread Tomas Doran

On 21 May 2012, at 15:20, Kenneth S Mclane wrote:

> I am continuing on my journey to duplicate a web app for administering a db. 
> I have all my pages up and running, as well as search functionality.  I 
> decided to attack authentication next. I am using php pages from a 
> different web app to get the settings for our LDAP server. 
> 
> //Connect to ldap server 
> $ds=ldap_connect("xxx.xxx.xxx.xxx"); 
> if ($ds) { 
> //Get ID for intranet user 
> $sr=ldap_search($ds, "ou=ldap.server, o=domain.com", 
> "mail=$username"); 
> $info = ldap_get_entries($ds, $sr); 
> for ($i=0; $i<$info["count"]; $i++) { 
> $uid=$info[$i]["dn"]; 
> } 
> 



> credential => { 
> class => 'Password', 
> password_field => 'password', 
> password_type => 'self_check', 
> },

You don't want self_check here I don't think.

> 
> store => { 
> binddn  => "username", 
> bindpw  => "password", 
> class => 'LDAP', 
> ldap_server => '9.17.186.253', 
> ldap_server_options => { timeout => 30 }, 
> user_basedn => 'o=domain, o=com', 

Original code has:
> "ou=ldap.server, o=domain.com


as the base? (Although a base higher up the tree should be fine)

> user_field => 'mail', 
> user_filter => '(&(mail=%s)(objectclass=person))', 

You're searching more restrictively than the PHP code.

Try just 'mail=%s'

> user_scope => 'sub',  
>
> }, 
> }, 
> }, 
> }, 
> );
> 
> They are apparently doing the initial bind with the credentials submitted by 
> the user, I am getting invalid credentials the way I have it above, if I 
> change it to anonymous I get a "LDAP Error while searching for user: No such 
> object".  I could use some suggestions. 

You can turn on LDAP debugging and get a print out of what is actually going to 
<=> from the LDAP server, which would help determine which query specifically 
is failing.

Cheers
t0m


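What the Catalyst LDAP store does when it authenticates (service bind, search for the user, then bind as the user's own DN), and how the Net::LDAP debug output mentioned above is switched on, as an added stand-alone Perl script that is not part of this thread or of Catalyst; it assumes Net::LDAP is installed, and the server, base DN, bind DN and credentials in it are placeholders.

```perl
# Added example, not from this thread or from Catalyst: do by hand what
# Catalyst::Authentication::Store::LDAP does, i.e. bind with binddn/bindpw (or
# anonymously), search for the user, then bind as the user's DN with the
# submitted password. Server, base DN, bind DN and credentials are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value ldap_error_text);

my %cfg = (
    server      => 'ldap.example.com',            # placeholder
    binddn      => 'cn=search,o=example,o=com',   # placeholder; undef = anonymous
    bindpw      => 'search-password',             # placeholder
    user_basedn => 'o=example,o=com',             # placeholder; must exist on the server
    user_filter => '(&(mail=%s)(objectclass=person))',
);

sub authenticate {
    my ($username, $password) = @_;
    # An empty password turns the final bind into an unauthenticated bind,
    # which most servers accept, so reject it before it reaches the server.
    return (0, 'empty password') unless defined $password && length $password;
    # debug => 12 dumps outgoing (4) and incoming (8) PDUs to STDERR; the same
    # key can go into ldap_server_options in the Catalyst config.
    my $ldap = Net::LDAP->new($cfg{server}, timeout => 30, debug => 12)
        or return (0, "connect: $@");
    # Step 1: service bind. "Invalid credentials" here is about binddn/bindpw.
    my $mesg = defined $cfg{binddn}
        ? $ldap->bind($cfg{binddn}, password => $cfg{bindpw})
        : $ldap->bind;
    return (0, 'service bind: ' . ldap_error_text($mesg)) if $mesg->code;
    # Step 2: find the user. The username is escaped so that '*' or ')' cannot
    # rewrite the filter. "No such object" here means user_basedn is wrong.
    (my $filter = $cfg{user_filter}) =~ s/%s/escape_filter_value($username)/e;
    $mesg = $ldap->search(base => $cfg{user_basedn}, scope => 'sub',
                          filter => $filter, attrs => ['1.1']);
    return (0, 'search: ' . ldap_error_text($mesg)) if $mesg->code;
    return (0, 'user not found') if $mesg->count == 0;
    return (0, 'filter matched more than one entry') if $mesg->count > 1;
    my $dn = $mesg->entry(0)->dn;
    # Step 3: bind as the user; only this step proves the password.
    $mesg = $ldap->bind($dn, password => $password);
    $ldap->unbind;
    return $mesg->code ? (0, 'user bind: ' . ldap_error_text($mesg)) : (1, $dn);
}

die "usage: $0 username password\n" unless @ARGV == 2;
my ($ok, $detail) = authenticate(@ARGV);
print $ok ? "authenticated as $detail\n" : "failed: $detail\n";
```

The error labels separate the two symptoms in the thread: a failure at the service bind is a binddn/bindpw problem, while "No such object" from the search points at user_basedn.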


[Catalyst] LDAP question

2012-05-21 Thread Kenneth S Mclane
I am continuing on my journey to duplicate a web app for administering a 
db. I have all my pages up and running, as well as search functionality. I 
decided to attack authentication next. I am using php pages from a 
different web app to get the settings for our LDAP server.

//Connect to ldap server
$ds=ldap_connect("xxx.xxx.xxx.xxx");
if ($ds) {
    //Get ID for intranet user
    $sr=ldap_search($ds, "ou=ldap.server, o=domain.com", "mail=$username");
    $info = ldap_get_entries($ds, $sr);
    for ($i=0; $i<$info["count"]; $i++) {
        $uid=$info[$i]["dn"];   // ends up holding the DN of the last matching entry
    }
    if (strpos($uid,'uid') !== false)
    {
        //Bind to ldap server with $uid and $password to verify
        $bind_results=ldap_bind($ds, "$uid", "$password") or
            die("Could not log you in please check your UserName and Password and try again.");
        if ( $bind_results == "1" ) {
            //Look the user up again to get the display name
            $sr=ldap_search($ds, "ou=bluepages, o=ibm.com", "mail=$username");
            $info = ldap_get_entries($ds, $sr);
            for ($i=0; $i<$info["count"]; $i++) {
                $fullname=$info[$i]["cn"][0];
            }
        }
        // ... session setup follows here in the original (left out of the post)
    }
}

It then goes on to create session stuff, but I want to use the built-in 
LDAP authentication. I have this in my Login.pm:

sub index :Path :Args(0) {
    my ( $self, $c ) = @_;
    # Get the username and password from form
    my $username = $c->request->params->{username};
    my $password = $c->request->params->{password};
    # If the username and password values were found in form
    if ($username && $password) {
        # Attempt to log the user in
        if ($c->authenticate({ username => $username,
                               password => $password } )) {
            # If successful, then let them use the application
            $c->response->redirect($c->uri_for(
                $c->controller('Search')->action_for('search')));
            return;
        } else {
            # Set an error message
            $c->stash(error_msg => "Bad username or password.");
        }
    } else {
        # Set an error message
        $c->stash(error_msg => "Empty username or password.")
            unless ($c->user_exists);
    }
    # If either of above don't work out, send to the login page
    $c->stash(template => 'login.tt2');
}

and this code in my Root.pm:

sub auto :Private {
    my ($self, $c) = @_;
    # Allow unauthenticated users to reach the login page.  This
    # allows unauthenticated users to reach any action in the Login
    # controller.  To lock it down to a single action, we could use:
    # if ($c->action eq $c->controller('Login')->action_for('index'))
    # to only allow unauthenticated access to the 'index' action we
    # added above.
    if ($c->controller eq $c->controller('Login')) {
        return 1;
    }
    # If a user doesn't exist, force login
    if (!$c->user_exists) {
        # Dump a log message to the development server debug output
        $c->log->debug('***Root::auto User not found, forwarding to /login');
        # Redirect the user to the login page
        $c->response->redirect($c->uri_for('/login'));
        # Return 0 to cancel 'post-auto' processing and prevent use of application
        return 0;
    }
    # User found, so return 1 to continue with processing after this 'auto'
    return 1;
}

And in MyApp.pm:

__PACKAGE__->config(
    'authentication' => {
        default_realm => 'ldap',
        realms => {
            ldap => {
                credential => {
                    class => 'Password',
                    password_field => 'password',
                    password_type => 'self_check',
                },
                store => {
                    binddn  => "username",
                    bindpw  => "password",
                    class => 'LDAP',
                    ldap_server => '9.17.186.253',
                    ldap_server_options => { timeout => 30 },
                    user_basedn => 'o=domain, o=com',
                    user_field => 'mail',
                    user_filter => '(&(mail=%s)(objectclass=person))',
                    user_scope => 'sub',
                },
            },
        },
    },
);

They are apparently doing the initial bind with the credentials submitted 
by the user, I am getting invalid credentials the way I have it above, if 
I change it to anonymous I get a "L