Re: [Catalyst] passwordless LDAP authentication
On Monday 27 July 2009 04:38:35 am Rodrigo wrote:
> Hi all,
> I'm using Catalyst::Authentication::Store::LDAP to authenticate users, but
> now I need to allow some of them to single sign-on without a password, like
> this:
> [...]
>
> I'm looking at the authentication internals and it seems to be missing a
> per-user flag to disable password checking. Only a global realm-based
> password_type=>'none' exists. Am I correct?
>

That's not auth in general, it's Credential::Password. You can write your own credential that implements your own policy and have it do whatever you like.

> To make matters worse, LDAP::User::check_password also checks user roles
> since it needs the password to bind to the LDAP server. That could make it
> more difficult to implement a passwordless flag at any level on the
> authenticate chain.
>

Store::LDAP has an option for whether or not to rebind as the given user when doing role searches. If it's off, and if your LDAP permissions are set appropriately, you shouldn't need the user's password at any phase.

Andrew

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
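Andrew's suggestion written out as an added example (not code from this thread, from Catalyst or from Rodrigo's application): a credential subclass that skips the password check only when the controller itself has flagged the login as trusted SSO, and otherwise falls through to Credential::Password. The class name, the trusted_sso key, and every server, DN and password value in the realm config are assumptions; role_search_as_user is the Store::LDAP option Andrew refers to for role searches without rebinding as the user.

```perl
package MyApp::Authentication::Credential::TrustedOrPassword;
# Hypothetical credential class (added example, not from the thread or Catalyst).
# Policy: a login the controller marked trusted_sso is looked up in the LDAP
# store without a password; anything else behaves like Credential::Password.
use strict;
use warnings;
use base 'Catalyst::Authentication::Credential::Password';
sub authenticate {
    my ( $self, $c, $realm, $authinfo ) = @_;
    my %info = %$authinfo;               # work on a copy of the caller's hash
    # The flag is set by application code, never copied from $c->req->params,
    # so a client cannot ask for the passwordless path itself.
    if ( delete $info{trusted_sso} ) {
        my $pw_field = $self->_config->{password_field} || 'password';
        delete $info{$pw_field};         # find_user must never see a password
        my $user = $realm->find_user( \%info, $c );
        unless ( ref $user ) {
            $c->log->debug("SSO login attempted for unknown user '$info{id}'")
                if $c->debug;
            return;
        }
        $c->log->info("SSO login for '$info{id}', password check skipped");
        return $user;                    # the realm marks it authenticated
    }
    # Untrusted path: the usual LDAP::User::check_password bind as the user.
    return $self->SUPER::authenticate( $c, $realm, $authinfo );
}
1;
# Realm wiring in MyApp.pm; server, DNs and the bind password are placeholders.
# __PACKAGE__->config( 'Plugin::Authentication' => {
#     default_realm => 'ldap',
#     realms => { ldap => {
#         credential => {
#             class          => '+MyApp::Authentication::Credential::TrustedOrPassword',
#             password_field => 'password',
#             password_type  => 'self_check',    # LDAP::User does the bind
#         },
#         store => {
#             class               => 'LDAP',
#             ldap_server         => 'ldap.example.com',
#             binddn              => 'cn=catalyst,ou=services,dc=example,dc=com',
#             bindpw              => 'BIND_PASSWORD_PLACEHOLDER',
#             user_basedn         => 'ou=people,dc=example,dc=com',
#             user_field          => 'uid',
#             role_search_as_user => 0,            # roles searched with binddn
#         },
#     } },
# } );
# Controller: $c->authenticate({ id => $user, trusted_sso => 1 });      # SSO
#             $c->authenticate({ id => $user, password => $password }); # normal
```

With role_search_as_user left at 0, role lookups run under the service binddn, so the SSO branch never needs the user's password at any stage.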
[Catalyst] passwordless LDAP authentication
Hi all,

I'm using Catalyst::Authentication::Store::LDAP to authenticate users, but now I need to allow some of them to single sign-on without a password, like this:

    if ( $is_sso ) {
        $c->authenticate({ id => $user });                        ## I trust this dude, so skip the check_password sub
    }
    else {
        $c->authenticate({ id => $user, password => $password }); ## old fashioned
    }

I'm looking at the authentication internals and it seems to be missing a per-user flag to disable password checking. Only a global realm-based password_type=>'none' exists. Am I correct?

On the other hand, switching realms to a passwordless LDAP where password_type=>'none' either duplicates information senselessly, or is a little bit messy since it needs a MyApp.pm startup config hack. But it seems like the only doable option right now.

To make matters worse, LDAP::User::check_password also checks user roles since it needs the password to bind to the LDAP server. That could make it more difficult to implement a passwordless flag at any level on the authenticate chain.

Any views on this?

regards,
rodrigo