X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FCatalyst%2FAuthentication%2FStore%2FLDAP.pm;h=4769ede81eaea0c56645857cd15a00a7249c590f;hb=0d3c4264e91902605a92fc2f3d4c5b76a7f581cd;hp=11aeb21430dde53e013949a8b99e30f2ddd577a6;hpb=89e899b3685e6a4a8155171041e03d109305adc3;p=catagits%2FCatalyst-Authentication-Store-LDAP.git diff --git a/lib/Catalyst/Authentication/Store/LDAP.pm b/lib/Catalyst/Authentication/Store/LDAP.pm index 11aeb21..4769ede 100644 --- a/lib/Catalyst/Authentication/Store/LDAP.pm +++ b/lib/Catalyst/Authentication/Store/LDAP.pm @@ -3,7 +3,7 @@ package Catalyst::Authentication::Store::LDAP; use strict; use warnings; -our $VERSION = '0.1003_01'; +our $VERSION = '1.016'; use Catalyst::Authentication::Store::LDAP::Backend; @@ -19,9 +19,11 @@ __END__ =pod +=encoding utf-8 + =head1 NAME -Catalyst::Authentication::Store::LDAP +Catalyst::Authentication::Store::LDAP - Authentication from an LDAP Directory. =head1 SYNOPSIS @@ -52,6 +54,7 @@ Catalyst::Authentication::Store::LDAP role_scope => "one", role_search_options => { deref => "always" }, role_value => "dn", + role_search_as_user => 0, start_tls => 1, start_tls_options => { verify => "none" }, entry_class => "MyApp::LDAP::Entry", @@ -59,9 +62,13 @@ Catalyst::Authentication::Store::LDAP user_basedn => "ou=people,dc=yourcompany,dc=com", user_field => "uid", user_filter => "(&(objectClass=posixAccount)(uid=%s))", - user_scope => "one", - user_search_options => { deref => "always" }, + user_scope => "one", # or "sub" for Active Directory + user_search_options => { + deref => 'always', + attrs => [qw( distinguishedname name mail )], + }, user_results_filter => sub { return shift->pop_entry }, + persist_in_session => 'all', }, }, }, 
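Review bot: The newly added `role_search_as_user => 0` sits directly under the example's existing `start_tls_options => { verify => "none" }`, and nothing in the SYNOPSIS warns what that second line does; if the hash is handed to Net::LDAP's start_tls as its name suggests, `verify => "none"` skips server certificate checking, and a config copied from this block would send the binddn password and every re-bind password (step 2 of the DESCRIPTION) over a TLS session any interposed host can terminate. Since the SYNOPSIS is what gets pasted into production, a trailing comment on that line such as `start_tls_options => { verify => "none" },  # example only: "none" disables certificate checks` would be worth adding alongside the new option.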
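Review bot: The SYNOPSIS now enables `persist_in_session => 'all'` without a hint of what it trades away: per the option's own description further down in this commit, the user entry and its roles are never re-read from the store after login, so a group membership revoked in LDAP keeps working until the session ends. A trailing comment on the example line would make that visible, e.g. `persist_in_session => 'all',  # roles/attrs cached in the session until logout`. The `attrs` list added to `user_search_options` matters for the same reason: whatever the search returns is what gets serialised into the session store, so limiting it to the attributes the application needs is a data-minimisation measure as much as a size one.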
@@ -72,8 +79,8 @@ Catalyst::Authentication::Store::LDAP my ( $self, $c ) = @_; $c->authenticate({ - id => $c->req->param("login"), - password => $c->req->param("password") + id => $c->req->param("login"), + password => $c->req->param("password") }); $c->res->body("Welcome " . $c->user->username . "!"); } @@ -84,17 +91,17 @@ This plugin implements the L v.10 API. Read that docum you are upgrading from a previous version of this plugin. This plugin uses C to let your application authenticate against -an LDAP directory. It has a pretty high degree of flexibility, given the -wide variation of LDAP directories and schemas from one system to another. +an LDAP directory. It has a pretty high degree of flexibility, given the +wide variation of LDAP directories and schemas from one system to another. It authenticates users in two steps: 1) A search of the directory is performed, looking for a user object that - matches the username you pass. This is done with the bind credentials + matches the username you pass. This is done with the bind credentials supplied in the "binddn" and "bindpw" configuration options. 2) If that object is found, we then re-bind to the directory as that object. - Assuming this is successful, the user is Authenticated. + Assuming this is successful, the user is Authenticated. =head1 CONFIGURATION OPTIONS @@ -154,9 +161,10 @@ tweeks to the example configuration will work: user_basedn: ou=Domain Users,ou=Accounts,dc=mycompany,dc=com user_field: samaccountname - user_filter: (sAMAccountName=%s) + user_filter: (sAMAccountName=%s) + user_scope: sub -He also notes: "I found the case in the value of user_field to be significant: +He also notes: "I found the case in the value of user_field to be significant: it didn't seem to work when I had the mixed case value there." =head2 ldap_server 
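Review bot: The Active Directory example now spells out `user_scope: sub`, but like the generic `user_filter` text it still does not say whether the username substituted for `%s` in `(sAMAccountName=%s)` is escaped for LDAP filter metacharacters (`*`, `(`, `)`, `\`, NUL) before the search runs; nothing in this hunk shows how the substitution is done, so I cannot tell from here. If the backend escapes it, one sentence saying so belongs next to the `%s` description; if it does not, the docs should tell users to validate `id` before calling `$c->authenticate`, since in the SYNOPSIS that value comes straight from `$c->req->param("login")`.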
@@ -165,7 +173,7 @@ This should be the hostname of your LDAP server. =head2 ldap_server_options -This should be a hashref containing options to pass to L->new(). +This should be a hashref containing options to pass to L->new(). See L for the full list. =head2 binddn @@ -196,7 +204,7 @@ top of your "users" branch; ie "ou=people,dc=yourcompany,dc=com". =head2 user_filter -This is the LDAP Search filter used during user lookup. The special string +This is the LDAP Search filter used during user lookup. The special string '%s' will be replaced with the username you pass to $c->login. By default it is set to '(uid=%s)'. Other possibly useful filters: @@ -253,10 +261,10 @@ Example: } return undef; # i.e., no match } - + =head2 use_roles -Whether or not to enable role lookups. It defaults to true; set it to 0 if +Whether or not to enable role lookups. It defaults to true; set it to 0 if you want to always avoid role lookups. =head2 role_basedn @@ -284,7 +292,7 @@ Should be set to the Attribute of the Role Object's returned during Role lookup =head2 role_value -This is the attribute of the User object we want to use in our role_filter. +This is the attribute of the User object we want to use in our role_filter. If this is set to "dn", we will use the User Objects DN. =head2 role_search_options 
@@ -301,21 +309,62 @@ Be careful not to specify: As they are already taken care of by other configuration options. +=head2 role_search_as_user + +By default this setting is false, and the role search will be performed +by binding to the directory with the details in the I and I +fields. If this is set to false, then the role search will instead be +performed when bound as the user you authenticated as. + +=head2 persist_in_session + +Can take one of the following values, defaults to C: + +=over + +=item C + +Only store the username in the session and lookup the user and its roles +on every request. That was how the module worked until version 1.015 and is +also the default for backwards compatibility. + +=item C + +Store the user object and its roles in the session and never look it up in +the store after login. + +B It's recommended to limit the user attributes fetched from LDAP +using L / attrs to not exhaust the session store. + +=back + +=head2 entry_class + +The name of the class of LDAP entries returned. This class should +exist and is expected to be a subclass of Net::LDAP::Entry + +=head2 user_class + +The name of the class of user object returned. By default, this is +L. + =head1 METHODS =head2 new This method will populate -L with this object. +L with this object. =head1 AUTHORS Adam Jacob +Peter Karman +Alexander Hartmaier Some parts stolen shamelessly and entirely from L. -Currently maintained by Peter Karman . +Currently maintained by Dagfinn Ilmari Mannsåker . =head1 THANKS @@ -326,7 +375,7 @@ To nothingmuch, ghenry, castaway and the rest of #catalyst for the help. :) L, L, L, -L, +L, L =head1 COPYRIGHT & LICENSE
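Review bot: The second sentence of the new `=head2 role_search_as_user` text contradicts the first: both say "false", so a reader cannot tell which value switches the role search to the authenticated user's bind. Given the first sentence and the option name, it should read `If this is set to true, then the role search will instead be performed while bound as the user you authenticated as.` It would also help to state the operational consequence: with the option enabled the role objects must be readable by the user's own directory account, not just by the binddn service account. The new `persist_in_session` text for `all` says the entry and roles are never looked up again after login but does not draw the conclusion; one sentence noting that role changes and revocations in LDAP therefore take effect only at the next login would spare operators a surprise.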