- Document how to limit the attributes returned from the LDAP search
+ - Add persist_in_session config option to allow storing of user and its
+ roles in the session without hitting the LDAP store on each request
1.015 20 February 2015
- Escape special characters in user/role names
attrs => [qw( distinguishedname name mail )],
},
user_results_filter => sub { return shift->pop_entry },
+ persist_in_session => 'all',
},
},
},
*bindpw* fields. If this is set to false, then the role search will
instead be performed when bound as the user you authenticated as.
+ persist_in_session
+ Can take one of the following values, defaults to undefined:
+
+ undefined
+ Only store the username in the session and lookup the user and its roles
+ on every request. That was how the module worked until version 1.015 and
+ is also the default for backwards compatibility.
+
+ all
+ Store the user object and its roles in the session and never look it up
+ in the store after login.
+
+ NOTE: It's recommended to limit the user attributes fetched from LDAP
+ using user_search_options / attrs to not exhaust the session store..
+
entry_class
The name of the class of LDAP entries returned. This class should exist
and is expected to be a subclass of Net::LDAP::Entry
attrs => [qw( distinguishedname name mail )],
},
user_results_filter => sub { return shift->pop_entry },
+ persist_in_session => 'all',
},
},
},
fields. If this is set to false, then the role search will instead be
performed when bound as the user you authenticated as.
+=head2 persist_in_session
+
+Can take one of the following values, defaults to undefined:
+
+=head3 undefined
+
+Only store the username in the session and lookup the user and its roles
+on every request. That was how the module worked until version 1.015 and is
+also the default for backwards compatibility.
+
+=head3 all
+
+Store the user object and its roles in the session and never look it up in
+the store after login.
+
+B<NOTE:> It's recommended to limit the user attributes fetched from LDAP
+using L<user_search_options> / attrs to not exhaust the session store..
+
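Review bot: The new POD does not state the security consequence of `all`: once the user object and roles are frozen into the session, a change to the user's LDAP entry or group membership (including role removal or account disablement) is not seen until the session is invalidated, so the session lifetime becomes the upper bound on how long revoked access keeps working. I would add a sentence under `=head3 all` such as `Changes made in LDAP after login, including removed roles, are not visible until the user logs in again; keep session expiry short when using this mode.` The `attrs` advice is also worth stating as a data-exposure point, not only a size one: every attribute fetched is copied into the session store, which may be less protected than the directory. The double period in `session store..` on the last paragraph (and the same sentence in the README hunk above) should be a single period.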
=head2 entry_class
The name of the class of LDAP entries returned. This class should
'deref' => 'always',
},
'role_search_as_user' => 0,
+ 'persist_in_session' => 'all',
);
our $users = Catalyst::Authentication::Store::LDAP::Backend->new(\%config);
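Review bot: Switching the shared fixture to `'persist_in_session' => 'all'` means the default path (plain id in the session, lookup on every request) appears to no longer be exercised by this test file; if no other test covers it, `from_session` with a string id stays untested after this change. I cannot see the rest of the test, so this is inferred from the hunk alone. A second backend built without the option, or a separate test file for the default mode, would keep both branches covered.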
role_filter role_scope role_field role_value
role_search_options start_tls start_tls_options
user_results_filter user_class role_search_as_user
+ persist_in_session
)
);
}
=cut
sub from_session {
- my ( $self, $c, $id ) = @_;
- $self->get_user( $id, $c );
+ my ( $self, $c, $frozenuser ) = @_;
+
+ if ( $self->persist_in_session eq 'all' ) {
+ return $self->user_class->new( $self, $frozenuser->{user}, $c, $frozenuser->{_roles} );
+ }
+
+ return $self->get_user( $frozenuser, $c );
}
1;
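Review bot: `$self->persist_in_session eq 'all'` warns "Use of uninitialized value" on every request in the documented default, because the option is undefined unless set; the same applies to the check in `for_session` further down. Compare against a defined string instead, `if ( ( $self->persist_in_session || '' ) eq 'all' ) {`. The branch also assumes `$frozenuser` is a hashref, but a session created before the option was enabled (or after it was disabled) still holds the old shape, so `$frozenuser->{user}` dies under strict refs on a plain id and `get_user` is handed a hashref in the opposite case; guarding on the stored shape, `if ( ref $frozenuser eq 'HASH' ) {`, and falling through to `get_user` otherwise would make a config switch safe for existing sessions.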
=cut
sub new {
- my ( $class, $store, $user, $c ) = @_;
+ my ( $class, $store, $user, $c, $roles ) = @_;
return unless $user;
- bless { store => $store, user => $user, }, $class;
+ bless { store => $store, user => $user, _roles => $roles }, $class;
}
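Review bot: The new `$roles` parameter to `new` is not documented in the POD that precedes the sub (the `=cut` above suggests it is the constructor's documentation, which starts outside the hunk). I would add a line stating that the optional fifth argument is an arrayref of role names used when the user is restored from a session with `persist_in_session => 'all'`, and that when it is omitted roles are looked up from the store as before. Whether an undefined `_roles` entry is treated as "not yet fetched" depends on the `roles` accessor, which is not in the hunk; worth confirming it tests definedness rather than key existence.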
=head2 id
=head2 for_session
-Returns the User object, stringified.
+Returns the user for persistence in the session depending on the
+persist_in_session config option.
=cut
sub for_session {
my $self = shift;
+
+ if ( $self->store->persist_in_session eq 'all' ) {
+ # use the roles accessor to ensure the roles are fetched
+ return { user => $self->user, _roles => [ $self->roles ] };
+ }
+
return $self->stringify;
}
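Review bot: The hashref returned here carries the full `$self->user` object, which is presumably a blessed Net::LDAP::Entry, so whether it survives a round trip depends on the session store's serializer (Storable-style stores keep blessed objects, text serializers generally do not); that constraint is worth a comment on the return line, `# the entry object is stored as-is; the session serializer must handle blessed refs`. It also means every attribute fetched for the entry is written to the session store, so the `attrs` restriction recommended in the POD is a data-minimisation control as well as a size control. The `eq 'all'` comparison warns when the option is unset, as noted on `from_session`.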