[catagits/Catalyst-Authentication-Store-LDAP.git] / lib / Catalyst / Authentication / Store / LDAP / Backend.pm


=pod

=head1 NAME

Catalyst::Authentication::Store::LDAP::Backend 
  - LDAP authentication storage backend.

=head1 SYNOPSIS

    # you probably just want Store::LDAP under most cases,
    # but if you insist you can instantiate your own store:

    use Catalyst::Authentication::Store::LDAP::Backend;

    use Catalyst qw/
        Authentication
        Authentication::Credential::Password
    /;

    my %config = (
            'ldap_server' => 'ldap1.yourcompany.com',
            'ldap_server_options' => {
                'timeout' => 30,
            },
            'binddn' => 'anonymous',
            'bindpw' => 'dontcarehow',
            'start_tls' => 1,
            'start_tls_options' => {
                'verify' => 'none',
            },
            'user_basedn' => 'ou=people,dc=yourcompany,dc=com',
            'user_filter' => '(&(objectClass=posixAccount)(uid=%s))',
            'user_scope' => 'one',
            'user_field' => 'uid',
            'user_search_options' => {
                'deref' => 'always',
            },
            'user_results_filter' => sub { return shift->pop_entry },
            'entry_class' => 'MyApp::LDAP::Entry',
            'user_class' => 'MyUser',
            'use_roles' => 1,
            'role_basedn' => 'ou=groups,dc=yourcompany,dc=com',
            'role_filter' => '(&(objectClass=posixGroup)(member=%s))',
            'role_scope' => 'one',
            'role_field' => 'cn',
            'role_value' => 'dn',
            'role_search_options' => {
                'deref' => 'always',
            },
            'role_search_as_user' => 0,
    );
    
    our $users = Catalyst::Authentication::Store::LDAP::Backend->new(\%config);

    sub action : Local {
        my ( $self, $c ) = @_;

        $c->login( $users->get_user( $c->req->param("login") ),
            $c->req->param("password") );
    }

=head1 DESCRIPTION

You probably want L<Catalyst::Authentication::Store::LDAP>, unless
you are mixing several stores in a single app and one of them is LDAP.

Otherwise, this lets you create a store manually. 

See the L<Catalyst::Authentication::Store::LDAP> documentation for
an explanation of the configuration options.

=head1 METHODS

=cut

package Catalyst::Authentication::Store::LDAP::Backend;
use base qw( Class::Accessor::Fast );

use strict;
use warnings;

our $VERSION = '0.1004';

use Catalyst::Authentication::Store::LDAP::User;
use Net::LDAP;
use Catalyst::Utils ();

BEGIN {
    __PACKAGE__->mk_accessors(
        qw( ldap_server ldap_server_options binddn
            bindpw entry_class user_search_options
            user_filter user_basedn user_scope
            user_attrs user_field use_roles role_basedn
            role_filter role_scope role_field role_value
            role_search_options start_tls start_tls_options
            user_results_filter user_class role_search_as_user
            )
    );
}

=head2 new($config)

Creates a new L<Catalyst::Authentication::Store::LDAP::Backend> object.
$config should be a hashref, which should contain the configuration options
listed in L<Catalyst::Authentication::Store::LDAP>'s documentation.

Also sets a few sensible defaults.

=cut

sub new {
    my ( $class, $config ) = @_;

    unless ( defined($config) && ref($config) eq "HASH" ) {
        Catalyst::Exception->throw(
            "Catalyst::Authentication::Store::LDAP::Backend needs to be configured with a hashref."
        );
    }
    my %config_hash = %{$config};
    $config_hash{'binddn'}      ||= 'anonymous';
    $config_hash{'user_filter'} ||= '(uid=%s)';
    $config_hash{'user_scope'}  ||= 'sub';
    $config_hash{'user_field'}  ||= 'uid';
    $config_hash{'role_filter'} ||= '(memberUid=%s)';
    $config_hash{'role_scope'}  ||= 'sub';
    $config_hash{'role_field'}  ||= 'cn';
    $config_hash{'use_roles'}   ||= '1';
    $config_hash{'start_tls'}   ||= '0';
    $config_hash{'entry_class'} ||= 'Catalyst::Model::LDAP::Entry';
    $config_hash{'user_class'}  ||= 'Catalyst::Authentication::Store::LDAP::User';
    $config_hash{'role_search_as_user'} ||= 0;

    Catalyst::Utils::ensure_class_loaded($config_hash{'user_class'});
    my $self = \%config_hash;
    bless( $self, $class );
    return $self;
}

=head2 find_user( I<authinfo> )

Creates a L<Catalyst::Authentication::Store::LDAP::User> object
for the given User ID.  This is the preferred mechanism for getting a 
given User out of the Store.

I<authinfo> should be a hashref with a key of either C<id> or
C<username>. The value will be compared against the LDAP C<user_field> field.

=cut

sub find_user {
    my ( $self, $authinfo, $c ) = @_;
    return $self->get_user( $authinfo->{id} || $authinfo->{username} );
}

=head2 get_user($id)

Creates a L<Catalyst::Authentication::Store::LDAP::User> object
for the given User ID.  This is the preferred mechanism for getting a 
given User out of the Store.

=cut

sub get_user {
    my ( $self, $id ) = @_;
    my $user = $self->user_class->new( $self,
        $self->lookup_user($id) );
    return $user;
}

=head2 ldap_connect

Returns a L<Net::LDAP> object, connected to your LDAP server. (According
to how you configured the Backend, of course)

=cut

sub ldap_connect {
    my ($self) = shift;
    my $ldap;
    if ( defined( $self->ldap_server_options() ) ) {
        $ldap
            = Net::LDAP->new( $self->ldap_server,
            %{ $self->ldap_server_options } )
            or Catalyst::Exception->throw($@);
    }
    else {
        $ldap = Net::LDAP->new( $self->ldap_server )
            or Catalyst::Exception->throw($@);
    }
    if ( defined( $self->start_tls ) && $self->start_tls =~ /(1|true)/i ) {
        my $mesg;
        if ( defined( $self->start_tls_options ) ) {
            $mesg = $ldap->start_tls( %{ $self->start_tls_options } );
        }
        else {
            $mesg = $ldap->start_tls;
        }
        if ( $mesg->is_error ) {
            Catalyst::Exception->throw( "TLS Error: " . $mesg->error );
        }
    }
    return $ldap;
}

=head2 ldap_bind($ldap, $binddn, $bindpw)

Bind's to the directory.  If $ldap is undef, it will connect to the
LDAP server first.  $binddn should be the DN of the object you wish
to bind as, and $bindpw the password.

If $binddn is "anonymous", an anonymous bind will be performed.

=cut

sub ldap_bind {
    my ( $self, $ldap, $binddn, $bindpw, $forauth ) = @_;
    $forauth ||= 0;
    $ldap    ||= $self->ldap_connect;
    if ( !defined($ldap) ) {
        Catalyst::Exception->throw("LDAP Server undefined!");
    }
    $binddn ||= $self->binddn;
    $bindpw ||= $self->bindpw;
    if ( $binddn eq "anonymous" ) {
        $self->_ldap_bind_anon($ldap);
    }
    else {
        if ($bindpw) {
            my $mesg = $ldap->bind( $binddn, 'password' => $bindpw );
            if ( $mesg->is_error ) {

                # If we're not checking this bind for authentication purposes
                # Go ahead an blow up if we fail.
                if ( $forauth ne 'forauth' ) {
                    Catalyst::Exception->throw(
                        "Error on Initial Bind: " . $mesg->error );
                }
                else {
                    return undef;
                }
            }
        }
        else {
            $self->_ldap_bind_anon($ldap, $binddn);
        }
    }
    return $ldap;
}

sub _ldap_bind_anon {
    my ($self, $ldap, $dn) = @_;
    my $mesg = $ldap->bind($dn);
    if ( $mesg->is_error ) {
        Catalyst::Exception->throw( "Error on Bind: " . $mesg->error );
    }
}

=head2 lookup_user($id)

Given a User ID, this method will:

  A) Bind to the directory using the configured binddn and bindpw
  B) Perform a search for the User Object in the directory, using
     user_basedn, user_filter, and user_scope.
  C) Assuming we found the object, we will walk it's attributes 
     using L<Net::LDAP::Entry>'s get_value method.  We store the
     results in a hashref.
  D) Return a hashref that looks like: 
     
     $results = {
        'ldap_entry' => $entry, # The Net::LDAP::Entry object
        'attributes' => $attributes,
     }

This method is usually only called by find_user().

=cut

sub lookup_user {
    my ( $self, $id ) = @_;

    # No sneaking in wildcards!
    if ( $id =~ /\*/ ) {
        Catalyst::Exception->throw("ID $id contains wildcards!");
    }
    my $ldap = $self->ldap_bind;
    my @searchopts;
    if ( defined( $self->user_basedn ) ) {
        push( @searchopts, 'base' => $self->user_basedn );
    }
    else {
        Catalyst::Exception->throw(
            "You must set user_basedn before looking up users!");
    }
    my $filter = $self->_replace_filter( $self->user_filter, $id );
    push( @searchopts, 'filter' => $filter );
    push( @searchopts, 'scope'  => $self->user_scope );
    if ( defined( $self->user_search_options ) ) {
        push( @searchopts, %{ $self->user_search_options } );
    }
    my $usersearch = $ldap->search(@searchopts);
    if ( $usersearch->is_error ) {
        Catalyst::Exception->throw(
            "LDAP Error while searching for user: " . $usersearch->error );
    }
    my $userentry;
    my $user_field     = $self->user_field;
    my $results_filter = $self->user_results_filter;
    my $entry;
    if ( defined($results_filter) ) {
        $entry = &$results_filter($usersearch);
    }
    else {
        $entry = $usersearch->pop_entry;
    }
    if ( $usersearch->pop_entry ) {
        Catalyst::Exception->throw(
                  "More than one entry matches user search.\n"
                . "Consider defining a user_results_filter sub." );
    }

    # a little extra sanity check with the 'eq' since LDAP already
    # says it matches.
    # NOTE that Net::LDAP returns exactly what you asked for, but
    # because LDAP is often case insensitive, FoO can match foo
    # and so we normalize with lc().
    if ( defined($entry) ) {
        unless ( lc( $entry->get_value($user_field) ) eq lc($id) ) {
            Catalyst::Exception->throw(
                "LDAP claims '$user_field' equals '$id' but results entry does not match."
            );
        }
        $userentry = $entry;
    }

    $ldap->unbind;
    $ldap->disconnect;
    unless ($userentry) {
        return undef;
    }
    my $attrhash;
    foreach my $attr ( $userentry->attributes ) {
        my @attrvalues = $userentry->get_value($attr);
        if ( scalar(@attrvalues) == 1 ) {
            $attrhash->{ lc($attr) } = $attrvalues[0];
        }
        else {
            $attrhash->{ lc($attr) } = \@attrvalues;
        }
    }
    
    eval { Catalyst::Utils::ensure_class_loaded($self->entry_class) };
    if ( !$@ ) {
        bless( $userentry, $self->entry_class );
        $userentry->{_use_unicode}++;
    }
    my $rv = {
        'ldap_entry' => $userentry,
        'attributes' => $attrhash,
    };
    return $rv;
}

=head2 lookup_roles($userobj, [$ldap])

This method looks up the roles for a given user.  It takes a 
L<Catalyst::Authentication::Store::LDAP::User> object
as it's first argument, and can optionally take a I<Net::LDAP> object which
is used rather than the default binding if supplied.

It returns an array containing the role_field attribute from all the
objects that match it's criteria.

=cut

sub lookup_roles {
    my ( $self, $userobj, $ldap ) = @_;
    if ( $self->use_roles == 0 || $self->use_roles =~ /^false$/i ) {
        return undef;
    }
    $ldap ||= $self->ldap_bind;
    my @searchopts;
    if ( defined( $self->role_basedn ) ) {
        push( @searchopts, 'base' => $self->role_basedn );
    }
    else {
        Catalyst::Exception->throw(
            "You must set up role_basedn before looking up roles!");
    }
    my $filter_value = $userobj->has_attribute( $self->role_value );
    if ( !defined($filter_value) ) {
        Catalyst::Exception->throw( "User object "
                . $userobj->username
                . " has no "
                . $self->role_value
                . " attribute, so I can't look up it's roles!" );
    }
    my $filter = $self->_replace_filter( $self->role_filter, $filter_value );
    push( @searchopts, 'filter' => $filter );
    push( @searchopts, 'scope'  => $self->role_scope );
    push( @searchopts, 'attrs'  => [ $self->role_field ] );
    if ( defined( $self->role_search_options ) ) {
        push( @searchopts, %{ $self->role_search_options } );
    }
    my $rolesearch = $ldap->search(@searchopts);
    my @roles;
RESULT: foreach my $entry ( $rolesearch->entries ) {
        push( @roles, $entry->get_value( $self->role_field ) );
    }
    return @roles;
}

sub _replace_filter {
    my $self    = shift;
    my $filter  = shift;
    my $replace = shift;
    $filter =~ s/\%s/$replace/g;
    return $filter;
}

=head2 user_supports

Returns the value of 
Catalyst::Authentication::Store::LDAP::User->supports(@_).

=cut

sub user_supports {
    my $self = shift;

    # this can work as a class method
    Catalyst::Authentication::Store::LDAP::User->supports(@_);
}

=head2 from_session( I<id> )

Returns get_user() for I<id>.

=cut

sub from_session {
    my ( $self, $c, $id ) = @_;
    $self->get_user($id);
}

1;

__END__

=head1 AUTHORS

Adam Jacob <holoway@cpan.org>

Some parts stolen shamelessly and entirely from
L<Catalyst::Plugin::Authentication::Store::Htpasswd>.

Currently maintained by Peter Karman <karman@cpan.org>.

=head1 THANKS

To nothingmuch, ghenry, castaway and the rest of #catalyst for the help. :)

=head1 SEE ALSO

L<Catalyst::Authentication::Store::LDAP>, L<Catalyst::Authentication::Store::LDAP::User>, L<Catalyst::Plugin::Authentication>, L<Net::LDAP>

=head1 COPYRIGHT & LICENSE

Copyright (c) 2005 the aforementioned authors. All rights
reserved. This program is free software; you can redistribute
it and/or modify it under the same terms as Perl itself.

=cut
Commit	Line	Data
f66d606b	1
	2	=pod
	3
	4	=head1 NAME
	5
	6	Catalyst::Authentication::Store::LDAP::Backend
	7	- LDAP authentication storage backend.
	8
	9	=head1 SYNOPSIS
	10
	11	# you probably just want Store::LDAP under most cases,
	12	# but if you insist you can instantiate your own store:
	13
	14	use Catalyst::Authentication::Store::LDAP::Backend;
	15
	16	use Catalyst qw/
	17	Authentication
	18	Authentication::Credential::Password
	19	/;
	20
	21	my %config = (
	22	'ldap_server' => 'ldap1.yourcompany.com',
	23	'ldap_server_options' => {
	24	'timeout' => 30,
	25	},
	26	'binddn' => 'anonymous',
	27	'bindpw' => 'dontcarehow',
	28	'start_tls' => 1,
	29	'start_tls_options' => {
	30	'verify' => 'none',
	31	},
	32	'user_basedn' => 'ou=people,dc=yourcompany,dc=com',
	33	'user_filter' => '(&(objectClass=posixAccount)(uid=%s))',
	34	'user_scope' => 'one',
	35	'user_field' => 'uid',
	36	'user_search_options' => {
	37	'deref' => 'always',
	38	},
1647b33a	39	'user_results_filter' => sub { return shift->pop_entry },
f66d606b	40	'entry_class' => 'MyApp::LDAP::Entry',
405489b5	41	'user_class' => 'MyUser',
f66d606b	42	'use_roles' => 1,
	43	'role_basedn' => 'ou=groups,dc=yourcompany,dc=com',
	44	'role_filter' => '(&(objectClass=posixGroup)(member=%s))',
	45	'role_scope' => 'one',
	46	'role_field' => 'cn',
	47	'role_value' => 'dn',
	48	'role_search_options' => {
	49	'deref' => 'always',
	50	},
405489b5	51	'role_search_as_user' => 0,
f66d606b	52	);
	53
	54	our $users = Catalyst::Authentication::Store::LDAP::Backend->new(\%config);
	55
	56	sub action : Local {
	57	my ( $self, $c ) = @_;
	58
	59	$c->login( $users->get_user( $c->req->param("login") ),
	60	$c->req->param("password") );
	61	}
	62
	63	=head1 DESCRIPTION
	64
	65	You probably want L<Catalyst::Authentication::Store::LDAP>, unless
	66	you are mixing several stores in a single app and one of them is LDAP.
	67
	68	Otherwise, this lets you create a store manually.
	69
	70	See the L<Catalyst::Authentication::Store::LDAP> documentation for
	71	an explanation of the configuration options.
	72
	73	=head1 METHODS
	74
	75	=cut
	76
	77	package Catalyst::Authentication::Store::LDAP::Backend;
	78	use base qw( Class::Accessor::Fast );
	79
	80	use strict;
	81	use warnings;
	82
405489b5	83	our $VERSION = '0.1004';
f66d606b	84
	85	use Catalyst::Authentication::Store::LDAP::User;
	86	use Net::LDAP;
405489b5	87	use Catalyst::Utils ();
f66d606b	88
	89	BEGIN {
	90	__PACKAGE__->mk_accessors(
	91	qw( ldap_server ldap_server_options binddn
	92	bindpw entry_class user_search_options
	93	user_filter user_basedn user_scope
	94	user_attrs user_field use_roles role_basedn
	95	role_filter role_scope role_field role_value
	96	role_search_options start_tls start_tls_options
405489b5	97	user_results_filter user_class role_search_as_user
f66d606b	98	)
	99	);
	100	}
	101
	102	=head2 new($config)
	103
	104	Creates a new L<Catalyst::Authentication::Store::LDAP::Backend> object.
	105	$config should be a hashref, which should contain the configuration options
	106	listed in L<Catalyst::Authentication::Store::LDAP>'s documentation.
	107
	108	Also sets a few sensible defaults.
	109
	110	=cut
	111
	112	sub new {
	113	my ( $class, $config ) = @_;
	114
	115	unless ( defined($config) && ref($config) eq "HASH" ) {
	116	Catalyst::Exception->throw(
	117	"Catalyst::Authentication::Store::LDAP::Backend needs to be configured with a hashref."
	118	);
	119	}
	120	my %config_hash = %{$config};
	121	$config_hash{'binddn'} \|\|= 'anonymous';
	122	$config_hash{'user_filter'} \|\|= '(uid=%s)';
	123	$config_hash{'user_scope'} \|\|= 'sub';
	124	$config_hash{'user_field'} \|\|= 'uid';
	125	$config_hash{'role_filter'} \|\|= '(memberUid=%s)';
	126	$config_hash{'role_scope'} \|\|= 'sub';
	127	$config_hash{'role_field'} \|\|= 'cn';
	128	$config_hash{'use_roles'} \|\|= '1';
	129	$config_hash{'start_tls'} \|\|= '0';
	130	$config_hash{'entry_class'} \|\|= 'Catalyst::Model::LDAP::Entry';
405489b5	131	$config_hash{'user_class'} \|\|= 'Catalyst::Authentication::Store::LDAP::User';
405489b5	132	$config_hash{'role_search_as_user'} \|\|= 0;
f66d606b	133
405489b5	134	Catalyst::Utils::ensure_class_loaded($config_hash{'user_class'});
f66d606b	135	my $self = \%config_hash;
	136	bless( $self, $class );
	137	return $self;
	138	}
	139
	140	=head2 find_user( I<authinfo> )
	141
	142	Creates a L<Catalyst::Authentication::Store::LDAP::User> object
	143	for the given User ID. This is the preferred mechanism for getting a
	144	given User out of the Store.
	145
	146	I<authinfo> should be a hashref with a key of either C<id> or
	147	C<username>. The value will be compared against the LDAP C<user_field> field.
	148
	149	=cut
	150
	151	sub find_user {
	152	my ( $self, $authinfo, $c ) = @_;
	153	return $self->get_user( $authinfo->{id} \|\| $authinfo->{username} );
	154	}
	155
	156	=head2 get_user($id)
	157
	158	Creates a L<Catalyst::Authentication::Store::LDAP::User> object
	159	for the given User ID. This is the preferred mechanism for getting a
	160	given User out of the Store.
	161
	162	=cut
	163
	164	sub get_user {
	165	my ( $self, $id ) = @_;
405489b5	166	my $user = $self->user_class->new( $self,
f66d606b	167	$self->lookup_user($id) );
	168	return $user;
	169	}
	170
	171	=head2 ldap_connect
	172
	173	Returns a L<Net::LDAP> object, connected to your LDAP server. (According
	174	to how you configured the Backend, of course)
	175
	176	=cut
	177
	178	sub ldap_connect {
	179	my ($self) = shift;
	180	my $ldap;
	181	if ( defined( $self->ldap_server_options() ) ) {
	182	$ldap
	183	= Net::LDAP->new( $self->ldap_server,
	184	%{ $self->ldap_server_options } )
	185	or Catalyst::Exception->throw($@);
	186	}
	187	else {
	188	$ldap = Net::LDAP->new( $self->ldap_server )
	189	or Catalyst::Exception->throw($@);
	190	}
	191	if ( defined( $self->start_tls ) && $self->start_tls =~ /(1\|true)/i ) {
	192	my $mesg;
	193	if ( defined( $self->start_tls_options ) ) {
	194	$mesg = $ldap->start_tls( %{ $self->start_tls_options } );
	195	}
	196	else {
	197	$mesg = $ldap->start_tls;
	198	}
	199	if ( $mesg->is_error ) {
	200	Catalyst::Exception->throw( "TLS Error: " . $mesg->error );
	201	}
	202	}
	203	return $ldap;
	204	}
	205
	206	=head2 ldap_bind($ldap, $binddn, $bindpw)
	207
	208	Bind's to the directory. If $ldap is undef, it will connect to the
	209	LDAP server first. $binddn should be the DN of the object you wish
	210	to bind as, and $bindpw the password.
	211
	212	If $binddn is "anonymous", an anonymous bind will be performed.
	213
	214	=cut
	215
	216	sub ldap_bind {
	217	my ( $self, $ldap, $binddn, $bindpw, $forauth ) = @_;
	218	$forauth \|\|= 0;
	219	$ldap \|\|= $self->ldap_connect;
	220	if ( !defined($ldap) ) {
	221	Catalyst::Exception->throw("LDAP Server undefined!");
	222	}
	223	$binddn \|\|= $self->binddn;
	224	$bindpw \|\|= $self->bindpw;
	225	if ( $binddn eq "anonymous" ) {
405489b5	226	$self->_ldap_bind_anon($ldap);
f66d606b	227	}
	228	else {
	229	if ($bindpw) {
	230	my $mesg = $ldap->bind( $binddn, 'password' => $bindpw );
	231	if ( $mesg->is_error ) {
	232
	233	# If we're not checking this bind for authentication purposes
	234	# Go ahead an blow up if we fail.
	235	if ( $forauth ne 'forauth' ) {
	236	Catalyst::Exception->throw(
	237	"Error on Initial Bind: " . $mesg->error );
	238	}
	239	else {
	240	return undef;
	241	}
	242	}
	243	}
	244	else {
405489b5	245	$self->_ldap_bind_anon($ldap, $binddn);
f66d606b	246	}
	247	}
	248	return $ldap;
	249	}
	250
405489b5	251	sub _ldap_bind_anon {
	252	my ($self, $ldap, $dn) = @_;
	253	my $mesg = $ldap->bind($dn);
	254	if ( $mesg->is_error ) {
	255	Catalyst::Exception->throw( "Error on Bind: " . $mesg->error );
	256	}
	257	}
	258
f66d606b	259	=head2 lookup_user($id)
	260
	261	Given a User ID, this method will:
	262
	263	A) Bind to the directory using the configured binddn and bindpw
	264	B) Perform a search for the User Object in the directory, using
	265	user_basedn, user_filter, and user_scope.
	266	C) Assuming we found the object, we will walk it's attributes
	267	using L<Net::LDAP::Entry>'s get_value method. We store the
	268	results in a hashref.
	269	D) Return a hashref that looks like:
	270
	271	$results = {
	272	'ldap_entry' => $entry, # The Net::LDAP::Entry object
	273	'attributes' => $attributes,
	274	}
	275
1647b33a	276	This method is usually only called by find_user().
f66d606b	277
	278	=cut
	279
	280	sub lookup_user {
	281	my ( $self, $id ) = @_;
	282
	283	# No sneaking in wildcards!
	284	if ( $id =~ /\*/ ) {
	285	Catalyst::Exception->throw("ID $id contains wildcards!");
	286	}
	287	my $ldap = $self->ldap_bind;
	288	my @searchopts;
	289	if ( defined( $self->user_basedn ) ) {
	290	push( @searchopts, 'base' => $self->user_basedn );
	291	}
	292	else {
	293	Catalyst::Exception->throw(
	294	"You must set user_basedn before looking up users!");
	295	}
	296	my $filter = $self->_replace_filter( $self->user_filter, $id );
	297	push( @searchopts, 'filter' => $filter );
	298	push( @searchopts, 'scope' => $self->user_scope );
	299	if ( defined( $self->user_search_options ) ) {
	300	push( @searchopts, %{ $self->user_search_options } );
	301	}
	302	my $usersearch = $ldap->search(@searchopts);
	303	if ( $usersearch->is_error ) {
	304	Catalyst::Exception->throw(
	305	"LDAP Error while searching for user: " . $usersearch->error );
	306	}
	307	my $userentry;
1647b33a	308	my $user_field = $self->user_field;
	309	my $results_filter = $self->user_results_filter;
	310	my $entry;
	311	if ( defined($results_filter) ) {
	312	$entry = &$results_filter($usersearch);
	313	}
	314	else {
	315	$entry = $usersearch->pop_entry;
	316	}
	317	if ( $usersearch->pop_entry ) {
	318	Catalyst::Exception->throw(
	319	"More than one entry matches user search.\n"
	320	. "Consider defining a user_results_filter sub." );
	321	}
	322
	323	# a little extra sanity check with the 'eq' since LDAP already
	324	# says it matches.
5772b468	325	# NOTE that Net::LDAP returns exactly what you asked for, but
	326	# because LDAP is often case insensitive, FoO can match foo
	327	# and so we normalize with lc().
1647b33a	328	if ( defined($entry) ) {
5772b468	329	unless ( lc( $entry->get_value($user_field) ) eq lc($id) ) {
1647b33a	330	Catalyst::Exception->throw(
	331	"LDAP claims '$user_field' equals '$id' but results entry does not match."
	332	);
f66d606b	333	}
1647b33a	334	$userentry = $entry;
f66d606b	335	}
1647b33a	336
f66d606b	337	$ldap->unbind;
	338	$ldap->disconnect;
	339	unless ($userentry) {
	340	return undef;
	341	}
	342	my $attrhash;
	343	foreach my $attr ( $userentry->attributes ) {
	344	my @attrvalues = $userentry->get_value($attr);
	345	if ( scalar(@attrvalues) == 1 ) {
	346	$attrhash->{ lc($attr) } = $attrvalues[0];
	347	}
	348	else {
	349	$attrhash->{ lc($attr) } = \@attrvalues;
	350	}
	351	}
405489b5	352
405489b5	353	eval { Catalyst::Utils::ensure_class_loaded($self->entry_class) };
f66d606b	354	if ( !$@ ) {
	355	bless( $userentry, $self->entry_class );
	356	$userentry->{_use_unicode}++;
	357	}
	358	my $rv = {
	359	'ldap_entry' => $userentry,
	360	'attributes' => $attrhash,
	361	};
	362	return $rv;
	363	}
	364
405489b5	365	=head2 lookup_roles($userobj, [$ldap])
f66d606b	366
	367	This method looks up the roles for a given user. It takes a
	368	L<Catalyst::Authentication::Store::LDAP::User> object
405489b5	369	as it's first argument, and can optionally take a I<Net::LDAP> object which
405489b5	370	is used rather than the default binding if supplied.
f66d606b	371
	372	It returns an array containing the role_field attribute from all the
	373	objects that match it's criteria.
	374
	375	=cut
	376
	377	sub lookup_roles {
405489b5	378	my ( $self, $userobj, $ldap ) = @_;
f66d606b	379	if ( $self->use_roles == 0 \|\| $self->use_roles =~ /^false$/i ) {
	380	return undef;
	381	}
405489b5	382	$ldap \|\|= $self->ldap_bind;
f66d606b	383	my @searchopts;
	384	if ( defined( $self->role_basedn ) ) {
	385	push( @searchopts, 'base' => $self->role_basedn );
	386	}
	387	else {
	388	Catalyst::Exception->throw(
	389	"You must set up role_basedn before looking up roles!");
	390	}
	391	my $filter_value = $userobj->has_attribute( $self->role_value );
	392	if ( !defined($filter_value) ) {
	393	Catalyst::Exception->throw( "User object "
	394	. $userobj->username
	395	. " has no "
	396	. $self->role_value
	397	. " attribute, so I can't look up it's roles!" );
	398	}
	399	my $filter = $self->_replace_filter( $self->role_filter, $filter_value );
	400	push( @searchopts, 'filter' => $filter );
	401	push( @searchopts, 'scope' => $self->role_scope );
	402	push( @searchopts, 'attrs' => [ $self->role_field ] );
	403	if ( defined( $self->role_search_options ) ) {
	404	push( @searchopts, %{ $self->role_search_options } );
	405	}
	406	my $rolesearch = $ldap->search(@searchopts);
	407	my @roles;
ab62b426	408	RESULT: foreach my $entry ( $rolesearch->entries ) {
ab62b426	409	push( @roles, $entry->get_value( $self->role_field ) );
f66d606b	410	}
	411	return @roles;
	412	}
	413
	414	sub _replace_filter {
	415	my $self = shift;
	416	my $filter = shift;
	417	my $replace = shift;
	418	$filter =~ s/\%s/$replace/g;
	419	return $filter;
	420	}
	421
	422	=head2 user_supports
	423
	424	Returns the value of
	425	Catalyst::Authentication::Store::LDAP::User->supports(@_).
	426
	427	=cut
	428
	429	sub user_supports {
	430	my $self = shift;
	431
	432	# this can work as a class method
	433	Catalyst::Authentication::Store::LDAP::User->supports(@_);
	434	}
	435
	436	=head2 from_session( I<id> )
	437
	438	Returns get_user() for I<id>.
	439
	440	=cut
	441
	442	sub from_session {
	443	my ( $self, $c, $id ) = @_;
	444	$self->get_user($id);
	445	}
	446
	447	1;
	448
	449	__END__
	450
	451	=head1 AUTHORS
	452
	453	Adam Jacob <holoway@cpan.org>
	454
	455	Some parts stolen shamelessly and entirely from
	456	L<Catalyst::Plugin::Authentication::Store::Htpasswd>.
	457
	458	Currently maintained by Peter Karman <karman@cpan.org>.
	459
	460	=head1 THANKS
	461
	462	To nothingmuch, ghenry, castaway and the rest of #catalyst for the help. :)
	463
	464	=head1 SEE ALSO
	465
	466	L<Catalyst::Authentication::Store::LDAP>, L<Catalyst::Authentication::Store::LDAP::User>, L<Catalyst::Plugin::Authentication>, L<Net::LDAP>
	467
	468	=head1 COPYRIGHT & LICENSE
	469
	470	Copyright (c) 2005 the aforementioned authors. All rights
	471	reserved. This program is free software; you can redistribute
	472	it and/or modify it under the same terms as Perl itself.
	473
474	=cut
475