2 Catalyst::Authentication::Store::LDAP - Authentication from an LDAP
12 default_realm => "ldap",
17 password_field => "password",
18 password_type => "self_check",
21 binddn => "anonymous",
22 bindpw => "dontcarehow",
24 ldap_server => "ldap.yourcompany.com",
25 ldap_server_options => { timeout => 30 },
26 role_basedn => "ou=groups,ou=OxObjects,dc=yourcompany,dc=com",
28 role_filter => "(&(objectClass=posixGroup)(memberUid=%s))",
30 role_search_options => { deref => "always" },
32 role_search_as_user => 0,
34 start_tls_options => { verify => "none" },
35 entry_class => "MyApp::LDAP::Entry",
37 user_basedn => "ou=people,dc=yourcompany,dc=com",
39 user_filter => "(&(objectClass=posixAccount)(uid=%s))",
40 user_scope => "one", # or "sub" for Active Directory
41 user_search_options => {
43 attrs => [qw( distinguishedname name mail )],
45 user_results_filter => sub { return shift->pop_entry },
53 my ( $self, $c ) = @_;
56 id => $c->req->param("login"),
57 password => $c->req->param("password")
59 $c->res->body("Welcome " . $c->user->username . "!");
63 This plugin implements the Catalyst::Authentication v.10 API. Read that
64 documentation first if you are upgrading from a previous version of this
67 This plugin uses "Net::LDAP" to let your application authenticate
68 against an LDAP directory. It has a pretty high degree of flexibility,
69 given the wide variation of LDAP directories and schemas from one system
72 It authenticates users in two steps:
74 1) A search of the directory is performed, looking for a user object
75 that matches the username you pass. This is done with the bind
76 credentials supplied in the "binddn" and "bindpw" configuration options.
78 2) If that object is found, we then re-bind to the directory as that
79 object. Assuming this is successful, the user is Authenticated.
83 Set Configuration to be loaded via Config.yml in YourApp.pm
85 use YAML qw(LoadFile);
86 use Path::Class 'file';
90 file(__PACKAGE__->config->{home}, 'Config.yml')
94 Settings in Config.yml (adapt these to whatever configuration format you
97 # Config for Store::LDAP
104 password_field: password
105 password_type: self_check
108 ldap_server: ldap.yourcompany.com
116 user_basedn: ou=people,dc=yourcompany,dc=com
117 user_filter: (&(objectClass=posixAccount)(uid=%s))
123 role_basedn: ou=groups,ou=OxObjects,dc=yourcompany,dc=com
124 role_filter: (&(objectClass=posixGroup)(memberUid=%s))
131 NOTE: The settings above reflect the default values for OpenLDAP. If you
132 are using Active Directory instead, Matija Grabnar suggests that the
133 following tweeks to the example configuration will work:
135 user_basedn: ou=Domain Users,ou=Accounts,dc=mycompany,dc=com
136 user_field: samaccountname
137 user_filter: (sAMAccountName=%s)
140 He also notes: "I found the case in the value of user_field to be
141 significant: it didn't seem to work when I had the mixed case value
145 This should be the hostname of your LDAP server.
148 This should be a hashref containing options to pass to Net::LDAP->new().
149 See Net::LDAP for the full list.
152 This should be the DN of the object you wish to bind to the directory as
153 during the first phase of authentication. (The user lookup phase)
155 If you supply the value "anonymous" to this option, we will bind
156 anonymously to the directory. This is the default.
159 This is the password for the initial bind.
162 If this is set to 1, we will convert the LDAP connection to use SSL.
165 This is a hashref, which contains the arguments to the Net::LDAP
166 start_tls method. See Net::LDAP for the complete list of options.
169 This is the basedn for the initial user lookup. Usually points to the
170 top of your "users" branch; ie "ou=people,dc=yourcompany,dc=com".
173 This is the LDAP Search filter used during user lookup. The special
174 string '%s' will be replaced with the username you pass to $c->login. By
175 default it is set to '(uid=%s)'. Other possibly useful filters:
177 (&(objectClass=posixAccount)(uid=%s))
178 (&(objectClass=User)(cn=%s))
181 This specifies the scope of the search for the initial user lookup.
182 Valid values are "base", "one", and "sub". Defaults to "sub".
185 This is the attribute of the returned LDAP object we will use for their
186 "username". This defaults to "uid". If you had user_filter set to:
188 (&(objectClass=User)(cn=%s))
190 You would probably set this to "cn". You can also set it to an array, to
191 allow more than one login field. The first field will be returned as
192 identifier for the user.
195 This takes a hashref. It will append it's values to the call to
196 Net::LDAP's "search" method during the initial user lookup. See
197 Net::LDAP for valid options.
199 Be careful not to specify:
205 As they are already taken care of by other configuration options.
208 This is a Perl CODE ref that can be used to filter out multiple results
209 from your LDAP query. In theory, your LDAP query should only return one
210 result and find_user() will throw an exception if it encounters more
211 than one result. However, if you have, for whatever reason, a legitimate
212 reason for returning multiple search results from your LDAP query, use
213 "user_results_filter" to filter out the LDAP entries you do not want
214 considered. Your CODE ref should expect a single argument, a
215 Net::LDAP::Search object, and it should return exactly one value, a
216 Net::LDAP::Entry object.
220 user_results_filter => sub {
221 my $search_obj = shift;
222 foreach my $entry ($search_obj->entries) {
223 return $entry if my_match_logic( $entry );
225 return undef; # i.e., no match
229 Whether or not to enable role lookups. It defaults to true; set it to 0
230 if you want to always avoid role lookups.
233 This should be the basedn where the LDAP Objects representing your roles
237 This should be the LDAP Search filter to use during the role lookup. It
238 defaults to '(memberUid=%s)'. The %s in this filter is replaced with the
239 value of the "role_value" configuration option.
241 So, if you had a role_value of "cn", then this would be populated with
242 the cn of the User's LDAP object. The special case is a role_value of
243 "dn", which will be replaced with the User's DN.
246 This specifies the scope of the search for the user's role lookup. Valid
247 values are "base", "one", and "sub". Defaults to "sub".
250 Should be set to the Attribute of the Role Object's returned during Role
251 lookup you want to use as the "name" of the role. Defaults to "CN".
254 This is the attribute of the User object we want to use in our
255 role_filter. If this is set to "dn", we will use the User Objects DN.
258 This takes a hashref. It will append it's values to the call to
259 Net::LDAP's "search" method during the user's role lookup. See Net::LDAP
262 Be careful not to specify:
268 As they are already taken care of by other configuration options.
271 By default this setting is false, and the role search will be performed
272 by binding to the directory with the details in the *binddn* and
273 *bindpw* fields. If this is set to false, then the role search will
274 instead be performed when bound as the user you authenticated as.
277 The name of the class of LDAP entries returned. This class should exist
278 and is expected to be a subclass of Net::LDAP::Entry
281 The name of the class of user object returned. By default, this is
282 Catalyst::Authentication::Store::LDAP::User.
286 This method will populate "default_auth_store" in
287 Catalyst::Plugin::Authentication with this object.
290 Adam Jacob <holoway@cpan.org>
292 Some parts stolen shamelessly and entirely from
293 Catalyst::Plugin::Authentication::Store::Htpasswd.
295 Currently maintained by Peter Karman <karman@cpan.org>.
298 To nothingmuch, ghenry, castaway and the rest of #catalyst for the help.
302 Catalyst::Authentication::Store::LDAP,
303 Catalyst::Authentication::Store::LDAP::User,
304 Catalyst::Authentication::Store::LDAP::Backend,
305 Catalyst::Plugin::Authentication, Net::LDAP
308 Copyright (c) 2005 the aforementioned authors. All rights reserved. This
309 program is free software; you can redistribute it and/or modify it under
310 the same terms as Perl itself.