
This queue is for tickets about the Catalyst-Authentication-Store-LDAP CPAN distribution.

Report information
The Basics
Id: 57209
Status: rejected
Priority: 0/
Queue: Catalyst-Authentication-Store-LDAP

People
Owner: karman [...] cpan.org
Requestors: jlu [...] akk.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Catalyst::Authentication::Store::LDAP - statically configure roles
Date: Tue, 4 May 2010 21:12:32 +0200
To: Peter Karman <karman [...] cpan.org>
From: Jochen Lutz <jlu [...] akk.org>
Hello. For a Catalyst project which authenticates against an LDAP server whose groups I can't influence (and admin won't adjust), I implemented statically configurable roles. I would be happy if you would include my patch in the upstream source. The patch is version 1.008.

Sincerely
Jochen

--- LDAP.pm.orig 2010-05-04 20:05:32.000000000 +0200 +++ LDAP.pm 2010-05-04 21:10:35.000000000 +0200
@@ -41,28 +41,33 @@ password_type => "self_check", }, store => { - binddn => "anonymous", - bindpw => "dontcarehow", - class => "LDAP", - ldap_server => "ldap.yourcompany.com", - ldap_server_options => { timeout => 30 }, - role_basedn => "ou=groups,ou=OxObjects,dc=yourcompany,dc=com", - role_field => "uid", - role_filter => "(&(objectClass=posixGroup) (memberUid=%s))", - role_scope => "one", - role_search_options => { deref => "always" }, - role_value => "dn", - role_search_as_user => 0, - start_tls => 1, - start_tls_options => { verify => "none" }, - entry_class => "MyApp::LDAP::Entry", - use_roles => 1, - user_basedn => "ou=people,dc=yourcompany,dc=com", - user_field => "uid", - user_filter => "(&(objectClass=posixAccount) (uid=%s))", - user_scope => "one", - user_search_options => { deref => "always" }, - user_results_filter => sub { return shift->pop_entry }, + binddn => "anonymous", + bindpw => "dontcarehow", + class => "LDAP", + ldap_server => "ldap.yourcompany.com", + ldap_server_options => { timeout => 30 }, + role_basedn => "ou=groups,ou=OxObjects,dc=yourcompany,dc=com", + role_field => "uid", + role_filter => "(&(objectClass=posixGroup) (memberUid=%s))", + role_scope => "one", + role_search_options => { deref => "always" }, + role_value => "dn", + role_search_as_user => 0, + start_tls => 1, + start_tls_options => { verify => "none" }, + entry_class => "MyApp::LDAP::Entry", + use_roles => 1, + user_basedn => "ou=people,dc=yourcompany,dc=com", + user_field => "uid", + user_filter => "(&(objectClass=posixAccount) (uid=%s))", + user_scope => "one", + user_search_options => { deref => "always" }, + user_results_filter => sub { return shift->pop_entry }, + static_roles_map => { + 'dn1' => [ 'role1', 'role3', 'role4' ], + 'dn2' => [ 'role2', 'role3' ], + }, + static_roles_default => [ 'role1', 'role2' ], }, }, }, 
@@ -147,6 +152,10 @@ role_value: dn role_search_options: deref: always + static_roles_default: [ 'role1', 'role2' ], + static_roles_map: { + 'dn1' => [ 'role1', 'role3', 'role4' ], + 'dn2' => [ 'role2', 'role3' ], B<NOTE:> The settings above reflect the default values for OpenLDAP. If you @@ -258,7 +267,8 @@ =head2 use_roles Whether or not to enable role lookups. It defaults to true; set it to 0 if -you want to always avoid role lookups. +you want to always avoid role lookups. Set it to 'static' if you want to enable +static role configuration =head2 role_basedn @@ -319,6 +329,16 @@ The name of the class of user object returned. By default, this is L<Catalyst::Authentication::Store::LDAP::User>. +=head2 static_roles_map + +A hashref containing the roles for LDAP users. Use the dn (distinguished name) +as key. + +=head2 static_roles_default + +When static roles is enabled this specifies the list of groups a user gets if +no configuration for him is set. + =head1 METHODS =head2 new --- LDAP/Backend.pm.orig 2010-04-03 04:56:34.000000000 +0200 +++ LDAP/Backend.pm 2010-05-04 21:10:43.000000000 +0200 @@ -49,6 +49,11 @@ 'deref' => 'always', }, 'role_search_as_user' => 0, + 'static_roles_map' => { + 'dn1' => [ 'role1', 'role3', 'role4' ], + 'dn2' => [ 'role2', 'role3' ], + }, + 'static_roles_default' => [ 'role1', 'role2' ], ); our $users = Catalyst::Authentication::Store::LDAP::Backend->new (\%config); @@ -87,6 +92,7 @@ role_filter role_scope role_field role_value role_search_options start_tls start_tls_options user_results_filter user_class role_search_as_user + static_roles_default static_roles_map ) ); } 
@@ -372,6 +378,16 @@ sub lookup_roles { my ( $self, $userobj, $ldap ) = @_; + if ( $self->use_roles =~ /^static$/i ) { + my $user = $userobj->ldap_entry->dn; + + if ( exists $self->static_roles_map->{$user} ) { + return $self->static_roles_map->{$user}; + } + else { + return $self->static_roles_default; + } + } if ( $self->use_roles == 0 || $self->use_roles =~ /^false$/i ) { return undef; }
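Review bot: the @@ -41 hunk of LDAP.pm re-indents the entire documented store configuration, so every existing key appears as a removed and re-added line although only the five lines from `+ static_roles_map => {` to `+ static_roles_default => [ 'role1', 'role2' ],` are new; keep the original indentation and add just those lines so the change is reviewable and does not conflict with other edits to that POD block.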
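Review bot: the @@ -147 hunk of LDAP.pm puts Perl syntax into the YAML configuration example: `+ static_roles_default: [ 'role1', 'role2' ],` carries a trailing comma, and `+ static_roles_map: {` uses `=>` for its entries and is never closed, so the documented configuration no longer parses as YAML. Write it in the surrounding file's YAML style, with `static_roles_map:` followed by indented `dn1: [ role1, role3, role4 ]` style entries and no trailing commas.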
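Review bot: the @@ -319 hunk of LDAP.pm documents `static_roles_default` as the roles a user gets "if no configuration for him is set" without saying that this applies to every authenticated LDAP user not listed in `static_roles_map`, and the example value `[ 'role1', 'role2' ]` makes an unlisted user privileged by default. State that static mode skips the LDAP group search entirely, that map keys are matched against the user's full DN, and show an empty default list so that a missing or mistyped map entry fails closed. The `use_roles` sentence added in the @@ -258 hunk is also missing its final period.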
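Review bot: the static branch added to lookup_roles in the @@ -372 hunk of Backend.pm returns an array reference (`return $self->static_roles_map->{$user};` and `return $self->static_roles_default;`) where callers expect a list of role names, as the follow-up in this ticket also concludes, so a role check sees a single reference instead of the configured roles; dereference with `return @{ $self->static_roles_map->{$user} };` and `return @{ $self->static_roles_default };`. The branch also assumes both new accessors are set: with `use_roles => 'static'` and no `static_roles_map` configured, `exists $self->static_roles_map->{$user}` dies on an undefined hash reference, so default them to `{}` and `[]` in new. Finally, `$userobj->ldap_entry->dn` is compared with the map keys byte for byte, so a key written with different case or spacing silently falls through to `static_roles_default`; normalise both sides before the lookup or document the exact-match requirement.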
Subject: Re: [rt.cpan.org #57209] AutoReply: Catalyst::Authentication::Store::LDAP - statically configure roles
Date: Sun, 9 May 2010 18:28:20 +0200
To: bug-Catalyst-Authentication-Store-LDAP [...] rt.cpan.org
From: Jochen Lutz <jlu [...] akk.org>
On 04.05.2010 at 21:49, Bugs in Catalyst-Authentication-Store-LDAP via RT wrote:
> This message has been automatically generated in response to the
> creation of a trouble ticket regarding:
> "Catalyst::Authentication::Store::LDAP - statically configure roles",
> a summary of which appears below.
>
> There is no need to reply to this message right now. Your ticket has been
> assigned an ID of [rt.cpan.org #57209]. Your ticket is accessible
> on the web at:
>
> https://rt.cpan.org/Ticket/Display.html?id=57209
>
> Please include the string:
>
> [rt.cpan.org #57209]
>
> in the subject line of all future correspondence about this issue. To do so,
> you may reply to this message.
I found a bug in my patch, which prevents Catalyst::ActionRole::ACL from working correctly.
> --- LDAP/Backend.pm.orig 2010-04-03 04:56:34.000000000 +0200 > +++ LDAP/Backend.pm 2010-05-04 21:10:43.000000000 +0200 > @@ -372,6 +378,16 @@ > > sub lookup_roles { > my ( $self, $userobj, $ldap ) = @_; > + if ( $self->use_roles =~ /^static$/i ) { > + my $user = $userobj->ldap_entry->dn; > + > + if ( exists $self->static_roles_map->{$user} ) { > + return $self->static_roles_map->{$user}; > + } > + else { > + return $self->static_roles_default; > + } > + } > if ( $self->use_roles == 0 || $self->use_roles =~ /^false$/i ) { > return undef; > }
This should be:

    if ( $self->use_roles =~ /^static$/i ) {
        my $user = $userobj->ldap_entry->dn;

        # lookup_roles must return a list of role names, not an array reference
        if ( exists $self->static_roles_map->{$user} ) {
            return @{ $self->static_roles_map->{$user} };
        }
        else {
            return @{ $self->static_roles_default };
        }
    }

Sincerely
Jochen
Why not just create your own subclass of C:A:S:LDAP? That way you can stay up to date with the upstream via CPAN and have your customizations. These static roles of yours are a very niche feature.
On Fri May 21 18:49:01 2010, FRIED wrote:
> Why not just create your own subclass of C:A:S:LDAP? That way you can
> stay up to date with the upstream via CPAN and have your
> customizations. These static roles of yours are a very niche feature.
I'm inclined this way myself. Is there something we can change about the module to make it easier to extend/subclass? It's a nice feature, but as an extension to LDAP, and not properly part of the core module.
Having not heard back in several weeks, I'm going to close this ticket. If you can think of anything that would make it easier to maintain your local subclass, please let us know.
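The subclass route suggested above, written out as an added example that is not part of this ticket's patch or of the distribution. It assumes the backend is built on Class::Accessor::Fast (so mk_accessors and the stored config keys work as in the patch), that lookup_roles returns a list of role names, and that the store is selected with `class => '+MyApp::Authentication::Store::StaticLDAP'` using the plugin's leading-plus convention; `_normalise_dn` is a helper introduced here.

```perl
package MyApp::Authentication::Store::StaticLDAP;
# Added example: static roles as a subclass of the upstream backend,
# so the distribution itself stays unpatched. Assumptions: the backend
# uses Class::Accessor::Fast, keeps unknown config keys on $self, and
# lookup_roles($self, $userobj, $ldap) returns a list of role names.
use strict;
use warnings;
use base 'Catalyst::Authentication::Store::LDAP::Backend';

__PACKAGE__->mk_accessors(qw( static_roles_map static_roles_default ));

# Helper introduced for this example: fold case and strip spacing around
# RDN separators so 'CN=Alice, OU=People' and 'cn=alice,ou=people' match.
# This is a simplification of DN matching, not a full RFC 4517 comparison.
sub _normalise_dn {
    my ($dn) = @_;
    $dn = lc $dn;
    $dn =~ s/\s*,\s*/,/g;
    $dn =~ s/\s*=\s*/=/g;
    return $dn;
}

sub lookup_roles {
    my ( $self, $userobj, $ldap ) = @_;

    # Any mode other than 'static' is handled by the upstream module.
    my $mode = $self->use_roles;
    return $self->SUPER::lookup_roles( $userobj, $ldap )
        unless defined $mode && $mode =~ /^static$/i;

    # Missing config must not die: treat an absent map as empty.
    my $map = $self->static_roles_map || {};
    my %by_dn = map { _normalise_dn($_) => $map->{$_} } keys %{$map};

    my $dn = _normalise_dn( $userobj->ldap_entry->dn );

    # Users not in the map get the default list, which is empty unless
    # the deployer opts in, so a typo in a DN fails closed.
    my $roles = exists $by_dn{$dn} ? $by_dn{$dn}
                                   : ( $self->static_roles_default || [] );
    return @{$roles};
}

1;
```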