Friday, August 22, 2008

LDAP, catalyst, roles and groups

After a day or so of effort, I've got LDAP authorization working for groups/roles. I'm posting my config files here, since they worked for me and someone else may stumble across them and find them useful:

my ldif file is as follows:


dn: o=example.org
objectclass: top
objectclass: organization
o: example.org

dn: cn=admin,o=example.org
objectClass: simpleSecurityObject
objectclass: organizationalRole
cn: admin
description: LDAP Administrator
userPassword: 123

dn: ou=groups,o=example.org
objectClass: organizationalUnit
ou: groups
description: generic groups branch

dn: ou=people,o=example.org
ou: people
description: All people in organisation
objectclass: organizationalunit

dn: cn=researchers,ou=groups,o=example.org
objectClass: groupofnames
cn: researchers
member: uid=richard,ou=people,o=example.org

dn: uid=lionel,ou=people,o=example.org
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: lionel
cn: Lionel Porcheron
sn: Porcheron
userPassword: password
mail: l@a.b
title: Just a person
initials: LP
ou: people

dn: uid=richard,ou=people,o=example.org
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: richard
cn: Richard Richard
sn: Richard
userPassword: password
mail: r@a.b
title: Researcher and person
initials: R
ou: people
ou: researchers

This LDIF file creates one group, researchers, and a couple of people, richard and lionel. Richard is made a member of the researchers group (via the group's member attribute, which is what the role lookup below searches on). Each person entry carries a uid attribute, since the user_filter in the config searches on uid.


# Config for Store::LDAP
authentication:
  default_realm: ldap
  realms:
    ldap:
      credential:
        class: Password
        password_field: password
        # self_check: the store binds to LDAP as the user to verify the password
        password_type: self_check
      store:
        class: LDAP
        ldap_server: localhost
        ldap_server_options:
          timeout: 10
        # anonymous bind for the user/role searches; the password check uses the user's own bind
        binddn: anonymous
        bindpw: dontcare
        # no TLS and no certificate verification: fine only for a localhost test server
        start_tls: 0
        start_tls_options:
          verify: none
        user_basedn: o=example.org
        user_filter: (&(objectClass=organizationalPerson)(uid=%s))
        user_scope: sub
        user_field: uid
        use_roles: 1
        role_basedn: ou=groups,o=example.org
        # %s is replaced by the user's DN (role_value: dn); the group's cn becomes the role name
        role_filter: (member=%s)
        role_scope: one
        role_field: cn
        role_value: dn
        role_search_options:
          deref: always

This is my config file for Catalyst.
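To make the two searches the config above implies visible without a running LDAP server, here is an added example (my own, not code from the original post or from Catalyst) that walks a trimmed copy of the LDIF: it finds the user with user_filter, then searches role_basedn for groups whose member equals the user's DN (role_value: dn) and reports their cn. The filter evaluator and the scope handling are deliberately minimal and are assumptions of this example, not the store's behaviour.

```python
# Constructed LDIF: a trimmed copy of the post's entries, plus the uid attributes.
LDIF = """\
dn: cn=researchers,ou=groups,o=example.org
objectClass: groupOfNames
cn: researchers
member: uid=richard,ou=people,o=example.org
dn: uid=lionel,ou=people,o=example.org
objectClass: organizationalPerson
uid: lionel
dn: uid=richard,ou=people,o=example.org
objectClass: organizationalPerson
uid: richard
ou: researchers
"""
# The store keys from the post's Catalyst config that drive the two searches.
CFG = {"user_basedn": "o=example.org", "role_basedn": "ou=groups,o=example.org",
       "user_filter": "(&(objectClass=organizationalPerson)(uid=%s))",
       "role_filter": "(member=%s)", "role_field": "cn"}

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; a new entry starts at each dn line."""
    entries, attrs = {}, {}
    for line in filter(None, text.splitlines()):
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            attrs = entries[value] = {}
        else:
            attrs.setdefault(key, []).append(value)
    return entries

def matches(attrs, flt):
    """AND/equality-only filter evaluator (all the config needs), case-insensitive."""
    if flt.startswith("(&"):  # (&(a=b)(c=d)) -> ["a=b", "c=d"]
        return all(matches(attrs, "(%s)" % t) for t in flt[3:-2].split(")("))
    attr, _, value = flt[1:-1].partition("=")
    return value.lower() in [v.lower() for v in attrs.get(attr.lower(), [])]

def roles_for(uid, entries):
    """Roles for uid (None unless exactly one user matches); scope is ignored."""
    # Step 1: user search; a real store must escape filter metacharacters in uid first.
    users = [dn for dn, a in entries.items() if dn.lower().endswith(CFG["user_basedn"])
             and matches(a, CFG["user_filter"] % uid)]
    if len(users) != 1:
        return None
    # Step 2: role_value is dn, so the user's DN fills (member=%s); the
    # 'ou: researchers' attribute on richard's own entry plays no part.
    return sorted(a[CFG["role_field"]][0] for dn, a in entries.items()
                  if dn.lower().endswith(CFG["role_basedn"])
                  and matches(a, CFG["role_filter"] % users[0]))
```

roles_for("richard", parse_ldif(LDIF)) yields ["researchers"], lionel gets an empty list, and an unknown uid gets None, which is the case assert_user_roles should treat as a denial.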


sub list : Local {
my ($self, $c) = @_;
$c->assert_user_roles( qw/researchers/ ); # only researchers can view a list
my $people : Stashed = $c->model('AddressDB::People'); # the Stashed attribute puts $people in the stash
$c->stash->{template} = 'person/list.tt2';
}


and this is the relevant chunk of my controller.

Hope this is helpful - and saves you some time.
