Friday, August 22, 2008

LDAP, catalyst, roles and groups

After a day or so of effort, I've got LDAP authorization working for groups/roles. I'm posting my config files here, since they worked for me and someone else may stumble across them and find them useful:

my ldif file is as follows:

objectclass: top
objectclass: organization

dn: cn=admin,
objectClass: simpleSecurityObject
objectclass: organizationalRole
cn: admin
description: LDAP Administrator
userPassword: 123

dn: ou=groups,
objectClass: organizationalUnit
ou: groups
description: generic groups branch

dn: ou=people,
ou: people
description: All people in organisation
objectclass: organizationalunit

dn: cn=researchers,ou=groups,
objectClass: groupofnames
cn: researchers
member: uid=richard,ou=people,

dn: uid=lionel,ou=people,
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Lionel Porcheron
sn: Porcheron
userPassword: password
mail: l@a.b
title: Just a person
initials: LP
ou: people

dn: uid=richard,ou=people,
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Richard Richard
sn: Richard
userPassword: password
mail: r@a.b
title: Researcher and person
initials: R
ou: people
ou: researchers

This LDIF file creates a group: researchers and a couple of people: richard and lionel. Richard is added to the group of researchers.

# Config for Store::LDAP
default_realm: ldap
class: Password
password_field: password
password_type: self_check
class: LDAP
ldap_server: localhost
timeout: 10
binddn: anonymous
bindpw: dontcare
start_tls: 0
verify: none
user_filter: (&(objectClass=organizationalPerson)(uid=%s))
user_scope: sub
user_field: uid
use_roles: 1
role_basedn: ou=groups,
role_filter: (member=%s)
role_scope: one
role_field: cn
role_value: dn
deref: always

This is my config file for catalyst.

sub list : Local {
my ($self, $c) = @_;
$c->assert_user_roles( qw/researchers/ ); # only researchers and view a list.
my $people : Stashed = $c->model('AddressDB::People');
$c->stash->{template} = 'person/list.tt2';

and this is a chunk of text from my controller.

Hope this is helpful - and saves you some time.

No comments: