Discussion:
[jifty-devel] LDAP Plugins
Max Baker
2008-12-10 01:40:03 UTC
Hi All,

I'm a new Jifty user, long time Mason developer (see Netdisco). This
thing is cool!!!

I am building a project and want to use our LDAP server to
authenticate. There seems to be a lot of different plugins, and I'm not
sure which one to use.

1. AuthLDAPLogin
2. AuthLDAPOnly
3. AuthzLDAP
4. Authentication::Ldap

My requirements for the plugin are
1. LDAP server is read-only, just used to get some user information and
to authenticate
2. Have a local User module that stores application-specific fields

And a nice to have is
1. Auto add users to the local table as they login using LDAP, even if
they did not exist in the local table before. In other words all users
can use the service, but I don't want to add all users to the local
table -- only the users who are using the application.

Any suggestions? I've tried following what's in AuthLDAPLogin, but it
tells me "Can't locate Jifty/Plugin/Login.pm". Do I need to do
something to get the Login plugin to install?

Thanks!
-m
Yves Agostini
2008-12-10 08:52:01 UTC
Post by Max Baker
Hi All,
I'm a new Jifty user, long time Mason developer (see Netdisco). This
thing is cool!!!
I know netdisco, very nice stuff ;)
Post by Max Baker
I am building a project and want to use our LDAP server to
authenticate. There seems to be a lot of different plugins, and I'm not
sure which one to use.
1. AuthLDAPLogin
2. AuthLDAPOnly
3. AuthzLDAP
4. Authentication::Ldap
My requirements for the plugin are
1. LDAP server is read-only, just used to get some user information and
to authenticate
2. Have a local User module that stores application-specific fields
And a nice to have is
1. Auto add users to the local table as they login using LDAP, even if
they did not exist in the local table before. In other words all users
can use the service, but I don't want to add all users to the local
table -- only the users who are using the application.
Any suggestions? I've tried following what's in AuthLDAPLogin, but it
tells me "Can't locate Jifty/Plugin/Login.pm". Do I need to do
something to get the Login plugin to install?
Unlucky: AuthLDAPLogin and AuthLDAPOnly are deprecated.

You need to use Authentication::Ldap. Authentication::Ldap adds all
users to your local user table, where you can easily add fields.
https://svn.univ-metz.fr/svnweb/index.cgi/pub_Uguest/view/trunk/lib/Uguest/Model/User.pm

You can use AuthzLDAP to add a filter on LDAP attributes to find which
users can write in your application.

Here you can find a sample use of AuthzLDAP:
https://svn.univ-metz.fr/svnweb/index.cgi/pub_Uguest/view/trunk/lib/Uguest/Dispatcher.pm

You can certainly write your own plugin (Authentication::LdapReader ?)
where you don't register users in the local table.
--
---------------------------------------------------------------
AGOSTINI Yves CRI - Université Paul Verlaine - Metz
***@univ-metz.fr http://www.crium.univ-metz.fr
tel: 03 87 31 52 63 fax: 03 87 31 53 33 PGP: 842CC261
Max Baker
2008-12-12 02:47:36 UTC
Hi Yves,
Post by Yves Agostini
Unlucky: AuthLDAPLogin and AuthLDAPOnly are deprecated.
Good to know, thanks for your help.
Post by Yves Agostini
You need to use Authentication::Ldap. Authentication::Ldap adds all
users to your local user table, where you can easily add fields.
https://svn.univ-metz.fr/svnweb/index.cgi/pub_Uguest/view/trunk/lib/Uguest/Model/User.pm
You can use AuthzLDAP to add a filter on LDAP attributes to find which
users can write in your application.
Here you can find a sample use of AuthzLDAP:
https://svn.univ-metz.fr/svnweb/index.cgi/pub_Uguest/view/trunk/lib/Uguest/Dispatcher.pm
You can certainly write your own plugin (Authentication::LdapReader ?)
where you don't register users in the local table.
The sample code from your application helps a lot.

For the record, I am now running the SVN head version, and here's what I
have:

config.yml:
----------------------------------------------------------------------
Plugins:
- Authentication::Ldap:
LDAPhost: ldap.company.com
LDAPbase: ou=People,dc=company,dc=com
LDAPName: cn
LDAPMail: mail
LDAPuid: uid
...
LogLevel: DEBUG
----------------------------------------------------------------------

Note that I *did not* include the User plugin as told to in the POD.
This is on suggestion from people in #jifty.

This is working now, and my app will authenticate correctly. However
now the code to automatically add a user seems to be broken. It adds an
empty row to the database with all fields blank. I added some debug
code to make sure that LDAP was returning the correct information.

The problem seems to lie here:

Plugin/Authentication/Ldap/Action/LDAPLogin.pm
----------------------------------------------------------------------
 94     # Autocreate the user if necessary
 95     if ( not $user->id ) {
 96         my $action = Jifty->web->new_action(
 97             class        => 'CreateUser',
 98             current_user => $current_user->superuser,
 99             arguments    => {
100                 ldap_id => $username
101             }
102         );
103         $action->run;
104
105         if ( not $action->result->success ) {
106             # Should this be less "friendly"?
107             $self->result->error(_("Sorry, something weird happened (we couldn't create a user f
108             return;
109         }
110
111         $user = $current_user->new( ldap_id => $username );
112     }
113
114     my $u = $user->user_object;
115
116     # Update, just in case
117     $u->__set( column => 'ldap_id', value => $username ) unless ($u->ldap_id and $u->ldap_id eq
118     $u->__set( column => 'name', value => $username ) unless ($u->name and length $u->name);
119     $u->__set( column => 'name', value => $name ) if ($name);
120     $u->__set( column => 'email', value => $email ) if ($email);
----------------------------------------------------------------------

Note that 117-120 are changed from stock because I was fooling around
trying to get it to work. But even when stock, they didn't seem to work
-- no data was written into the database! And the UI now says "Hiya
," so the username is empty in the user object as well.

Any ideas folks?

Thanks!
-m
Yves Agostini
2008-12-12 08:22:10 UTC
Post by Max Baker
Hi Yves,
Post by Yves Agostini
Unlucky: AuthLDAPLogin and AuthLDAPOnly are deprecated.
Good to know, thanks for your help.
Post by Yves Agostini
You need to use Authentication::Ldap. Authentication::Ldap adds all
users to your local user table, where you can easily add fields.
https://svn.univ-metz.fr/svnweb/index.cgi/pub_Uguest/view/trunk/lib/Uguest/Model/User.pm
You can use AuthzLDAP to add a filter on LDAP attributes to find which
users can write in your application.
Here you can find a sample use of AuthzLDAP:
https://svn.univ-metz.fr/svnweb/index.cgi/pub_Uguest/view/trunk/lib/Uguest/Dispatcher.pm
You can certainly write your own plugin (Authentication::LdapReader ?)
where you don't register users in the local table.
The sample code from your application helps a lot.
For the record, I am now running the SVN head version, and here's what I
----------------------------------------------------------------------
LDAPhost: ldap.company.com
LDAPbase: ou=People,dc=company,dc=com
LDAPName: cn
LDAPMail: mail
LDAPuid: uid
...
LogLevel: DEBUG
----------------------------------------------------------------------
Note that I *did not* include the User plugin as told to in the POD.
This is on suggestion from people in #jifty.
I think you need the "Mixin User" plugin, as the LDAP plugin adds new
users to this table.

So you need something like:

use Jifty::DBI::Schema;   # the schema DSL below needs this loaded first
use yourApp::Record schema {
    ....
};

use Jifty::Plugin::User::Mixin::Model::User;
use Jifty::Plugin::Authentication::Ldap::Mixin::Model::User;
Post by Max Baker
This is working now, and my app will authenticate correctly. However
now the code to automatically add a user seems to be broken. It adds an
empty row to the database with all fields blank. I added some debug
code to make sure that LDAP was returning the correct information.
Plugin/Authentication/Ldap/Action/LDAPLogin.pm
----------------------------------------------------------------------
 94     # Autocreate the user if necessary
 95     if ( not $user->id ) {
 96         my $action = Jifty->web->new_action(
 97             class        => 'CreateUser',
 98             current_user => $current_user->superuser,
 99             arguments    => {
100                 ldap_id => $username
101             }
102         );
103         $action->run;
104
105         if ( not $action->result->success ) {
106             # Should this be less "friendly"?
107             $self->result->error(_("Sorry, something weird happened (we couldn't create a user f
108             return;
109         }
110
111         $user = $current_user->new( ldap_id => $username );
112     }
113
114     my $u = $user->user_object;
115
116     # Update, just in case
117     $u->__set( column => 'ldap_id', value => $username ) unless ($u->ldap_id and $u->ldap_id eq
118     $u->__set( column => 'name', value => $username ) unless ($u->name and length $u->name);
119     $u->__set( column => 'name', value => $name ) if ($name);
120     $u->__set( column => 'email', value => $email ) if ($email);
----------------------------------------------------------------------
Note that 117-120 are changed from stock because I was fooling around
trying to get it to work. But even when stock, they didn't seem to work
-- no data was written into the database! And the UI now says "Hiya
," so the username is empty in the user object as well.
Take care with current_user_can; maybe you can't read or can't write.

You can try with:

sub current_user_can {
    my $self = shift;
    my $type = shift;
    my %args = (@_);

    return 1;
}
Post by Max Baker
Any ideas folks?
Thanks!
-m
--
---------------------------------------------------------------
AGOSTINI Yves CRI - Université Paul Verlaine - Metz
***@univ-metz.fr http://www.crium.univ-metz.fr
tel: 03 87 31 52 63 fax: 03 87 31 53 33 PGP: 842CC261
Max Baker
2008-12-12 17:33:21 UTC
Post by Yves Agostini
I think you need the "Mixin User" plugin, as the LDAP plugin adds new
users to this table.
use Jifty::DBI::Schema;   # the schema DSL below needs this loaded first
use yourApp::Record schema {
    ....
};
use Jifty::Plugin::User::Mixin::Model::User;
use Jifty::Plugin::Authentication::Ldap::Mixin::Model::User;
I did actually have that in my Model/User.pm , I forgot to put it here.
Post by Yves Agostini
Take care with current_user_can; maybe you can't read or can't write.
sub current_user_can {
    my $self = shift;
    my $type = shift;
    return 1;
}
Success! Beautiful. I'll update the POD to reflect all this and add
it to the patch.

Thanks,
-m
Ruslan Zakirov
2008-12-12 19:10:31 UTC
[snip]
Post by Max Baker
Post by Yves Agostini
sub current_user_can {
    my $self = shift;
    my $type = shift;
    return 1;
}
Success! Beautiful. I'll update the POD to reflect all this and add
it to the patch.
It would be cool to add a smarter current_user_can, as such an
implementation allows anyone to do anything with your users. That can be
used to manipulate your DB via the REST plugin or in other ways.
Post by Max Baker
Thanks,
-m
_______________________________________________
jifty-devel mailing list
http://lists.jifty.org/cgi-bin/mailman/listinfo/jifty-devel
--
Best regards, Ruslan.
Max Baker
2008-12-13 18:37:09 UTC
Hi Ruslan,
Post by Ruslan Zakirov
Post by Yves Agostini
sub current_user_can {
    my $self = shift;
    my $type = shift;
    return 1;
}
It would be cool to add a smarter current_user_can, as such an
implementation allows anyone to do anything with your users. That can be
used to manipulate your DB via the REST plugin or in other ways.
I haven't gotten that far in Jifty yet, but if you have an example that
would be great. Which module/plugin should I look at specifically? I
would happily add more to the example in the POD.

-m
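A tighter current_user_can for the mixin-based User model discussed in this thread, written here as an added example; it is not code from the thread, from Jifty, or from the Authentication::Ldap plugin. It assumes an application named MyApp with one application-specific column (department); the right names (create, read, update, delete) and the column/value arguments on update are the ones Jifty::Record passes to this hook. The superuser branch is needed because LDAPLogin's autocreate path (line 98 in the code quoted above) creates the row as $current_user->superuser; every other caller, including the REST plugin, is held to the explicit rules below, so the blanket "return 1" that Ruslan warns about is gone.

```perl
package MyApp::Model::User;
use strict;
use warnings;

use Jifty::DBI::Schema;

# MyApp and the department column are assumptions for this example;
# the two mixins below contribute id/name/email and ldap_id.
use MyApp::Record schema {
    column department => type is 'text';
};

use Jifty::Plugin::User::Mixin::Model::User;
use Jifty::Plugin::Authentication::Ldap::Mixin::Model::User;

# Jifty consults this hook for every record access. $right is one of
# 'create', 'read', 'update' or 'delete'; for 'update' %args carries
# the column being changed and its new value.
sub current_user_can {
    my $self  = shift;
    my $right = shift;
    my %args  = (@_);

    my $cu = $self->current_user;

    # LDAPLogin autocreates users as the superuser, and schema setup runs
    # as the bootstrap user; both keep full rights.
    return 1 if $cu->is_superuser || $cu->is_bootstrap_user;

    # Only the login action (running as superuser) may create user rows.
    # This closes the REST plugin's POST /=/model/User for everyone else.
    return 0 if $right eq 'create';

    # Any logged-in user may read user records; anonymous visitors may not.
    return 1 if $right eq 'read' && $cu->id;

    # A user may edit only their own row, and may never re-point ldap_id:
    # changing it would let an account claim another LDAP identity.
    if ( $right eq 'update' && $cu->id && $self->id && $cu->id == $self->id ) {
        return 0 if defined $args{column} && $args{column} eq 'ldap_id';
        return 1;
    }

    # Deletion, and anything not granted above, is refused.
    return 0;
}

1;
```

With this in place an ordinary LDAP user going through the REST plugin can list users and change their own name, email or department, but cannot create or delete accounts or alter any ldap_id. A quick check after deploying: log in once with a test LDAP account so the autocreate path still succeeds, then try a REST create, a delete, and an update of ldap_id as that account and confirm each is refused.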

Max Baker
2008-12-12 20:40:01 UTC
Hi all,

Attached is a patch for Authentication::Ldap that does the following:

1. Add links to Authentication::Ldap and Authentication::CAS from
Manual::AccessControl

2. Fix small bug in Authentication::Ldap::Action::LDAPLogin.pm in
validate_ldap_id() that causes it to throw a warning

3. Add new config option "LDAPOptions" that is a pass-through to Net::LDAP

4. Allow override of default settings to Net::LDAP using above

5. Borrow some code from Authentication::CAS to make sure the user
object has correct data all the time

6. Lots of documentation

Any improvements, coding standards, or comments are welcome -- I'm just
getting familiarized w/ Jifty.

Now that I have the user and LDAP part down, I can go make an app!
Thanks for all the help on #jifty and here.

-m
Post by Yves Agostini
Post by Max Baker
Hi Yves,
Post by Yves Agostini
Unlucky: AuthLDAPLogin and AuthLDAPOnly are deprecated.
Good to know, thanks for your help.
Post by Yves Agostini
You need to use Authentication::Ldap. Authentication::Ldap adds all
users to your local user table, where you can easily add fields.
https://svn.univ-metz.fr/svnweb/index.cgi/pub_Uguest/view/trunk/lib/Uguest/Model/User.pm
You can use AuthzLDAP to add a filter on LDAP attributes to find which
users can write in your application.
Here you can find a sample use of AuthzLDAP:
https://svn.univ-metz.fr/svnweb/index.cgi/pub_Uguest/view/trunk/lib/Uguest/Dispatcher.pm
You can certainly write your own plugin (Authentication::LdapReader ?)
where you don't register users in the local table.
The sample code from your application helps a lot.
For the record, I am now running the SVN head version, and here's what I
----------------------------------------------------------------------
LDAPhost: ldap.company.com
LDAPbase: ou=People,dc=company,dc=com
LDAPName: cn
LDAPMail: mail
LDAPuid: uid
...
LogLevel: DEBUG
----------------------------------------------------------------------
Note that I *did not* include the User plugin as told to in the POD.
This is on suggestion from people in #jifty.
I think you need the "Mixin User" plugin, as the LDAP plugin adds new
users to this table.
use Jifty::DBI::Schema;   # the schema DSL below needs this loaded first
use yourApp::Record schema {
    ....
};
use Jifty::Plugin::User::Mixin::Model::User;
use Jifty::Plugin::Authentication::Ldap::Mixin::Model::User;
Post by Max Baker
This is working now, and my app will authenticate correctly. However
now the code to automatically add a user seems to be broken. It adds an
empty row to the database with all fields blank. I added some debug
code to make sure that LDAP was returning the correct information.
Plugin/Authentication/Ldap/Action/LDAPLogin.pm
----------------------------------------------------------------------
 94     # Autocreate the user if necessary
 95     if ( not $user->id ) {
 96         my $action = Jifty->web->new_action(
 97             class        => 'CreateUser',
 98             current_user => $current_user->superuser,
 99             arguments    => {
100                 ldap_id => $username
101             }
102         );
103         $action->run;
104
105         if ( not $action->result->success ) {
106             # Should this be less "friendly"?
107             $self->result->error(_("Sorry, something weird happened (we couldn't create a user f
108             return;
109         }
110
111         $user = $current_user->new( ldap_id => $username );
112     }
113
114     my $u = $user->user_object;
115
116     # Update, just in case
117     $u->__set( column => 'ldap_id', value => $username ) unless ($u->ldap_id and $u->ldap_id eq
118     $u->__set( column => 'name', value => $username ) unless ($u->name and length $u->name);
119     $u->__set( column => 'name', value => $name ) if ($name);
120     $u->__set( column => 'email', value => $email ) if ($email);
----------------------------------------------------------------------
Note that 117-120 are changed from stock because I was fooling around
trying to get it to work. But even when stock, they didn't seem to work
-- no data was written into the database! And the UI now says "Hiya
," so the username is empty in the user object as well.
Take care with current_user_can; maybe you can't read or can't write.
sub current_user_can {
    my $self = shift;
    my $type = shift;
    return 1;
}
Post by Max Baker
Any ideas folks?
Thanks!
-m