awohld has asked for the wisdom of the Perl Monks concerning the following question:

SOLVED!

'user_scope'needs to be 'sub' and not 'one'. And as a side note 'user_field' must be lowercase or a deep recursion search will be done.

I'm trying to authenticate with Catalyst::Authentication::Store::LDAP and in the Catalyst development server it keeps saying "debug: Unable to locate user matching user info provided".

Since it uses Net::LDAP as a backend I made a test script which works and is as seen below. It dumps out all the ActiveDirectory info for me. 

#!/usr/bin/perl
use Net::LDAP;
use Data::Dumper;

my $ldap = Net::LDAP->new( 'sub.ad.mydomain.org' );

# bind to a directory with dn and password
my $mesg = $ldap->bind(
    'myusername@ad.mydomain.com',
    password => 'mypassword'
);

$mesg = $ldap->search(
    base => "DC=sub,DC=ad,DC=mydomain,DC=org",
    filter => "(sAMAccountName=myusername)",
); 

die Dumper $mesg->entries;

[download]

Also running "ldapsearch" like below dumps all my ActiveDirectory info: 

ldapsearch -H ldap://sub.ad.mydomain.org \
-b dc=sub,dc=ad,dc=mydomain,dc=org \
-D myusername@ad.subdomain.org \
-w mypassword \
'(sAMAccountName=myusername)'

[download]

In the documentation for Catalyst::Authentication::Store::LDAP it says for Microsoft ActiveDirectory to change "user_field: samaccountname" to lowercase which I have and I also left it the proper case.

The development server debug info looks like this: 

[debug] Body Parameters are:
.-------------+-------------.
| Parameter   | Value       |
+-------------+-------------+
| password    | mypassword  |
| username    | myusername  |
'-------------+-------------'
[debug] Path is "login"
[debug] Unable to locate user matching user info provided

[download]
Here is what my myapp.conf file looks like for Catalyst: 

name MyApp

# Config for Store::LDAP
<authentication>
  default_realm ldap
  <realms>
    <ldap>
      <credential>
        class Password
        password_field password
        password_type  self_check
      </credential>
      <store>
        class LDAP
        ldap_server ldap://sub.ad.mydomain.org
        <ldap_server_options>
          timeout 30
          onerror warn
        </ldap_server_options>
        binddn myusername@ad.mydomain.org
        bindpw mypassword
        start_tls 0
        <start_tls_options>
          verify none
        </start_tls_options>
        user_basedn DC=sub,DC=ad,DC=mydomain,DC=org
        user_filter (sAMAccountName=%s)
        user_scope one
        user_field sAMAccountName  # also tried samaccountname
        <user_search_options>
          deref always
        </user_search_options>
        use_roles 0
      </store>
    </ldap>
  </realms>
</authentication>

[download]

And also here's my login method in Root.pm 

sub login : Global {
    my ( $self, $c ) = @_;
    
    # Get the username and password from form
    my $username = $c->request->params->{username};
    my $password = $c->request->params->{password};

    if ( $username and $password ) {
        if ($c->authenticate({username => $username, password => $pass
+word })) {
            $c->res->body("Welcome " . $c->user->username . "!");
        } else {
            $c->stash(error_msg => "Bad username or password.");
        }
    } else {
        # Set an error message
        $c->stash(error_msg => "Empty username or password.");
    }  
}

[download]
Any ideas on what I'm doing wrong? Is there something wrong with my Config file? Thanks in advance for any help!

Replies are listed 'Best First'.
Re: Not Authenticating - Catalyst::Authentication::Store::LDAP
by shmem (Chancellor) on Aug 21, 2010 at 10:09 UTC

    The docs say 

            $c->authenticate({
                          id          => $c->req->param("login"), 
                          password    => $c->req->param("password") 
                         });

    [download]

    id, not username ;-)

[reply]
[d/l]
[select]
      I was really hoping that was it, but it's still saying it can't locate the user matching the info provided.

      So seeing that Catalyst::Plugin::Authentication::LDAP was superceded by Catalyst::Authentication::Store::LDAP, I take it means that C::A::Store::LDAP does the authentication too.

      But looking at C::A::Store::LDAP it says that it authenticates a user if it finds the user info in the LDAP store. So it's really not even looking a the passwords. So this looks like it's not really an Authentication module. But why would an Authenticaiton module be superceeded by a Store module?

      UPDATE:
      As an update I see that the first step is that C::A::Store::LDAP binds with the pre-set user and password, then it reconnects with the user and password sent in second time. Here's a copy of my config in memory if that helps: 
      do {
  my $a = {
    "Action::RenderView" => {
      ignore_classes => [
                          "DBIx::Class::ResultSource::Table",
                          "DBIx::Class::ResultSourceHandle",
                          "DateTime",
                        ],
      scrubber_func  => sub { ... },
    },
    "authentication" => {
      default_realm => "ldap",
      realms => {
        ldap => {
          credential => {
            class => "Password",
            password_field => "password",
            password_hash_type => "SHA-1",
            password_type => "self_check",
          },
          store => {
            binddn              => "myusername\@ad.mydomain.org",
            bindpw              => "mypassword",
            class               => "LDAP",
            ldap_server         => "ldap://sub.ad.mydomain.org",
            ldap_server_options => { onerror => "warn", timeout => 30 
+},
            start_tls           => 0,
            start_tls_options   => { verify => "none" },
            use_roles           => 0,
            user_basedn         => "DC=sub,DC=ad,DC=mydomain,DC=org",
            user_field          => "sAMAccountName",
            user_filter         => "(sAMAccountName=%s)",
            user_scope          => "one",
            user_search_options => { deref => "always" },
          },
          use_session => 1,
        },
      },
      use_session => 1,
    },
    "disable_component_resolution_regex_fallback" => 1,
    "home" => "/home/me/perl_modules/MyApp",
    "name" => "MyApp",
    "Plugin::Authentication" => 'fix',
    "Plugin::ConfigLoader" => {},
    "root" => bless({
      dirs => ["", "home", "me", "perl_modules", "MyApp", "root"],
      file_spec_class => undef,
      volume => "",
    }, "Path::Class::Dir"),
    "stacktrace" => { context => 3, verbose => 0 },
    "static" => {
      debug => 1,
      dirs => [],
      ignore_dirs => [],
      ignore_extensions => ["tmpl", "tt", "tt2", "html", "xhtml"],
      include_path => ['fix'],
      mime_types => {},
      mime_types_obj => bless({}, "MIME::Types"),
      no_logs => 1,
    },
  };
  $a->{"Plugin::Authentication"} = $a->{"authentication"};
  $a->{"static"}{include_path}[0] = $a->{"root"};
  $a;
}

      [download]
[reply]
[d/l]

Back to Seekers of Perl Wisdom