NAME
Jifty::Plugin::Authentication::Ldap - LDAP Authentication Plugin for Jifty
DESCRIPTION
CAUTION: This plugin is experimental.
This may be combined with the User Mixin to provide user accounts and ldap password authentication to your application.
When a new user authenticates using this plugin, a new User object will be created automatically. The name
and email
fields will be automatically populated with LDAP data.
in etc/config.yml
Plugins:
- Authentication::Ldap:
LDAPhost: ldap.univ.fr # ldap server
LDAPbase: ou=people,dc=..... # base ldap
LDAPName: displayname # name to be displayed (cn givenname)
LDAPMail: mailLocalAddress # email used optional
LDAPuid: uid # optional
Then create a user model
jifty model --name=User
and edit lib/App/Model/User.pm to look something like this:
use strict;
use warnings;
package Venice::Model::User;
use Jifty::DBI::Schema;
use Venice::Record schema {
# More app-specific user columns go here
};
use Jifty::Plugin::User::Mixin::Model::User;
use Jifty::Plugin::Authentication::Ldap::Mixin::Model::User;
sub current_user_can {
my $self = shift;
my $type = shift;
my %args = (@_);
return 1 if
$self->current_user->is_superuser;
# all logged in users can read this table
return 1
if ($type eq 'read' && $self->current_user->id);
return $self->SUPER::current_user_can($type, @_);
};
1;
ACTIONS
This plugin will add the following actions to your application. For testing you can access these from the Admin plugin.
- Jifty::Plugin::Authentication::Ldap::Action::LDAPLogin
-
The login path is
/ldaplogin
. - Jifty::Plugin::Authentication::Ldap::Action::LDAPLogout
-
The logout path is
/ldaplogout
.
METHODS
prereq_plugins
This plugin depends on the User Mixin.
Configuration
The following options are available in your config.yml
under the Authentication::Ldap Plugins section.
LDAPhost
-
Your LDAP server.
LDAPbase
-
[Mandatory] The base object where your users live. If
LDAPBindTemplate
is defined,LDAPbase
is only used for user search. LDAPBindTemplate
-
Alternatively to
LDAPbase
, you can specify here the whole DN string, with %u as a placeholder for UID. LDAPMail
-
The DN that your organization uses to store Email addresses. This gets copied into the User object as the
email
. LDAPName
-
The DN that your organization uses to store Real Name. This gets copied into the User object as the
name
. LDAPuid
-
The DN that your organization uses to store the user ID. Usually
cn
. This gets copied into the User object as theldap_id
. LDAPOptions
-
These options get passed through to Net::LDAP.
Default Options :
debug => 0 onerror => undef async => 1
Other options you may want :
timeout => 30
See
Net::LDAP
for a full list. You can overwrite the defaults selectively or not at all. LDAPLoginHooks
-
Optional list of Perl functions that would be called after a successful login and after a corresponding User object is loaded and updated. The function is called with a hash array arguments, as follows:
username => string user_object => User object ldap => Net::LDAP object infos => User attributes as returned by get_infos
LDAPFetchUserAttr
-
Optional list of LDAP user attributes fetched by get_infos. The values are returned to the login hook as arrayrefs.
Example
The following example authenticates the application against a MS Active Directory server for the domain MYDOMAIN. Each user entry has the attribute 'department' which is used for authorization. LDAPbase
is used for user searching, and binding is done in a Microsoft way. The login hook checks if the user belongs to specific departments and updates the user record.
######
# etc/config.yml:
Plugins:
- User: {}
- Authentication::Ldap:
LDAPhost: ldap1.mydomain.com
LDAPbase: 'DC=mydomain,DC=com'
LDAPBindTemplate: 'MYDOMAIN\%u'
LDAPName: displayName
LDAPMail: mail
LDAPuid: cn
LDAPFetchUserAttr:
- department
LDAPLoginHooks:
- 'Myapp::Model::User::ldap_login_hook'
######
# package Myapp::Model::User;
sub ldap_login_hook
{
my %args = @_;
my $u = $args{'user_object'};
my $department = $args{'infos'}->{'department'}[0];
my $editor = 0;
if( $department eq 'NOC' or
$department eq 'ENGINEERING' )
{
$editor = 1;
}
$u->__set( column => 'is_content_editor', value => $editor );
}
SEE ALSO
Jifty::Manual::AccessControl, Jifty::Plugin::User::Mixin::Model::User, Net::LDAP
AUTHORS
Yves Agostini, <yvesago@cpan.org>, Stanislav Sinyagin
and others authors from Jifty (maxbaker, clkao, sartak, alexmv)
LICENSE
Copyright 2007-2010 Yves Agostini. All Rights Reserved.
This program is free software and may be modified and distributed under the same terms as Perl itself.