On May 21, 2012, at 11:42 AM, Robert Wohlfarth wrote:
> The standard Catalyst::Authentication::Store::LDAP does not work with this
> model.
I've been told that the "right" way to do authentication against LDAP is

* bind with a read-only set of credentials
* look up the user's entry (here is where you apply your base and filters)
* try to bind with the just-found DN and the user-supplied password

The first set of credentials has just enough privileges (via ACLs) so that only the required search can be performed.

This scheme has the advantage of not allowing anonymously bound sessions to search your tree while supporting user hierarchies (that can change as the directory is reorganized).

Best regards.

-lem
_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
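The bind-search-bind flow described in the reply above, as an added example that is not part of the original thread and not Catalyst::Authentication::Store::LDAP code. It is written in Python rather than Perl because the procedure is language-independent; an in-memory FakeDirectory stands in for a real LDAP server so it runs offline, and all DNs, attributes, passwords and ACLs are constructed sample data. It also adds two checks a practitioner would want around this flow: escaping the username before it goes into the search filter (RFC 4515), and refusing an empty password, since a bind with a DN and an empty password is an unauthenticated bind (RFC 4513, section 5.1.2) that many servers accept as an anonymous session.

```python
# Bind-search-bind LDAP authentication against a constructed in-memory directory.
# Added example; the FakeDirectory below is a stand-in for an LDAP server, not a client library.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


class LdapError(Exception):
    """Stands in for an LDAP result code such as invalidCredentials."""


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter (RFC 4515).

    Without this, a username such as '*' or 'x)(cn=admin' rewrites the filter.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _unescape(value: str) -> str:
    # Reverse of escape_filter_value; used only by the fake server when matching.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


@dataclass
class Connection:
    directory: "FakeDirectory"
    bound_as: Optional[str]          # None means an anonymous session

    def search(self, base: str, filt: str, attrs: List[str]) -> List[Tuple[str, Dict[str, str]]]:
        allowed = self.directory.readable_attrs.get(self.bound_as)
        if allowed is None:
            raise LdapError("insufficientAccessRights")   # ACL: this identity may not search
        m = re.fullmatch(r"\((\w+)=(.*)\)", filt)            # only simple (attr=value) filters
        if not m:
            raise LdapError("filterError")
        attr, raw = m.group(1), m.group(2)
        hits = []
        for dn, entry in self.directory.entries.items():
            if not dn.endswith("," + base) or attr not in entry or attr not in allowed:
                continue
            # A bare '*' is a presence filter; anything else is an equality match.
            if raw == "*" or entry[attr] == _unescape(raw):
                hits.append((dn, {a: entry[a] for a in attrs if a in entry and a in allowed}))
        return hits


@dataclass
class FakeDirectory:
    entries: Dict[str, Dict[str, str]]            # dn -> attributes
    readable_attrs: Dict[Optional[str], Set[str]]  # bound dn -> attributes it may read

    def bind(self, dn: Optional[str], password: str) -> Connection:
        if dn is None or password == "":
            # No DN is an anonymous bind. A DN with an empty password is an
            # *unauthenticated* bind (RFC 4513 5.1.2): the server reports success
            # but the session is anonymous, so "bind succeeded" is not "login ok".
            return Connection(self, None)
        entry = self.entries.get(dn)
        if entry is None or entry.get("userPassword") != password:
            raise LdapError("invalidCredentials")
        return Connection(self, dn)


def authenticate(directory: FakeDirectory, service_dn: str, service_pw: str,
                 base: str, username: str, password: str) -> Optional[str]:
    """Return the user's DN on success, None on failure (bind, search, bind)."""
    if password == "":
        return None                                   # would become an unauthenticated bind
    svc = directory.bind(service_dn, service_pw)      # 1. read-only service credentials
    hits = svc.search(base, "(uid=%s)" % escape_filter_value(username), ["uid"])
    if len(hits) != 1:
        return None                                   # 2. unknown user or ambiguous match
    user_dn = hits[0][0]
    try:
        directory.bind(user_dn, password)             # 3. bind as the user with their password
    except LdapError:
        return None
    return user_dn


def anonymous_can_search(directory: FakeDirectory, base: str) -> bool:
    try:
        directory.bind(None, "").search(base, "(uid=*)", ["uid"])
        return True
    except LdapError:
        return False


# Constructed sample directory: users in two OUs, one service account with a search-only ACL.
BASE = "dc=example,dc=org"
SVC_DN = "cn=authsvc,ou=services," + BASE
DIRECTORY = FakeDirectory(
    entries={
        SVC_DN: {"cn": "authsvc", "userPassword": "svc-secret"},
        "uid=alice,ou=people," + BASE: {"uid": "alice", "userPassword": "alice-pw"},
        "uid=bob,ou=staff,ou=people," + BASE: {"uid": "bob", "userPassword": "bob-pw"},
    },
    readable_attrs={SVC_DN: {"uid"}},   # anonymous (None) is absent: no search at all
)

if __name__ == "__main__":
    print(authenticate(DIRECTORY, SVC_DN, "svc-secret", BASE, "bob", "bob-pw"))
    print(authenticate(DIRECTORY, SVC_DN, "svc-secret", BASE, "*", "anything"))
```

Because the service account may read only uid, a search that asks for userPassword comes back without it, and bob is found even though he sits in a sub-OU, which is the "user hierarchies" point: the application never hard-codes where in the tree a user lives.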
