Authenticating Against Active Directory with Catalyst
One of the more entertaining parts of working in e-commerce is dealing with PCI compliance. I say entertaining because the standard is a mix of good things and inane things. Regardless, it's required. One of its sections deals with authentication and authorization. We've traditionally handled that sort of thing internally, but the newest PCI standards added quite a few requirements that we didn't feel like implementing ourselves. Instead, we opted to offload that functionality onto our Windows machines. We already had some experience with this, as our internal Trac talks to Active Directory to ease administration when interfacing with the other departments.
Enough backstory. I had some hassle getting Catalyst::Authentication::Store::LDAP working with Active Directory. I wanted both authentication and roles, so here’s what I ended up with:
Plugin::Authentication:
  default_realm: members
  realms:
    members:
      credential:
        class: Password
        password_field: password
        password_type: self_check
      store:
        class: LDAP
        ldap_server: dc1:389
        ldap_server_options:
          timeout: 30
        binddn: cn=SomeAccountYouSetup,ou=Accounts,dc=domain,dc=com
        bindpw: password
        user_basedn: ou=Accounts,dc=domain,dc=com
        user_filter: (userPrincipalName=%s)
        user_field: mail
        use_roles: 1
        role_basedn: ou=Groups,dc=domain,dc=com
        role_filter: (member=%s)
        role_scope: sub
        role_field: name
        role_value: dn
        role_search_as_user: 0
        role_search_options:
          deref: always
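As an added illustration (not part of the original post), here is a Catalyst controller that uses the realm above. The application, controller, action and group names (MyApp, /login_form, Administrators) are assumed; the calls themselves are the standard Catalyst::Plugin::Authentication and Catalyst::Plugin::Authorization::Roles API.

```perl
package MyApp::Controller::Login;    # hypothetical application name
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }

# POST /login with 'username' and 'password' form fields.
# The value of 'username' is substituted into user_filter
# (userPrincipalName=%s), so it must be the UPN, e.g. jdoe@domain.com.
# password_type self_check means the store binds to AD as the found
# user's DN with the supplied password; no password hash is kept here.
sub login : Path('/login') : Args(0) {
    my ($self, $c) = @_;
    my $username = $c->req->params->{username} // '';
    my $password = $c->req->params->{password} // '';

    # LDAP treats a bind with a DN and an empty password as an
    # unauthenticated bind (RFC 4513 section 5.1.2), so reject empty
    # passwords before they ever reach the store.
    if ($username eq '' || $password eq '') {
        $c->stash(error => 'Username and password are required');
        $c->detach('/login_form');    # hypothetical action
    }

    # Second argument is the realm name from the configuration.
    if ($c->authenticate({ username => $username, password => $password }, 'members')) {
        $c->log->info("LDAP login succeeded for $username");
        $c->res->redirect($c->uri_for('/'));
        $c->detach;
    }

    $c->log->warn("LDAP login failed for $username");
    $c->stash(error => 'Invalid credentials');
    $c->detach('/login_form');
}

# Gate an action on an AD group. With use_roles, role_filter (member=%s)
# and role_value dn, the store searches ou=Groups for every group whose
# member attribute holds the logged-in user's DN and exposes the group's
# role_field ('name') as a role.
sub admin : Path('/admin') : Args(0) {
    my ($self, $c) = @_;
    $c->detach('/login_form') unless $c->user_exists;
    unless ($c->check_user_roles('Administrators')) {    # hypothetical group
        $c->res->status(403);
        $c->res->body('Forbidden');
        $c->detach;
    }
    $c->stash(roles => [ $c->user->roles ]);    # group names, for a template
}

__PACKAGE__->meta->make_immutable;
1;
```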
I'm not really participating in Matt's Iron Man, but the flurry of Perl posting does leave me feeling a bit guilty for not saying a bit more about my language of choice.
UPDATE: I’ve changed the configuration a bit to show what you need to change.