NAME Jifty::Plugin::Authentication::Ldap - LDAP Authentication Plugin for Jifty

DESCRIPTION CAUTION: This plugin is experimental.

This may be combined with the User Mixin to provide user accounts and
ldap password authentication to your application.

When a new user authenticates using this plugin, a new User object will
be created automatically. The "name" and "email" fields will be
automatically populated with LDAP data.

in etc/config.yml

  Plugins: 
    - Authentication::Ldap: 
       LDAPhost: ldap.univ.fr           # ldap server
       LDAPbase: ou=people,dc=.....     # base ldap
       LDAPName: displayname            # name to be displayed (cn givenname)
       LDAPMail: mailLocalAddress       # email used optional
       LDAPuid: uid                     # optional

Then create a user model

  jifty model --name=User

and edit lib/App/Model/User.pm to look something like this:

  use strict;
  use warnings;

package Venice::Model::User;

use Jifty::DBI::Schema; use Venice::Record schema {

More app-specific user columns go here

  };

use Jifty::Plugin::User::Mixin::Model::User; use Jifty::Plugin::Authentication::Ldap::Mixin::Model::User;

sub current_usercan { my $self = shift; my $type = shift; my %args = (@);

return 1 if
          $self->current_user->is_superuser;

# all logged in users can read this table
    return 1
        if ($type eq 'read' && $self->current_user->id);

return $self->SUPER::current_user_can($type, @_);
  };

1;

ACTIONS This plugin will add the following actions to your application. For testing you can access these from the Admin plugin.

Jifty::Plugin::Authentication::Ldap::Action::LDAPLogin
    The login path is "/ldaplogin".

Jifty::Plugin::Authentication::Ldap::Action::LDAPLogout
    The logout path is "/ldaplogout".

METHODS prereq_plugins This plugin depends on the User Mixin.

Configuration The following options are available in your "config.yml" under the Authentication::Ldap Plugins section.

"LDAPhost"
    Your LDAP server.

"LDAPbase"
    [Mandatory] The base object where your users live. If
    "LDAPBindTemplate" is defined, "LDAPbase" is only used for user
    search.

"LDAPBindTemplate"
    Alternatively to "LDAPbase", you can specify here the whole DN
    string, with *%u* as a placeholder for UID.

"LDAPMail"
    The DN that your organization uses to store Email addresses. This
    gets copied into the User object as the "email".

"LDAPName"
    The DN that your organization uses to store Real Name. This gets
    copied into the User object as the "name".

"LDAPuid"
    The DN that your organization uses to store the user ID. Usually
    "cn". This gets copied into the User object as the "ldap_id".

"LDAPOptions"
    These options get passed through to Net::LDAP.

    Default Options :

     debug   => 0
     onerror => undef
     async   => 1

    Other options you may want :

     timeout => 30

    See "Net::LDAP" for a full list. You can overwrite the defaults
    selectively or not at all.

"LDAPLoginHooks"
    Optional list of Perl functions that would be called after a
    successful login and after a corresponding User object is loaded and
    updated. The function is called with a hash array arguments, as
    follows:

      username => string
      user_object => User object
      ldap => Net::LDAP object
      infos => User attributes as returned by get_infos

"LDAPFetchUserAttr"
    Optional list of LDAP user attributes fetched by get_infos. The
    values are returned to the login hook as arrayrefs.

Example The following example authenticates the application against a MS Active Directory server for the domain MYDOMAIN. Each user entry has the attribute 'department' which is used for authorization. "LDAPbase" is used for user searching, and binding is done in a Microsoft way. The login hook checks if the user belongs to specific departments and updates the user record.

 ######
 #   etc/config.yml:  
  Plugins: 
    - User: {}
    - Authentication::Ldap:
       LDAPhost: ldap1.mydomain.com
       LDAPbase: 'DC=mydomain,DC=com'
       LDAPBindTemplate: 'MYDOMAIN%u'
       LDAPName: displayName
       LDAPMail: mail
       LDAPuid: cn
       LDAPFetchUserAttr:
         - department
       LDAPLoginHooks:
         - 'Myapp::Model::User::ldap_login_hook'

  ######
  #  package Myapp::Model::User;
  sub ldap_login_hook
  {
      my %args = @_;

      my $u = $args{'user_object'};    
      my $department = $args{'infos'}->{'department'}[0];

      my $editor = 0;
      if( $department eq 'NOC' or
          $department eq 'ENGINEERING' )
      {
          $editor = 1;
      }

      $u->__set( column => 'is_content_editor', value => $editor );
  }

SEE ALSO Jifty::Manual::AccessControl, Jifty::Plugin::User::Mixin::Model::User, Net::LDAP

AUTHORS Yves Agostini, [email protected], Stanislav Sinyagin

and others authors from Jifty (maxbaker, clkao, sartak, alexmv)

LICENSE Copyright 2007-2010 Yves Agostini. All Rights Reserved.

This program is free software and may be modified and distributed under
the same terms as Perl itself.