[jifty-devel] authentication and authorization

Agostini yves agostini at univ-metz.fr
Mon Nov 27 06:29:27 EST 2006

Because of the time difference it's difficult for me to chat about these
subjects, so I am sending a (long) mail.

As you can see on svn, I made 2 plugins for LDAP authentication.
The first, AuthLDAPOnly, allows adding users from an LDAP directory.
In the LDAPUser model, I use 'Name' for the login, so as not to break the
default views, and a 'created_on' field for fun :) it's absolutely not
necessary.
Developers will have to overload this schema if they need more data,
like email, from their LDAP server.
Authentication is done with a 'bind' on the LDAP server. Using
Net::LDAP allows the use of ldaps (but I haven't tested this).
/ldaplogin and /ldaplogout must be used for login and logout.

The second, AuthLDAPLogin, allows LDAP users to be used together with
external users who can create their account with email validation. It's a
"sub plugin" of the Login plugin. The Login model is populated with LDAP
data.
The distinct id is 'email'; for an LDAP user the email is not a valid email
but is created as "login@LDAP.user". I wrote a CAS plugin which uses
"login@CAS.user".
A first type of authorization could be done with code like:
# send anyone who is not an LDAP user to the LDAP login page
if ( Jifty->web->current_user->email !~ /\@LDAP\.user$/ ) {
   Jifty->web->tangent(url => '/ldaplogin');
}
In the Login model, 'Name' is populated with the LDAP login.
Here a problem can appear. 'Name' must be distinct, so if an external user
uses the same name as an LDAP user, there will be a conflict.
A better way would be to add a user type to the Login User schema and to
remove the distinct constraint on Name.
But I think that it's better to preserve the Login plugin as it currently
is and not force people to upgrade their user databases.

- What do you think about the solution of making the distinct email id
"login@AUTHTYPE.user"?

PS: The author of AuthCAS must change the CPAN name, certainly to something
like Authen::CAS; as soon as the new name is published I will commit two
plugins for CASOnly and CASLogin (maybe it would be better to only put
them on CPAN?)

I need more help on authorization :)

Jesse was right not to publish AuthzLDAP on CPAN. It's not finished.
For developers, I hope for something like:
(....?) is not a new obfuscated regexp :)

I made an LdapFilter model to manage things like 'is_student', id
'is_student' can be an LDAP filter or a Netscape group.
So developers can imagine a kind of active directory where the table can be
updated by another application.

My main problem is: what is the best way to make (....?).
For testing I made an action
- Do we use this action or a dispatcher ???
- Does somebody have a brilliant idea ?

My other problem is that I bind to LDAP as anonymous or as a special user
allowed to read LDAP. This is fine if we use authentication like CAS
where we only have a valid login. But if we use LDAP authentication
maybe we can use the bind from AuthLDAPLogin or AuthLDAPOnly with
something like $LDAP = Jifty::Plugin::AuthLDAPLogin->LDAP();
This doesn't currently work, because I don't export $LDAP, and I will
certainly need to manage the timeout better?
- Is it really useful? Or do we force developers to use a special
allowed user for authorization?

My third and last problem (for now :) ) is:
LDAPValidate now takes two parameters, login and filtername.
 - Do I leave it like this, or do I take the login from the current user's
email if the email is like /login@\w+.user$/ as in LDAP authentication?
 - Subsidiary question: do you want all filters in the database, or to let
developers write filters when needed?
 something like:
   Jifty->.....->ldapvalidate($login, "(| (edupersonaffiliation=employee)(edupersonaffiliation=faculty) )" );

Sorry, it was a long mail and there are a lot of questions, but all answers
will be greatly appreciated :)



AGOSTINI Yves             CRI - Université Paul Verlaine - Metz
agostini at univ-metz.fr     http://www.crium.univ-metz.fr
tel: 03 87 31 52 63       fax: 03 87 31 53 33
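
One way to take the login from the synthetic "login@AUTHTYPE.user" address and combine it with a developer-written filter, as raised in the last question of the mail. This is an added example, not code from the plugins or from the author: parse_synthetic_id, build_validate_filter and the 'uid' attribute are assumptions, and escape_filter_value from Net::LDAP::Util is the only library call used.

```perl
use strict;
use warnings;
use Net::LDAP::Util qw(escape_filter_value);

# Assumption: logins live in the 'uid' attribute; adjust to the directory schema.
my $LOGIN_ATTR = 'uid';

# Split a synthetic id such as "jdoe@LDAP.user" into (login, auth type).
# Returns an empty list for anything else, e.g. an external user's real address.
sub parse_synthetic_id {
    my ($email) = @_;
    return unless defined $email;
    # \A and \z anchor the whole string; the dot is escaped so that
    # "jdoe@LDAPxuser" is not accepted as a directory account.
    return $email =~ /\A([^\@\s]+)\@(\w+)\.user\z/ ? ($1, $2) : ();
}

# Build the search filter for a login plus a developer-written group filter:
# the entry has to match both.
sub build_validate_filter {
    my ($login, $group_filter) = @_;
    $group_filter =~ s/^\s+|\s+$//g;
    # Sanity check only; the directory server still parses the filter.
    die "group filter must be one parenthesised expression\n"
        unless $group_filter =~ /\A\(.*\)\z/s;
    # escape_filter_value hex-escapes ( ) * \ and control characters, so the
    # login is always treated as a value and never as filter syntax.
    my $safe = escape_filter_value($login);
    return "(&($LOGIN_ATTR=$safe)$group_filter)";
}

# Constructed sample inputs: an LDAP user, a CAS user, an external user with a
# real address, and a login containing filter metacharacters.
my $staff = '(|(edupersonaffiliation=employee)(edupersonaffiliation=faculty))';
for my $email ('jdoe@LDAP.user', 'asmith@CAS.user', 'bob@example.org',
               'j*(doe)@LDAP.user') {
    my ($login, $type) = parse_synthetic_id($email);
    if (!defined $login) {
        printf "%-18s external account, no LDAP check\n", $email;
        next;
    }
    printf "%-18s %-4s %s\n", $email, $type, build_validate_filter($login, $staff);
}
```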
