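# Authenticate a CGI request against LDAP and start a session on success.
#
# Instance method: $self is a blessed hash carrying the LDAP settings (this
# code reads $self->{ldap}{userbase}; the host comes from the file-level
# $ldaphost — NOTE(review): the original header comment says ldaphost lives
# in $self, confirm which one is authoritative).
#
# Parameters:
#   $q  - a CGI->new query object; 'username' and 'phrase' are read from it
# Returns:
#   the session id from $self->start_session($q) on success, undef otherwise
# Dies:
#   on LDAP connection, bind or search failure (one day these dies will be
#   calls to pretty printed html: mymodule::error->database_error())
sub authenticate {
    my $self = shift;
    my $q    = shift;

    # Read both credentials up front. CGI::param returns undef when a field
    # is absent, and an empty username would have produced the invalid
    # filter "(cn=)" and a search error instead of a clean failure.
    my $user   = $q->param('username');
    my $phrase = $q->param('phrase');
    return undef unless defined $user and length $user;
    return undef unless defined $phrase;

    # Open an anonymous ldap session (anon reads are allowed). The bind
    # result is checked: an unchecked failed bind would otherwise fall
    # straight through to the search.
    my $ldap = Net::LDAP->new($ldaphost) or die "LDAP Connection error";
    my $bind = $ldap->bind;
    $bind->code && die $bind->error;

    # The username is attacker-controlled. Interpolating it raw into the
    # filter is LDAP filter injection: "*" matches any account and ")(..."
    # lets the caller rewrite the filter. Escape it per RFC 4515 first;
    # Net::LDAP::Util ships with the perl-ldap distribution already in use.
    require Net::LDAP::Util;
    my $safe_user = Net::LDAP::Util::escape_filter_value($user);
    my $mesg = $ldap->search(
        base   => $self->{ldap}{userbase},
        filter => "(cn=$safe_user)",
    );
    $mesg->code && die $mesg->error;
    $ldap->unbind;

    # Dodgy, I admit: we only expect one account whose cn equals $user, so
    # the first entry is taken and any others are ignored.
    my $entry = $mesg->shift_entry;

    # Bail out if the user does not exist in LDAP.
    return undef unless $entry;

    # NOTE(review): userPassword being readable anonymously is itself a
    # directory misconfiguration. The robust design is to verify the phrase
    # with $ldap->bind($entry->dn, password => $phrase) and let the server
    # compare; that also stops tying this code to the {MD5} storage scheme.
    my $ldaphash = $entry->get_value('userPassword');
    my $ldapuser = $entry->get_value('uid');
    return undef unless defined $ldaphash and defined $ldapuser;

    # Hash the supplied phrase the way the directory stores it
    # ({MD5} = base64 of the raw MD5 digest). Unsalted MD5 is weak and gives
    # the stored hashes little protection; kept only because the stored
    # format dictates it.
    my $md5 = Digest::MD5->new;
    $md5->add($phrase);
    my $hash = '{MD5}' . encode_base64($md5->digest, '');

    # Note the cn search is case-insensitive on most directories while this
    # uid comparison is a byte-exact string compare.
    if ($user eq $ldapuser and $hash eq $ldaphash) {
        return $self->start_session($q);
    }
    return undef;
}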