I am uncertain how much simpler you could make Net::LDAP, with perhaps the exception of the $mesg->code && die $mesg->error dance.
I have some existing Net::LDAP code, from a CGI application I am prototyping, which bundles the LDAP access
politely away from the main code. I have added more verbose comments to describe it, and it appears thus.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Digest::MD5;
use MIME::Base64 qw(encode_base64);

sub authenticate {
    # instance method, $self is a blessed hash holding various
    # important details like ldaphost etc.
    my $self = shift;
    # $q , a CGI->new query object
    my $q = shift;
    # Open an anonymous ldap session (anon reads are allowed).
    # (The host is read from $self here; the posted code used a
    # $ldaphost variable that is not shown.)
    my $ldap = Net::LDAP->new( $self->{ldap}{host} )
        or die "LDAP Connection error";
    my $mesg = $ldap->bind;
    $mesg->code && die $mesg->error;
    my $user = $q->param('username');
    # Escape the username so a crafted value cannot change the filter.
    $mesg = $ldap->search(
        base   => $self->{ldap}{userbase},
        filter => '(cn=' . escape_filter_value($user) . ')',
    );
    # one day these dies will be calls to pretty printed
    # html . mymodule::error->database_error()
    $mesg->code && die $mesg->error;
    $ldap->unbind;
    # Dodgy, I admit : we only expect one account with the cn eq $user
    my $entry = $mesg->shift_entry;
    # Bailout if user does not exist in LDAP.
    return undef unless ($entry);
    my $ldaphash = $entry->get_value('userPassword');
    my $ldapuser = $entry->get_value('uid');
    # hash the CGI supplied password to compare with LDAP userPassword
    my $md5 = Digest::MD5->new;
    $md5->add( $q->param('phrase') );
    my $hash = '{MD5}' . encode_base64($md5->digest, '');
    if ( ( $q->param('username') eq $ldapuser ) and ( $hash eq $ldaphash ) ) {
        my $sessionid = $self->start_session( $q );
        return $sessionid;
    }
    else {
        return undef;
    }
}
I can see where you're coming from; however, rewriting this to use
Net::LDAP::Simple feels more like I'm shuffling the args to different methods
rather than simplifying the code. I think search parameters belong with
search methods, not in the constructor.
use strict;
use warnings;
use Net::LDAP::Simple;
use Digest::MD5;
use MIME::Base64 qw(encode_base64);

sub authenticate {
    my $self = shift;
    my $q = shift;
    # Using Net::LDAP::Simple
    # (host read from $self; the posted code used an unshown $ldaphost)
    my $ldap = Net::LDAP::Simple->new(
        host        => $self->{ldap}{host},
        base        => $self->{ldap}{userbase},
        searchattrs => 'uid',
    ) or die "LDAP Connection error";
    my $user = $q->param('username');
    my $result = $ldap->simplesearch( $user );
    die $ldap->error unless $result;
    $ldap->unbind;
    my $entry = shift @{$result};
    # Bailout if user does not exist in LDAP.
    return undef unless ($entry);
    my $ldaphash = $entry->get_value('userPassword');
    my $ldapuser = $entry->get_value('uid');
    # hash the CGI supplied password to compare with LDAP userPassword
    my $md5 = Digest::MD5->new;
    $md5->add( $q->param('phrase') );
    my $hash = '{MD5}' . encode_base64($md5->digest, '');
    if ( ( $q->param('username') eq $ldapuser ) and ( $hash eq $ldaphash ) ) {
        my $sessionid = $self->start_session( $q );
        return $sessionid;
    }
    else {
        return undef;
    }
}
Please forgive me if I have misunderstood your approach, and for goodness' sake
keep working on the idea. Collecting people's ideas re what would make LDAP simpler
to use for them might be a good start. I have considered writing some meta-methods to do commonplace things like move and rename;
I reckon your ideas there are spot on. I watch with interest.
-toaster
I can't believe it's not psellchecked
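Two details of the authenticate code above deserve a closer look from a security angle, and the example below (added here; it is not toaster's code and not part of Net::LDAP) shows both offline with core modules only. First, the posted search interpolates the raw username into the filter, so a value containing `*`, `(`, `)` or `\` changes the query. Second, the code recomputes a `{MD5}` hash locally and compares it with `eq`, which only works if every userPassword in the directory uses that one scheme. The names `escape_filter_value` (a re-implementation of the Net::LDAP::Util function of the same name, so the block has no non-core dependency), `user_filter`, `safe_eq`, `verify_userpassword` and `demo` are this example's own, and the stored hashes it checks are constructed inside the script rather than read from a directory.

```perl
#!/usr/bin/perl
# Added example, not from the original post: RFC 4515 filter escaping and
# verification of a candidate password against the hashed userPassword
# forms ({MD5}, {SHA}, {SSHA}) and plaintext. Core modules only.
use strict;
use warnings;
use Digest::MD5  qw(md5);
use Digest::SHA  qw(sha1);
use MIME::Base64 qw(encode_base64 decode_base64);

# Escape the characters RFC 4515 treats as special inside an assertion
# value: backslash, asterisk, parentheses and NUL become \XX hex escapes.
# Same behaviour as Net::LDAP::Util::escape_filter_value (re-implemented
# here so the example runs without Net::LDAP installed).
sub escape_filter_value {
    my ($value) = @_;
    $value =~ s/([\\*()\x00])/sprintf('\\%02x', ord $1)/ge;
    return $value;
}

# Build a single-attribute lookup filter with the user-supplied value escaped.
sub user_filter {
    my ($attr, $user) = @_;
    return "($attr=" . escape_filter_value($user) . ")";
}

# Length-then-XOR comparison so a mismatch does not leak its position via timing.
sub safe_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Check $candidate against a userPassword value. Handles {MD5}, {SHA},
# {SSHA} (SHA-1 digest followed by the salt, both base64'd together) and
# an unprefixed plaintext value. Returns 1 on match, 0 otherwise; an
# unknown scheme is refused rather than guessed at.
sub verify_userpassword {
    my ($stored, $candidate) = @_;
    return 0 unless defined $stored && defined $candidate;
    if ($stored =~ /^\{(\w+)\}(.*)$/s) {
        my ($scheme, $raw) = (uc $1, decode_base64($2));
        return safe_eq($raw, md5($candidate))  if $scheme eq 'MD5';
        return safe_eq($raw, sha1($candidate)) if $scheme eq 'SHA';
        if ($scheme eq 'SSHA') {
            return 0 if length($raw) <= 20;          # digest alone is 20 bytes
            my $digest = substr($raw, 0, 20);
            my $salt   = substr($raw, 20);
            return safe_eq($digest, sha1($candidate . $salt));
        }
        return 0;
    }
    return safe_eq($stored, $candidate);
}

sub demo {
    # Constructed sample values, generated here, not taken from any directory.
    my $pw          = 'correct horse';
    my $salt        = 'abcd';
    my $stored_md5  = '{MD5}'  . encode_base64(md5($pw), '');
    my $stored_ssha = '{SSHA}' . encode_base64(sha1($pw . $salt) . $salt, '');

    printf "%-40s -> %s\n", "filter for 'alice'", user_filter('uid', 'alice');
    printf "%-40s -> %s\n", "filter for 'alice*)(objectClass=*'",
        user_filter('uid', 'alice*)(objectClass=*');
    printf "MD5  match: %d  mismatch: %d\n",
        verify_userpassword($stored_md5, $pw),
        verify_userpassword($stored_md5, 'wrong');
    printf "SSHA match: %d  mismatch: %d\n",
        verify_userpassword($stored_ssha, $pw),
        verify_userpassword($stored_ssha, 'wrong');
    printf "unknown scheme refused: %d\n",
        verify_userpassword('{CRYPT}abc', 'abc') == 0;
}

demo() unless caller;
```

The second injected username above comes out as `(uid=alice\2a\29\28objectClass=\2a)`, a literal lookup that matches nothing, instead of a filter that widens the search. The simpler fix for the hash comparison is to avoid it entirely: after finding the entry, call `$ldap->bind($entry->dn, password => $q->param('phrase'))` and treat a non-zero result code as a failed login. The directory then applies whatever scheme and policy it has, and the web application never needs read access to userPassword.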