NAME

       Jifty::Plugin::Authentication::Ldap - LDAP Authentication Plugin for Jifty

DESCRIPTION

       CAUTION: This plugin is experimental.

       This may be combined with the User Mixin to provide user accounts and ldap password
       authentication to your application.

       When a new user authenticates using this plugin, a new User object will be created
       automatically.  The "name" and "email" fields will be automatically populated with LDAP
       data.

       in etc/config.yml

         Plugins:
           - Authentication::Ldap:
              LDAPhost: ldap.univ.fr           # ldap server
              LDAPbase: ou=people,dc=.....     # base ldap
              LDAPName: displayname            # name to be displayed (cn givenname)
              LDAPMail: mailLocalAddress       # email used optional
              LDAPuid: uid                     # optional

       Then create a user model

         jifty model --name=User

       and edit lib/App/Model/User.pm to look something like this:

         use strict;
         use warnings;

         package Venice::Model::User;

         use Jifty::DBI::Schema;
         use Venice::Record schema {
               # More app-specific user columns go here
         };

         use Jifty::Plugin::User::Mixin::Model::User;
         use Jifty::Plugin::Authentication::Ldap::Mixin::Model::User;

         sub current_user_can {
             my $self = shift;
             my $type = shift;
             my %args = (@_);

           return 1 if
                 $self->current_user->is_superuser;

           # all logged in users can read this table
           return 1
               if ($type eq 'read' && $self->current_user->id);

           return $self->SUPER::current_user_can($type, @_);
         };

         1;

   ACTIONS
       This plugin will add the following actions to your application.  For testing you can
       access these from the Admin plugin.

       Jifty::Plugin::Authentication::Ldap::Action::LDAPLogin
           The login path is "/ldaplogin".

       Jifty::Plugin::Authentication::Ldap::Action::LDAPLogout
           The logout path is "/ldaplogout".

   METHODS
   prereq_plugins
       This plugin depends on the User Mixin.

   Configuration
       The following options are available in your "config.yml" under the Authentication::Ldap
       Plugins section.

       "LDAPhost"
           Your LDAP server.

       "LDAPbase"
           [Mandatory] The base object where your users live. If "LDAPBindTemplate" is defined,
           "LDAPbase" is only used for user search.

       "LDAPBindTemplate"
           Alternatively to "LDAPbase", you can specify here the whole DN string, with %u as a
           placeholder for UID.

       "LDAPMail"
           The DN that your organization uses to store Email addresses.  This gets copied into
           the User object as the "email".

       "LDAPName"
           The DN that your organization uses to store Real Name.  This gets copied into the User
           object as the "name".

       "LDAPuid"
           The DN that your organization uses to store the user ID.  Usually "cn".  This gets
           copied into the User object as the "ldap_id".

       "LDAPOptions"
           These options get passed through to Net::LDAP.

           Default Options :

            debug   => 0
            onerror => undef
            async   => 1

           Other options you may want :

            timeout => 30

           See "Net::LDAP" for a full list.  You can overwrite the defaults selectively or not at
           all.

       "LDAPLoginHooks"
           Optional list of Perl functions that would be called after a successful login and
           after a corresponding User object is loaded and updated. The function is called with a
           hash array arguments, as follows:

             username => string
             user_object => User object
             ldap => Net::LDAP object
             infos => User attributes as returned by get_infos

       "LDAPFetchUserAttr"
           Optional list of LDAP user attributes fetched by get_infos. The values are returned to
           the login hook as arrayrefs.

   Example
       The following example authenticates the application against a MS Active Directory server
       for the domain MYDOMAIN. Each user entry has the attribute 'department' which is used for
       authorization. "LDAPbase" is used for user searching, and binding is done in a Microsoft
       way. The login hook checks if the user belongs to specific departments and updates the
       user record.

        ######
        #   etc/config.yml:
         Plugins:
           - User: {}
           - Authentication::Ldap:
              LDAPhost: ldap1.mydomain.com
              LDAPbase: 'DC=mydomain,DC=com'
              LDAPBindTemplate: 'MYDOMAIN\%u'
              LDAPName: displayName
              LDAPMail: mail
              LDAPuid: cn
              LDAPFetchUserAttr:
                - department
              LDAPLoginHooks:
                - 'Myapp::Model::User::ldap_login_hook'

         ######
         #  package Myapp::Model::User;
         sub ldap_login_hook
         {
             my %args = @_;

             my $u = $args{'user_object'};
             my $department = $args{'infos'}->{'department'}[0];

             my $editor = 0;
             if( $department eq 'NOC' or
                 $department eq 'ENGINEERING' )
             {
                 $editor = 1;
             }

             $u->__set( column => 'is_content_editor', value => $editor );
         }

SEE ALSO

       Jifty::Manual::AccessControl, Jifty::Plugin::User::Mixin::Model::User, Net::LDAP

AUTHORS

       Yves Agostini, <yvesago@cpan.org>, Stanislav Sinyagin

       and others authors from Jifty (maxbaker, clkao, sartak, alexmv)

LICENSE

       Copyright 2007-2010 Yves Agostini. All Rights Reserved.

       This program is free software and may be modified and distributed under the same terms as
       Perl itself.