LDAP REST microservice with Password Policy overlay support
OpenLDAP comes with the awesome Password Policy overlay, which adds password and authentication policy enforcement directly into SLAPD itself. This layer of security is immediately applied against any system using LDAP as an authentication provider with zero client-side changes.
However! Such overlays are part of LDAPv3, which adds richer return data, but most common languages do not support providing this data when using the bind function. An LDAP bind will work the same regardless, but will lack this informative data (e.g. account locked, password reset required, etc.).
Catslap provides this detailed LDAP authentication as a REST microservice that can be incorporated into any application's authentication process. Catslap also acts as middleware security to isolate your LDAP services from your other applications (your apps won't require administrative bind credentials). Also, because Catslap is powered by Mojolicious, horizontal scaling and zero-downtime hot redeployment are effortless through the built-in Hypnotoad pre-forking web server.
The Net::LDAP Perl module includes full support for the LDAPv3 Password Policy overlay (via the Net::LDAP::Control::PasswordPolicy module). Perl is seemingly the only major web language with such complete support.
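As an added illustration of the bind described above (not Catslap's own code), the snippet below attaches the PasswordPolicy request control to a user bind and decodes the response control, so a caller learns why a bind failed (locked, must reset, expired) rather than only "invalid credentials". The server URI, user DN and password are assumed placeholders.

```perl
#!/usr/bin/env perl
# Added example, not part of Catslap: bind with the ppolicy control and
# turn the response control into a plain hash a REST layer could return.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::PasswordPolicy;
use Net::LDAP::Constant qw(LDAP_CONTROL_PASSWORDPOLICY LDAP_SUCCESS);

# Error codes as defined by draft-behera-ldap-password-policy and
# returned numerically by $resp->pp_error.
my %PP_ERROR = (
    0 => 'passwordExpired',
    1 => 'accountLocked',
    2 => 'changeAfterReset',
    3 => 'passwordModNotAllowed',
    4 => 'mustSupplyOldPassword',
    5 => 'insufficientPasswordQuality',
    6 => 'passwordTooShort',
    7 => 'passwordTooYoung',
    8 => 'passwordInHistory',
);

# Binds as the user (no administrative credentials needed) and returns a
# hashref describing the outcome plus any policy information the server sent.
sub authenticate {
    my ($uri, $dn, $password) = @_;
    my $ldap = Net::LDAP->new($uri)
        or return +{ ok => 0, error => "connect failed: $@" };

    my $pp   = Net::LDAP::Control::PasswordPolicy->new;
    my $mesg = $ldap->bind($dn, password => $password, control => [$pp]);

    my %result = (
        ok    => ($mesg->code == LDAP_SUCCESS ? 1 : 0),
        code  => $mesg->code,
        error => $mesg->error,
    );

    # The response control is only present for entries a policy applies to;
    # it can accompany both a successful bind (grace/expiry warnings) and a
    # failed one (the reason for the failure).
    my ($resp) = $mesg->control(LDAP_CONTROL_PASSWORDPOLICY);
    if ($resp) {
        $result{pp_error} = $PP_ERROR{ $resp->pp_error } if defined $resp->pp_error;
        $result{grace_remaining} = $resp->grace_authentications_remaining
            if defined $resp->grace_authentications_remaining;
        $result{expires_in} = $resp->time_before_expiration
            if defined $resp->time_before_expiration;
    }
    $ldap->unbind;
    return \%result;
}

# Placeholder values; replace with your own server and user.
my $r = authenticate('ldap://localhost', 'uid=alice,ou=people,dc=example,dc=com', 'secret');
print "$_=$r->{$_}\n" for sort keys %$r;
```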
There is a utility that comes with OpenLDAP called slapcat(8), and since bad puns are the highest form of comedy, Catslap was born! :D
Notice: This assumes we will be installing and running Catslap as the `meow` user, installed in `/home/meow/catslap`.
- Perl 5.20 or greater
- cpanminus or Carton
- OpenLDAP SLAPD service with Password Policy overlay, users, superusers, and groups configured
These will be installed in the next step.
- `cd` to the parent directory where Catslap will be installed:

```
meow@server:/home/meow$ cd /home/meow/catslap
```
- Install the Perl CPAN module dependencies:

```
# if using cpanminus
# (include the trailing dot!)
meow@server:/home/meow/catslap$ cpanm --installdeps .

# if using Carton
meow@server:/home/meow/catslap$ carton install
```
- Configure Catslap by copying `catslap.conf.example` to `catslap.conf` and editing it, following the comments within.
- Set Catslap to start with your server using either the supplied startup scripts, or system utilities like systemd or Supervisord.
Notice: This assumes we installed Catslap as the `meow` user in `/home/meow/catslap`.

```
meow@server:/home/meow/catslap$ ./bin/catslap
Catslap listening on http://localhost:31195/
meow@server:/home/meow/catslap$
```
No cats were slapped in the making of this software. =^^=