[rt-users] LDAP authentication
Sivan DERAY
sivan.deray at net-aptitude.fr
Fri Sep 24 11:15:18 EDT 2004
I read many posts about LDAP, but i'm still confused on how to implement
that :
here is what a understood :
I put in the /opt/rt3/lib/RT/ directory a User_Local.pm file containing
:
********
********
no warnings qw(redefine);
# {{{ sub IsPassword
# Modification Originally by Marcelo Bartsch <bartschm_cl at hotmail.com>
# Update by Stewart James <stewart.james at vu.edu.au for rt3.
# Drop this file in /opt/rt3/lib/RT/User_Local.pm
# Drop something like below in yout RT_SiteConfig.pm
# $LDAPExternalAuth = 1;
# $LdapServer="adress";
# $LdapUser="";
# $LdapPass="";
# $LdapBase="dc=domain,dc=com";
# $LdapUidAttr="uid";
# $LdapFilter="(objectclass=*)";
sub IsPassword {
my $self = shift;
my $value = shift;
#TODO there isn't any apparent way to legitimately ACL this
# RT does not allow null passwords
if ( ( !defined($value) ) or ( $value eq '' ) ) {
return (undef);
}
if ( $self->PrincipalObj->Disabled ) {
$RT::Logger->info(
"Disabled user " . $self->Name . " tried to log
in" );
return (undef);
}
if ( ($self->__Value('Password') eq '') ||
($self->__Value('Password') eq undef) ) {
return(undef);
}
# generate an md5 password
if ($self->_GeneratePassword($value) eq
$self->__Value('Password')) {
return(1);
}
# if it's a historical password we say ok.
if (! $RT::LDAPExternalAuth)
{
if ($self->__Value('Password') eq crypt($value,
$self->__Value('Password'))) {
return (1);
}
else {
return (undef);
}
}
else
{
if ($self->__Value('Password') eq crypt($value,
$self->__Value('Password'))) {
return (1);
}
$RT::Logger->info("Using External Authentication\n");
use Net::LDAP;
my $mesg;
my $ldap = Net::LDAP->new($RT::LdapServer, version=>3)
or $RT::Logger->critical("GetExternalUserWithLDAP: " . "Cannot connect
to LDAP'\n"), return 0;
# Iseem to have problems is I try and bind with a NULL
username by hand
# So this now checks to see if we are really going to
bind with a
# username.
if (defined($RT::LdapUser) && $RT::LdapUser != '') {
$mesg = $ldap->bind($RT::LdapUser, password
=>$RT::LdapPass );
} else {
$mesg = $ldap->bind;
}
if ($mesg->code != LDAP_SUCCESS) {
$RT::Logger->critical("GetExternalUserWithLDAP:
Cannot bind to LDAP:",
$mesg->code, "\n");
return 0;
}
my $filter = "(&(&(objectclass=person)(" .
$RT::LdapUidAttr . "=" . $self->Name ."))$RT::LdapFilter)";
$RT::Logger->debug("GetExternalUserWithLDAP: First
search filter '$filter'\n");
$mesg = $ldap->search(base => $RT::LdapBase,
filter => $filter,
attrs => ['dn']);
if (($mesg->code != LDAP_SUCCESS) or ($mesg->code !=
LDAP_PARTIAL_RESULTS))
{
$RT::Logger->debug("GetExternalUserWithLDAP:
Could not search for $filter: ",
$mesg->code, "" ,
ldap_error_name($mesg->code) ,"\n");
return 0;
}
$RT::Logger->debug("GetExternalUserWithLDAP: First
search produced ",
$mesg->count, " results\n");
if (! $mesg->count)
{
$RT::Logger->info("AUTH FAILED: " . $self->Name
. "\n");
return 0;
}
$RT::Logger->debug("LDAP DN: " . $mesg->first_entry->dn
. " " . $value . "\n");
my $mesg2 = $ldap->bind($mesg->first_entry->dn, password
=>$value );
if ($mesg2->code != LDAP_SUCCESS) {
$RT::Logger->critical("GetExternalUserWithLDAP:
Cannot bind to LDAP:",
$mesg2->code, "\n");
return 0;
}
else
{
$RT::Logger->info("AUTH OK: " . $self->Name . "
(" .$mesg->first_entry->dn . ")\n");
return 1;
}
}
# no password check has succeeded. get out
return (undef);
}
# }}}
1;
**********
**********
Next I put in httpd.conf :
# LDAP integration
<Directory /opt/rt3/share/html>
AuthType Basic
AuthName "Request Tracker Login"
AuthLDAPURL ldap://ipadress
require valid-user
</Directory>
and in Rt_SiteConfig :
Set ($WebExternalAuth , 1);
Set($WebFallbackToInternalAuth , 1);
Set($WebExternalAuto , 1);
I know i missed other things but do i have to add to meet with the needs
?
i'm running a RH7.3 - apache 1 - mod_perl 1 - RT 3.0.10
thanks a lot !!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20040924/2fd93f5c/attachment.htm>
More information about the rt-users
mailing list