[Bps-public-commit] rt-authen-externalauth branch, configurable-group-value, created. 0.09-12-g51efe8e
Thomas Sibley
trs at bestpractical.com
Mon Jan 23 11:02:09 EST 2012
The branch, configurable-group-value has been created
at 51efe8ef810a5b7d2c16a43d10a03682b5f51bf0 (commit)
- Log -----------------------------------------------------------------
commit 51efe8ef810a5b7d2c16a43d10a03682b5f51bf0
Author: Thomas Sibley <trs at bestpractical.com>
Date: Mon Jan 23 10:56:10 2012 -0500
Support group membership checks against a value other than the user's DN
This is necessary when the group membership attribute (group_attr)
contains uids or email addresses or other values instead of the DNs of
users.
The new optional config param for LDAP sources is named
group_attr_value.
diff --git a/etc/RT_SiteConfig.pm b/etc/RT_SiteConfig.pm
index cf8ca36..a080d40 100644
--- a/etc/RT_SiteConfig.pm
+++ b/etc/RT_SiteConfig.pm
@@ -130,6 +130,8 @@ Set($ExternalSettings, { # AN EXAMPLE DB SERVICE
'group' => 'GROUP_NAME',
# What is the attribute for the group object that determines membership?
'group_attr' => 'GROUP_ATTR',
+ # What is the attribute of the user entry that should be matched against group_attr above? (Optional; defaults to 'dn')
+ 'group_attr_value' => 'GROUP_ATTR_VALUE',
## RT ATTRIBUTE MATCHING SECTION
# The list of RT attributes that uniquely identify a user
# This example shows what you *can* specify.. I recommend reducing this
diff --git a/lib/RT/Authen/ExternalAuth/LDAP.pm b/lib/RT/Authen/ExternalAuth/LDAP.pm
index 885c7dd..d3560a5 100644
--- a/lib/RT/Authen/ExternalAuth/LDAP.pm
+++ b/lib/RT/Authen/ExternalAuth/LDAP.pm
@@ -1,7 +1,7 @@
package RT::Authen::ExternalAuth::LDAP;
use Net::LDAP qw(LDAP_SUCCESS LDAP_PARTIAL_RESULTS);
-use Net::LDAP::Util qw(ldap_error_name);
+use Net::LDAP::Util qw(ldap_error_name escape_filter_value);
use Net::LDAP::Filter;
use strict;
@@ -19,6 +19,7 @@ sub GetAuth {
my $filter = $config->{'filter'};
my $group = $config->{'group'};
my $group_attr = $config->{'group_attr'};
+ my $group_attr_val = $config->{'group_attr_value'} || 'dn';
my $attr_map = $config->{'attr_map'};
my @attrs = ('dn');
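Review bot: The new `$group_attr_val` on the added line is only useful if that attribute is actually returned by the user search, and the next line still seeds `@attrs` with `('dn')` alone; how `@attrs` is extended later is outside the hunk, but if the configured attribute is never requested, the later `get_value($group_attr_val)` (hunk at line 97) returns undef and the DN fallback silently takes over, so the membership check quietly degrades to a `(memberUid=<dn>)`-style filter that is unlikely to match. Consider `push @attrs, $group_attr_val unless lc($group_attr_val) eq 'dn';` directly after the `@attrs` declaration. The `||` default also maps an explicit empty string to 'dn', which looks intended but deserves a comment such as `# 'dn' unless configured; undef and '' both mean the DN`. GetAuth continues outside the hunk.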
@@ -71,7 +72,9 @@ sub GetAuth {
return 0;
}
- my $ldap_dn = $ldap_msg->first_entry->dn;
+ my $ldap_entry = $ldap_msg->first_entry;
+ my $ldap_dn = $ldap_entry->dn;
+
$RT::Logger->debug( "Found LDAP DN:",
$ldap_dn);
@@ -94,8 +97,14 @@ sub GetAuth {
# The user is authenticated ok, but is there an LDAP Group to check?
if ($group) {
- # If we've been asked to check a group...
- $filter = Net::LDAP::Filter->new("(${group_attr}=${ldap_dn})");
+ my $group_val = lc $group_attr_val eq 'dn'
+ ? $ldap_dn
+ : $ldap_entry->get_value($group_attr_val);
+
+ # Fallback to the DN if the user record doesn't have a value
+ $group_val = $ldap_dn unless defined $group_val;
+
+ $filter = Net::LDAP::Filter->new("(${group_attr}=" . escape_filter_value($group_val) . ")");
$RT::Logger->debug( "LDAP Search === ",
"Base:",
diff --git a/xt/ldap_group.t b/xt/ldap_group.t
index ecf4876..c305289 100644
--- a/xt/ldap_group.t
+++ b/xt/ldap_group.t
@@ -1,6 +1,11 @@
use strict;
use warnings;
+# This lets us change config during runtime without restarting
+BEGIN {
+ $ENV{RT_TEST_WEB_HANDLER} = 'inline';
+}
+
use RT::Test tests => undef, testing => 'RT::Authen::ExternalAuth';
use Net::LDAP;
use RT::Authen::ExternalAuth;
@@ -37,6 +42,7 @@ $ldap->add(
attr => [
cn => "test group",
memberDN => [ "uid=testuser1,$users_dn" ],
+ memberUid => [ "testuser2" ],
objectClass => 'Group',
],
);
@@ -70,6 +76,7 @@ RT->Config->Set(
my ( $baseurl, $m ) = RT::Test->started_ok();
+diag "Using DN to match group membership";
diag "test uri login";
{
ok( !$m->login( 'fakeuser', 'password' ), 'not logged in with fake user' );
@@ -89,6 +96,20 @@ diag "test user creation";
is($testuser->EmailAddress,'testuser1 at example.com');
}
+$m->logout;
+
+diag "Using uid to match group membership";
+
+RT->Config->Get('ExternalSettings')->{My_LDAP}{group_attr} = 'memberUid';
+RT->Config->Get('ExternalSettings')->{My_LDAP}{group_attr_value} = 'uid';
+diag "test uri login";
+{
+ ok( !$m->login( 'testuser1', 'password' ), 'not logged in with real user not in group' );
+ $m->warning_like(qr/FAILED LOGIN for testuser1/);
+
+ ok( $m->login( 'testuser2', 'password' ), 'logged in' );
+}
+
$ldap->unbind();
undef $m;
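Review bot: The new uid-based block exercises only the happy path; the two other paths the LDAP.pm change introduces — the DN fallback when the user entry lacks the configured attribute, and the `escape_filter_value` escaping of the matched value — have no coverage here. Adding a fixture user whose uid contains LDAP filter metacharacters and asserting that login succeeds only when that exact value is listed in `memberUid` would pin the escaping, and a user without the attribute would pin the fallback. The script's setup and teardown are outside the hunk.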
-----------------------------------------------------------------------