[Bps-public-commit] rt-authen-externalauth branch, configurable-group-scope, created. 0.10_01-5-g5ac161a
Thomas Sibley
trs at bestpractical.com
Fri Jul 27 15:26:12 EDT 2012
The branch, configurable-group-scope has been created
at 5ac161ae1ad3beb1af65570832dd018a445463a3 (commit)
- Log -----------------------------------------------------------------
commit a89b476a1787d2b1f4b6ae5fcc14881e235c8555
Author: Valmiky Arquissandas <valmiky.arquissandas at ist.utl.pt>
Date: Wed Jul 25 20:33:17 2012 +0100
Added "group_scope" as a configurable option.
This patch allows the scope of the LDAP group search to be configured,
instead of being hard-coded as "base".
It is useful to change the scope to "sub" when there are nested groups.
The default option has been kept as "base".
diff --git a/etc/RT_SiteConfig.pm b/etc/RT_SiteConfig.pm
index a080d40..687c989 100644
--- a/etc/RT_SiteConfig.pm
+++ b/etc/RT_SiteConfig.pm
@@ -128,6 +128,9 @@ Set($ExternalSettings, { # AN EXAMPLE DB SERVICE
'net_ldap_args' => [ version => 3 ],
# Does authentication depend on group membership? What group name?
'group' => 'GROUP_NAME',
+ # What is the scope of the group search? (base, one, sub)
+ # Optional; defaults to 'base', which is good enough for most cases. 'sub' is appropriate when you have nested groups
+ 'group_scope' => 'base',
# What is the attribute for the group object that determines membership?
'group_attr' => 'GROUP_ATTR',
# What is the attribute of the user entry that should be matched against group_attr above? (Optional; defaults to 'dn')
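Review bot: The second added comment line runs far past the width of the neighbouring comments and mixes the default, the rationale and the nested-group advice in one sentence, which makes the example config harder to scan. Since the value is passed straight through to the group search in lib/RT/Authen/ExternalAuth/LDAP.pm, the comment should just name the accepted values and when to change them. I'd split it into `# Optional; defaults to 'base', which is enough for most setups.` and `# Set to 'sub' when membership is expressed through nested groups.`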
diff --git a/lib/RT/Authen/ExternalAuth/LDAP.pm b/lib/RT/Authen/ExternalAuth/LDAP.pm
index b228e77..e73198c 100644
--- a/lib/RT/Authen/ExternalAuth/LDAP.pm
+++ b/lib/RT/Authen/ExternalAuth/LDAP.pm
@@ -20,6 +20,7 @@ sub GetAuth {
my $group = $config->{'group'};
my $group_attr = $config->{'group_attr'};
my $group_attr_val = $config->{'group_attr_value'} || 'dn';
+ my $group_scope = $config->{'group_scope'} || 'base';
my $attr_map = $config->{'attr_map'};
my @attrs = ('dn');
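Review bot: The value read on the added line is handed unchanged to the LDAP search later in this change (`scope => $group_scope`), so a mistyped setting is only discovered when that search runs, and how Net::LDAP treats an unrecognised scope is not visible here. Because this search is what decides whether a user in the configured group may log in, I'd validate the option where it is read and log a clear error, e.g. `$RT::Logger->error("Unsupported group_scope '$group_scope'; expected base, one or sub") unless $group_scope =~ /\A(?:base|one|sub)\z/;`, and add `# group_scope: LDAP search scope for the group entry; 'base' is the historical behaviour` above it. Note that `|| 'base'` also maps an explicit empty string to 'base', which is fine but worth stating in that comment. GetAuth begins before this hunk, so what the error path should return is not visible to me.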
@@ -118,6 +119,8 @@ sub GetAuth {
$RT::Logger->debug( "LDAP Search === ",
"Base:",
$group,
+ "== Scope:",
+ $group_scope,
"== Filter:",
$filter->as_string,
"== Attrs:",
@@ -126,7 +129,7 @@ sub GetAuth {
$ldap_msg = $ldap->search( base => $group,
filter => $filter,
attrs => \@attrs,
- scope => 'base');
+ scope => $group_scope);
# And the user isn't a member:
unless ($ldap_msg->code == LDAP_SUCCESS ||
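Review bot: With `scope => $group_scope` set to 'sub', the search rooted at `$group` matches any entry beneath the group DN rather than only the group object itself, so the membership check that starts on the last line of this hunk (and continues past it) now accepts a user whose value appears in `$group_attr` of any subordinate entry. That is the intended nested-group behaviour, but it silently widens what "the group" means; the filter is built earlier in GetAuth, outside this hunk, so I can't tell whether it already restricts the object class, and if it does not, the config comment should say that everything under the group DN counts. I'd add above the search: `# With group_scope 'one' or 'sub', any entry below $group whose $group_attr matches counts as membership, not just the group itself.`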
commit 5ac161ae1ad3beb1af65570832dd018a445463a3
Author: Thomas Sibley <trs at bestpractical.com>
Date: Fri Jul 27 12:24:34 2012 -0700
Test the new group_scope option
There is one TODOed test because of a Net::LDAP::Server::Test bug. I
fixed that bug and a related bug uncovered at the same time and issued a
pull request.
https://rt.cpan.org/Ticket/Display.html?id=78612
diff --git a/xt/ldap_group.t b/xt/ldap_group.t
index c305289..b77cf50 100644
--- a/xt/ldap_group.t
+++ b/xt/ldap_group.t
@@ -25,7 +25,7 @@ $ldap->bind();
my $users_dn = "ou=users,dc=bestpractical,dc=com";
my $group_dn = "cn=test group,ou=groups,dc=bestpractical,dc=com";
-for (1 .. 2) {
+for (1 .. 3) {
my $uid = "testuser$_";
my $entry = {
cn => "Test User $_",
@@ -47,6 +47,15 @@ $ldap->add(
],
);
+$ldap->add(
+ "cn=subgroup,$group_dn",
+ attr => [
+ cn => "subgroup",
+ memberUid => [ "testuser3" ],
+ objectClass => "group",
+ ],
+);
+
#RT->Config->Set( Plugins => 'RT::Authen::ExternalAuth' );
RT->Config->Set( ExternalAuthPriority => ['My_LDAP'] );
RT->Config->Set( ExternalInfoPriority => ['My_LDAP'] );
@@ -110,6 +119,31 @@ diag "test uri login";
ok( $m->login( 'testuser2', 'password' ), 'logged in' );
}
+$m->logout;
+
+diag "Subgroup isn't used with default group_scope of base";
+{
+ local $TODO = 'Net::LDAP::Server::Test bug: https://rt.cpan.org/Ticket/Display.html?id=78612'
+ if $Net::LDAP::Server::Test::VERSION <= 0.13;
+ ok( !$m->login( 'testuser3', 'password' ), 'not logged in from subgroup' );
+ $m->logout;
+}
+
+diag "Using group_scope of sub not base";
+
+RT->Config->Get('ExternalSettings')->{My_LDAP}{group_scope} = 'sub';
+diag "test uri login";
+{
+ ok( !$m->login( 'testuser1', 'password' ), 'not logged in with real user not in group' );
+ $m->warning_like(qr/FAILED LOGIN for testuser1/);
+
+ ok( $m->login( 'testuser2', 'password' ), 'logged in as testuser2' );
+ $m->logout;
+
+ ok( $m->login( 'testuser3', 'password' ), 'logged in as testuser3 from subgroup' );
+ $m->logout;
+}
+
$ldap->unbind();
undef $m;
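Review bot: The `diag "test uri login"` preceding the sub-scope block repeats the label used by the earlier base-scope tests and no longer describes what is being exercised; `diag "test login with group_scope of sub";` would make the TAP output readable when one of the three logins in that block fails. The negative check for testuser3 in the TODO block is also weaker than the testuser1 check in the sub-scope block, which additionally asserts `$m->warning_like(qr/FAILED LOGIN for testuser1/)`; adding `$m->warning_like(qr/FAILED LOGIN for testuser3/)` after it would confirm the login was refused by the group search rather than for some other reason. Switching the scope by assigning into `RT->Config->Get('ExternalSettings')->{My_LDAP}{group_scope}` relies on the test server sharing this process's config hash; if it runs in a separate process the assignment would not reach it, which I can't verify from this hunk.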