[Rt-commit] rt branch, 4.4/update-external-auth-config, created. rt-4.4.0-90-g8d6bdf7
Jim Brandt
jbrandt at bestpractical.com
Fri May 6 15:08:39 EDT 2016
The branch, 4.4/update-external-auth-config has been created
at 8d6bdf7f8f52000539671ec9ea20234fda40aba7 (commit)
- Log -----------------------------------------------------------------
commit 85cb0d24f7a60431c66ab8f70b3a5daf8003bd87
Author: Jim Brandt <jbrandt at bestpractical.com>
Date: Thu May 5 16:06:31 2016 -0400
Automatically enable ExternalAuth when ExternalAuth options enabled
ExternalAuth uses three configuration options to configure the
service and also requires a flag, ExternalAuth, to be set to
enable it. The presence of the three configuration options is
enough to confirm the user would like to use ExternalAuth, so
automatically enable it when these are selected.
diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 2aad19c..65da8c5 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1000,16 +1000,6 @@ our %META;
},
},
- ExternalAuth => {
- PostLoadCheck => sub {
- my $self = shift;
- my $ExternalAuthEnabled = $self->Get('ExternalAuth');
- if ( $ExternalAuthEnabled ) {
- require RT::Authen::ExternalAuth;
- }
- }
- },
-
ExternalSettings => {
Obfuscate => sub {
# Ensure passwords are obfuscated on the System Configuration page
@@ -1026,6 +1016,7 @@ our %META;
PostLoadCheck => sub {
my $self = shift;
my $settings = shift || {};
+ $self->EnableExternalAuth();
my $remove = sub {
my ($service) = @_;
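Review bot: `EnableExternalAuth()` is called unconditionally at the top of this `PostLoadCheck`, before anything looks at `$settings`, so the flag is set and `RT::Authen::ExternalAuth` is loaded even when `$settings` falls back to the empty `{}` default. The same applies to the calls added to the `ExternalAuthPriority` and `ExternalInfoPriority` hooks in the next two hunks, where the call sits ahead of the `if (not @values)` early return. If these hooks also run on installations that set none of the three options (the `shift || {}` and `shift || []` defaults suggest they do), external authentication becomes part of the login path on sites that never configured it. Guard the call on real configuration, e.g. `$self->EnableExternalAuth() if keys %$settings;` here, and move the call below the `if (not @values) { ... return; }` block in the other two hooks. The hook body continues outside this hunk.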
@@ -1075,6 +1066,8 @@ our %META;
PostLoadCheck => sub {
my $self = shift;
my @values = @{ shift || [] };
+ $self->EnableExternalAuth();
+
if (not @values) {
$self->Set( 'ExternalAuthPriority', \@values );
return;
@@ -1093,6 +1086,8 @@ our %META;
PostLoadCheck => sub {
my $self = shift;
my @values = @{ shift || [] };
+ $self->EnableExternalAuth();
+
if (not @values) {
$RT::Logger->debug("ExternalInfoPriority not defined. User information (including user enabled/disabled) cannot be externally-sourced");
$self->Set( 'ExternalInfoPriority', \@values );
@@ -1716,6 +1711,16 @@ sub ObjectHasCustomFieldGrouping {
return 0;
}
+# Internal method to activate ExtneralAuth if any ExternalAuth config
+# options are set.
+sub EnableExternalAuth {
+ my $self = shift;
+
+ $self->Set('ExternalAuth', 1);
+ require RT::Authen::ExternalAuth;
+ return;
+}
+
RT::Base->_ImportOverlays();
1;
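Review bot: The comment on `EnableExternalAuth` says it activates ExternalAuth "if any ExternalAuth config options are set", but the body checks nothing and always runs `$self->Set('ExternalAuth', 1)`. That also overwrites whatever the administrator put in the site config, so an explicit `Set($ExternalAuth, 0);` kept to switch the feature off would presumably stop having any effect; this is worth confirming against the load order and documenting either way. Because `Set` runs before `require`, a failed module load also leaves the flag at 1, which putting `require RT::Authen::ExternalAuth;` first would avoid. I would reword the comment to match the code, e.g. `# Internal method: unconditionally sets ExternalAuth and loads RT::Authen::ExternalAuth; callers decide whether any ExternalAuth option is configured.`, which also fixes the "ExtneralAuth" typo.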
commit b2dd572a991bea239e6310839b1da239ca00c7f1
Author: Jim Brandt <jbrandt at bestpractical.com>
Date: Thu May 5 16:12:29 2016 -0400
Add messages to log ExternalAuth configuration errors
diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 65da8c5..44453ea 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1069,11 +1069,18 @@ our %META;
$self->EnableExternalAuth();
if (not @values) {
+ $RT::Logger->debug("ExternalAuthPriority not defined. Attempting to create based on ExternalSettings");
$self->Set( 'ExternalAuthPriority', \@values );
return;
}
-
- my %settings = %{ $self->Get('ExternalSettings') };
+ my %settings;
+ if ( $self->Get('ExternalSettings') ){
+ %settings = %{ $self->Get('ExternalSettings') };
+ }
+ else{
+ $RT::Logger->error("ExternalSettings not defined. ExternalAuth requires the ExternalSettings configuration option to operate properly");
+ return;
+ }
for my $key (grep {not $settings{$_}} @values) {
$RT::Logger->error("Removing '$key' from ExternalAuthPriority, as it is not defined in ExternalSettings");
}
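Review bot: On the new `else` branch the hook logs the error and returns, but `EnableExternalAuth()` has already run at the top of the hook and `ExternalAuthPriority` still holds the entries in `@values`, so the process carries on with ExternalAuth flagged on and a priority list naming services that have no definition. How the authentication code treats that state is not visible here; clearing the list before returning is the safer default, e.g. `$self->Set( 'ExternalAuthPriority', [] );` ahead of the `return`. The identical block is added to the `ExternalInfoPriority` hook in the next hunk and the same applies there; the two copies could share one helper. The debug text added in the `if (not @values)` branch says "Attempting to create based on ExternalSettings", while the visible code only stores the empty list and returns, so the message may mislead whoever reads the log. The hook body starts and ends outside this hunk.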
@@ -1094,7 +1101,14 @@ our %META;
return;
}
- my %settings = %{ $self->Get('ExternalSettings') };
+ my %settings;
+ if ( $self->Get('ExternalSettings') ){
+ %settings = %{ $self->Get('ExternalSettings') };
+ }
+ else{
+ $RT::Logger->error("ExternalSettings not defined. ExternalAuth requires the ExternalSettings configuration option to operate properly");
+ return;
+ }
for my $key (grep {not $settings{$_}} @values) {
$RT::Logger->error("Removing '$key' from ExternalInfoPriority, as it is not defined in ExternalSettings");
}
commit df66dc6de6f691df685f3dfde96b9d28573fdc30
Author: Jim Brandt <jbrandt at bestpractical.com>
Date: Thu May 5 16:20:51 2016 -0400
Add tests for ExternalAuth configuration processing
diff --git a/t/externalauth/auth_config.t b/t/externalauth/auth_config.t
new file mode 100644
index 0000000..dda38c6
--- /dev/null
+++ b/t/externalauth/auth_config.t
@@ -0,0 +1,59 @@
+use strict;
+use warnings;
+use RT;
+my $config;
+BEGIN{
+ $config = <<'END';
+Set($ExternalSettings, {
+ 'My_LDAP' => {
+ 'type' => 'ldap',
+ 'server' => 'ldap.example.com',
+ # By not passing 'user' and 'pass' we are using an anonymous
+ # bind, which some servers to not allow
+ 'base' => 'ou=Staff,dc=example,dc=com',
+ 'filter' => '(objectClass=inetOrgPerson)',
+ # Users are allowed to log in via email address or account
+ # name
+ 'attr_match_list' => [
+ 'Name',
+ 'EmailAddress',
+ ],
+ # Import the following properties of the user from LDAP upon
+ # login
+ 'attr_map' => {
+ 'Name' => 'sAMAccountName',
+ 'EmailAddress' => 'mail',
+ 'RealName' => 'cn',
+ 'WorkPhone' => 'telephoneNumber',
+ 'Address1' => 'streetAddress',
+ 'City' => 'l',
+ 'State' => 'st',
+ 'Zip' => 'postalCode',
+ 'Country' => 'co',
+ },
+ },
+ } );
+
+END
+
+}
+use RT::Test nodb => 1, tests => undef, config => $config;
+use Test::Warn;
+
+diag "Test ExternalAuth configuration processing";
+my $auth_settings = RT::Config->Get('ExternalSettings');
+ok( $auth_settings, 'Got ExternalSettings');
+is( $auth_settings->{'My_LDAP'}{'type'}, 'ldap', 'External Auth type is ldap');
+ok( RT::Config->Get('ExternalAuth'), 'ExternalAuth activated automatically');
+
+ok( RT::Config->Set('ExternalAuthPriority', ['My_LDAP']),'Set ExternalAuthPriority');
+ok( RT::Config->Set('ExternalInfoPriority', ['My_LDAP']),'Set ExternalInfoPriority');
+
+ok( RT::Config->Set( 'ExternalSettings', undef ), 'unset ExternalSettings' );
+ok( !(RT::Config->Get('ExternalSettings')), 'ExternalSettings removed');
+
+warnings_like {RT::Config->PostLoadCheck} [qr/ExternalSettings not defined/,
+ qr/ExternalSettings not defined/],
+ 'Correct warnings with ExternalSettings missing';
+
+done_testing;
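Review bot: The test covers only the positive path (`ExternalSettings` present, so `ExternalAuth` is on) and never asserts that `ExternalAuth` stays off when none of the three options is configured, which is the case that matters most when an authentication backend is enabled automatically. A companion test loaded without `$ExternalSettings` in its `config` and asserting `ok( !RT::Config->Get('ExternalAuth'), 'ExternalAuth not enabled without configuration' );` would pin that down. After `ExternalSettings` is set to `undef`, the test checks the two log messages but not the resulting values of `ExternalAuth`, `ExternalAuthPriority` and `ExternalInfoPriority`; asserting them would document the intended failure state.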
commit a580b8c5e4bfbc3a48a5bb782fbefbfa5ba6b82d
Author: Jim Brandt <jbrandt at bestpractical.com>
Date: Thu May 5 16:29:33 2016 -0400
Remove explicit setting of ExternalAuth in tests
diff --git a/t/externalauth/ldap.t b/t/externalauth/ldap.t
index 994563c..34dcf83 100644
--- a/t/externalauth/ldap.t
+++ b/t/externalauth/ldap.t
@@ -27,8 +27,6 @@ my $entry = {
$ldap->add( $base );
$ldap->add( $dn, attr => [%$entry] );
-RT->Config->Set( ExternalAuth => 1 );
-
RT->Config->Set( ExternalAuthPriority => ['My_LDAP'] );
RT->Config->Set( ExternalInfoPriority => ['My_LDAP'] );
RT->Config->Set( AutoCreateNonExternalUsers => 0 );
diff --git a/t/externalauth/ldap_escaping.t b/t/externalauth/ldap_escaping.t
index cce4e0c..0442313 100644
--- a/t/externalauth/ldap_escaping.t
+++ b/t/externalauth/ldap_escaping.t
@@ -48,8 +48,6 @@ $ldap->add(
],
);
-RT->Config->Set( ExternalAuth => 1 );
-
RT->Config->Set( ExternalAuthPriority => ['My_LDAP'] );
RT->Config->Set( ExternalInfoPriority => ['My_LDAP'] );
RT->Config->Set( AutoCreateNonExternalUsers => 0 );
diff --git a/t/externalauth/ldap_group.t b/t/externalauth/ldap_group.t
index ede53a2..a3d87a8 100644
--- a/t/externalauth/ldap_group.t
+++ b/t/externalauth/ldap_group.t
@@ -55,8 +55,6 @@ $ldap->add(
],
);
-RT->Config->Set( ExternalAuth => 1 );
-
#RT->Config->Set( Plugins => 'RT::Authen::ExternalAuth' );
RT->Config->Set( ExternalAuthPriority => ['My_LDAP'] );
RT->Config->Set( ExternalInfoPriority => ['My_LDAP'] );
diff --git a/t/externalauth/ldap_privileged.t b/t/externalauth/ldap_privileged.t
index 26f1862..fe5e05a 100644
--- a/t/externalauth/ldap_privileged.t
+++ b/t/externalauth/ldap_privileged.t
@@ -26,8 +26,6 @@ my $entry = {
$ldap->add( $base );
$ldap->add( $dn, attr => [%$entry] );
-RT->Config->Set( ExternalAuth => 1 );
-
RT->Config->Set( ExternalAuthPriority => ['My_LDAP'] );
RT->Config->Set( ExternalInfoPriority => ['My_LDAP'] );
RT->Config->Set( AutoCreateNonExternalUsers => 0 );
diff --git a/t/externalauth/sessions.t b/t/externalauth/sessions.t
index 98eca0c..9b3ec36 100644
--- a/t/externalauth/sessions.t
+++ b/t/externalauth/sessions.t
@@ -94,8 +94,6 @@ sub setup_auth_source {
SQL
}
- RT->Config->Set( ExternalAuth => 1 );
-
RT->Config->Set( ExternalAuthPriority => ['My_SQLite'] );
RT->Config->Set( ExternalInfoPriority => ['My_SQLite'] );
RT->Config->Set( AutoCreateNonExternalUsers => 0 );
diff --git a/t/externalauth/sqlite.t b/t/externalauth/sqlite.t
index 3214b7d..9e7c2cc 100644
--- a/t/externalauth/sqlite.t
+++ b/t/externalauth/sqlite.t
@@ -33,8 +33,6 @@ $dbh->do(
"INSERT INTO $table VALUES ( 'testuser', '$password', 'testuser\@invalid.tld')"
);
-RT->Config->Set( ExternalAuth => 1 );
-
RT->Config->Set( ExternalAuthPriority => ['My_SQLite'] );
RT->Config->Set( ExternalInfoPriority => ['My_SQLite'] );
RT->Config->Set( AutoCreateNonExternalUsers => 0 );
commit a27f715397870294de7697bb6accfe533b97a6a5
Author: Jim Brandt <jbrandt at bestpractical.com>
Date: Thu May 5 16:32:32 2016 -0400
Remove ExternalAuth config option from upgrade notes
diff --git a/docs/UPGRADING-4.4 b/docs/UPGRADING-4.4
index f19c493..b641915 100644
--- a/docs/UPGRADING-4.4
+++ b/docs/UPGRADING-4.4
@@ -21,9 +21,8 @@ L<RT::Authen::ExternalAuth::DBI> documentation.
Users of the existing
L<RT::Authen::ExternalAuth|https://metacpan.org/pod/RT::Authen::ExternalAuth>
-extension should remove C<RT::Authen::ExternalAuth> from the plugins list,
-and add C<Set($ExternalAuth, 1);> to the F<RT_SiteConfig.pm> file. Please
-also remove F<local/plugins/RT-Authen-ExternalAuth> from your RT
+extension should remove C<RT::Authen::ExternalAuth> from the plugins list.
+Please also remove F<local/plugins/RT-Authen-ExternalAuth> from your RT
installation.
=item *
commit 8d6bdf7f8f52000539671ec9ea20234fda40aba7
Author: Jim Brandt <jbrandt at bestpractical.com>
Date: Fri May 6 15:03:52 2016 -0400
Add ExternalAuth, LDAPImport options to RT_Config
Fixes: I#31464
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 6852ff2..02dcc3f 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -2372,6 +2372,100 @@ Set($MinimumPasswordLength, 5);
=back
+=head2 External Authentication and Authorization
+
+RT has a built-in module for integrating with a directory service like
+LDAP or Active Directory for authentication (login) and authorization
+(enabling/disabling users and setting user attributes). The core configuration
+settings for the service are listed here. Additional details are available
+in the F<lib/RT/Authen/ExternalAuth> module documentation.
+
+=over 4
+
+=item C<$ExternalSettings>
+
+This option, along with the following options, activate and configure authentication
+via a resource external to RT. All of the configuration for your external authentication
+service, like LDAP or Active Directory, are defined in a data structure in this option.
+You can find full details on the configuration
+options in the F<lib/RT/Authen/ExternalAuth> documentation.
+
+=cut
+
+# No defaults are set for ExternalAuth because this is an optional feature.
+
+=item C<$ExternalAuthPriority>
+
+Sets the priority of authentication resources if you have multiple configured.
+RT will attempt authorization with each resource, in order, until one succeeds or
+no more remain. See F<lib/RT/Authen/ExternalAuth> for details.
+
+=item C<$ExternalInfoPriority>
+
+Sets the order of resources for querying user information if you have multiple
+configured. RT will query each resource, in order, until one succeeds or
+no more remain. See F<lib/RT/Authen/ExternalAuth> for details.
+
+=item C<$UserAutocreateDefaultsOnLogin>
+
+A hashref of options to set for users who are autocreated on login via
+ExternalAuth. For example, you can automatically make "Privileged" users
+who were authenticated and created from LDAP or Active Directory.
+See F<lib/RT/Authen/ExternalAuth> for details.
+
+=item C<$AutoCreateNonExternalUsers>
+
+Users should still be autocreated by RT as internal users if they
+fail to exist in an external service; this is so requestors who
+are not in LDAP can still be created when they email in.
+See F<lib/RT/Authen/ExternalAuth> for details.
+
+=back
+
+=head2 Syncing Users and Groups with LDAP or AD
+
+In addition to the authentication services described above, RT also
+has a utility you can schedule to periodicially sync from your
+directory service additional user attributes, new users,
+disabled users, and group membership. Options for the
+LDAPImport tool are listed here. Additional information is
+available in the F<lib/RT/LDAPImport> documentation.
+
+=item C<$LDAPHost>
+
+Your LDAP server hostname.
+
+=item C<$LDAPUser>
+
+The LDAP user to log in with.
+
+=item C<$LDAPPassword>
+
+Password for LDAPUser.
+
+=item C<$LDAPFilter>
+
+The filter to use when querying LDAP for the set of users to sync.
+
+=item C<$LDAPMapping>
+
+Mapping to apply between LDAP attributes retrieved and RT user
+record attributes. See the F<lib/RT/LDAPImport> documentation
+for details.
+
+=item C<$LDAPGroupBase>
+
+The base for the LDAP group search.
+
+=item C<$LDAPGroupFilter>
+
+The filter to use when querying LDAP for groups to sync.
+
+=item C<$LDAPGroupMapping>
+
+Mapping to apply between LDAP group member attributes retrieved and
+RT groups. See the F<lib/RT/LDAPImport> documentation
+for details.
=head1 Internationalization
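Review bot: The `=item` entries from `C<$LDAPHost>` to `C<$LDAPGroupMapping>` sit outside any list, because the `=back` after `C<$AutoCreateNonExternalUsers>` closes the only `=over 4` and nothing reopens it under `=head2 Syncing Users and Groups with LDAP or AD`. POD checkers flag `=item` outside `=over` and renderers may misformat the entries; add `=over 4` after the introductory paragraph and `=back` before `=head1 Internationalization`. In the `C<$ExternalAuthPriority>` text, "RT will attempt authorization with each resource" describes the login check, so "authentication" is the accurate word by the section's own definitions. The `C<$LDAPPassword>` entry could also say that the value sits in clear text in the site config, e.g. `Keep the file readable only by the RT and web server users.`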
-----------------------------------------------------------------------