[Rt-commit] rt branch, 4.4/add-ldap-email-authentication, repushed
Blaine Motsinger
blaine at bestpractical.com
Mon Jan 25 11:33:20 EST 2021
The branch 4.4/add-ldap-email-authentication was deleted and repushed:
was eaf25c59d8f966d987c0f6c285cadf85e785ccbd
now 0d25844552b4b92481edcdf24dab918578981847
1: 6bb0380d95 ! 1: 2fe0f25870 Add LDAP email authentication
@@ -108,7 +108,7 @@
- $filter->as_string,
- "== Attrs:",
- join(',', at attrs));
-+ my $net_ldap_filter = Net::LDAP::Filter->new(
++ my $search_filter = Net::LDAP::Filter->new(
+ '(&' .
+ $filter .
+ '(' .
@@ -125,9 +125,23 @@
+ "Base:",
+ $base,
+ "== Filter:",
-+ ($net_ldap_filter ? $net_ldap_filter->as_string : ''),
++ ($search_filter ? $search_filter->as_string : ''),
+ "== Attrs:",
+ join(',', at attrs) );
++
++ $ldap_msg = $ldap->search( base => $base,
++ filter => $search_filter,
++ attrs => \@attrs );
++
++ unless ( $ldap_msg->code == LDAP_SUCCESS || $ldap_msg->code == LDAP_PARTIAL_RESULTS ) {
++ $RT::Logger->critical( "search for",
++ $search_filter->as_string,
++ "failed:",
++ ldap_error_name($ldap_msg->code),
++ $ldap_msg->code );
++ # Didn't even get a partial result - jump straight to the next external auth service
++ return 0;
++ }
- unless ($ldap_msg->code == LDAP_SUCCESS || $ldap_msg->code == LDAP_PARTIAL_RESULTS) {
- $RT::Logger->debug( "search for",
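Review bot: The critical log on the new side calls `$search_filter->as_string` unguarded and the search just above passes `$search_filter` through unconditionally, while the debug line a few lines earlier guards it with `($search_filter ? $search_filter->as_string : '')`. If `Net::LDAP::Filter->new` can return undef here, as that guard implies, a filter that fails to parse reaches `search` and then dies inside the failure log instead of failing authentication cleanly. Suggest `return 0 unless $search_filter;` before the search call, so a malformed filter is logged and rejected rather than thrown; the same guarded-debug / unguarded-search pairing appears later in the hunks holding `($search_filter ? $search_filter->as_string : '')` and `my $user_found = $ldap->search(`. The enclosing loop head and the declaration of `$ldap_msg` are outside the hunk.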
@@ -137,10 +151,19 @@
- $ldap_msg->code);
- # Didn't even get a partial result - jump straight to the next external auth service
- return 0;
-- }
-+ $ldap_msg = $ldap->search( base => $base,
-+ filter => $net_ldap_filter,
-+ attrs => \@attrs );
++ if ( $ldap_msg->count != 1 ) {
++ $RT::Logger->info( $service,
++ "AUTH FAILED:",
++ $username,
++ "User not found or more than one user found" );
++ # We got no user, or too many users.. try the next attr_match_list field.
++ next;
++ }
++ else {
++ # User was found
++ last;
++ }
+ }
- unless ($ldap_msg->count == 1) {
- $RT::Logger->info( $service,
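Review bot: The `else { last; }` after a branch that ends in `next` is redundant, since the `if` block never falls through; `last;` can follow the `if` directly, `if ( $ldap_msg->count != 1 ) { …; next; }` then `last;`, which reads as the early-exit pattern the rest of the block uses. The new side also drops the "User Check Succeeded" debug line that the previous version of the patch logged at this point, so a successful match is no longer visible in the log alongside the AUTH FAILED entries; keeping one debug line there would make login troubleshooting symmetric. The loop head is outside the hunk.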
@@ -149,46 +172,18 @@
- "User not found or more than one user found");
- # We got no user, or too many users.. jump straight to the next external auth service
- return 0;
-+ unless ( $ldap_msg->code == LDAP_SUCCESS || $ldap_msg->code == LDAP_PARTIAL_RESULTS ) {
-+ $RT::Logger->debug( "search for",
-+ $net_ldap_filter->as_string,
-+ "failed:",
-+ ldap_error_name($ldap_msg->code),
-+ $ldap_msg->code );
-+ # Didn't even get a partial result - jump straight to the next external auth service
-+ return 0;
-+ }
-+
-+ if ( $ldap_msg->count != 1 ) {
-+ $RT::Logger->info( $service,
-+ "AUTH FAILED:",
-+ $username,
-+ "User not found or more than one user found" );
-+ # We got no user, or too many users.. try the next attr_match_list field.
-+ next;
-+ }
-+ else {
-+ # User was found
-+ $RT::Logger->debug( "User Check Succeeded :: (",
-+ $service,
-+ ")",
-+ $username );
-+ last;
-+ }
- }
-
+- }
+ # if we didn't match anything, go to the next external auth service
+ return 0 unless $ldap_msg->first_entry;
-+
+
my $ldap_entry = $ldap_msg->first_entry;
my $ldap_dn = $ldap_entry->dn;
-
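Review bot: The post-loop guard `return 0 unless $ldap_msg->first_entry;` does not reject the ambiguous case: when the last attribute tried returned more than one entry, the `next` in the `count != 1` branch of the previous hunk leaves `$ldap_msg` holding that multi-entry result, `first_entry` is then defined, and authentication continues with the first of several matching users even though the loop logged "more than one user found". It also calls a method on `$ldap_msg` when the loop never ran. Suggest `return 0 unless $ldap_msg && $ldap_msg->count == 1;` so only an unambiguous single match proceeds to `$ldap_entry`. The loop head and the declaration of `$ldap_msg` are outside the hunk, so this assumes `$ldap_msg` is declared before the loop, as the assignment without `my` suggests.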
@@
# We only need the dn for the actual group since all we care about is existence
@attrs = qw(dn);
- $filter = Net::LDAP::Filter->new("(${group_attr}=" . escape_filter_value($group_val) . ")");
-+ my $net_ldap_filter = Net::LDAP::Filter->new("(${group_attr}=" . escape_filter_value($group_val) . ")");
++ my $search_filter = Net::LDAP::Filter->new("(${group_attr}=" . escape_filter_value($group_val) . ")");
$RT::Logger->debug( "LDAP Search === ",
"Base:",
@@ -197,13 +192,13 @@
$group_scope,
"== Filter:",
- $filter->as_string,
-+ $net_ldap_filter->as_string,
++ $search_filter->as_string,
"== Attrs:",
join(',', at attrs));
$ldap_msg = $ldap->search( base => $group,
- filter => $filter,
-+ filter => $net_ldap_filter,
++ filter => $search_filter,
attrs => \@attrs,
scope => $group_scope);
@@ -212,7 +207,7 @@
$ldap_msg->code == LDAP_PARTIAL_RESULTS) {
$RT::Logger->critical( "Search for",
- $filter->as_string,
-+ $net_ldap_filter->as_string,
++ $search_filter->as_string,
"failed:",
ldap_error_name($ldap_msg->code),
$ldap_msg->code);
@@ -258,7 +253,7 @@
+ }
- my @attrs = values(%{$config->{'attr_map'}});
-+ my $net_ldap_filter = Net::LDAP::Filter->new(
++ my $search_filter = Net::LDAP::Filter->new(
+ '(&' .
+ $filter .
+ '(' .
@@ -278,22 +273,18 @@
- join(',', at attrs));
+ my $ldap = _GetBoundLdapObj($config);
+ return unless $ldap;
-+
+
+- my $user_found = $ldap->search( base => $base,
+- filter => $filter,
+- attrs => \@attrs);
+ # Check that the user exists in the LDAP service
+ $RT::Logger->debug( "LDAP Search === ",
+ "Base:",
+ $base,
+ "== Filter:",
-+ ($net_ldap_filter ? $net_ldap_filter->as_string : ''),
++ ($search_filter ? $search_filter->as_string : ''),
+ "== Attrs:",
+ join(',', at attrs) );
-
-- my $user_found = $ldap->search( base => $base,
-- filter => $filter,
-- attrs => \@attrs);
-+ my $user_found = $ldap->search( base => $base,
-+ filter => $net_ldap_filter,
-+ attrs => \@attrs );
- if($user_found->count < 1) {
- # If 0 or negative integer, no user found or major failure
@@ -311,6 +302,10 @@
- $username,
- "More than one user with that username!");
- return 0;
++ my $user_found = $ldap->search( base => $base,
++ filter => $search_filter,
++ attrs => \@attrs );
++
+ unless ( $user_found->code == LDAP_SUCCESS || $user_found->code == LDAP_PARTIAL_RESULTS ) {
+ $RT::Logger->debug( "search for",
+ $filter->as_string,
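Review bot: The failure log at `$filter->as_string` calls a method on `$filter`, which in this function is concatenated as a plain string into `$search_filter` in the hunk containing `'(&' . $filter . '('`; if it is the configured filter string rather than a Net::LDAP::Filter object, this debug call dies with a method-not-found error precisely when the search has already failed, turning an LDAP error into an exception in the authentication path. The search itself is built from `$search_filter`, so the log should name the same object: `$search_filter->as_string,`. The enclosing loop and the declaration of `$filter` are outside the hunk.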
@@ -321,21 +316,26 @@
+ return 0;
+ }
+
-+ if ( $user_found->count != 1 ) {
++ if ( $user_found->count < 1 ) {
++ # If 0 or negative integer, no user found or major failure
+ $RT::Logger->debug( "User Check Failed :: (",
+ $service,
+ ")",
+ $username,
-+ "User not found or more than one user found with that username!" );
++ "User not found" );
++ next;
++ }
++ elsif ( $user_found->count > 1 ) {
++ # If more than one result returned, jump to the next attr because the username field should be unique!
++ $RT::Logger->debug( "User Check Failed :: (",
++ $service,
++ ")",
++ $username,
++ "More than one user with that username!" );
+ next;
+ }
+ else {
+ # User was found
-+ $RT::Logger->debug( "User Check Succeeded :: (",
-+ $service,
-+ ")",
-+ $username );
-+
+ # RT::Authen::ExternalAuth::DoAuth needs to be able to load by either User or EmailAddress.
+ # store the key that matched into the session so DoAuth can use the correct one.
+ $session->{'_ldap_attr_match'} = $attr_match;
@@ -401,10 +401,8 @@
- $username,
- ") so I'm just going to assume the user is not disabled");
- return 0;
-
+-
- }
-+ my $ldap = _GetBoundLdapObj($config);
-+ next unless $ldap;
- my $ldap = _GetBoundLdapObj($config);
- next unless $ldap;
@@ -412,7 +410,9 @@
- # We only need the UID for confirmation now,
- # the other information would waste time and bandwidth
- my @attrs = ('uid');
--
++ my $ldap = _GetBoundLdapObj($config);
++ next unless $ldap;
+
- $RT::Logger->debug( "LDAP Search === ",
- "Base:",
- $base,
2: eaf25c59d8 = 2: 0d25844552 Add test for LDAP attr search and match