[rt-users] ldap authentication

Paul Rossman pdr at evanston.fluent.com
Fri Sep 21 18:01:34 EDT 2001


Hi Jesse,

I gave up on the external authentication :(  ... but now I think I like
this approach better.

What I've got here is a very quick hack to the autohandler code which
checks passwords against ldap. This uses perl-ldap. It will do it for
all people other than the RT 'root' user. If there is an error generated
logging in, I'm passing it back to get displayed.

Jesse, did I put the $session lines in the correct place? 

Please let me know if this works for anyone else or if anyone comes up
with better error handling. Thanks to Teo for suggesting to put this in
autohandler.

I should also note that I changed LookUpExternalUserInfo in config.pm
(this with the ldap mod seems to work) to set the user name like this:

($params{'Name'}, undef) = split(/\@/, $EmailAddress, 2);

-paul


--------------------------------------------------------------------

# If the user is logging in, let's authenticate
elsif (defined ($user) && defined ($pass)) {

    $session{'CurrentUser'} = RT::CurrentUser->new();
    $session{'CurrentUser'}->Load($user);

    # paul rossman 21-Sept-2001
    # pdr at fluent.com
    # allows the auth of all users but 'root' with ldap
    # modify the server and dn vars for your site
    # using perl-ldap from http://perl-ldap.sourceforge.net

    # the user must exist in RT no matter how the password is checked;
    # otherwise a successful ldap bind would leave a CurrentUser with no id
    unless ($session{'CurrentUser'}->id()) {
        delete $session{'CurrentUser'};
        $m->comp('/Elements/Login', Error => 'Your username or password is incorrect', %ARGS);
        $m->abort();
    }

    unless ($user eq "root") {

        use Net::LDAP qw(:all);
        use Net::LDAP::Util qw(ldap_error_text ldap_error_name ldap_error_desc);

        my $server = "ldap.YOURDOMAIN.COM";
        my $dn = "uid=" . $user . ",ou=People,o=YOURDOMAIN";

        # an empty password turns bind() into an unauthenticated (anonymous)
        # bind, which the server may report as success; refuse it up front
        my $verbosemesg = "LDAP_INVALID_CREDENTIALS";
        if (length $pass) {
            my $ldap = Net::LDAP->new($server) or die "$@";
            my $result = $ldap->bind($dn, password => $pass);
            $verbosemesg = ldap_error_name($result->code);
            $ldap->unbind;
        }

        unless ($verbosemesg eq "LDAP_SUCCESS") {

            # add the login failed header to the same mesg var
            $verbosemesg = "Login failed: " . $verbosemesg;

            delete $session{'CurrentUser'};
            $m->comp('/Elements/Login', Error => $verbosemesg, %ARGS);
            $m->abort();
        }

    } else {

        # 'root' keeps RT's own password check
        unless ($session{'CurrentUser'}->IsPassword($pass)) {
            delete $session{'CurrentUser'};
            $m->comp('/Elements/Login', Error => 'Your username or password is incorrect', %ARGS);
            $m->abort();
        }
    }
}
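The same bind-as-user check written as a stand-alone routine, added here as an example and not part of Paul's post: it escapes the login name before splicing it into the DN (RFC 4514), refuses the empty password that LDAP treats as an unauthenticated bind, and keeps the LDAP error name for the server log while the user only sees a generic message. The server and base DN are the YOURDOMAIN placeholders from the post; dn_escape and ldap_authenticate are names chosen for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_error_name);

# Constructed settings: the post's placeholders, replace for your site.
my $server  = 'ldap.YOURDOMAIN.COM';
my $base_dn = 'ou=People,o=YOURDOMAIN';

# Escape one attribute value for use inside a DN (RFC 4514), so a login
# name such as 'bob,ou=Admins' cannot rewrite the DN we bind as.
sub dn_escape {
    my ($v) = @_;
    $v =~ s/([\\,+"<>;=])/\\$1/g;   # characters special inside a DN
    $v =~ s/^([# ])/\\$1/;          # leading '#' or space
    $v =~ s/( )\z/\\$1/;            # trailing space
    return $v;
}

# Returns (1, undef) on success or (0, $reason) on failure. $reason is
# meant for the server log; the user should only get a generic message.
sub ldap_authenticate {
    my ($user, $pass) = @_;

    # A DN with an empty password is an unauthenticated bind (RFC 4513
    # section 5.1.2); servers may answer it with success, so never bind.
    return (0, 'empty username or password')
        unless defined $user && length $user && defined $pass && length $pass;

    my $dn   = 'uid=' . dn_escape($user) . ',' . $base_dn;
    my $ldap = Net::LDAP->new($server, timeout => 5)
        or return (0, "cannot reach $server: $@");

    my $result = $ldap->bind($dn, password => $pass);
    $ldap->unbind;

    return (1, undef) unless $result->code;
    return (0, "bind as $dn failed: " . ldap_error_name($result->code));
}

# Usage: ./ldap_auth.pl USER PASSWORD
my ($ok, $why) = ldap_authenticate($ARGV[0], $ARGV[1]);
if ($ok) {
    print "authenticated\n";
} else {
    warn "$why\n";                           # detail goes to the log
    print "Login failed: username or password incorrect\n";  # user sees this
}
```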