[rt-users] LDAP authentication

Yan Fitterer y.fitterer at ram.ac.uk
Tue Apr 30 10:49:26 EDT 2002


Well - thanks, but I think my original question was not quite reflecting what I 
meant. I understand (and have read previous posts) the principles about using 
Net::LDAP, or the various mod_ldap modules for Apache. What I didn't 
understand was the low-level mechanics about how to authenticate a user against 
the LDAP server. 

Basically, do you do an LDAP compare operation against some attributes, or do 
you just retrieve them, and do the compare yourself? As well, I wasn't clear 
_which_ attributes to use? Finally, when you get to a password field, how does 
the encryption work? Does LDAP use the standard unix crypt() function, or does 
LDAP specify its own algorithm (and how do you invoke that)?

I think I've got now partial answers - let me know if this is correct:
- The attributes one uses depend on the implementation / setup of each LDAP 
server. The common attributes are uid or cn for the username, and userPassword 
for the password. (I'm using Novell's NDS) My problem there was that my version 
of Novell / LDAP doesn't have any password-type field... :-(
- There is no LDAP-defined "authenticate object" type function, the closest to it 
would be a compare.

I'm still not sure about the crypt() issues. I've a funny feeling that's again 
implementation-specific. I still don't see how you'd do it via Net::LDAP, other than 
using the standard crypt function.

Still searching...
Thanks
Yan

----  On 30 Apr 2002, at 9:55, Harald Wagener wrote:  ----

> "V S R A, Prasad (Prasad)" wrote:
> > 
> > -----Original Message-----
> > From: Yan Fitterer [mailto:y.fitterer at ram.ac.uk]
> > Sent: Tuesday, April 30, 2002 12:17 AM
> > To: rt-users at lists.fsck.com
> > Subject: [rt-users] LDAP authentication
> > 
> > Hi,
> > 
> > I'm trying to get some form of LDAP authentication to work. Looked at the
> > various submitted scripts, etc...
> > 
> > I'm still failing to understand (or find any mention of) how true LDAP
> > authentication should work? IE Username / Password pair verification. It's
> > obviously possible, as many Apache modules do it for you. But how is it
> > actually done - and can it be done through a Perl script?
> 
> The easiest way is to implement ldap authentication on the web server side and
> set $WebExternalAuth to a defined value. Since I answered this question a few
> times the last week, I think I am going to write a FAQ. 
> 
> But, to answer Your question, you could write a perl script using the
> Perl::LDAP module and try to shove it into RT itself (or run it as an
> extension of the web server via mod_perl - but then You can use mod_auth_ldap
> as well), but I think that would be overkill. 
> 
> Regards,
> 	Harald
> -- 
> Harald Wagener*An der Alster 42*20099 Hamburg*http://www.fcb-wilkens.com
> 


-- 
Yan Fitterer
IT Manager, Royal Academy of Music
E-mail : y.fitterer at ram.ac.uk
Marylebone Rd, London, NW1 5HT
Phone (+44) 20 7873 7365 Fax (+44) 20 7873 7364
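
The usual mechanics behind LDAP username/password verification, as an added example that is not part of the original thread or of RT: look up the entry's DN, then issue an LDAP bind as that DN, so the server checks the password against whatever form it stores and the client never reads userPassword or calls crypt() itself. The host, base DN, login attribute and CA file are placeholder assumptions, as is the assumption that the directory allows an anonymous search for the DN.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# All four values are placeholders (assumptions), not taken from the thread.
my %cfg = (
    host   => 'ldap.example.org',
    base   => 'ou=people,dc=example,dc=org',
    attr   => 'uid',                          # 'cn' on some directories
    cafile => '/etc/ssl/certs/ldap-ca.pem',
);

# Returns the user's DN on success, undef on any failure.
sub ldap_authenticate {
    my ($user, $pass) = @_;

    # A simple bind with an empty password is an unauthenticated bind and
    # succeeds on many servers, so refuse it before contacting the directory.
    return unless defined $user && length $user && defined $pass && length $pass;

    my $ldap = Net::LDAP->new($cfg{host}, timeout => 10) or return;

    # Switch to TLS, with certificate checking, before any password is sent.
    my $mesg = $ldap->start_tls(verify => 'require', cafile => $cfg{cafile});
    return if $mesg->code;

    # Step 1: find the entry. Escaping the login name keeps characters such
    # as * ( ) \ from altering the search filter. Assumes anonymous search
    # is permitted; otherwise bind as a service account first.
    $mesg = $ldap->search(
        base   => $cfg{base}, scope => 'sub',
        filter => sprintf('(%s=%s)', $cfg{attr}, escape_filter_value($user)),
        attrs  => ['1.1'],                    # request the DN only, no attributes
    );
    return if $mesg->code || $mesg->count != 1;   # need exactly one match
    my $dn = $mesg->entry(0)->dn;

    # Step 2: bind as that DN. The server verifies the password itself, in
    # whatever hashed form it keeps; a wrong password gives a non-zero code.
    $mesg = $ldap->bind($dn, password => $pass);
    my $ok = !$mesg->code;
    $ldap->unbind;
    return $ok ? $dn : undef;
}

my ($user) = @ARGV or die "usage: $0 username  (password read from STDIN)\n";
chomp(my $pass = <STDIN> // '');
print ldap_authenticate($user, $pass) ? "ok\n" : "denied\n";
```

The password is read from STDIN rather than taken as an argument so it does not appear in the process list.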
  




