[rt-users] Patch to lib/RT/User.pm to use LDAP Authentication. (for rt 2.0.15)
Marcelo Bartsch
mbartsch at netglobalis.net
Thu Dec 12 13:01:41 EST 2002
Hello,
i was looking at the mailing list and couldn't find a patch
that just do autehntication, all do authentication plus
information fetch from ldap, so i write my own.
This patch allow to autenticate users using Net::LDAP to
autenticate against ldap using normal auth (not external)
for user information i use the script from contrib called
rtimportldap.pl from Stanislav Sinyagin <ssinyagin_[at]_yahoo_[dot]_com>
so user information is pushed into RT from crontab every 5 minutes, and
authentication is performed online thanks to this patch. i hope it can
be from use to other people.
you musty add this variables to etc/config.pm inside the RT Package
$LDAPExternalAuth = 1;
$LdapServer="ldap.domian.com";
$LdapUser="CN=ldapuser,CN=Users,DC=domain,DC=com";
$LdapPass="ldapasswd";
$LdapBase="DC=domain,DC=com";
$LdapUidAttr="uid";
$LdapFilter="(|(memberOf=CN=WebRT,OU=ACLS,DC=domain,DC=com)(memberOf=CN=WebRT-admin,OU=ACLS,DC=domain,DC=com))";
please note, this is an ldap from Windows2000 Active Directory.
what i do to control access is:
create a new OU called ACLS, then i create groups called WebRT
,WebRT-admin and some other for authentication then i add the
users to those groups, and using filter i can check if someone had
access to some areas or not, so the ldap schema is something like
dn: CN=Name LastName,OU=Support 1,OU=Main OU,DC=domain,DC=com
memberOf: CN=webrt-admin,OU=ACLS,DC=domain,DC=com
memberOf: CN=other-access-group,OU=ACLS,DC=domain,DC=com
accountExpires: 9223372036854775807
badPasswordTime: 126841869968308180
badPwdCount: 0
codePage: 0
cn: Name LastName
[more lines of AD ldap stuff]
so "memberOf" makes the trick, the only thing will not work (i mean
i had not tested so if didn't work, don't blame me) is that the user is
member of a group wich
is member of webrt for example)
the filter used for query ldap is:
(&(&(objectclass=user)(<LdapUidAttr>=<USERNAME>))<LdapFilter>)
i had't tested with an empty LdapFilter.
Please not i wrote this patch in some 2 hours, so bugs must
be there.
P.D.: is there any way to overwrite a built in function with an
external on, so i can write a module to replace IsPassword ?
P.D.2: i'm a new perl programmer so there must be bugs on the code
or line bad writen, this patch also has not been intensive tested.
--
Marcelo Bartsch
mbartsch at netglobalis.net
www.netglobalis.net
PGP Fingerprint :
877E 3A56 F523 B44A 3260 8F83 8916 E158 6100 F721
-------------- next part --------------
--- /root/rt-2-0-15/lib/RT/User.pm Wed Jul 10 14:36:27 2002
+++ lib/RT/User.pm Thu Dec 12 14:57:38 2002
@@ -583,11 +583,60 @@
($self->__Value('Password') eq undef) ) {
return(undef);
}
- if ($self->__Value('Password') eq crypt($value, $self->__Value('Password'))) {
- return (1);
+ if (! $RT::LDAPExternalAuth)
+ {
+ if ($self->__Value('Password') eq crypt($value, $self->__Value('Password'))) {
+ return (1);
+ }
+ else {
+ return (undef);
+ }
}
- else {
- return (undef);
+ else
+ {
+#Modification by Marcelo Bartsch <bartschm_cl at hotmail.com>
+ $RT::Logger->info("Using External Authentication\n");
+ use Net::LDAP::Util qw( ldap_error_name ldap_error_text) ;
+
+ my $ldap = Net::LDAP->new($RT::LdapServer, version=>3) or $RT::Logger->critical("GetExternalUserWithLDAP: " . "Cannot connect to LDAP'\n"), return 0;
+
+ my $mesg = $ldap->bind($RT::LdapUser, password =>$RT::LdapPass );
+ if ($mesg->code != LDAP_SUCCESS) {
+ $RT::Logger->critical("GetExternalUserWithLDAP: Cannot bind to LDAP:",
+ $mesg->code, "\n");
+ return 0;
+ }
+
+ my $filter = "(&(&(objectclass=user)(" . $RT::LdapUidAttr . "=" . $self->Name ."))$RT::LdapFilter)";
+ $RT::Logger->debug("GetExternalUserWithLDAP: First search filter '$filter'\n");
+ $mesg = $ldap->search(base => $RT::LdapBase,
+ filter => $filter,
+ attrs => ['dn']);
+ if (($mesg->code != LDAP_SUCCESS) or ($mesg->code != LDAP_PARTIAL_RESULTS))
+ {
+ $RT::Logger->debug("GetExternalUserWithLDAP: Could not search for $filter: ",
+ $mesg->code, "" , ldap_error_name($mesg->code) ,"\n");
+ return 0;
+ }
+ $RT::Logger->debug("GetExternalUserWithLDAP: First search produced ",
+ $mesg->count, " results\n");
+ if (! $mesg->count)
+ {
+ $RT::Logger->info("AUTH FAILED: " . $self->Name . "\n");
+ return 0;
+ }
+ $RT::Logger->debug("LDAP DN: " . $mesg->first_entry->dn . " " . $value . "\n");
+ my $mesg2 = $ldap->bind($mesg->first_entry->dn, password =>$value );
+ if ($mesg2->code != LDAP_SUCCESS) {
+ $RT::Logger->critical("GetExternalUserWithLDAP: Cannot bind to LDAP:",
+ $mesg2->code, "\n");
+ return 0;
+ }
+ else
+ {
+ $RT::Logger->info("AUTH OK: " . $self->Name . " (" .$mesg->first_entry->dn . ")\n");
+ return 1;
+ }
}
}
More information about the rt-users
mailing list