[rt-users] comments on my active directory experience
Sean Perry
sean.perry at intransa.com
Fri Jul 11 14:55:54 EDT 2003
This is mostly for people crawling the archives like I was doing last week.
What I did to get Active Directory / LDAP working.
*) used latest apache, compiled with --with-ldap --enable-ldap --enable-auth-ldap
*) have the following in my apache config:
<VirtualHost 172.30.1.60>
    ServerName tracker.intransa.com
    DocumentRoot /usr/local/rt3/share/html
    AddDefaultCharset UTF-8
    PerlModule Apache2 Apache::compat
    PerlModule Apache::DBI
    PerlRequire /usr/local/rt3/bin/webmux.pl

    <Directory />
        AuthType Basic
        AuthName "Request Tracker"
        # sAMAccountName is the first.last style user name
        # (plain ldap:// on 389: the bind password below and every
        # user's password are sent to the DC unencrypted)
        AuthLDAPURL "ldap://my.ldap/dc=mydomain,dc=com?sAMAccountName"
        # need this account and setting because Active Directory
        # does not allow anonymous binding by default
        AuthLDAPBindDN "dummy.user@mydomain.com"
        AuthLDAPBindPassword "asdfg"
        # off: a user unknown to LDAP falls through to any other auth module
        AuthLDAPAuthoritative off
        require valid-user
    </Directory>

    <FilesMatch "\.html$">
        SetHandler perl-script
        PerlHandler RT::Mason
    </FilesMatch>

    <LocationMatch "/Attachment/">
        SetHandler perl-script
        PerlHandler RT::Mason
    </LocationMatch>

    <LocationMatch "/REST/">
        SetHandler perl-script
        PerlHandler RT::Mason
    </LocationMatch>

    # need this so the mail gateway still works
    <LocationMatch "/REST/1.0/NoAuth/">
        Satisfy Any
        Allow from all
    </LocationMatch>
</VirtualHost>
*) I have tweaked var/mason_data/obj/standard/autohandler to add users
whenever a new user is authenticated. This means the user logs into the
web site once and then both mail and web access work.
I added in some magic from Chris Gilmore and others so some Net::LDAP
magic is called. This is because $realname has no value when using the
apache ldap authentication, so we have to look it up. Once again,
sAMAccountName is the key.
sub LookupLdapUserInfo {
    use Net::LDAP;
    use Net::LDAP::Constant qw(LDAP_SUCCESS);
    use Net::LDAP::Util qw(escape_filter_value);
    use constant LDAP      => q(my.ldap.server);
    use constant LDAP_PORT => q(389);
    use constant LDAP_BASE => q(dc=mydomain,dc=com);
    use constant LDAP_UID  => q(sAMAccountName);   # AD login name (first.last)
    use constant LDAP_CN   => q(cn);               # display name we want back
    my ($user) = @_;
    return undef unless defined $user && length $user;
    my $ldap = Net::LDAP->new(LDAP, port => LDAP_PORT)
        or return undef;
    # AD refuses anonymous binds, so bind with a dedicated lookup account
    my $mesg = $ldap->bind('cn=Request Tracker,cn=Users,dc=mydomain,dc=com',
                           password => 'asdfg');
    return undef unless $mesg->code == LDAP_SUCCESS;
    # escape the name so characters such as ( ) * \ cannot alter the filter
    my $filter = sprintf '(%s=%s)', LDAP_UID, escape_filter_value($user);
    $mesg = $ldap->search(base   => LDAP_BASE,
                          scope  => 'sub',
                          filter => $filter,
                          attrs  => [ LDAP_CN ]);
    return undef unless $mesg->code == LDAP_SUCCESS;
    # exactly one matching account, otherwise give up
    if ($mesg->count != 1) {
        $ldap->unbind();
        return undef;
    }
    my $cn = $mesg->first_entry->get_value(LDAP_CN);   # scalar context: first value
    $ldap->unbind();
    return undef unless defined $cn && length $cn;
    return $cn;
}
And later on ....
# $user is the name apache authenticated (REMOTE_USER), set earlier in autohandler
if ($RT::WebExternalAuto and !$session{'CurrentUser'}->Id() ) {
    # Create users on-the-fly with default attributes
    my $UserObj = RT::User->new(RT::CurrentUser->new('root'));
    my ($val, $msg) = $UserObj->Create(
        %{ref($RT::AutoCreate) ? $RT::AutoCreate : {}},
        Name  => $user,
        Gecos => $user,
    );
    # $val is false and $msg explains why when Create fails
    if ($val) {
        $UserObj->SetPrivileged(0);
        # apache's LDAP auth leaves $realname empty, so look it up ourselves
        my $realname = LookupLdapUserInfo($user);
        $UserObj->SetRealName($realname) if defined $realname;
        $UserObj->SetEmailAddress("$user\@" . $RT::Organization) if defined $user;
        $session{'CurrentUser'}->Load($user);
    }
}
Hope this helps the next explorer.
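As an added example (not code from this post or from RT itself), here is a lookup routine that keeps the same job as LookupLdapUserInfo above but closes the gaps a reviewer would flag: it upgrades the connection with STARTTLS and verifies the DC's certificate so neither the bind password nor the search travels in the clear, it reads the bind DN and password from a file that only the web server can read instead of hard-coding them next to the code, it escapes the login name before it goes into the search filter, and it refuses to return anything unless exactly one account matched. It also fetches the mail attribute so the address does not have to be guessed as user@Organization. The package name, the %CFG values, the two file paths and the two-line credential file format are all assumptions for illustration; the Net::LDAP calls are the real module API.

```perl
package RT::LdapLookup;   # hypothetical module name, not part of RT

use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);
use Net::LDAP::Util qw(escape_filter_value);

# Placeholder settings, adjust for your directory. The bind credential is
# kept in a file that only the web server user can read, so it is not
# sitting in httpd.conf or in autohandler.
my %CFG = (
    host      => 'my.ldap.server',
    port      => 389,
    base      => 'dc=mydomain,dc=com',
    uid_attr  => 'sAMAccountName',
    cafile    => '/usr/local/rt3/etc/ad-ca.pem',       # CA that signed the DC cert (placeholder path)
    cred_file => '/usr/local/rt3/etc/ldap_bind.conf',  # line 1: bind DN, line 2: password (placeholder)
);

# Read the bind DN and password from the credential file.
sub ReadBindCredential {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot read $path: $!";
    my @lines = <$fh>;
    close $fh;
    chomp @lines;
    my ($dn, $pw) = @lines[0, 1];
    die "$path must hold the bind DN on line 1 and the password on line 2"
        unless defined $dn && defined $pw && length $dn;
    return ($dn, $pw);
}

# Look up one AD account by login name. Returns a hashref with cn and mail,
# or undef (with the reason in the error log) when the lookup is not clean.
sub LookupLdapUser {
    my ($user) = @_;
    return undef unless defined $user && length $user;

    my $ldap = Net::LDAP->new($CFG{host}, port => $CFG{port}, timeout => 10)
        or do { warn "ldap connect to $CFG{host} failed: $@"; return undef };

    # Switch to TLS before any credential crosses the wire, and insist that
    # the DC presents a certificate chaining to our CA.
    my $mesg = $ldap->start_tls(verify => 'require', cafile => $CFG{cafile});
    if ($mesg->code != LDAP_SUCCESS) {
        warn "start_tls failed: " . $mesg->error;
        $ldap->unbind;
        return undef;
    }

    my ($bind_dn, $bind_pw) = ReadBindCredential($CFG{cred_file});
    $mesg = $ldap->bind($bind_dn, password => $bind_pw);
    if ($mesg->code != LDAP_SUCCESS) {
        warn "bind as $bind_dn failed: " . $mesg->error;
        $ldap->unbind;
        return undef;
    }

    # escape_filter_value rewrites ( ) * \ and NUL as \xx sequences, so an
    # odd REMOTE_USER value cannot widen the search to other accounts.
    my $filter = sprintf '(%s=%s)', $CFG{uid_attr}, escape_filter_value($user);
    $mesg = $ldap->search(base   => $CFG{base},
                          scope  => 'sub',
                          filter => $filter,
                          attrs  => ['cn', 'mail']);
    my $count = $mesg->code == LDAP_SUCCESS ? $mesg->count : -1;
    $ldap->unbind;

    # Exactly one match or nothing: two hits would mean we might attach the
    # wrong real name and address to the RT account.
    if ($count != 1) {
        warn "lookup of '$user' returned $count entries (expected 1)";
        return undef;
    }
    my $entry = $mesg->entry(0);
    my $cn    = $entry->get_value('cn');     # scalar context: first value
    my $mail  = $entry->get_value('mail');
    return undef unless defined $cn && length $cn;
    return { cn => $cn, mail => $mail };
}

1;
```

From autohandler you would call `my $info = RT::LdapLookup::LookupLdapUser($user);` and then set RealName from `$info->{cn}` and EmailAddress from `$info->{mail}`, falling back to the `$user@$RT::Organization` guess only when mail is undefined. The credential file should be owned by root, group-readable by the web server's group only, and mode 0640, so the bind account's password is not readable by every local user the way a world-readable httpd.conf is.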