[rt-users] LDAP authentication

Sivan DERAY sivan.deray at net-aptitude.fr
Fri Sep 24 11:15:18 EDT 2004


I read many posts about LDAP, but i'm still confused on how to implement
that :
 
here is what a understood :
 
I put in the /opt/rt3/lib/RT/ directory a User_Local.pm file containing
:
 
********
********
no warnings qw(redefine);
 
# {{{ sub IsPassword
 
# Modification Originally by Marcelo Bartsch <bartschm_cl at hotmail.com>
# Update by Stewart James <stewart.james at vu.edu.au for rt3.
# Drop this file in /opt/rt3/lib/RT/User_Local.pm
# Drop something like below in yout RT_SiteConfig.pm
# $LDAPExternalAuth = 1;
# $LdapServer="adress";
# $LdapUser="";
# $LdapPass="";
# $LdapBase="dc=domain,dc=com";
# $LdapUidAttr="uid";
# $LdapFilter="(objectclass=*)";
 

sub IsPassword {
        my $self  = shift;
        my $value = shift;
 
        #TODO there isn't any apparent way to legitimately ACL this
 
        # RT does not allow null passwords
        if ( ( !defined($value) ) or ( $value eq '' ) ) {
                return (undef);
        }
 
        if ( $self->PrincipalObj->Disabled ) {
                $RT::Logger->info(
                        "Disabled user " . $self->Name . " tried to log
in" );
                return (undef);
        }
 
        if ( ($self->__Value('Password') eq '') ||
                ($self->__Value('Password') eq undef) )  {
                return(undef);
        }
 
        # generate an md5 password
        if ($self->_GeneratePassword($value) eq
$self->__Value('Password')) {
                return(1);
        }
 
#  if it's a historical password we say ok.
 
        if (! $RT::LDAPExternalAuth)
        {
                if ($self->__Value('Password') eq crypt($value,
$self->__Value('Password'))) {
                        return (1);
                }
                else {
                        return (undef);
                }
        }
        else
        {
                if ($self->__Value('Password') eq crypt($value,
$self->__Value('Password'))) {
                        return (1);
                }
                $RT::Logger->info("Using External Authentication\n");
                use Net::LDAP;
 
                my $mesg;
                my $ldap = Net::LDAP->new($RT::LdapServer, version=>3)
or $RT::Logger->critical("GetExternalUserWithLDAP: " . "Cannot connect
to LDAP'\n"), return 0;
 
                # Iseem to have problems is I try and bind with a NULL
username by hand
                # So this now checks to see if we are really going to
bind with a
                # username.
                if (defined($RT::LdapUser) && $RT::LdapUser != '') {
                        $mesg = $ldap->bind($RT::LdapUser, password
=>$RT::LdapPass );
                } else {
                        $mesg = $ldap->bind;
                }
                if ($mesg->code != LDAP_SUCCESS) {
                        $RT::Logger->critical("GetExternalUserWithLDAP:
Cannot bind to LDAP:",
                                $mesg->code, "\n");
                        return 0;
                }
 
                my $filter = "(&(&(objectclass=person)(" .
$RT::LdapUidAttr . "=" . $self->Name ."))$RT::LdapFilter)";
                $RT::Logger->debug("GetExternalUserWithLDAP: First
search filter '$filter'\n");
                $mesg = $ldap->search(base   => $RT::LdapBase,
                        filter => $filter,
                        attrs  => ['dn']);
    
                if (($mesg->code != LDAP_SUCCESS) or ($mesg->code !=
LDAP_PARTIAL_RESULTS))
                {
                        $RT::Logger->debug("GetExternalUserWithLDAP:
Could not search for $filter: ",
                                $mesg->code, "" ,
ldap_error_name($mesg->code) ,"\n");
                        return 0;
                }
                $RT::Logger->debug("GetExternalUserWithLDAP: First
search produced ",
                        $mesg->count, " results\n");
                if (! $mesg->count)
                {
                        $RT::Logger->info("AUTH FAILED: " . $self->Name
. "\n");
                        return 0;
                }
                $RT::Logger->debug("LDAP DN: " . $mesg->first_entry->dn
. " " . $value . "\n");
                my $mesg2 = $ldap->bind($mesg->first_entry->dn, password
=>$value );
                if ($mesg2->code != LDAP_SUCCESS) {
                        $RT::Logger->critical("GetExternalUserWithLDAP:
Cannot bind to LDAP:",
                                $mesg2->code, "\n");
                        return 0;
                }
                else
                {
                        $RT::Logger->info("AUTH OK: " . $self->Name . "
(" .$mesg->first_entry->dn . ")\n");
                        return 1;
                }
        }
 
 
 

        # no password check has succeeded. get out
 
        return (undef);
}
 
# }}}
 
1;
 
 
**********
**********
 
Next I put in httpd.conf :
 
# LDAP integration
<Directory /opt/rt3/share/html>
         AuthType Basic
         AuthName "Request Tracker Login"
         AuthLDAPURL ldap://ipadress
         require valid-user
</Directory>
 
 
 
and in Rt_SiteConfig :
 
Set ($WebExternalAuth , 1);
Set($WebFallbackToInternalAuth , 1);
Set($WebExternalAuto , 1);
 
 
I know i missed other things but do i have to add to meet with the needs
?
 
i'm running a RH7.3 - apache 1 - mod_perl 1 - RT 3.0.10
 
thanks a lot !!
 
 





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20040924/2fd93f5c/attachment.htm>


More information about the rt-users mailing list