[rt-users] LDAP authentication
Ray Thompson
rthompson at interpublic.com
Mon Sep 27 16:21:59 EDT 2004
The comments in User_Local.pm indicate that there are seven lines that need to be added to RT_SiteConfig.pm. You didn't mention if you had done this.
--
Regards,
Ray
-----Original Message-----
From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Sivan DERAY
Sent: Friday, September 24, 2004 10:15 AM
To: rt-users at lists.bestpractical.com
Subject: [rt-users] LDAP authentication
I read many posts about LDAP, but I'm still confused about how to implement it.
Here is what I understood:
I put in the /opt/rt3/lib/RT/ directory a User_Local.pm file containing:
********
********
# This file is loaded with require from RT::User; without the package line the
# sub below would be defined in package main and never override RT::User::IsPassword.
package RT::User;

no warnings qw(redefine);

# LDAP_SUCCESS, LDAP_PARTIAL_RESULTS and ldap_error_name are not exported by
# Net::LDAP itself; escape_filter_value is used to keep the login name from
# changing the structure of the search filter.
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_PARTIAL_RESULTS);
use Net::LDAP::Util qw(ldap_error_name escape_filter_value);

# {{{ sub IsPassword
# Modification Originally by Marcelo Bartsch <bartschm_cl at hotmail.com>
# Update by Stewart James <stewart.james at vu.edu.au> for rt3.
# Drop this file in /opt/rt3/lib/RT/User_Local.pm
# Drop something like below in your RT_SiteConfig.pm
# $LDAPExternalAuth = 1;
# $LdapServer="adress";
# $LdapUser="";
# $LdapPass="";
# $LdapBase="dc=domain,dc=com";
# $LdapUidAttr="uid";
# $LdapFilter="(objectclass=*)";
sub IsPassword {
    my $self  = shift;
    my $value = shift;

    #TODO there isn't any apparent way to legitimately ACL this

    # RT does not allow null passwords
    if ( !defined($value) or $value eq '' ) {
        return (undef);
    }
    if ( $self->PrincipalObj->Disabled ) {
        $RT::Logger->info( "Disabled user " . $self->Name . " tried to log in" );
        return (undef);
    }
    my $stored = $self->__Value('Password');
    if ( !defined($stored) or $stored eq '' ) {
        return (undef);
    }

    # generate an md5 password
    if ( $self->_GeneratePassword($value) eq $stored ) {
        return (1);
    }

    # if it's a historical (crypt()ed) password we say ok.
    if ( $stored eq crypt( $value, $stored ) ) {
        return (1);
    }

    # Local checks failed; the LDAP check only runs when it is switched on.
    if ( !$RT::LDAPExternalAuth ) {
        return (undef);
    }

    $RT::Logger->info("Using External Authentication");
    my $mesg;
    my $ldap = Net::LDAP->new( $RT::LdapServer, version => 3 );
    if ( !$ldap ) {
        $RT::Logger->critical("GetExternalUserWithLDAP: Cannot connect to LDAP: $@");
        return 0;
    }

    # I seem to have problems if I try and bind with a NULL username by hand,
    # so this now checks to see if we are really going to bind with a username.
    # (String comparison: the numeric != in the original treats any DN as 0,
    # so the configured search user was never used and the bind was anonymous.)
    if ( defined($RT::LdapUser) && $RT::LdapUser ne '' ) {
        $mesg = $ldap->bind( $RT::LdapUser, password => $RT::LdapPass );
    }
    else {
        $mesg = $ldap->bind;
    }
    if ( $mesg->code != LDAP_SUCCESS ) {
        $RT::Logger->critical( "GetExternalUserWithLDAP: Cannot bind to LDAP: " . $mesg->code );
        return 0;
    }

    # Escape the login name before interpolating it into the filter; otherwise
    # ( ) * \ in the name rewrite the search (LDAP filter injection).
    my $filter = "(&(objectclass=person)(" . $RT::LdapUidAttr . "="
        . escape_filter_value( $self->Name ) . ")$RT::LdapFilter)";
    $RT::Logger->debug("GetExternalUserWithLDAP: First search filter '$filter'");
    $mesg = $ldap->search(
        base   => $RT::LdapBase,
        filter => $filter,
        attrs  => ['dn']
    );
    # The original tested "!= SUCCESS or != PARTIAL_RESULTS", which is always
    # true; the search is only an error when it is neither.
    if ( $mesg->code != LDAP_SUCCESS and $mesg->code != LDAP_PARTIAL_RESULTS ) {
        $RT::Logger->debug( "GetExternalUserWithLDAP: Could not search for $filter: "
              . $mesg->code . " " . ldap_error_name( $mesg->code ) );
        return 0;
    }
    $RT::Logger->debug( "GetExternalUserWithLDAP: First search produced " . $mesg->count . " results" );
    if ( !$mesg->count ) {
        $RT::Logger->info( "AUTH FAILED: " . $self->Name );
        return 0;
    }

    # Log the DN only; the original also wrote the cleartext password to the log.
    my $dn = $mesg->first_entry->dn;
    $RT::Logger->debug("LDAP DN: $dn");
    my $mesg2 = $ldap->bind( $dn, password => $value );
    $ldap->unbind;
    if ( $mesg2->code != LDAP_SUCCESS ) {
        $RT::Logger->critical( "GetExternalUserWithLDAP: Cannot bind to LDAP: " . $mesg2->code );
        return 0;
    }
    $RT::Logger->info( "AUTH OK: " . $self->Name . " ($dn)" );
    return 1;
}
# }}}

1;
**********
**********
Next I put in httpd.conf:
# LDAP integration
<Directory /opt/rt3/share/html>
AuthType Basic
AuthName "Request Tracker Login"
AuthLDAPURL ldap://ipadress
require valid-user
</Directory>
and in RT_SiteConfig.pm:
Set($WebExternalAuth, 1);
Set($WebFallbackToInternalAuth, 1);
Set($WebExternalAuto, 1);
I know I missed other things, but what do I have to add to meet the needs?
I'm running RH 7.3 - Apache 1 - mod_perl 1 - RT 3.0.10
Thanks a lot!!
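The following is an added example and is not code from the thread or from RT. It takes two pieces of the User_Local.pm logic above and makes them stand on their own: how the search filter is built from the login name (a naive version next to one escaped with Net::LDAP::Util::escape_filter_value), and the search-then-bind password check as a plain function with the result-code handling done correctly. The offline part needs only Net::LDAP installed; the live part runs only when the hypothetical LDAP_* environment variables are set, and the %cfg keys simply mirror the $Ldap* settings from the thread.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from RT.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_PARTIAL_RESULTS);
use Net::LDAP::Util qw(escape_filter_value ldap_error_name);

# Filter built the way the posted IsPassword builds it: the login name is
# dropped straight into the filter string.
sub naive_filter {
    my ( $attr, $name, $extra ) = @_;
    return "(&(objectclass=person)($attr=$name)$extra)";
}

# Same filter with the name escaped per RFC 4515: ( ) * \ and control
# characters become \XX sequences and cannot change the filter's structure.
sub escaped_filter {
    my ( $attr, $name, $extra ) = @_;
    return "(&(objectclass=person)($attr=" . escape_filter_value($name) . ")$extra)";
}

# Search-then-bind check.  %$cfg holds the same settings the thread keeps in
# $RT::Ldap* (server, user, pass, base, uid_attr, filter).  Returns the DN that
# authenticated, or undef on any failure.
sub ldap_check_password {
    my ( $cfg, $name, $password ) = @_;

    # Never hand an empty password to bind(): a simple bind with a DN and no
    # password is an unauthenticated bind, which many directories accept.
    return undef unless defined $password and length $password;

    my $ldap = Net::LDAP->new( $cfg->{server}, version => 3 )
        or do { warn "connect failed: $@\n"; return undef };

    # Bind as the search account if one is configured, anonymously otherwise
    # (string comparison: '' and 'cn=foo' are both 0 to a numeric !=).
    my $mesg = ( defined $cfg->{user} and $cfg->{user} ne '' )
        ? $ldap->bind( $cfg->{user}, password => $cfg->{pass} )
        : $ldap->bind;
    if ( $mesg->code != LDAP_SUCCESS ) {
        warn "search bind failed: " . ldap_error_name( $mesg->code ) . "\n";
        return undef;
    }

    $mesg = $ldap->search(
        base   => $cfg->{base},
        filter => escaped_filter( $cfg->{uid_attr}, $name, $cfg->{filter} ),
        attrs  => ['dn'],
    );
    # Both codes must fail before the search counts as an error (and, not or).
    if ( $mesg->code != LDAP_SUCCESS and $mesg->code != LDAP_PARTIAL_RESULTS ) {
        warn "search failed: " . ldap_error_name( $mesg->code ) . "\n";
        return undef;
    }
    # Exactly one entry: zero means unknown user, more than one means the name
    # is ambiguous and binding as "the first one" would be a guess.
    if ( $mesg->count != 1 ) {
        warn "expected 1 entry for '$name', got " . $mesg->count . "\n";
        return undef;
    }

    my $dn   = $mesg->first_entry->dn;    # log the DN if you must, never $password
    my $auth = $ldap->bind( $dn, password => $password );
    $ldap->unbind;
    return $auth->code == LDAP_SUCCESS ? $dn : undef;
}

# Offline demonstration with constructed login names: one ordinary, one that
# carries filter metacharacters.
for my $name ( 'alice', '*)(uid=*' ) {
    print "name:    $name\n";
    print "naive:   ", naive_filter( 'uid', $name, '(objectclass=*)' ), "\n";
    print "escaped: ", escaped_filter( 'uid', $name, '(objectclass=*)' ), "\n\n";
}

# Live check only when pointed at a directory through these hypothetical
# environment variables: LDAP_SERVER, LDAP_BASE, LDAP_USER, LDAP_PASS,
# LDAP_NAME (login name to test) and LDAP_PASSWORD (its password).
if ( $ENV{LDAP_SERVER} ) {
    my %cfg = (
        server   => $ENV{LDAP_SERVER},
        user     => $ENV{LDAP_USER},
        pass     => $ENV{LDAP_PASS},
        base     => $ENV{LDAP_BASE},
        uid_attr => 'uid',
        filter   => '(objectclass=*)',
    );
    my $dn = ldap_check_password( \%cfg, $ENV{LDAP_NAME}, $ENV{LDAP_PASSWORD} );
    print defined $dn ? "AUTH OK: $dn\n" : "AUTH FAILED\n";
}
```

For the constructed name `*)(uid=*` the naive filter comes out as `(&(objectclass=person)(uid=*)(uid=*)(objectclass=*))`, a valid filter that matches every person entry, so whichever entry the server returns first is the DN the code then binds as; the escaped filter is `(&(objectclass=person)(uid=\2a\29\28uid=\2a)(objectclass=*))`, which matches only an entry whose uid is literally that string. The one-entry rule in ldap_check_password is a deliberate tightening over the posted code, which uses first_entry regardless of how many entries match.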