[rt-users] LDAP authentication

Sivan DERAY sivan.deray at net-aptitude.fr
Tue Sep 28 04:44:41 EDT 2004


Yes, I have added in the RT_SiteConfig.pm file:

Set ($WebExternalAuth , 1);
$LDAPExternalAuth = 1;
$LdapServer="adress";
$LdapUser="";
$LdapPass="";
$LdapBase="dc=domain,dc=com";
$LdapUidAttr="uid";
$LdapFilter="(objectclass=*)";

Do I need to add the mod_auth module or something else?





-----Original Message-----
From: Ray Thompson [mailto:rthompson at interpublic.com] 
Sent: Monday, September 27, 2004 22:22
To: Sivan DERAY; rt-users at lists.bestpractical.com
Subject: [Probable spam] RE: [rt-users] LDAP authentication


The comments in User_Local.pm indicate that there are seven lines that need to be added to RT_SiteConfig.pm.  You didn't mention if you had done this.

--
Regards,
        Ray 

-----Original Message-----
From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Sivan DERAY
Sent: Friday, September 24, 2004 10:15 AM
To: rt-users at lists.bestpractical.com
Subject: [rt-users] LDAP authentication


I read many posts about LDAP, but I'm still confused about how to implement it:

Here is what I understood:

I put in the /opt/rt3/lib/RT/ directory a User_Local.pm file containing:

********
********
no warnings qw(redefine);

# {{{ sub IsPassword

# Modification Originally by Marcelo Bartsch <bartschm_cl at hotmail.com>
# Update by Stewart James <stewart.james at vu.edu.au> for rt3.
# Drop this file in /opt/rt3/lib/RT/User_Local.pm
# Drop something like below in your RT_SiteConfig.pm
# $LDAPExternalAuth = 1;
# $LdapServer="adress";
# $LdapUser="";
# $LdapPass="";
# $LdapBase="dc=domain,dc=com";
# $LdapUidAttr="uid";
# $LdapFilter="(objectclass=*)";


sub IsPassword {
        my $self  = shift;
        my $value = shift;

        #TODO there isn't any apparent way to legitimately ACL this

        # RT does not allow null passwords
        if ( ( !defined($value) ) or ( $value eq '' ) ) {
                return (undef);
        }

        if ( $self->PrincipalObj->Disabled ) {
                $RT::Logger->info(
                        "Disabled user " . $self->Name . " tried to log in" );
                return (undef);
        }

        # a stored password that is missing or empty can never match
        if ( !defined($self->__Value('Password')) ||
                ($self->__Value('Password') eq '') )  {
                return(undef);
        }

        # generate an md5 password
        if ($self->_GeneratePassword($value) eq $self->__Value('Password')) {
                return(1);
        }

#  if it's a historical password we say ok.

        if (! $RT::LDAPExternalAuth)
        {
                if ($self->__Value('Password') eq crypt($value, $self->__Value('Password'))) {
                        return (1);
                }
                else {
                        return (undef);
                }
        }
        else
        {
                if ($self->__Value('Password') eq crypt($value, $self->__Value('Password'))) {
                        return (1);
                }
                $RT::Logger->info("Using External Authentication\n");
                # LDAP_SUCCESS / LDAP_PARTIAL_RESULTS and ldap_error_name are used
                # below, so import them explicitly rather than relying on defaults
                use Net::LDAP;
                use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_PARTIAL_RESULTS);
                use Net::LDAP::Util qw(ldap_error_name);

                my $mesg;
                my $ldap = Net::LDAP->new($RT::LdapServer, version => 3);
                unless ($ldap) {
                        $RT::Logger->critical("GetExternalUserWithLDAP: Cannot connect to LDAP\n");
                        return 0;
                }

                # I seem to have problems if I try and bind with a NULL username by hand
                # So this now checks to see if we are really going to bind with a
                # username.  (string comparison: '!=' would compare numerically and
                # treat every username as equal to the empty string)
                if (defined($RT::LdapUser) && $RT::LdapUser ne '') {
                        $mesg = $ldap->bind($RT::LdapUser, password =>$RT::LdapPass );
                } else {
                        $mesg = $ldap->bind;
                }
                if ($mesg->code != LDAP_SUCCESS) {
                        $RT::Logger->critical("GetExternalUserWithLDAP: Cannot bind to LDAP:",
                                $mesg->code, "\n");
                        return 0;
                }

                # escape the login name (RFC 4515) so characters such as '*', '(' and ')'
                # cannot change the structure of the filter
                use Net::LDAP::Util qw(escape_filter_value);
                my $uid    = escape_filter_value($self->Name);
                my $filter = "(&(&(objectclass=person)(" . $RT::LdapUidAttr . "=" . $uid ."))$RT::LdapFilter)";
                $RT::Logger->debug("GetExternalUserWithLDAP: First search filter '$filter'\n");
                $mesg = $ldap->search(base   => $RT::LdapBase,
                        filter => $filter,
                        attrs  => ['dn']);
    
                # a code can never equal both constants, so 'or' here would always fail the search
                if (($mesg->code != LDAP_SUCCESS) and ($mesg->code != LDAP_PARTIAL_RESULTS))
                {
                        $RT::Logger->debug("GetExternalUserWithLDAP: Could not search for $filter: ",
                                $mesg->code, "" , ldap_error_name($mesg->code) ,"\n");
                        return 0;
                }
                $RT::Logger->debug("GetExternalUserWithLDAP: First search produced ",
                        $mesg->count, " results\n");
                if (! $mesg->count)
                {
                        $RT::Logger->info("AUTH FAILED: " . $self->Name . "\n");
                        return 0;
                }
                # log the DN only; the user's cleartext password must not end up in the log
                $RT::Logger->debug("LDAP DN: " . $mesg->first_entry->dn . "\n");
                my $mesg2 = $ldap->bind($mesg->first_entry->dn, password =>$value );
                if ($mesg2->code != LDAP_SUCCESS) {
                        $RT::Logger->critical("GetExternalUserWithLDAP: Cannot bind to LDAP:",
                                $mesg2->code, "\n");
                        return 0;
                }
                else
                {
                        $RT::Logger->info("AUTH OK: " . $self->Name . " (" .$mesg->first_entry->dn . ")\n");
                        return 1;
                }
        }




        # no password check has succeeded. get out

        return (undef);
}

# }}}

1;


**********
**********

Next I put in httpd.conf:

# LDAP integration
<Directory /opt/rt3/share/html>
         AuthType Basic
         AuthName "Request Tracker Login"
         AuthLDAPURL ldap://ipadress
         require valid-user
</Directory>



and in RT_SiteConfig:

Set ($WebExternalAuth , 1);
Set($WebFallbackToInternalAuth , 1);
Set($WebExternalAuto , 1);


I know I missed other things, but what do I have to add to meet the needs?

I'm running RH7.3 - Apache 1 - mod_perl 1 - RT 3.0.10

Thanks a lot!!
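The User_Local.pm code above splices the login name straight into the LDAP search filter. The following is an added Python example (not RT's or perl-ldap's code) that escapes the value per RFC 4515 and shows why that matters: it builds the same filter shape and counts the resulting assertions for a constructed login name containing filter metacharacters. Net::LDAP::Util::escape_filter_value is the Perl equivalent; the config values are placeholders taken from the thread.

```python
# RFC 4515 escaping for the login name User_Local.pm splices into its LDAP
# search filter. Added example, not RT's or perl-ldap's code.

# Constructed config mirroring the RT_SiteConfig values from the thread.
LDAP_UID_ATTR = "uid"
LDAP_FILTER = "(objectclass=*)"

# RFC 4515 section 3: characters that must be hex-escaped in an assertion value.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape an assertion value; non-ASCII becomes escaped UTF-8 bytes."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) > 0x7F:
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(name, escape=True):
    """Same shape as the Perl code: (&(&(objectclass=person)(uid=NAME))EXTRA)."""
    uid = escape_filter_value(name) if escape else name
    return "(&(&(objectclass=person)(%s=%s))%s)" % (LDAP_UID_ATTR, uid, LDAP_FILTER)


def leaf_assertions(filt):
    """Return the attr=value leaves of a filter (compound nodes start with &, | or !)."""
    leaves, i = [], 0
    while i < len(filt):
        if filt[i] == "(" and i + 1 < len(filt) and filt[i + 1] not in "&|!":
            end = filt.index(")", i)
            leaves.append(filt[i + 1:end])
            i = end
        i += 1
    return leaves


if __name__ == "__main__":
    # Constructed login names: a normal one and one carrying filter metacharacters.
    # Unescaped, the second one adds a fourth assertion (uid=*) that matches anyone.
    for name in ("jdoe", "*)(uid=*"):
        for escape in (False, True):
            f = build_user_filter(name, escape)
            print("escape=%-5s %-62s leaves=%d" % (escape, f, len(leaf_assertions(f))))
```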



