[rt-users] LDAP authentication

Ray Thompson rthompson at interpublic.com
Tue Sep 28 10:17:50 EDT 2004


You shouldn't need the 

> # LDAP integration
> <Directory /opt/rt3/share/html>
>          AuthType Basic
>          AuthName "Request Tracker Login"
>          AuthLDAPURL ldap://ipadress
>          require valid-user
> </Directory>

part in your httpd.conf, since you're telling RT to use LDAP and not Apache.

I assume you've also modified $LdapServer and $LdapBase in RT_SiteConfig.pm to reflect your environment.

-Ray

> -----Original Message-----
> From: Sivan DERAY [mailto:sivan.deray at net-aptitude.fr] 
> Sent: Tuesday, September 28, 2004 3:45 AM
> To: Ray Thompson; rt-users at lists.bestpractical.com
> Subject: [rt-users] LDAP authentication
> 
> 
> Yes, I have added in the RT_SiteConfig.pm file:
> 
> Set ($WebExternalAuth , 1);
> $LDAPExternalAuth = 1;
> $LdapServer="adress";
> $LdapUser="";
> $LdapPass="";
> $LdapBase="dc=domain,dc=com";
> $LdapUidAttr="uid";
> $LdapFilter="(objectclass=*)";
> 
> Do I need to add the mod_auth module or something else?
> 
> 
> 
> 
> 
> -----Original Message-----
> From: Ray Thompson [mailto:rthompson at interpublic.com] 
> Sent: Monday, September 27, 2004 22:22
> To: Sivan DERAY; rt-users at lists.bestpractical.com
> Subject: [Spam probable] RE: [rt-users] LDAP authentication
> 
> 
> The comments in User_Local.pm indicate that there are seven 
> lines that need to be added to RT_SiteConfig.pm.  You didn't 
> mention if you had done this.
> 
> --
> Regards,
>         Ray 
> 
> -----Original Message-----
> From: rt-users-bounces at lists.bestpractical.com 
> [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf 
> Of Sivan DERAY
> Sent: Friday, September 24, 2004 10:15 AM
> To: rt-users at lists.bestpractical.com
> Subject: [rt-users] LDAP authentication
> 
> 
> I read many posts about LDAP, but I'm still confused about how 
> to implement it:
> 
> Here is what I understood:
> 
> I put in the /opt/rt3/lib/RT/ directory a User_Local.pm file 
> containing:
> 
> ********
> ********
> package RT::User;    # so the redefinition lands on RT::User::IsPassword
> use strict;
> no warnings qw(redefine);
> use Net::LDAP;
> use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_PARTIAL_RESULTS);
> use Net::LDAP::Util qw(ldap_error_name escape_filter_value);
> 
> # {{{ sub IsPassword
> 
> # Modification originally by Marcelo Bartsch <bartschm_cl at hotmail.com>
> # Update by Stewart James <stewart.james at vu.edu.au> for rt3.
> # Drop this file in /opt/rt3/lib/RT/User_Local.pm
> # Drop something like below in your RT_SiteConfig.pm
> # $LDAPExternalAuth = 1;
> # $LdapServer="adress";
> # $LdapUser="";
> # $LdapPass="";
> # $LdapBase="dc=domain,dc=com";
> # $LdapUidAttr="uid";
> # $LdapFilter="(objectclass=*)";
> 
> sub IsPassword {
>         my $self  = shift;
>         my $value = shift;
> 
>         #TODO there isn't any apparent way to legitimately ACL this
> 
>         # RT does not allow null passwords
>         if ( ( !defined($value) ) or ( $value eq '' ) ) {
>                 return (undef);
>         }
> 
>         if ( $self->PrincipalObj->Disabled ) {
>                 $RT::Logger->info(
>                         "Disabled user " . $self->Name . " tried to log in" );
>                 return (undef);
>         }
> 
>         # a user with no stored password at all is never accepted
>         my $stored = $self->__Value('Password');
>         if ( !defined($stored) || $stored eq '' ) {
>                 return (undef);
>         }
> 
>         # generate an md5 password
>         if ( $self->_GeneratePassword($value) eq $stored ) {
>                 return (1);
>         }
> 
>         # if it's a historical (crypt) password we say ok.
>         if ( $stored eq crypt( $value, $stored ) ) {
>                 return (1);
>         }
> 
>         # without external auth there is nothing more to try
>         if ( !$RT::LDAPExternalAuth ) {
>                 return (undef);
>         }
> 
>         $RT::Logger->info("Using External Authentication\n");
> 
>         # Net::LDAP->new returns undef and sets $@ on failure
>         my $ldap = Net::LDAP->new( $RT::LdapServer, version => 3 );
>         unless ($ldap) {
>                 $RT::Logger->critical(
>                         "GetExternalUserWithLDAP: Cannot connect to LDAP: $@\n");
>                 return 0;
>         }
> 
>         # Binding with an empty user name by hand caused problems,
>         # so only do a simple bind when a bind user is really configured.
>         my $mesg;
>         if ( defined($RT::LdapUser) && $RT::LdapUser ne '' ) {
>                 $mesg = $ldap->bind( $RT::LdapUser, password => $RT::LdapPass );
>         }
>         else {
>                 $mesg = $ldap->bind;    # anonymous bind
>         }
>         if ( $mesg->code != LDAP_SUCCESS ) {
>                 $RT::Logger->critical(
>                         "GetExternalUserWithLDAP: Cannot bind to LDAP: ",
>                         $mesg->code, "\n" );
>                 return 0;
>         }
> 
>         # escape the login name so it cannot alter the filter structure
>         my $filter = "(&(&(objectclass=person)(" . $RT::LdapUidAttr . "="
>                 . escape_filter_value( $self->Name ) . "))$RT::LdapFilter)";
>         $RT::Logger->debug(
>                 "GetExternalUserWithLDAP: First search filter '$filter'\n");
>         $mesg = $ldap->search(
>                 base   => $RT::LdapBase,
>                 filter => $filter,
>                 attrs  => ['dn']
>         );
> 
>         # fail only when the result is neither success nor partial results
>         if (    $mesg->code != LDAP_SUCCESS
>                 and $mesg->code != LDAP_PARTIAL_RESULTS )
>         {
>                 $RT::Logger->debug(
>                         "GetExternalUserWithLDAP: Could not search for $filter: ",
>                         $mesg->code, " ", ldap_error_name( $mesg->code ), "\n" );
>                 return 0;
>         }
>         $RT::Logger->debug( "GetExternalUserWithLDAP: First search produced ",
>                 $mesg->count, " results\n" );
>         if ( !$mesg->count ) {
>                 $RT::Logger->info( "AUTH FAILED: " . $self->Name . "\n" );
>                 return 0;
>         }
> 
>         # log only the DN that was found, never the password that was typed
>         my $dn = $mesg->first_entry->dn;
>         $RT::Logger->debug("LDAP DN: $dn\n");
> 
>         # the real check: bind as that DN with the supplied password
>         my $mesg2 = $ldap->bind( $dn, password => $value );
>         $ldap->unbind;
>         if ( $mesg2->code != LDAP_SUCCESS ) {
>                 $RT::Logger->critical(
>                         "GetExternalUserWithLDAP: Cannot bind to LDAP: ",
>                         $mesg2->code, " ", ldap_error_name( $mesg2->code ), "\n" );
>                 return 0;
>         }
> 
>         $RT::Logger->info( "AUTH OK: " . $self->Name . " ($dn)\n" );
>         return 1;
> }
> 
> # }}}
> 
> 1;
> 
> 
> **********
> **********
> 
> Next I put in httpd.conf:
> 
> # LDAP integration
> <Directory /opt/rt3/share/html>
>          AuthType Basic
>          AuthName "Request Tracker Login"
>          AuthLDAPURL ldap://ipadress
>          require valid-user
> </Directory>
> 
> 
> 
> and in RT_SiteConfig:
> 
> Set ($WebExternalAuth , 1);
> Set($WebFallbackToInternalAuth , 1);
> Set($WebExternalAuto , 1);
> 
> 
> I know I missed other things, but what do I have to add to meet 
> the needs?
> 
> I'm running RH7.3 - Apache 1 - mod_perl 1 - RT 3.0.10
> 
> Thanks a lot!!
> 
> 

