[rt-users] LDAP authentication
Ray Thompson
rthompson at interpublic.com
Tue Sep 28 10:17:50 EDT 2004
You shouldn't need the
> # LDAP integration
> <Directory /opt/rt3/share/html>
> AuthType Basic
> AuthName "Request Tracker Login"
> AuthLDAPURL ldap://ipadress
> require valid-user
> </Directory>
part in your httpd.conf since you're telling RT to use LDAP and not Apache.
I assume you've also modified $LdapServer and $LdapBase in RT_SiteConfig.pm to reflect your environment.
-Ray
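Added example (not from any message in this thread): the search-then-bind decision that the User_Local.pm overlay quoted below performs, written in plain Python with the user name escaped per RFC 4515 before it is placed in the search filter. The directory is a constructed in-memory stand-in with callables in place of Net::LDAP, and unlike the overlay (which takes the first entry) it also rejects an ambiguous search result.

```python
# Added example, not from the thread.  The directory below is a constructed stand-in.

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    Without this, '*', '(', ')' or '\\' in a user name become part of the
    filter grammar instead of the value being matched.
    """
    specials = {'*': r'\2a', '(': r'\28', ')': r'\29', '\\': r'\5c', '\x00': r'\00'}
    return ''.join(specials.get(ch, ch) for ch in value)


def build_filter(name, uid_attr='uid', extra_filter='(objectclass=*)'):
    """Same shape as the overlay's filter: (&(&(objectclass=person)(uid=NAME))EXTRA)."""
    return '(&(&(objectclass=person)(%s=%s))%s)' % (
        uid_attr, escape_filter_value(name), extra_filter)


def check_password(name, password, disabled, search, bind):
    """Return True only if the directory accepts name/password.

    search(ldap_filter) -> list of DNs matching the filter
    bind(dn, password)  -> True if the directory accepts the credentials
    Order mirrors the overlay: refuse empty passwords and disabled users
    before touching the directory, find the DN, then bind as that DN.
    """
    if not password:              # RT does not allow null passwords
        return False
    if disabled:
        return False
    dns = search(build_filter(name))
    if len(dns) != 1:             # unknown user, or an ambiguous match
        return False
    return bool(bind(dns[0], password))


# Constructed stand-in directory: exact filter string -> DNs, DN -> password.
_DN = 'uid=sderay,ou=people,dc=domain,dc=com'
_ENTRIES = {build_filter('sderay'): [_DN]}
_CREDS = {_DN: 'correct horse'}


def fake_search(ldap_filter):
    return _ENTRIES.get(ldap_filter, [])


def fake_bind(dn, password):
    return _CREDS.get(dn) == password


if __name__ == '__main__':
    print(check_password('sderay', 'correct horse', False, fake_search, fake_bind))  # True
    print(check_password('sderay', 'wrong', False, fake_search, fake_bind))          # False
```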
> -----Original Message-----
> From: Sivan DERAY [mailto:sivan.deray at net-aptitude.fr]
> Sent: Tuesday, September 28, 2004 3:45 AM
> To: Ray Thompson; rt-users at lists.bestpractical.com
> Subject: [rt-users] LDAP authentication
>
>
> Yes, I have added in the RT_SiteConfig.pm file
>
> Set ($WebExternalAuth , 1);
> $LDAPExternalAuth = 1;
> $LdapServer="adress";
> $LdapUser="";
> $LdapPass="";
> $LdapBase="dc=domain,dc=com";
> $LdapUidAttr="uid";
> $LdapFilter="(objectclass=*)";
>
> Do I need to add the mod_auth module or something else?
>
> -----Original Message-----
> From: Ray Thompson [mailto:rthompson at interpublic.com]
> Sent: Monday, September 27, 2004 22:22
> To: Sivan DERAY; rt-users at lists.bestpractical.com
> Subject: [Probable spam] RE: [rt-users] LDAP authentication
>
>
> The comments in User_Local.pm indicate that there are seven
> lines that need to be added to RT_SiteConfig.pm. You didn't
> mention if you had done this.
>
> --
> Regards,
> Ray
>
> -----Original Message-----
> From: rt-users-bounces at lists.bestpractical.com
> [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf
> Of Sivan DERAY
> Sent: Friday, September 24, 2004 10:15 AM
> To: rt-users at lists.bestpractical.com
> Subject: [rt-users] LDAP authentication
>
>
> I read many posts about LDAP, but I'm still confused on how
> to implement that:
>
> Here is what I understood:
>
> I put in the /opt/rt3/lib/RT/ directory a User_Local.pm file
> containing:
>
> ********
> ********
> # User_Local.pm: replaces RT::User::IsPassword so that a password which
> # fails the local RT checks is tried against LDAP.
> #
> # Modification originally by Marcelo Bartsch <bartschm_cl at hotmail.com>
> # Update by Stewart James <stewart.james at vu.edu.au> for rt3.
> # Drop this file in /opt/rt3/lib/RT/User_Local.pm
> # Drop something like below in your RT_SiteConfig.pm
> #   $LDAPExternalAuth = 1;
> #   $LdapServer="adress";
> #   $LdapUser="";
> #   $LdapPass="";
> #   $LdapBase="dc=domain,dc=com";
> #   $LdapUidAttr="uid";
> #   $LdapFilter="(objectclass=*)";
>
> package RT::User;    # the sub below must land in RT::User to replace IsPassword
>
> use strict;
> use warnings;
> no warnings qw(redefine);
>
> use Net::LDAP;
> use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_PARTIAL_RESULTS);
> use Net::LDAP::Util qw(ldap_error_name escape_filter_value);
>
> # {{{ sub IsPassword
>
> sub IsPassword {
>     my $self  = shift;
>     my $value = shift;
>
>     #TODO there isn't any apparent way to legitimately ACL this
>
>     # RT does not allow null passwords
>     if ( !defined($value) or $value eq '' ) {
>         return (undef);
>     }
>
>     if ( $self->PrincipalObj->Disabled ) {
>         $RT::Logger->info( "Disabled user " . $self->Name . " tried to log in" );
>         return (undef);
>     }
>
>     # A user with no stored password cannot log in at all
>     my $stored = $self->__Value('Password');
>     if ( !defined($stored) or $stored eq '' ) {
>         return (undef);
>     }
>
>     # compare against the stored md5 password
>     if ( $self->_GeneratePassword($value) eq $stored ) {
>         return (1);
>     }
>
>     # if it's a historical (crypt) password we say ok.
>     if ( $stored eq crypt( $value, $stored ) ) {
>         return (1);
>     }
>
>     # Without LDAP configured, the local checks above were the last word.
>     if ( !$RT::LDAPExternalAuth ) {
>         return (undef);
>     }
>
>     $RT::Logger->info("Using External Authentication\n");
>
>     my $ldap = Net::LDAP->new( $RT::LdapServer, version => 3 );
>     unless ($ldap) {
>         $RT::Logger->critical("GetExternalUserWithLDAP: Cannot connect to LDAP\n");
>         return 0;
>     }
>
>     # I seem to have problems if I try and bind with a NULL username by hand,
>     # so this now checks to see if we are really going to bind with a username.
>     # This must be a string comparison ('ne'); the numeric '!=' never
>     # detects a configured username and silently falls back to anonymous bind.
>     my $mesg;
>     if ( defined($RT::LdapUser) && $RT::LdapUser ne '' ) {
>         $mesg = $ldap->bind( $RT::LdapUser, password => $RT::LdapPass );
>     }
>     else {
>         $mesg = $ldap->bind;    # anonymous bind
>     }
>     if ( $mesg->code != LDAP_SUCCESS ) {
>         $RT::Logger->critical( "GetExternalUserWithLDAP: Cannot bind to LDAP: " . $mesg->code . "\n" );
>         return 0;
>     }
>
>     # Escape the user name so it cannot change the structure of the filter.
>     my $filter = "(&(&(objectclass=person)(" . $RT::LdapUidAttr . "="
>                . escape_filter_value( $self->Name ) . "))$RT::LdapFilter)";
>     $RT::Logger->debug("GetExternalUserWithLDAP: First search filter '$filter'\n");
>     $mesg = $ldap->search( base   => $RT::LdapBase,
>                            filter => $filter,
>                            attrs  => ['dn'] );
>
>     # Both tests must fail before this is an error; joined with 'or' the
>     # condition would be true for every result code, including success.
>     if ( $mesg->code != LDAP_SUCCESS and $mesg->code != LDAP_PARTIAL_RESULTS ) {
>         $RT::Logger->debug( "GetExternalUserWithLDAP: Could not search for $filter: "
>                           . $mesg->code . " " . ldap_error_name( $mesg->code ) . "\n" );
>         return 0;
>     }
>     $RT::Logger->debug( "GetExternalUserWithLDAP: First search produced " . $mesg->count . " results\n" );
>     if ( !$mesg->count ) {
>         $RT::Logger->info( "AUTH FAILED: " . $self->Name . "\n" );
>         return 0;
>     }
>
>     # Log the DN only; the supplied password must never be written to the log.
>     my $dn = $mesg->first_entry->dn;
>     $RT::Logger->debug("LDAP DN: $dn\n");
>
>     # Bind as the user's own DN with the supplied password
>     my $mesg2 = $ldap->bind( $dn, password => $value );
>     if ( $mesg2->code != LDAP_SUCCESS ) {
>         $RT::Logger->critical( "GetExternalUserWithLDAP: Cannot bind to LDAP: " . $mesg2->code . "\n" );
>         return 0;
>     }
>
>     $RT::Logger->info( "AUTH OK: " . $self->Name . " ($dn)\n" );
>     return 1;
> }
>
> # }}}
>
> 1;
>
>
> **********
> **********
>
> Next I put in httpd.conf:
>
> # LDAP integration
> <Directory /opt/rt3/share/html>
> AuthType Basic
> AuthName "Request Tracker Login"
> AuthLDAPURL ldap://ipadress
> require valid-user
> </Directory>
>
> and in RT_SiteConfig:
>
> Set ($WebExternalAuth , 1);
> Set($WebFallbackToInternalAuth , 1);
> Set($WebExternalAuto , 1);
>
>
> I know I missed other things, but what do I have to add to meet
> the needs?
>
> I'm running RH7.3 - Apache 1 - mod_perl 1 - RT 3.0.10
>
> Thanks a lot!!
>
>