[rt-users] LDAP CONTRIB: Looking for a few good guinea pigs

Jim Meyer purp at acm.org
Fri Jan 6 23:15:40 EST 2006


Hello!

It's been stable for a few weeks, so I'm making available for beta
testing a new, integrated approach to LDAP user auth and info services.
It's a huge refactor of the approaches previously contributed, with a
new approach to the authentication bits and a lot of new code. See below
for a short list of changes, things which need to be tested, and things
left to do.

The odd hitch is that the code I'm releasing actually factors out some
ugly hacks that I'm using to account for our, er, *unique* LDAP
configuration at present. This means I can't test it here until the
reason for those hacks goes away, which should be moderately soon. While
the code I'm releasing is very, very similar, and while I've been very,
very careful, it's not been tested beyond being sure that `perl -c
User_Local.pm` succeeds. Ugh.

If you're feeling brave, please have a go at:

    http://wiki.bestpractical.com/index.cgi?LDAP

... and let me know how it pans out. I'll try to turn around any bug
fixes quickly.

Thanks!

--j

Things which need to be tested:
* Drop-in replacement of previous contrib implementations
* SSL (TLS) LDAP connections
* Non-Linux installations

Changes in this implementation:
* Added $RT::AuthMethods as basis for auth method lists;
  currently supports LDAP, Internal
* Implemented Phillip Cole's suggested $RT::LdapAttrMap
* Implemented $RT::LdapRTAttrMatchList and $RT::LdapEmailAttrMatchList
  to help guide LDAP searches more effectively
* Added LdapAuth* and LdapInfo* variables to allow authentication
  and information from separate LDAP servers; didn't invalidate
  older Ldap{Server,Base,User,Pass,etc} variables.
* Added LdapConfigInfo() to get integrated config info

To do:
* LdapConfigInfo() should take an optional list of required 
  config vars and fail if they're not all defined
* Refactor code to eliminate goofy $ldap_foo = $ldap_config{foo}
  statements.
* Refactor auth methods to use LookupExternalUserInfo()
* Make LDAP-sourced user information immutable in all RT interfaces 
  (web and CLI)
* Cause LDAP-sourced user info stored in the RT database to behave 
  as a cache, auto-updating after some (admin-configurable) time period.
  Will need to deal with failure modes such as:
  o LDAP server down
  o LDAP server up but failing catastrophically
    (e.g. presenting no results when searched for valid record)
  o User record has been removed
  o uid or other identifying info changes (e.g. Jane Doe with 
    login jdoe marries John Smith, changes login to jsmith)
-- 
Jim Meyer, Geek at Large                                    purp at acm.org
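The "to do" item about treating LDAP-sourced user info as a cache lists four failure modes without saying how a refresh should react to each. The Perl below is an added example, not code from the contrib or from the wiki page: it sketches one refresh policy in which a cached record is keyed by an immutable directory attribute rather than by login, a connection failure keeps the stale record, an empty search result is only believed after a known-good "canary" entry can still be found, and a genuinely removed user is disabled rather than deleted. The function and variable names (`refresh_user`, `make_lookup`, `$TTL`, the `key` attribute) and the directory contents are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not part of the contrib): a refresh policy for LDAP-sourced
# user records held in RT's database as a cache, exercising the failure modes
# listed in the post. All names and data here are constructed.
use strict;
use warnings;

my $TTL = 3600;   # seconds a cached record is trusted before re-checking LDAP

# refresh_user(cached => \%rec, lookup => \&code, canary => [attr, value], now => $t)
#   cached : { key, login, name, email, fetched_at, disabled }
#            'key' is an immutable identifier (e.g. entryUUID or employeeNumber),
#            so a login change does not orphan the record
#   lookup : code ref taking (attr => value), returning a hashref or undef;
#            dies when the server cannot be reached
#   canary : attribute/value of an entry known to exist, used to tell
#            "no such user" apart from "server answering but broken"
sub refresh_user {
    my %args   = @_;
    my $cached = $args{cached};
    my $lookup = $args{lookup};
    my $now    = $args{now} // time;

    # Within TTL: serve from cache, no LDAP traffic at all
    if ( $now - $cached->{fetched_at} < $TTL ) {
        return { action => 'fresh', user => $cached };
    }

    # Failure mode: LDAP server down. Keep the stale record; never drop or
    # disable a user because of our own connectivity problem.
    my $entry = eval { $lookup->( key => $cached->{key} ) };
    if ($@) {
        return { action => 'keep_stale', reason => 'server_down', user => $cached };
    }

    if ( !defined $entry ) {
        # Failure mode: server up but returning no results. Before treating
        # the user as removed, confirm the directory still answers for a
        # record we know is there.
        my $probe = eval { $lookup->( @{ $args{canary} } ) };
        if ( $@ or !defined $probe ) {
            return { action => 'keep_stale', reason => 'server_unhealthy', user => $cached };
        }
        # Failure mode: record really removed. Disable rather than delete so
        # ticket history keeps its owner and the account can be re-enabled.
        return { action => 'disable', reason => 'record_removed',
                 user   => { %$cached, disabled => 1, fetched_at => $now } };
    }

    # Normal refresh, including a login change (matched on the immutable key)
    my %updated = ( %$cached, %$entry, fetched_at => $now, disabled => 0 );
    my $action  = $entry->{login} eq $cached->{login} ? 'update' : 'rename';
    return { action => $action, user => \%updated };
}

# --- constructed directory and a lookup factory simulating server states ---
my %directory = (
    'uuid-0001' => { key => 'uuid-0001', login => 'jsmith', name => 'Jane Smith',     email => 'jane@example.com' },
    'uuid-0002' => { key => 'uuid-0002', login => 'canary', name => 'Canary Account', email => 'canary@example.com' },
);

sub make_lookup {
    my ($state) = @_;    # 'ok', 'down', or 'broken'
    return sub {
        my ( $attr, $value ) = @_;
        die "LDAP connect failed\n" if $state eq 'down';
        return undef if $state eq 'broken';    # answers, but every search is empty
        return $directory{$value} if $attr eq 'key';
        my ($hit) = grep { $_->{$attr} eq $value } values %directory;
        return $hit;
    };
}

# Cached copy is past its TTL and still carries the pre-marriage login
my $stale = { key => 'uuid-0001', login => 'jdoe', name => 'Jane Doe',
              email => 'jane@example.com', fetched_at => 0, disabled => 0 };
my @canary = ( login => 'canary' );

for my $state (qw(ok down broken)) {
    my $r = refresh_user( cached => $stale, lookup => make_lookup($state),
                          canary => \@canary, now => 7200 );
    printf "%-7s -> %-10s %-16s login=%s\n",
        $state, $r->{action}, $r->{reason} // '', $r->{user}{login};
}

# Record removed: directory healthy, but this user is gone
delete $directory{'uuid-0001'};
my $r = refresh_user( cached => $stale, lookup => make_lookup('ok'),
                      canary => \@canary, now => 7200 );
printf "%-7s -> %-10s %-16s disabled=%d\n",
    'removed', $r->{action}, $r->{reason}, $r->{user}{disabled};
```

Run with `perl refresh.pl`: the `ok` case reports a `rename` from jdoe to jsmith, `down` and `broken` both keep the stale record (with different reasons, which is what you want in the log), and only the final case, where the canary is still found but the user is not, disables the account. The canary check is the piece that separates "server up but failing catastrophically" from "user record has been removed"; without it an outage that returns empty results would look like a mass deletion.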