[rt-users] LDAP CONTRIB: Looking for a few good guinea pigs
Jim Meyer
purp at acm.org
Fri Jan 6 23:15:40 EST 2006
Hello!
It's been stable for a few weeks, so I'm making available for beta
testing a new, integrated approach to LDAP user auth and info services.
It's a huge refactor of the approaches previously contributed, with a
new approach to the authentication bits and a lot of new code. See below
for a short list of changes, things which need to be tested, and things
left to do.
The odd hitch is that the code I'm releasing actually factors out some
ugly hacks that I'm using to account for our, er, *unique* LDAP
configuration at present. This means I can't test it here until the
reason for those hacks goes away, which should be moderately soon. While
the code I'm releasing is very, very similar, and while I've been very,
very careful, it's not been tested beyond being sure that `perl -c User_Local.pm` succeeds. Ugh.
If you're feeling brave, please have a go at:
http://wiki.bestpractical.com/index.cgi?LDAP
... and let me know how it pans out. I'll try to turn around any bug
fixes quickly.
Thanks!
--j
Things which need to be tested:
* Drop-in replacement of previous contrib implementations
* SSL (TLS) LDAP connections
* Non-Linux installations
Changes in this implementation:
* Added $RT::AuthMethods as basis for auth method lists;
currently supports LDAP, Internal
* Implemented Phillip Cole's suggested $RT::LdapAttrMap
* Implemented $RT::LdapRTAttrMatchList and $RT::LdapEmailAttrMatchList
to help guide LDAP searches more effectively
* Added LdapAuth* and LdapInfo* variables to allow authentication
and information from separate LDAP servers; didn't invalidate
older Ldap{Server,Base,User,Pass,etc} variables.
* Added LdapConfigInfo() to get integrated config info
To do:
* LdapConfigInfo() should take an optional list of required
config vars and fail if they're not all defined
* Refactor code to eliminate goofy $ldap_foo = $ldap_config{foo}
statements.
* Refactor auth methods to use LookupExternalUserInfo()
* Make LDAP-sourced user information immutable in all RT interfaces
(web and CLI)
* Cause LDAP-sourced user info stored in the RT database to behave
as a cache, auto-updating after some (admin-configurable) time period.
Will need to deal with failure modes such as:
o LDAP server down
o LDAP server up but failing catastrophically
(e.g. presenting no results when searched for valid record)
o User record has been removed
o uid or other identifying info changes (e.g. Jane Doe with
login jdoe marries John Smith, changes login to jsmith)
--
Jim Meyer, Geek at Large purp at acm.org
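The last to-do item above, LDAP-sourced user info behaving as a cache with the four listed failure modes, is the part most likely to bite in production, so here is an added worked example of that logic. It is not code from the contrib or from RT; `refresh_user_info`, `find_by_uid`, the `%db` stand-in for the RT Users table, the `$lookup` callback and all sample records are assumptions made for illustration, and no Net::LDAP call is made so it runs offline.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not part of the contrib announced above: a small model of
# "LDAP-sourced user info behaves as a cache", written so the four failure
# modes in the to-do list can be exercised without a real server.
# refresh_user_info, find_by_uid, %db and the $lookup callback are all
# assumed names for illustration, not RT or Net::LDAP API.

my $TTL = 3600;   # seconds before a cached record is re-checked against LDAP

# Constructed stand-in for the RT Users table: login => cached attributes.
# LdapUid is the stable identifier we trust more than the login itself.
my %db = (
    jdoe => { Name => 'jdoe', RealName => 'Jane Doe',
              EmailAddress => 'jdoe@example.org', LdapUid => '1001',
              synced => 0, missing_count => 0 },
);

sub find_by_uid {
    my ($uid) = @_;
    for my $rec (values %db) {
        return $rec if $rec->{LdapUid} eq $uid;
    }
    return;
}

# refresh_user_info($login, $lookup, $now)
#   $lookup stands in for the LDAP search and returns one of
#     ('ok', \%attrs)     a matching entry
#     ('notfound', undef) server answered, but with no entry
#     ('down', undef)     connection or bind failed
#   Returns ($status, $record) describing what was served.
sub refresh_user_info {
    my ($login, $lookup, $now) = @_;
    my $cached = $db{$login};

    # Still fresh: no LDAP round trip at all.
    return ('cached', $cached)
        if $cached && $now - $cached->{synced} < $TTL;

    my ($rc, $attrs) = $lookup->($login);

    # LDAP server down: serve the stale copy rather than lock the user out,
    # and leave 'synced' alone so the next request retries.
    if ($rc eq 'down') {
        return $cached ? ('stale', $cached) : ('unavailable', undef);
    }

    # Server up but no entry: either the record was removed or the server is
    # failing catastrophically. One empty answer cannot distinguish the two,
    # so count it and keep the cached copy; an admin policy (not modelled
    # here) would disable the user only after N consecutive misses.
    if ($rc eq 'notfound') {
        return ('unknown', undef) unless $cached;
        $cached->{missing_count}++;
        return ('missing', $cached);
    }

    # Got an entry. If its stable uid already belongs to a record under a
    # different login (jdoe -> jsmith), rename that record instead of
    # creating a second user for the same person.
    my $rec = find_by_uid($attrs->{LdapUid});
    if ($rec && $rec->{Name} ne $login) {
        delete $db{ $rec->{Name} };
        $db{$login} = $rec;
    }
    $rec ||= ($db{$login} = { missing_count => 0 });

    # Overwrite the LDAP-sourced fields; the directory is their only writer,
    # which is what "immutable in all RT interfaces" asks for.
    @{$rec}{qw(Name RealName EmailAddress LdapUid)} =
        @{$attrs}{qw(Name RealName EmailAddress LdapUid)};
    $rec->{synced}        = $now;
    $rec->{missing_count} = 0;
    return ('refreshed', $rec);
}

# Constructed directory state for the walkthrough: Jane has already been
# renamed to jsmith in LDAP, but RT still knows her as jdoe.
my %directory = (
    jsmith => { Name => 'jsmith', RealName => 'Jane Smith',
                EmailAddress => 'jsmith@example.org', LdapUid => '1001' },
);
my $server_up = 1;
my $lookup = sub {
    my ($login) = @_;
    return ('down', undef) unless $server_up;
    return $directory{$login} ? ('ok', $directory{$login}) : ('notfound', undef);
};

for my $step (
    [ 'jdoe',   10,   'fresh cache, no lookup' ],
    [ 'jdoe',   5000, 'expired; jdoe no longer in directory' ],
    [ 'jsmith', 5000, 'new login, same uid: record is renamed' ],
    [ 'jsmith', 9000, 'server down: stale copy served' ],
) {
    my ($login, $now, $why) = @$step;
    $server_up = 0 if $now == 9000;
    my ($status, $rec) = refresh_user_info($login, $lookup, $now);
    printf "%-7s t=%-5d %-10s %s\n", $login, $now, $status, $why;
}
```

The four steps walk through the four failure modes in order: a fresh hit, an empty answer for a still-cached user (kept, but counted), a login change detected through the stable uid rather than the login string, and a server outage answered from the stale copy. The one design choice worth noting is that an empty search result never deletes a user on its own, because from RT's side a removed record and a broken server look identical.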