[rt-users] LDAP integration works great EXCEPT group membership test
Mike Peachey
mike.peachey at jennic.com
Sat Mar 1 16:01:12 EST 2008
RT Lists wrote:
> These are the lines for our LDAP group settings in RT_SiteConfig.pm:
>
> # If you set these, only members of this group can auth via LDAP
> Set($LdapGroup, 'cn=RT,ou=ITST,ou=Everyone,dc=domain,dc=tld');
> Set($LdapGroupAttr, 'uniqueMember');
>
> The group RT in the OU ITST in the OU Everyone in the AD root definitely
> exists. It contains users that can log in just fine if those lines are
> commented out and RT is restarted. When we try to log in with these
> settings uncommented, the web interface says "Error: Your username or
> password is incorrect" and we get these lines in the debug logs:
>
<snip>
> Feb 29 12:32:26 stilgar RT: Trying LDAP authentication
> Feb 29 12:32:26 stilgar RT: RT::User::IsLDAPPassword Found LDAP DN:
> CN=rttestuser,OU=ITST,OU=Everyone,DC=domain,dc=tld
> Feb 29 12:32:26 stilgar RT: RT::User::IsLDAPPassword AUTH FAILED: rttestuser
<snip>
>
> I've been banging my head against the wall on this for a while and am
> starting to run out of ideas. If any of you fine folks can offer a
> suggestion, it would be highly appreciated :)
This is something for which you are going to need to debug the code
yourself. You need to add a few new debugging statements to the LDAP
groups code to work out exactly where the authentication is failing. It
may be that the code isn't doing group checking in the way you'd expect
for AD because AD is a poor bastardisation of good LDAP. To be honest I
can't remember exactly right now.. perhaps when I get back to work on
Monday I'll be in a position to check.
Bottom line is, the code that does the group checking is unbelievably
small and simple and with even the most basic programming knowledge, you
should be able to fix it yourself.
The code in question is inside IsLdapPassword inside
$RTHOME/local/lib/RT/User_Local.pm:
# Is there an LDAP Group to check?
if ($ldap_group) {
$filter =
Net::LDAP::Filter->new("(${ldap_group_attr}=${ldap_dn})");
$ldap_msg = $ldap->search(base => $ldap_group,
filter => $filter,
attrs => ['dn'],
scope => 'base');
unless ($ldap_msg->code == LDAP_SUCCESS ||
$ldap_msg->code == LDAP_PARTIAL_RESULTS) {
$RT::Logger->critical((caller(0))[3],
"Search for", $filter->as_string,
"failed:",
ldap_error_name($ldap_msg->code),
$ldap_msg->code);
return;
}
unless ($ldap_msg->count == 1) {
$RT::Logger->info((caller(0))[3], "AUTH FAILED:", $self->Name);
return;
}
}
Recommendations I would make would be:
1. Insert "use Data::Dumper" at the top of the file.
2. For each variable that you're not TOTALLY sure what it does and what
it's set to within the block of code above, insert
"$RT::Logger->debug("\$VARIABLE = $VARIABLE);"
3. Check your AD schema to ensure that if you were to search for
$ldap_group, using the $filter with a base scope, looking for dn attrs,
that you would return a single group.
4. If you want to be sure what the ldap search results in:
"$RT::Logger("Ldap Result:\n",Dumper($ldap_msg));" straight after the
search directive.
5. Finally, don't forget that, as shown in the code above, the group
authorisation is confirmed if the LDAP search results in one and only
one result. If it gives more than one result, the auth fails. You may
want to code your way around this if you need to have multiple possible
groups results.
As a general tip for coding in IsLdapPassword: Authorisation is
successful if the method runs to the end wihout interruption. All the
checks within it return 0 (default for return statement) if the user is
to be denied access or just continue on to the next check if a failure
wasn't detected.
Have fun...
Don't forget.. when you're done making a change to User_Local.pm:
$ apachectl stop
$ rm -rvf $RTHOME/var/mason_data/obj/*
$ apachectl start
--
Kind Regards,
___________________________________________________
Mike Peachey, IT
Tel: +44 (0) 114 281 2655
Fax: +44 (0) 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
http://www.jennic.com
Confidential
___________________________________________________
More information about the rt-users
mailing list