[rt-users] AD integration for external auth
Todd Wade
todd at bestpractical.com
Wed Jul 8 22:37:12 EDT 2015
On 7/7/15 4:50 PM, Yan Seiner wrote:
> But the way ExternalAuth is set up, I have to provide the ldap userid
> and password, which in our system would be a real user.
>
> 'user' => 'rt_ldap_username',
> 'pass' => 'rt_ldap_password',
>
> Is there any way to get ExternalAuth to use the credentials entered in
> the login to bind to the ldap server?
At user login, ExternalAuth first finds the user with the credentials you
mention above, and then attempts to bind with the login-provided
credentials. A successful bind is how it knows that the user is
authenticated. From the code:
my $ldap_entry = $ldap_msg->first_entry;
my $ldap_dn = $ldap_entry->dn;
# THIS bind determines success or failure on the password.
$ldap_msg = $ldap->bind($ldap_dn, password => $password);
> But notice that I need to use either 'HPM\yans' for the user or the
> older 'yans at hpm.net' for the system to allow me to bind to the ldap
> server. The way we're set up, any user can bind to the server with
> valid credentials, but anonymous binds are not allowed.
For the former, you'd have to modify the extension to prefix the
username it attempts to bind with. The subroutine is
RT::Authen::ExternalAuth::LDAP::GetAuth. You could make a command line
script to call this and debug it until you get it to return 1. Like
jdg117 mentioned, you have to get Net::LDAP connecting to your LDAP and
then figure out how to configure or modify the extension to get it to
connect in the same way.
For the latter, I think you can update the configuration to store the
email address as the name so that it's used when the bind is attempted.
You'd have to use the email address to log in to RT.
Perhaps make attr_match_list just 'EmailAddress' and then have in the
attr_map:
'Name' => 'mail', # instead of sAMAccountName
'EmailAddress' => 'mail',
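A stand-alone diagnostic script of the kind suggested above, added here as an example and not taken from RT or RT::Authen::ExternalAuth: it performs the extension's two steps in order, a search as the service account followed by a bind as the DN that was found, so you can confirm Net::LDAP reaches your server before changing the RT configuration. The host, base DN, service account and matching attribute are placeholders to replace with your own values.

```perl
#!/usr/bin/perl
# Added example (not part of RT or RT::Authen::ExternalAuth): reproduce the
# extension's search-then-bind flow from the command line.
# Usage: ldap_auth_check.pl <login_name> <password>
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Placeholder settings; replace with your own values.
my $ldap_host    = 'ldap.example.org';
my $base_dn      = 'OU=Users,DC=example,DC=org';
# The 'user'/'pass' pair from the ExternalAuth config. For AD a simple bind
# name may be a DN, DOMAIN\name or name@domain, whichever the server accepts.
my $service_user = 'CN=rt_ldap,OU=Service,DC=example,DC=org';
my $service_pass = 'rt_ldap_password';
my $match_attr   = 'sAMAccountName';   # first entry of attr_match_list

my ($login, $password) = @ARGV;
die "usage: $0 <login_name> <password>\n"
    unless defined $login && defined $password;

my $ldap = Net::LDAP->new($ldap_host) or die "connect failed: $@\n";

# Step 1: bind as the service account and look the user up by attribute.
my $msg = $ldap->bind($service_user, password => $service_pass);
die "service bind failed: " . $msg->error . "\n" if $msg->code;

# Escape the login so a stray '(' or '*' cannot change the filter.
my $filter = sprintf('(%s=%s)', $match_attr, escape_filter_value($login));
$msg = $ldap->search(base => $base_dn, filter => $filter,
                     attrs => [$match_attr]);
die "search failed: " . $msg->error . "\n" if $msg->code;
die "no entry matched $filter\n" unless $msg->count;

my $user_dn = $msg->first_entry->dn;
print "found $user_dn\n";

# Step 2: bind as the user; this is the bind that decides the password.
$msg = $ldap->bind($user_dn, password => $password);
$ldap->unbind;
if ($msg->code) {
    print "bind as user failed: ", $msg->error, "\n";
    exit 1;
}
print "authenticated: 1\n";
exit 0;
```

If the second bind fails while a manual bind with the same password works, the difference is in how the bind name is formed, which is the spot in GetAuth to adjust.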