Subject: Bug in LDAP authentication - group checking
Date: Fri, 15 Jul 2011 14:55:38 +0200
To: bug-RT-Authen-ExternalAuth [...] rt.cpan.org
From: Robert Bohoněk <bohonek.robert [...] post.cz>

Hello,
I have a problem with group authentication. After a new installation of
Request Tracker and RT-Authen-ExternalAuth I tried to set up LDAP
authentication with group checking. Without group checking everything
goes OK, but with group authentication it failed. After debugging I found
the problem in the LDAP.pm module.
LDAP.pm:
line 78 # THIS bind determines success or failure on the password.
line 79 $ldap_msg = $ldap->bind($ldap_dn, password => $password);
line 96 if ($group) {
....
line 108 $ldap_msg = $ldap->search( base => $group,
line 109 filter => $filter,
line 110 attrs => \@attrs,
line 111 scope => 'base');
At line 79 you try to bind as the user to check the user's password, but
in this step (after success) you change the bind user for LDAP searches,
and then at line 108 you make the search as the newly logged-in user, not
as the bind user from RT_SiteConfig.pm. The logged-in user has fewer rights
(in our case) to the LDAP tree than the bind user from the config file,
therefore authentication failed.
So I think that group checking must come before password checking (before
the new bind command).
Here is my configuration:
Distribution name and version: RT-Authen-ExternalAuth-0.09
Perl version: 5.8.8
Operating System vendor and version: CentOS 5.6 (Final), 2.6.18-194.32.1.el5
RT version: 4.0.1
Thanks,
Robert Bohonek
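
The bind-order problem described in this report, as an added Perl example that is not code from RT-Authen-ExternalAuth or from the original message. FakeLDAP, its group_has_member method and all DNs and passwords are constructed stand-ins (not the Net::LDAP API) for a directory whose ACL lets only the configured bind account read group entries; the two functions compare the order the report describes with the order it proposes.

```perl
use strict;
use warnings;

# Constructed sample data (not from the report); $SVC_* is the config bind user.
my ($SVC_DN, $SVC_PW) = ('cn=rt-bind,dc=example,dc=org', 'svc-secret');
my $ALICE_DN = 'uid=alice,ou=people,dc=example,dc=org';
my $GROUP_DN = 'cn=rt-users,ou=groups,dc=example,dc=org';
my %PASSWORD = ($SVC_DN => $SVC_PW, $ALICE_DN => 'alice-secret');
my %MEMBERS  = ($GROUP_DN => { $ALICE_DN => 1 });

# Constructed stand-in for a directory server: it tracks which DN the
# connection is bound as and lets only $SVC_DN read group entries.
package FakeLDAP;
sub new { return bless { bound_as => '' }, shift }
sub bind {
    my ($self, $dn, %opt) = @_;
    my $pw = defined $opt{password} ? $opt{password} : '';
    my $ok = exists($PASSWORD{$dn}) && $PASSWORD{$dn} eq $pw;
    $self->{bound_as} = $ok ? $dn : '';    # each bind replaces the identity
    return $ok;
}
sub group_has_member {    # stands in for the base-scope search on the group
    my ($self, $group, $user_dn) = @_;
    return 0 unless $self->{bound_as} eq $SVC_DN;    # ACL: service account only
    return $MEMBERS{$group}{$user_dn} ? 1 : 0;
}

package main;

# Order described in the report: password bind first, group lookup after it.
sub auth_bind_then_group {
    my ($ldap, $user_dn, $password) = @_;
    $ldap->bind($SVC_DN, password => $SVC_PW) or return 0;
    $ldap->bind($user_dn, password => $password) or return 0;
    return $ldap->group_has_member($GROUP_DN, $user_dn);    # runs as the user
}

# Order proposed in the report: group lookup as the service account first.
sub auth_group_then_bind {
    my ($ldap, $user_dn, $password) = @_;
    $ldap->bind($SVC_DN, password => $SVC_PW) or return 0;
    $ldap->group_has_member($GROUP_DN, $user_dn) or return 0;
    return $ldap->bind($user_dn, password => $password) ? 1 : 0;
}

my @alice = ($ALICE_DN, 'alice-secret');
printf "bind then group: %s\n", auth_bind_then_group(FakeLDAP->new(), @alice) ? 'allowed' : 'denied';
printf "group then bind: %s\n", auth_group_then_bind(FakeLDAP->new(), @alice) ? 'allowed' : 'denied';
```

With the group lookup moved ahead of the password bind, the decision no longer depends on what the end user's own account is allowed to read in the directory.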