Bug #69500 for RT-Authen-ExternalAuth: Groups membership is checked after the user bind

Fri Jul 15 08:55:56 2011 bohonek.robert [...] post.cz - Ticket created

Subject:	Bug in LDAP authentication - group checking
Date:	Fri, 15 Jul 2011 14:55:38 +0200
To:	bug-RT-Authen-ExternalAuth [...] rt.cpan.org
From:	Robert Bohoněk <bohonek.robert [...] post.cz>

Hello, i have problem with group authentication. After new installation of Request Tracker and RT-Authen-ExternalAuth i try to setup ldap authentication with group checking. Without group checking everything goes ok, but with group authentization failed. After debugging i found problem in LDAP.pm module. LDAP.pm: line 78 # THIS bind determines success or failure on the password. line 79 $ldap_msg = $ldap->bind($ldap_dn, password => $password); line 96 if ($group) { .... line 108 $ldap_msg = $ldap->search( base => $group, line 109 filter => $filter, line 110 attrs => \@attrs, line 111 scope => 'base'); At line 79 you try to bind user to check user password, but in this step (after success) you change the bind user for LDAP searches and than at line 108 you make search under new logged user, not under bind user from RT_SiteConfig.pm. Logged user has fewer rights (in our case) to LDAP tree as bind user from config file, therefore authentication failed. So i think that group checking must be before password checking (before new bind command). Here is my configuration: Distribution name and version: RT-Authen-ExternalAuth-0.09 Perl version: 5.8.8 Operating System vendor and version: Centos 5.6 (Final), 2.6.18-194.32.1.el5 RT version: 4.0.1 Thanks, Robert Bohonek

Tue Jul 19 12:42:23 2011 falcone [...] bestpractical.com - Correspondence added

Subject:	Re: [rt.cpan.org #69500] Bug in LDAP authentication - group checking
Date:	Tue, 19 Jul 2011 12:42:17 -0400
To:	"bohonek.robert via RT" <bug-RT-Authen-ExternalAuth [...] rt.cpan.org>
From:	Kevin Falcone <falcone [...] bestpractical.com>

Hi Robert I can see how this would be a problem when the regular users can't do the group query. Unfortunately, it's a non-trivial change, so there will need to be some updates to the test suite to confirm behavior before we could make this change. -kevin On Fri, Jul 15, 2011 at 08:55:58AM -0400, bohonek.robert via RT wrote: Show quoted text

> i have problem with group authentication. After new installation of > Request Tracker and RT-Authen-ExternalAuth i try to setup ldap > authentication with group checking. Without group checking everything > goes ok, but with group authentization failed. After debugging i found > problem in LDAP.pm module. > > LDAP.pm: > > line 78 # THIS bind determines success or failure on the password. > line 79 $ldap_msg = $ldap->bind($ldap_dn, password => $password); > > line 96 if ($group) { > .... > line 108 $ldap_msg = $ldap->search( base => $group, > line 109 filter => $filter, > line 110 attrs => \@attrs, > line 111 scope => 'base'); > > At line 79 you try to bind user to check user password, but in this step > (after success) you change the bind user for LDAP searches and than at > line 108 you make search under new logged user, not under bind user from > RT_SiteConfig.pm. Logged user has fewer rights (in our case) to LDAP > tree as bind user from config file, therefore authentication failed. > > So i think that group checking must be before password checking (before > new bind command). > > Here is my configuration: > Distribution name and version: RT-Authen-ExternalAuth-0.09 > Perl version: 5.8.8 > Operating System vendor and version: Centos 5.6 (Final), 2.6.18-194.32.1.el5 > RT version: 4.0.1 > > Thanks, > Robert Bohonek > > > >

Tue Jul 19 12:42:24 2011 The RT System itself - Status changed from 'new' to 'open'

Thu Jan 26 16:02:49 2012 tsibley [...] cpan.org - Subject changed from 'Bug in LDAP authentication - group checking' to 'Don't check groups as the bound user'

Thu Jan 26 16:03:08 2012 tsibley [...] cpan.org - Subject changed from 'Don't check groups as the bound user' to 'Groups membership is checked after the user bind'

Tue Jan 29 18:32:58 2013 tony.arnold [...] manchester.ac.uk - Correspondence added

From:

tony.arnold [...] manchester.ac.uk

I've made a simple patch to LDAP.pm in RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth which does the group membership check before the password check, thus the credentials specified in the config file must have rights to the group membership and not the user being authenticated. The patch file is attached. This works for me but could probably do with testing more thoroughly. Regards, Tony. On Tue Jul 19 12:42:23 2011, falcone@bestpractical.com wrote: Show quoted text

> Hi Robert > > I can see how this would be a problem when the regular users can't do > the group query. Unfortunately, it's a non-trivial change, so there > will need to be some updates to the test suite to confirm behavior > before we could make this change. > > -kevin > > On Fri, Jul 15, 2011 at 08:55:58AM -0400, bohonek.robert via RT wrote:

> > i have problem with group authentication. After new installation of > > Request Tracker and RT-Authen-ExternalAuth i try to setup ldap > > authentication with group checking. Without group checking

> everything

> > goes ok, but with group authentization failed. After debugging i

> found

> > problem in LDAP.pm module. > > > > LDAP.pm: > > > > line 78 # THIS bind determines success or failure on the

> password.

> > line 79 $ldap_msg = $ldap->bind($ldap_dn, password =>

> $password);

> > > > line 96 if ($group) { > > .... > > line 108 $ldap_msg = $ldap->search( base => $group, > > line 109 filter => $filter, > > line 110 attrs => \@attrs, > > line 111 scope => 'base'); > > > > At line 79 you try to bind user to check user password, but in this

> step

> > (after success) you change the bind user for LDAP searches and than

> at

> > line 108 you make search under new logged user, not under bind user

> from

> > RT_SiteConfig.pm. Logged user has fewer rights (in our case) to LDAP > > tree as bind user from config file, therefore authentication failed. > > > > So i think that group checking must be before password checking

> (before

> > new bind command). > > > > Here is my configuration: > > Distribution name and version: RT-Authen-ExternalAuth-0.09 > > Perl version: 5.8.8 > > Operating System vendor and version: Centos 5.6 (Final), 2.6.18-

> 194.32.1.el5

> > RT version: 4.0.1 > > > > Thanks, > > Robert Bohonek > > > > > > > >

Subject:

LDAP.pm.patch

*** LDAP.pm Tue Jan 29 15:50:06 2013 --- LDAP.pm.orig Tue Jan 29 15:45:00 2013 *************** *** 83,88 **** --- 83,105 ---- $RT::Logger->debug( "Found LDAP DN:", $ldap_dn); + # THIS bind determines success or failure on the password. + $ldap_msg = $ldap->bind($ldap_dn, password => $password); + + unless ($ldap_msg->code == LDAP_SUCCESS) { + $RT::Logger->info( $service, + "AUTH FAILED", + $username, + "(can't bind:", + ldap_error_name($ldap_msg->code), + $ldap_msg->code, + ")"); + # Could not bind to the LDAP server as the user we found with the password + # we were given, therefore the password must be wrong so we fail and + # jump straight to the next external auth service + return 0; + } + # The user is authenticated ok, but is there an LDAP Group to check? if ($group) { my $group_val = lc $group_attr_val eq 'dn' *************** *** 141,163 **** } } - # THIS bind determines success or failure on the password. - $ldap_msg = $ldap->bind($ldap_dn, password => $password); - - unless ($ldap_msg->code == LDAP_SUCCESS) { - $RT::Logger->info( $service, - "AUTH FAILED", - $username, - "(can't bind:", - ldap_error_name($ldap_msg->code), - $ldap_msg->code, - ")"); - # Could not bind to the LDAP server as the user we found with the password - # we were given, therefore the password must be wrong so we fail and - # jump straight to the next external auth service - return 0; - } - # Any other checks you want to add? Add them here. # If we've survived to this point, we're good. --- 158,163 ----