This queue is for tickets about the RT-Authen-ExternalAuth CPAN distribution.

Report information
The Basics
Id: 69500
Status: open
Priority: 0/
Queue: RT-Authen-ExternalAuth

People
Owner: Nobody in particular
Requestors: bohonek.robert [...] post.cz
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Bug in LDAP authentication - group checking
Date: Fri, 15 Jul 2011 14:55:38 +0200
To: bug-RT-Authen-ExternalAuth [...] rt.cpan.org
From: Robert Bohoněk <bohonek.robert [...] post.cz>
Hello, I have a problem with group authentication. After a new installation of Request Tracker and RT-Authen-ExternalAuth I tried to set up LDAP authentication with group checking. Without group checking everything goes OK, but with group checking authentication failed. After debugging I found the problem in the LDAP.pm module.

LDAP.pm:

line 78 # THIS bind determines success or failure on the password.
line 79 $ldap_msg = $ldap->bind($ldap_dn, password => $password);

line 96 if ($group) {
....
line 108 $ldap_msg = $ldap->search( base => $group,
line 109 filter => $filter,
line 110 attrs => \@attrs,
line 111 scope => 'base');

At line 79 you try to bind as the user to check the user's password, but in this step (after success) you change the bind user for LDAP searches, and then at line 108 you make the search as the newly logged-in user, not as the bind user from RT_SiteConfig.pm. The logged-in user has fewer rights (in our case) to the LDAP tree than the bind user from the config file, therefore authentication failed.

So I think that group checking must be before password checking (before the new bind command).

Here is my configuration:
Distribution name and version: RT-Authen-ExternalAuth-0.09
Perl version: 5.8.8
Operating System vendor and version: Centos 5.6 (Final), 2.6.18-194.32.1.el5
RT version: 4.0.1

Thanks,
Robert Bohonek
Subject: Re: [rt.cpan.org #69500] Bug in LDAP authentication - group checking
Date: Tue, 19 Jul 2011 12:42:17 -0400
To: "bohonek.robert via RT" <bug-RT-Authen-ExternalAuth [...] rt.cpan.org>
From: Kevin Falcone <falcone [...] bestpractical.com>
Hi Robert

I can see how this would be a problem when the regular users can't do the group query. Unfortunately, it's a non-trivial change, so there will need to be some updates to the test suite to confirm behavior before we could make this change.

-kevin

On Fri, Jul 15, 2011 at 08:55:58AM -0400, bohonek.robert via RT wrote:
From: tony.arnold [...] manchester.ac.uk
I've made a simple patch to LDAP.pm in RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth which does the group membership check before the password check, thus the credentials specified in the config file must have rights to the group membership and not the user being authenticated. The patch file is attached.

This works for me but could probably do with testing more thoroughly.

Regards,
Tony.

On Tue Jul 19 12:42:23 2011, falcone@bestpractical.com wrote:
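As an added illustration (not code from the RT-Authen-ExternalAuth distribution), the ordering Tony's patch arrives at, written as a standalone Net::LDAP routine: the user lookup and the group check both run while still bound as the service account from the config file, and the bind as the user happens last. The server, DNs, attribute names and passwords in %cfg are hypothetical placeholders.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);
use Net::LDAP::Util qw(ldap_error_name escape_filter_value);

# Hypothetical settings standing in for the RT_SiteConfig.pm values.
my %cfg = (
    server     => 'ldap://ldap.example.invalid',
    bind_dn    => 'cn=rt-service,ou=svc,dc=example,dc=invalid',
    bind_pw    => 'service-secret',
    base       => 'ou=people,dc=example,dc=invalid',
    user_attr  => 'uid',
    group      => 'cn=rt-users,ou=groups,dc=example,dc=invalid',
    group_attr => 'member',   # group attribute holding member DNs
);

# Returns 1 when the user is in the group and the password is right, else 0.
sub authenticate_with_group {
    my ($username, $password) = @_;
    # An empty password would turn the final bind into an unauthenticated
    # simple bind, which many servers accept; refuse it up front.
    return 0 unless defined $password && length $password;

    my $ldap = Net::LDAP->new($cfg{server}) or return 0;

    # 1. Bind with the service credentials from the config file.
    my $msg = $ldap->bind($cfg{bind_dn}, password => $cfg{bind_pw});
    return 0 unless $msg->code == LDAP_SUCCESS;

    # 2. Resolve the user's DN; the filter value is escaped against filter injection.
    my $filter = sprintf '(%s=%s)', $cfg{user_attr}, escape_filter_value($username);
    $msg = $ldap->search(base => $cfg{base}, filter => $filter,
                         scope => 'sub', attrs => ['1.1']);
    return 0 unless $msg->code == LDAP_SUCCESS && $msg->count == 1;
    my $user_dn = $msg->entry(0)->dn;

    # 3. Group check, still as the service account (the user may not be able to read the group).
    my $gfilter = sprintf '(%s=%s)', $cfg{group_attr}, escape_filter_value($user_dn);
    $msg = $ldap->search(base => $cfg{group}, filter => $gfilter,
                         scope => 'base', attrs => ['1.1']);
    unless ($msg->code == LDAP_SUCCESS && $msg->count == 1) {
        warn "group check failed for $username: ", ldap_error_name($msg->code), "\n";
        $ldap->unbind;
        return 0;
    }

    # 4. Only now bind as the user; this bind is the actual password check.
    $msg = $ldap->bind($user_dn, password => $password);
    my $ok = $msg->code == LDAP_SUCCESS ? 1 : 0;
    $ldap->unbind;
    return $ok;
}
```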
Subject: LDAP.pm.patch
*** LDAP.pm Tue Jan 29 15:50:06 2013 --- LDAP.pm.orig Tue Jan 29 15:45:00 2013 *************** *** 83,88 **** --- 83,105 ---- $RT::Logger->debug( "Found LDAP DN:", $ldap_dn); + # THIS bind determines success or failure on the password. + $ldap_msg = $ldap->bind($ldap_dn, password => $password); + + unless ($ldap_msg->code == LDAP_SUCCESS) { + $RT::Logger->info( $service, + "AUTH FAILED", + $username, + "(can't bind:", + ldap_error_name($ldap_msg->code), + $ldap_msg->code, + ")"); + # Could not bind to the LDAP server as the user we found with the password + # we were given, therefore the password must be wrong so we fail and + # jump straight to the next external auth service + return 0; + } + # The user is authenticated ok, but is there an LDAP Group to check? if ($group) { my $group_val = lc $group_attr_val eq 'dn' *************** *** 141,163 **** } } - # THIS bind determines success or failure on the password. - $ldap_msg = $ldap->bind($ldap_dn, password => $password); - - unless ($ldap_msg->code == LDAP_SUCCESS) { - $RT::Logger->info( $service, - "AUTH FAILED", - $username, - "(can't bind:", - ldap_error_name($ldap_msg->code), - $ldap_msg->code, - ")"); - # Could not bind to the LDAP server as the user we found with the password - # we were given, therefore the password must be wrong so we fail and - # jump straight to the next external auth service - return 0; - } - # Any other checks you want to add? Add them here. # If we've survived to this point, we're good. --- 158,163 ----
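Review bot: the diff direction looks reversed. The headers read `*** LDAP.pm` (the modified file) against `--- LDAP.pm.orig`, so the `+` hunk at 83,105 adds the bind-before-group-check block and the `-` hunk at 141,163 removes the bind-after-group-check block, which is the opposite of the change Tony describes; `patch` run against a pristine LDAP.pm will flag it as reversed, so regenerate it as `diff -c LDAP.pm.orig LDAP.pm` (or apply with `-R`). In the intended order the comment `# The user is authenticated ok, but is there an LDAP Group to check?` above `if ($group) {` becomes inaccurate, since at that point only the service-account bind has happened; reword it. As Kevin notes above, the test suite needs cases for the reordered flow, in particular that a user whose group search fails is rejected before any bind as that user is attempted.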