
This queue is for tickets about the RT-Authen-ExternalAuth CPAN distribution.

Report information
The Basics
Id: 70941
Status: resolved
Priority: 0/
Queue: RT-Authen-ExternalAuth

People
Owner: Nobody in particular
Requestors: mepstein [...] illinois.edu
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: RT-Authen-ExternalAuth modification, group membership check
Date: Tue, 13 Sep 2011 15:24:14 -0500 (CDT)
To: bug-RT-Authen-ExternalAuth [...] rt.cpan.org
From: Milt Epstein <mepstein [...] illinois.edu>
Greetings,

My colleague and I have made a minor but hopefully useful modification to RT-Authen-ExternalAuth. Based on the text at:

http://requesttracker.wikia.com/wiki/ExternalAuth

this is an attempt to pass this modification back to the authors of this module.

Right now it is possible to have LDAP authentication depend on a group membership, by specifying the group and group_attr LDAP settings. But the value of group_attr is fixed as the dn of the user. Our modification allows this value to be either the dn or the username itself. It adds the LDAP setting group_attr_is_dn. It is similar to the mod_authnz_ldap directive AuthLDAPGroupAttributeIsDN:

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapgroupattributeisdn

In particular, it defaults to 1 (i.e., true).

Below are the diffs in the two files necessary for this change (etc/RT_SiteConfig.pm and lib/RT/Authen/ExternalAuth/LDAP.pm). We have tested this modification in our setup (using OpenLDAP).

Milt Epstein
Applications Developer
Graduate School of Library and Information Science (GSLIS)
University of Illinois at Urbana-Champaign (UIUC)
mepstein@illinois.edu

diff -u RT_SiteConfig.pm RT_SiteConfig.pm.orig --- RT_SiteConfig.pm 2011-09-13 13:28:16.220536389 -0500 +++ RT_SiteConfig.pm.orig 2011-09-08 15:51:52.076585790 -0500
@@ -130,10 +130,6 @@ 'group' => 'GROUP_NAME', # What is the attribute for the group object that determines membership? 'group_attr' => 'GROUP_ATTR', - # Whether the membership attribute value is the dn or the username - # This is similar to AuthLDAPGroupAttributeIsDN in mod_authnz_ldap: - # http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapgroupattributeisdn - 'group_attr_is_dn' => 1, ## RT ATTRIBUTE MATCHING SECTION # The list of RT attributes that uniquely identify a user # This example shows what you *can* specify.. I recommend reducing this diff -u LDAP.pm LDAP.pm.orig --- LDAP.pm 2011-09-13 11:34:22.525531397 -0500 +++ LDAP.pm.orig 2011-09-13 10:22:04.344531352 -0500 @@ -19,10 +19,6 @@ my $filter = $config->{'filter'}; my $group = $config->{'group'}; my $group_attr = $config->{'group_attr'}; - # defaults to 1/true if not set - my $group_attr_is_dn = - defined($config->{'group_attr_is_dn'}) ? - $config->{'group_attr_is_dn'} : 1; my $attr_map = $config->{'attr_map'}; my @attrs = ('dn'); @@ -99,9 +95,7 @@ # The user is authenticated ok, but is there an LDAP Group to check? if ($group) { # If we've been asked to check a group... - # The attribute value to check against, either the dn or the username - my $attr_val = $group_attr_is_dn ? $ldap_dn : $username; - $filter = Net::LDAP::Filter->new("(${group_attr}=${attr_val})"); + $filter = Net::LDAP::Filter->new("(${group_attr}=${ldap_dn})"); $RT::Logger->debug( "LDAP Search === ", "Base:",
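Review bot: the RT_SiteConfig.pm hunk is reversed. `diff -u` was run with the modified file as the first argument and the `.orig` copy as the second, so the added comment and the new `'group_attr_is_dn' => 1,` line show up as `-` lines and the header reads `@@ -130,10 +130,6 @@` (ten lines shrinking to six). Regenerate it as `diff -u RT_SiteConfig.pm.orig RT_SiteConfig.pm`, or tell maintainers to apply with `patch -R`, so the change is not applied backwards; the same applies to both LDAP.pm hunks. While regenerating, have the config comment state the default ("defaults to 1, compare the dn") so an admin reading only RT_SiteConfig.pm knows what happens when the key is omitted.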
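Review bot: in the first LDAP.pm hunk the `defined($config->{'group_attr_is_dn'}) ? ... : 1` fallback is the right shape (a `||` default would silently turn `'group_attr_is_dn' => 0` back into 1), but the default of 1 now lives in two places, this code and the sample config. Keep the code as the single source of truth and document the config key as optional; also consider a one-line comment next to `my $attr_val` in the next hunk rather than here, since that is where the value actually changes behaviour.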
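Review bot: in the second LDAP.pm hunk, when `group_attr_is_dn` is 0 the filter `"(${group_attr}=${attr_val})"` interpolates `$username` unescaped. The original `$ldap_dn` came back from the directory, but `$username` is the name the user typed at login, and `Net::LDAP::Filter->new` parses the string, so `*`, `(`, `)` and `\` in it change the filter: a login name of `*` turns the membership test into `(${group_attr}=*)`, which matches any group that has at least one member. Unless the login name is already validated earlier in this file (not visible in the hunk), wrap it with `Net::LDAP::Util::escape_filter_value($username)` before building the filter, and treat `$ldap_dn` the same way for consistency:

    my $attr_val = $group_attr_is_dn ? $ldap_dn : $username;
    $filter = Net::LDAP::Filter->new("(${group_attr}=" . escape_filter_value($attr_val) . ")");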
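The membership check described in this message, as an added illustration in Python rather than the module's Perl; it is not code from RT-Authen-ExternalAuth or from the ticket. It mirrors the patched logic (compare `group_attr` with the user's dn when `group_attr_is_dn` is 1, with the login name when it is 0, defaulting to 1), adds the RFC 4515 escaping the Perl gets from `Net::LDAP::Util::escape_filter_value`, and evaluates the resulting filter against two constructed group entries to show why the login name must be escaped. The config keys, DNs and group entries are made up, and `entry_matches` implements only the single equality filter needed here.

```python
"""Group-membership filter construction, with and without RFC 4515 escaping."""
import re

# Characters RFC 4515 requires to be escaped inside an assertion value.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value.
    Net::LDAP::Util::escape_filter_value does the same job in Perl."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse escape_filter_value: backslash + two hex digits -> character."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def group_filter(config: dict, ldap_dn: str, username: str,
                 escape: bool = True) -> str:
    """Build the membership filter the way the patched LDAP.pm does.

    config holds the relevant (hypothetical) RT_SiteConfig.pm LDAP keys:
      group_attr        attribute on the group entry that lists members
      group_attr_is_dn  1: compare with the dn, 0: compare with the username
                        (absent means 1, as in the patch)
    escape=False reproduces the raw interpolation "(${group_attr}=${attr_val})".
    """
    attr_val = ldap_dn if config.get("group_attr_is_dn", 1) else username
    if escape:
        attr_val = escape_filter_value(attr_val)
    return f"({config['group_attr']}={attr_val})"


def entry_matches(entry: dict, filter_str: str) -> bool:
    """Minimal evaluator for one equality filter "(attr=value)".

    Just enough of RFC 4515 to show the difference: a bare "*" is a presence
    test (any value of attr matches); anything else is compared literally
    after unescaping.  Attribute names compare case-insensitively.
    """
    m = re.fullmatch(r"\(([\w-]+)=(.*)\)", filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str}")
    attr, value = m.group(1).lower(), m.group(2)
    values = next((v for k, v in entry.items() if k.lower() == attr), [])
    if value == "*":
        return bool(values)
    return unescape_filter_value(value) in values


def is_member(config: dict, group_entry: dict, ldap_dn: str, username: str,
              escape: bool = True) -> bool:
    """Run the membership check for one authenticated user against one group."""
    return entry_matches(group_entry, group_filter(config, ldap_dn, username, escape))


# Constructed sample entries (not real directory data).
# A posixGroup lists members by login name -> checked with group_attr_is_dn = 0.
RT_USERS_GROUP = {"cn": ["rt-users"], "objectClass": ["posixGroup"],
                  "memberUid": ["alice", "bob"]}
# A groupOfNames lists members by dn -> checked with the default (dn) mode.
RT_ADMINS_GROUP = {"cn": ["rt-admins"], "objectClass": ["groupOfNames"],
                   "member": ["uid=alice,ou=people,dc=example,dc=org"]}

UID_CFG = {"group_attr": "memberUid", "group_attr_is_dn": 0}
DN_CFG = {"group_attr": "member"}  # group_attr_is_dn omitted -> defaults to dn

if __name__ == "__main__":
    alice_dn = "uid=alice,ou=people,dc=example,dc=org"
    print(group_filter(DN_CFG, alice_dn, "alice"))        # dn mode
    print(group_filter(UID_CFG, alice_dn, "alice"))       # username mode
    # A login name of "*" interpolated raw becomes a presence filter and
    # passes the check for a user who is in no group; escaped, it does not.
    print(group_filter(UID_CFG, "", "*", escape=False),
          is_member(UID_CFG, RT_USERS_GROUP, "", "*", escape=False))
    print(group_filter(UID_CFG, "", "*"),
          is_member(UID_CFG, RT_USERS_GROUP, "", "*"))
```

The evaluator is deliberately tiny; a real server applies the same presence-versus-literal distinction, which is why the escaped form `(memberUid=\2a)` can only ever match a member literally named `*`.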
A more flexible version of this feature is in the development version of RT-Authen-ExternalAuth 0.09_01 that I just released. You want the group_attr_value option. Please test it out and let me know if it works for you. I'm closing this ticket in the meantime. If you reply, we'll see it and the ticket will automatically reopen. Thanks, Thomas