Hi there,
this patch enhances the LDAP auth module to support group authentication,
so users will only be authenticated if they are in an appropriate
group. I used posixGroups, but since you can define anything as the
access_attr this shouldn't be much of a problem.
--
Regards,
Wiktor Wodecki
diff -burN OpenTRS.orig/Kernel/Config.pm OpenTRS/Kernel/Config.pm
--- OpenTRS.orig/Kernel/Config.pm Fri Nov 29 14:52:51 2002
+++ OpenTRS/Kernel/Config.pm Fri Nov 29 15:34:42 2002
@@ -134,8 +134,13 @@
# (take care that Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'ldap1.d1.net-m.de';
- $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=net-m,dc=de';
+ $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=user,dc=net-m,dc=de';
$Self->{'AuthModule::LDAP::UID'} = 'uid';
+
+ # check if the user is allowed to auth in a posixGroup
+ $Self->{'AuthModule::LDAP::GroupDN'} =
+'cn=otrsallow,ou=posixGroups,dc=net-m,dc=de';
+ $Self->{'AuthModule::LDAP::access_attr'} = 'memberUid';
+
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
# $Self->{'AuthModule::LDAP::SearchUserDN'} = '';
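Review bot: The comment above the new GroupDN/access_attr keys should say that the group check is not optional once this patch is applied: LDAP.pm reads both keys with a `|| ''` fallback and then rejects any login for which the group search returns no entry, so omitting these two settings disables every LDAP login rather than skipping the check. I would replace `# check if the user is allowed to auth in a posixGroup` with `# Required: only members of this group (looked up via access_attr) may log in; leaving GroupDN empty rejects all LDAP logins.` The example values are site-specific and fine as samples, but a one-line hint that access_attr is the group attribute holding the user's UID (e.g. memberUid for posixGroup) would help the next admin.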
diff -burN OpenTRS.orig/Kernel/System/Auth/LDAP.pm OpenTRS/Kernel/System/Auth/LDAP.pm
--- OpenTRS.orig/Kernel/System/Auth/LDAP.pm Sat Aug 3 13:57:43 2002
+++ OpenTRS/Kernel/System/Auth/LDAP.pm Fri Nov 29 15:33:57 2002
@@ -53,6 +53,8 @@
|| die "Need AuthModule::LDAPBaseDN in Kernel/Config.pm";
$Self->{SearchUserDN} =
$Self->{ConfigObject}->Get('AuthModule::LDAP::SearchUserDN') || '';
$Self->{SearchUserPw} =
$Self->{ConfigObject}->Get('AuthModule::LDAP::SearchUserPw') || '';
+ $Self->{GroupDN} = $Self->{ConfigObject}->Get('AuthModule::LDAP::GroupDN') || '';
+ $Self->{access_attr} =
+$Self->{ConfigObject}->Get('AuthModule::LDAP::access_attr') || '';
return $Self;
}
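Review bot: The two new settings are read with a silent `|| ''` default, which is inconsistent with the BaseDN line just above that dies on a missing key; since the group check is mandatory in the authentication path, a missing GroupDN should fail at construction rather than surface as every login being rejected. I would write `$Self->{GroupDN} = $Self->{ConfigObject}->Get('AuthModule::LDAP::GroupDN') || die "Need AuthModule::LDAP::GroupDN in Kernel/Config.pm";` and likewise for access_attr. The key name `access_attr` also breaks the CamelCase convention of the neighbouring `SearchUserDN`/`SearchUserPw` keys; `AccessAttr` would match. The constructor this hunk belongs to starts outside the hunk.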
@@ -110,9 +112,33 @@
$UserDN = $Entry->dn();
}
# --
+ # just in case
+ # --
+ if ($Self->{Debug} > 0) {
+ $Self->{LogObject}->Log(
+ Priority => 'notice',
+ Message => "check for groupdn!",
+ );
+ }
+ # --
+ # search if we're allowed to
+ # --
+ my $Result2 = $LDAP->search (
+ base => $Self->{GroupDN},
+ filter => "($Self->{access_attr}=$Param{User})"
+ );
+ # --
+ # extract it
+ # --
+ my $GroupDN = '';
+ foreach my $Entry ($Result2->all_entries) {
+ $GroupDN = $Entry->dn();
+ }
+
+ # --
# log if there is no LDAP entry
# --
- if (!$UserDN) {
+ if ((!$UserDN) || (!$GroupDN)) {
# --
# failed login note
# --
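Review bot: The group search filter interpolates `$Param{User}` unescaped into `"($Self->{access_attr}=$Param{User})"`, so a login name containing LDAP filter metacharacters (`*`, `(`, `)`, `\`) changes the filter itself and the group check can no longer be relied on to restrict access. Escape the value before building the filter: `use Net::LDAP::Util qw(escape_filter_value);` at the top of the module and `filter => "($Self->{access_attr}=" . escape_filter_value($Param{User}) . ")"` here; the existing user search above this hunk presumably builds its filter the same way and should get the same treatment. `$Result2->code` is only inspected in the later hunk after the bind, so a failed group search (bad base DN, server error) is first consumed by `all_entries` here; checking `$Result2->code` right after the search and logging it under the existing failed-login note would make the failure visible in the log. The enclosing Auth method starts and ends outside this hunk.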
@@ -130,7 +156,7 @@
# bind with user data
# --
$Result = $LDAP->bind(dn => $UserDN, password => $Param{Pw});
- if ($Result->code) {
+ if (($Result->code) || ($Result2->code)) {
# --
# failed login note
# --