Your message dated Wed, 22 Nov 2017 16:57:04 +0900
with message-id <[email protected]>
and subject line Re: redmine: more secure LDAP authentication
has caused the Debian Bug report #606979,
regarding redmine: more secure LDAP authentication
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
606979: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606979
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: redmine
Version: 1.0.1-1
Severity: wishlist
Tags: patch

Hi,

I have been using this Debian package since 0.9.1 in production. Since we are
in an LDAP environment, we started using the LDAP configuration. However, the
default configuration requires you to set a superuser password to bind with
at first, which is absolutely not necessary in LDAP...

I have submitted a patch to fix this about 10 months ago upstream, and so far
they have failed to take that into account. I have just ported the patch to
1.0.1 and thought other Debian users could benefit from this, so I include it
here for your convenience. Hopefully it will get merged upstream eventually.

It doesn't modify the database so it should be fairly safe to use even if upstream
takes a different direction.

See attached patch.

-- System Information:
Debian Release: 5.0.7
  APT prefers stable
  APT policy: (500, 'stable'), (2, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-vserver-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages redmine depends on:
ii  dbconfig-common         1.8.39           common framework for packaging dat
ii  debconf [debconf-2.0]   1.5.24           Debian configuration management sy
ii  libactionmailer-ruby    2.3.5-1~bpo50+1  Framework for generation of custom
ii  libactionpack-ruby      2.3.5-1~bpo50+1  Controller and View framework used
ii  libactiveresource-ruby  2.3.5-1~bpo50+1  Connects objects and REST web serv
ii  libactivesupport-ruby   2.3.5-1~bpo50+1  utility classes and extensions (Ru
ii  libjs-scriptaculous     1.8.3-1~bpo50+1  JavaScript library for dynamic web
ii  rails                   2.3.5-1~bpo50+1  MVC ruby based framework geared fo
ii  redmine-mysql           0.9.1-1~bpo50+1  metapackage providing MySQL depend
ii  ruby                    4.2              An interpreter of object-oriented 
ii  ruby1.8                 1.8.7.72-3lenny1 Interpreter of object-oriented scr

redmine recommends no packages.

Versions of packages redmine suggests:
ii  libopenid-ruby             2.1.2debian-1 Ruby library for verifying and ser
pn  librmagick-ruby            <none>        (no description available)
pn  libsvn-ruby                <none>        (no description available)

-- debconf information excluded
--- app/models/auth_source_ldap.rb.orig 2010-12-13 10:57:01.000000000 -0500
+++ app/models/auth_source_ldap.rb      2010-12-13 10:57:06.000000000 -0500
@@ -33,7 +33,7 @@
   
   def authenticate(login, password)
     return nil if login.blank? || password.blank?
-    attrs = get_user_dn(login)
+    attrs = get_user_dn(login, password)
     
     if attrs && attrs[:dn] && authenticate_dn(attrs[:dn], password)
       logger.debug "Authentication successful for '#{login}'" if logger && 
logger.debug?
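Review bot: In authenticate, the changed call get_user_dn(login, password) is followed by the unchanged guard `if attrs && attrs[:dn] && authenticate_dn(attrs[:dn], password)`, so when the "$login" template is in use the same user credential is bound twice, once for the lookup and once for the check. Please add a comment here saying why both binds are kept, and confirm that a rejected first bind makes get_user_dn return nil rather than raise, because this guard only handles a nil or DN-less result. The new password argument should also stay out of any debug logging added on this path; the existing logger.debug line only prints the login, which is the right level.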
@@ -100,8 +100,12 @@
   end
 
   # Get the user's dn and any attributes for them, given their login
-  def get_user_dn(login)
-    ldap_con = initialize_ldap_con(self.account, self.account_password)
+  def get_user_dn(login, password)
+    if self.account.include? "$login" then
+      ldap_con = initialize_ldap_con(self.account.sub("$login", login), 
password)
+    else
+      ldap_con = initialize_ldap_con(self.account, self.account_password)
+    end
     login_filter = Net::LDAP::Filter.eq( self.attr_login, login ) 
     object_filter = Net::LDAP::Filter.eq( "objectClass", "*" ) 
     attrs = {}
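Review bot: In get_user_dn, `self.account.sub("$login", login)` puts the user-supplied login into the bind DN without any escaping, so characters that are special in a distinguished name (for example `,`, `+`, `=`, `"`, `\`, `<`, `>`, `;`, or a leading `#` or space) change the DN that is bound instead of being treated as part of the name. Escape the login per RFC 4514 before substituting it, and use the block form of sub (`sub("$login") { escaped_login }`), since String#sub interprets backslash sequences in a string replacement. Two smaller points: the method now requires a second argument, so any other caller of get_user_dn(login) would fail unless the parameter gets a default such as `password = nil`; and the "$login" placeholder and the fact that account_password is ignored in that mode should be documented in the comment above the method, which still describes only the old behaviour.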

--- End Message ---
--- Begin Message ---
Quack,

So this is fixed in all Debian versions, closing.

Thanks for reporting this problem.

\_o<

--
Marc Dequènes

--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
