Hi there,
Some time ago I got an authentication failure when using the LDAP overlay
(Jim Meyer's contribution).
I noticed this would happen when an LDAP user logged in (web) for the
first time, which in turn would let the autohandler callback do the user
auto-creation.
The failure would occur in the following snippet of autohandler/Auth
callback:
my $UserObj = RT::User->new($RT::SystemUser);
my ($val, $msg) = $UserObj->SetName($user); <<--
Somehow the user name was never set. The return message ($msg) was 'Can
not modify system users'.
Since IsLDAPPassword() needs the user name to fill out an LDAP filter, this
filter ends up having empty user info, causing the operation to fail.
Please see output below:
[Wed Aug 16 17:35:36 2006] [debug]: RT::User::IsLDAPPassword search for
(&(sAMAccountName=)(objectclass=user)) failed: LDAP_INVALID_SYNTAX 21
(/l/disk0/tools/rt/gp/local/lib/RT/User_Local.pm:176)
Note that sAMAccountName is empty!
To fix this problem, I made some changes to Auth callback and
User_Local.pm. Please see attached file for more information.
Basically I added a new argument to the IsPassword() method in order to have
user information when creating an LDAP filter.
Please let me know your comments on this.
I want to make sure I am not messing up Jim Meyer's contribution.
Thanks,
Dário
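As an added illustration (not part of Dário's patch or of the RT/LDAP overlay code), the following shows one way to build the name filter so that an empty name is refused up front instead of producing the "(sAMAccountName=)" search seen in the log, and so that the login name is escaped before it reaches Net::LDAP::Filter. The helper name _BuildNameFilter and the sample inputs are assumptions; escape_filter_value is the real function from Net::LDAP::Util.

```perl
# Added example, not code from the patch above. Assumed helper: _BuildNameFilter.
use strict;
use warnings;
use Net::LDAP::Util qw(escape_filter_value);
use Net::LDAP::Filter;

# Returns the filter string, or undef when no usable name exists, so the
# caller can refuse the authentication attempt rather than search on an
# empty value (the LDAP_INVALID_SYNTAX failure reported in the thread).
sub _BuildNameFilter {
    my ($name_attr, $candidate, $fallback, $extra_filter) = @_;

    # Prefer the name the caller passed (the login form value); fall back to
    # the object's own Name, which is empty when SetName has failed.
    my $name = (defined $candidate && $candidate ne '') ? $candidate : $fallback;
    return undef unless defined $name && $name ne '';

    # Escape '*', '(', ')', '\' and NUL so characters in the login name are
    # matched literally instead of being parsed as filter syntax.
    my $safe = escape_filter_value($name);
    return "(&($name_attr=$safe)$extra_filter)";
}

# Constructed sample inputs using the attribute names seen on the page.
my $attr  = 'sAMAccountName';
my $extra = '(objectclass=user)';

# [login form value, $self->Name] pairs: normal login, empty name (the bug),
# and a name containing filter metacharacters.
for my $case (['jdoe', ''], ['', ''], ['o(neil)*', '']) {
    my $f = _BuildNameFilter($attr, $case->[0], $case->[1], $extra);
    if (defined $f) {
        Net::LDAP::Filter->new($f) or die "unparseable filter: $f";
        print "$f\n";
    } else {
        print "refusing search: no user name available\n";
    }
}
```

The third case prints the name with its parentheses and asterisk encoded as \28, \29 and \2a, which is what a correctly escaped filter looks like.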
diff -prauN local/html/Callbacks/LDAP/autohandler/Auth
local.new/html/Callbacks/LDAP/autohandler/Auth
--- local/html/Callbacks/LDAP/autohandler/Auth 2006-08-16 14:37:51.000000000
-0300
+++ local.new/html/Callbacks/LDAP/autohandler/Auth 2006-08-16
14:41:04.000000000 -0300
@@ -14,7 +14,7 @@ unless ($session{'CurrentUser'}) {
my $UserObj = RT::User->new($RT::SystemUser);
my ($val, $msg) = $UserObj->SetName($user);
- if ($UserObj->IsPassword($pass)) {
+ if ($UserObj->IsPassword($pass,$user)) {
### If there were a standard param to check for whether or not
we
### should autocreate users, we'd check it here.
my ($val, $msg) =
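Review bot: the return value of SetName is still ignored in this hunk, yet the message above says SetName fails with 'Can not modify system users', which is the only reason `$user` now has to be passed to IsPassword separately; check `$val` and log or bail out when the name could not be set instead of continuing with an object whose Name is empty. Note also that `$user` comes straight from the login form, so the receiving methods must treat it as untrusted input.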
@@ -57,3 +57,4 @@ $user => undef
$pass => undef
$menu => undef
</%ARGS>
+
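Review bot: this hunk only appends a blank line after `</%ARGS>`; drop the whitespace-only change so the patch stays limited to the fix.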
diff -prauN local/lib/RT/User_Local.pm local.new/lib/RT/User_Local.pm
--- local/lib/RT/User_Local.pm 2006-08-16 14:37:51.000000000 -0300
+++ local.new/lib/RT/User_Local.pm 2006-08-16 14:39:07.000000000 -0300
@@ -142,6 +142,7 @@ sub LdapConfigAuthAndInfoAreSame {
sub IsLDAPPassword {
my $self = shift;
my $value = shift;
+ my $user = shift;
# Don't ask for external authentication unless enabled in RT_SiteConfig
unless ($RT::LdapExternalAuth) {
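Review bot: the new optional `$user` argument to IsLDAPPassword is undocumented; add a comment above the `shift`s saying it is the login name to search for when the object's own Name is not yet set, since the method is also reached through the `$self->$method` dispatch in IsPassword.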
@@ -163,8 +164,16 @@ sub IsLDAPPassword {
my $ldap = $self->_GetBoundLdapObj('Auth', version=>3);
return unless ($ldap);
- my $filter_string = '(&(' . $RT::LdapAttrMap->{'Name'} . '=' .
+ $RT::Logger->debug("[IsLDAPPassword] user=$user");
+ my $filter_string = '';
+ if ( ( !defined($user) ) or ( $user eq '' ) ) {
+ $filter_string = '(&(' . $RT::LdapAttrMap->{'Name'} . '=' .
$self->Name . ')' . $ldap_filter . ')';
+ } else {
+ $filter_string = '(&(' . $RT::LdapAttrMap->{'Name'} . '=' .
+ $user . ')' . $ldap_filter . ')';
+ }
+
my $filter = Net::LDAP::Filter->new($filter_string);
my $ldap_msg = $ldap->search(base => $ldap_base,
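Review bot: `$user` is concatenated into `$filter_string` without escaping, and Net::LDAP::Filter->new will parse whatever characters it contains as filter syntax; pass it through `Net::LDAP::Util::escape_filter_value($user)` before building the filter. The two branches also duplicate the filter text and still produce an empty `(sAMAccountName=)` when both `$user` and `$self->Name` are empty, the exact failure reported in the log above; collapse them into one expression, e.g. `my $name = (defined $user && $user ne '') ? $user : $self->Name;`, and `return unless` that name is non-empty. The added debug line writes the raw login name to the log; confirm that is acceptable for the log's audience.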
@@ -227,6 +236,7 @@ sub IsLDAPPassword {
sub IsInternalPassword {
my $self = shift;
my $value = shift;
+ my $user = shift;
unless ($self->HasPassword) {
$RT::Logger->info((caller(0))[3],
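Review bot: `$user` is accepted by IsInternalPassword but not used anywhere in the visible lines; if it is only there so the dispatch in IsPassword can pass it uniformly to every `Is<auth>Password` method, say so in a comment, otherwise drop it.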
@@ -262,6 +272,7 @@ sub IsInternalPassword {
sub IsPassword {
my $self = shift;
my $value = shift;
+ my $user = shift;
#TODO there isn't any apparent way to legitimately ACL this
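Review bot: IsPassword gains a third positional argument here without documentation; state that `$user` is optional and only consulted by the LDAP backend, so existing two-argument callers keep working unchanged.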
@@ -285,7 +296,7 @@ sub IsPassword {
# Eval this since they might specify an auth method without
# an "Is<auth>Password" method implemented
eval {
- $success = $self->$method($value);
+ $success = $self->$method($value,$user);
};
$RT::Logger->debug((caller(0))[3], "auth method $method",
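Review bot: every `Is<auth>Password` method now receives `$user` as a second argument, including site-local ones written for a single argument; harmless in Perl, but a note next to the eval would tell authors of other backends that the argument exists and that it is the unescaped login name.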
@@ -627,3 +638,4 @@ sub UpdateFromLdap {
}
1;
+
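Review bot: whitespace-only change after `1;`; drop it so the hunk does not touch the end of the file.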