Ruslan,

On 29/01/13 16:57, Ruslan Zakirov wrote:
> On Tue, Jan 29, 2013 at 7:17 PM, Tony Arnold
> <[email protected]> wrote:
>> Ruslan,
>>
>> Thanks. I can't find a patch for this on rt.cpan.org. I've found bug
>> #69500, which refers to version 0.09 of the ExternalAuth plugin, and I'm
>> on 0.12.
>>
>> Looking at the source of LDAP.pm a simple fix could be to check the
>> group membership before the user password check. Any reason why that
>> would not do the trick?
> 
> Would do. If you get to it, a patch may help the 0.13 release with the fix.

I've tried it and it seems to work, although it probably needs to be
more thoroughly tested.

I'm not sure what the best way of generating a patch file is, but I've
attached what I have done. Patch applies to

/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm

Regards,
Tony.
-- 
Tony Arnold,                        Tel: +44 (0) 161 275 6093
Head of IT Security,                Fax: +44 (0) 705 344 3082
University of Manchester,           Mob: +44 (0) 773 330 0039
Manchester M13 9PL.                 Email: [email protected]
*** LDAP.pm	Tue Jan 29 15:50:06 2013
--- LDAP.pm.orig	Tue Jan 29 15:45:00 2013
***************
*** 83,88 ****
--- 83,105 ----
      $RT::Logger->debug( "Found LDAP DN:", 
                          $ldap_dn);
  
+     # THIS bind determines success or failure on the password.
+     $ldap_msg = $ldap->bind($ldap_dn, password => $password);
+ 
+     unless ($ldap_msg->code == LDAP_SUCCESS) {
+         $RT::Logger->info(  $service,
+                             "AUTH FAILED", 
+                             $username, 
+                             "(can't bind:", 
+                             ldap_error_name($ldap_msg->code), 
+                             $ldap_msg->code, 
+                             ")");
+         # Could not bind to the LDAP server as the user we found with the password
+         # we were given, therefore the password must be wrong so we fail and
+         # jump straight to the next external auth service
+         return 0;
+     }
+ 
      # The user is authenticated ok, but is there an LDAP Group to check?
      if ($group) {
          my $group_val = lc $group_attr_val eq 'dn'
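Review bot: the header lists the files in reverse order (`*** LDAP.pm` as the old side, `--- LDAP.pm.orig` as the new side), so the `+` lines in this hunk describe LDAP.pm.orig, and `patch` run against a stock 0.12 LDAP.pm will either fail on context or ask to apply the patch reversed; regenerate it as `diff -c LDAP.pm.orig LDAP.pm` (or `diff -u`) so the bind block shows as removed here and added after the group check, or state that it needs `patch -R`. In the reordered file the surviving context line `# The user is authenticated ok, but is there an LDAP Group to check?` is no longer true where it sits, because no bind has happened yet when the group check runs; reword it to say the group check now precedes the password bind.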
***************
*** 141,163 ****
          }
      }
      
-     # THIS bind determines success or failure on the password.
-     $ldap_msg = $ldap->bind($ldap_dn, password => $password);
- 
-     unless ($ldap_msg->code == LDAP_SUCCESS) {
-         $RT::Logger->info(  $service,
-                             "AUTH FAILED", 
-                             $username, 
-                             "(can't bind:", 
-                             ldap_error_name($ldap_msg->code), 
-                             $ldap_msg->code, 
-                             ")");
-         # Could not bind to the LDAP server as the user we found with the password
-         # we were given, therefore the password must be wrong so we fail and
-         # jump straight to the next external auth service
-         return 0;
-     }
- 
      # Any other checks you want to add? Add them here.
  
      # If we've survived to this point, we're good.
--- 158,163 ----
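Review bot: this is a pure move of the bind block, which is fine, but it leaves an assumption worth confirming: `$ldap->bind($ldap_dn, password => $password)` with an empty `$password` is an unauthenticated bind that many directory servers answer with LDAP_SUCCESS, and the guard against an empty password is not visible in this diff. Check that it still runs before the group lookup in the new order, so an empty password is rejected before either the group search or this bind is reached. A one-line comment on the moved block saying that it now runs only for users who already passed the group check would save the next reader a trip back to the hunk above.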
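The reordering the thread describes, as an added example that is not part of the original message or of RT::Authen::ExternalAuth: a fake LDAP object stands in for Net::LDAP so the two orders of the group check and the per-user password bind can be run side by side without a directory server. `FakeLDAP`, `FakeLDAP::Result`, `auth_bind_then_group`, `auth_group_then_bind` and the sample directory entries are assumptions made up for the illustration.

```perl
#!/usr/bin/env perl
# Added example, not code from RT::Authen::ExternalAuth: models the group check
# and the per-user password bind in both orders discussed in the thread.
# FakeLDAP, FakeLDAP::Result, auth_bind_then_group, auth_group_then_bind and
# the sample directory below are hypothetical stand-ins for Net::LDAP and a
# real directory.
use strict;
use warnings;

package FakeLDAP;

use constant LDAP_SUCCESS             => 0;
use constant LDAP_INVALID_CREDENTIALS => 49;

# Constructed sample directory: DN => password and RT-group membership.
my %DIRECTORY = (
    'uid=alice,ou=people,dc=example,dc=com' => { password => 's3cret',  in_group => 1 },
    'uid=bob,ou=people,dc=example,dc=com'   => { password => 'hunter2', in_group => 0 },
);

sub new { my ($class) = @_; return bless { binds => [] }, $class }

# Stand-in for Net::LDAP->bind($dn, password => $pw). Every attempt is recorded
# so the caller can see whether a password was ever tried against the directory.
# This fake rejects an empty password outright; a real server may treat it as an
# unauthenticated bind and answer LDAP_SUCCESS, which is why the caller must
# reject empty passwords before calling bind().
sub bind {
    my ($self, $dn, %opt) = @_;
    push @{ $self->{binds} }, $dn;
    my $entry = $DIRECTORY{$dn};
    my $ok = $entry
          && defined $opt{password}
          && length $opt{password}
          && $opt{password} eq $entry->{password};
    return FakeLDAP::Result->new($ok ? LDAP_SUCCESS : LDAP_INVALID_CREDENTIALS);
}

# Stand-in for the group-membership search done under the service account.
sub is_member {
    my ($self, $dn) = @_;
    return ($DIRECTORY{$dn} && $DIRECTORY{$dn}{in_group}) ? 1 : 0;
}

sub binds_attempted { my ($self) = @_; return scalar @{ $self->{binds} } }

package FakeLDAP::Result;

sub new  { my ($class, $code) = @_; return bless { code => $code }, $class }
sub code { my ($self) = @_; return $self->{code} }

package main;

# Order in the unpatched file: bind as the user first, then check the group.
sub auth_bind_then_group {
    my ($ldap, $dn, $password) = @_;
    return 0 unless $ldap->bind($dn, password => $password)->code == FakeLDAP::LDAP_SUCCESS;
    return 0 unless $ldap->is_member($dn);
    return 1;
}

# Order after the patch: check the group first, bind only for members.
sub auth_group_then_bind {
    my ($ldap, $dn, $password) = @_;
    return 0 unless $ldap->is_member($dn);
    return 0 unless $ldap->bind($dn, password => $password)->code == FakeLDAP::LDAP_SUCCESS;
    return 1;
}

my @cases = (
    [ 'uid=alice,ou=people,dc=example,dc=com', 's3cret'      ],  # member, right password
    [ 'uid=alice,ou=people,dc=example,dc=com', 'wrong-guess' ],  # member, wrong password
    [ 'uid=bob,ou=people,dc=example,dc=com',   'wrong-guess' ],  # non-member, wrong password
);

for my $order ([ 'bind then group', \&auth_bind_then_group ],
               [ 'group then bind', \&auth_group_then_bind ]) {
    my ($label, $fn) = @$order;
    print "$label:\n";
    for my $case (@cases) {
        my ($dn, $password) = @$case;
        my $ldap   = FakeLDAP->new;
        my $result = $fn->($ldap, $dn, $password);
        printf "  %-40s auth=%d binds=%d\n", $dn, $result, $ldap->binds_attempted;
    }
}
```

Run it with `perl`. The only row that differs between the two orders is bob's: with the group check first, a password for a directory user who is not in the RT group is never presented to the server at all (binds=0), while in the original order every login attempt, member or not, results in a bind as that user. The fake's refusal of an empty password is stricter than many real servers, so it does not remove the need for the empty-password guard that has to run before either check.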