Comments on my active directory experience

This is part of my autohandler; I used it to do an ExternalUserInfo
lookup:

# If RT is configured for external auth, let's get REMOTE_USER
elsif ($RT::WebExternalAuth and length($ENV{'REMOTE_USER'})) {
    my $orig_user = $user;

    $user = $ENV{'REMOTE_USER'};
    $session{'CurrentUser'} = RT::CurrentUser->new();
    my $load_method = $RT::WebExternalGecos ? 'LoadByGecos' : 'Load';

    # on Windows REMOTE_USER arrives as NODENAME\user; keep the bare name
    if ($^O eq 'MSWin32' and $RT::WebExternalGecos) {
        my $NodeName = Win32::NodeName();
        $user =~ s/^\Q$NodeName\E\\//i;
    }

    $session{'CurrentUser'}->$load_method($user);

    if ($RT::WebExternalAuto and !$session{'CurrentUser'}->Id() ) {
        # Create users on-the-fly with default attributes

        my $UserObj = RT::User->new(RT::CurrentUser->new('root'));

        # Lines inserted for LDAP User Lookup

        my %UserInfo = ();
        my $UserFoundInExternalDatabase;
        ( $UserFoundInExternalDatabase, %UserInfo ) =
             RT::EmailParser::LookupExternalUserInfo($user, $user);

        # %UserInfo comes last, so fields found in LDAP override the
        # defaults above
        my ($val, $msg) = $UserObj->Create(
            %{ref($RT::AutoCreate) ? $RT::AutoCreate : {}},
            Name         => $user,
            Gecos        => $user,
            %UserInfo,   # added by SeS
        );

LookupExternalUserInfo is in EmailParser_Local, but this function is
also in EmailParser, where it is empty.
So I think it wouldn't be bad to insert this code in the
distribution, because I saw that many people are interested in an
external lookup?
Jesse?

I also had to add a use RT::EmailParser in
/usr/share/perl5/HTML/Mason/Request.pm, so the autohandler is able to
call the lookup function.

The change in the normal user creation would also be interesting; I
already sent it, also as a bug. It would be interesting so that anyone
who has an external lookup function only has to insert that function in
EmailParser_Local without touching the rest of the system.

Samuel

-----Original Message-----
From: John Jasen [mailto:jjasen@datafoundation.com]
Sent: Monday, 28 July 2003 20:15
To: Senoner Samuel
Subject: comments on my active directory experience

Do you have a diff or a text file of what you did to
var/mason_data/obj/standard/autohandler? There's a lot of mungery in the
html archive...

http://lists.fsck.com/pipermail/rt-users/2003-July/015399.html

this is mostly for people crawling the archives like I was doing last week.

What I did to get Active Directory / LDAP working.

*) used latest apache, compiled with --with-ldap --enable-ldap
--enable-auth-ldap

*) have the following in my apache config:

<VirtualHost 172.30.1.60>
ServerName tracker.intransa.com
DocumentRoot /usr/local/rt3/share/html
AddDefaultCharset UTF-8

 PerlModule Apache2 Apache::compat

 PerlModule Apache::DBI
 PerlRequire /usr/local/rt3/bin/webmux.pl

 <Directory />
     AuthType Basic
     AuthName "Request Tracker"

     # sAMAccountName is the first.last style user name
     AuthLDAPURL "ldap://my.ldap/dc=mydomain,dc=com?sAMAccountName"
     # need this account and setting because Active Directory
     # does not allow anonymous binding by default
     AuthLDAPBindDN "dummy.user@mydomain.com"
     AuthLDAPBindPassword "asdfg"
     # "off" passes users LDAP cannot find on to any later auth module;
     # leave it "on" unless another module is meant to answer
     AuthLDAPAuthoritative off
     require valid-user
 </Directory>

 <FilesMatch "\.html$">
     SetHandler perl-script
     PerlHandler RT::Mason
 </FilesMatch>
 <LocationMatch "/Attachment/">
     SetHandler perl-script
     PerlHandler RT::Mason
 </LocationMatch>
 <LocationMatch "/REST/">
     SetHandler perl-script
     PerlHandler RT::Mason
 </LocationMatch>
 # need this so the mail gateway still works
 <LocationMatch "/REST/1.0/NoAuth/">
     Satisfy Any
     Allow from all
 </LocationMatch>

*) I have tweaked var/mason_data/obj/standard/autohandler to add users
whenever a new user is authenticated. This means the user logs into the
web site once and then both mail and web access works.

I added in some magic from Chris Gilmore and others so some Net::LDAP
magic is called. This is because $realname has no value when using the
apache ldap authentication, so we have to look it up. Once again,
sAMAccountName is the key.

use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Net::LDAP::Constant qw(LDAP_SUCCESS);

use constant LDAP      => q(my.ldap.server);
use constant LDAP_PORT => q(389);
use constant LDAP_BASE => q(dc=mydomain,dc=com);
use constant LDAP_UID  => q(sAMAccountName);
use constant LDAP_CN   => q(cn);

sub LookupLdapUserInfo {
    my ($user) = @_;

    my $ldap = Net::LDAP->new(LDAP, port => LDAP_PORT)
        or return undef;

    my $mesg = $ldap->bind('cn=Request Tracker,cn=Users,dc=mydomain,dc=com',
                           password => 'asdfg');
    return undef unless $mesg->code == LDAP_SUCCESS;

    # escape_filter_value() stops a name containing ( ) * or \ from
    # changing the meaning of the filter
    my $filter = '(' . LDAP_UID . '=' . escape_filter_value($user) . ')';
    $mesg = $ldap->search(base   => LDAP_BASE,
                          filter => $filter,
                          attrs  => [ LDAP_CN ]);
    return undef unless $mesg->code == LDAP_SUCCESS;

    # accept exactly one match, and only if it carries a non-empty cn
    my $cn = $mesg->count == 1 ? $mesg->entry(0)->get_value(LDAP_CN) : undef;

    $ldap->unbind();

    return (defined $cn && length $cn) ? $cn : undef;
}

and later on …

if ($RT::WebExternalAuto and !$session{'CurrentUser'}->Id() ) {
    # Create users on-the-fly with default attributes

    my $UserObj = RT::User->new(RT::CurrentUser->new('root'));

    my ($val, $msg) = $UserObj->Create(
        %{ref($RT::AutoCreate) ? $RT::AutoCreate : {}},
        Name         => $user,
        Gecos        => $user,
    );

    if ($val) {
        # auto-created accounts start unprivileged; rights are granted by hand
        $UserObj->SetPrivileged(0);

        my $realname = LookupLdapUserInfo($user);
        $UserObj->SetRealName($realname) if defined $realname;
        $UserObj->SetEmailAddress("$user\@" . $RT::Organization)
            if defined $user;

        $session{'CurrentUser'}->Load($user);
    }
}

Hope this helps the next explorer.
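An added example (editor's code, not from Sean's or Samuel's posts and not part of RT) that folds the two lookups above into one function returning the ($found, %UserInfo) pair Samuel's autohandler expects from LookupExternalUserInfo, here taking only the login name. It differs from the posted LookupLdapUserInfo in the three places a reviewer would point at: the account name is normalised and escaped before it is placed in a filter, the bind password is read from a file readable only by the web server user instead of being written into the autohandler, and the connection is upgraded with StartTLS before the bind. The host, base DN, bind DN, secret-file path, CA bundle path and the attribute-to-field map are placeholders; displayName, mail, telephoneNumber and description are ordinary Active Directory attributes, and RealName, EmailAddress, WorkPhone and Comments are existing RT::User fields.

```perl
# Added example, not code from the thread or from RT.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Net::LDAP::Constant qw(LDAP_SUCCESS);

my %LDAP = (
    host     => 'my.ldap.server',                            # placeholder
    base     => 'dc=mydomain,dc=com',                        # placeholder
    bind_dn  => 'cn=Request Tracker,cn=Users,dc=mydomain,dc=com',
    pw_file  => '/etc/rt3/ldap.secret',   # placeholder; mode 0600, owned by the httpd user
    cafile   => '/etc/ssl/certs/ca-certificates.crt',       # placeholder
    uid_attr => 'sAMAccountName',
    attrs    => {                      # AD attribute => RT::User field
        displayName     => 'RealName',
        mail            => 'EmailAddress',
        telephoneNumber => 'WorkPhone',
        description     => 'Comments',
    },
);

# REMOTE_USER may arrive as "user", "DOMAIN\user" (Win32, as in Samuel's
# autohandler) or "user@realm"; reduce it to the bare account name and
# reject anything that cannot be a sAMAccountName before it goes near a
# filter.
sub NormalizeRemoteUser {
    my ($raw) = @_;
    return undef unless defined $raw;
    $raw =~ s/^[^\\]+\\//;          # strip NetBIOS domain prefix
    $raw =~ s/\@.*$//;              # strip UPN realm suffix
    return undef unless length($raw) && length($raw) <= 20;   # AD length limit
    return undef if $raw =~ m{[\x00-\x1f"/\\\[\]:;|=,+*?<>]}; # AD-disallowed characters
    return $raw;
}

sub ReadBindPassword {
    open my $fh, '<', $LDAP{pw_file} or return undef;
    my $pw = <$fh>;
    close $fh;
    return undef unless defined $pw;
    chomp $pw;
    return $pw;
}

# Returns (0) when nothing usable was found, (1, %UserInfo) otherwise.
sub LookupExternalUserInfo {
    my ($raw) = @_;
    my $user = NormalizeRemoteUser($raw);
    return (0) unless defined $user;

    my $pw = ReadBindPassword();
    return (0) unless defined $pw;

    my $ldap = Net::LDAP->new($LDAP{host}, port => 389, timeout => 5)
        or return (0);
    # Without StartTLS the bind password and every attribute read cross
    # the wire in clear.
    my $mesg = $ldap->start_tls(verify => 'require', cafile => $LDAP{cafile});
    return (0) unless $mesg->code == LDAP_SUCCESS;

    $mesg = $ldap->bind($LDAP{bind_dn}, password => $pw);
    return (0) unless $mesg->code == LDAP_SUCCESS;

    # escape_filter_value() encodes ( ) * \ and NUL as in RFC 4515, so the
    # account name cannot widen the filter to (sAMAccountName=*).
    my $filter = sprintf '(&(objectClass=user)(%s=%s))',
        $LDAP{uid_attr}, escape_filter_value($user);

    $mesg = $ldap->search(
        base   => $LDAP{base},
        scope  => 'sub',
        filter => $filter,
        attrs  => [ $LDAP{uid_attr}, keys %{ $LDAP{attrs} } ],
    );
    # Exactly one entry, or we refuse to guess which account this is.
    my $entry = ($mesg->code == LDAP_SUCCESS && $mesg->count == 1)
        ? $mesg->entry(0) : undef;
    $ldap->unbind;
    return (0) unless $entry;

    my %info;
    while (my ($ad, $rt) = each %{ $LDAP{attrs} }) {
        my $v = $entry->get_value($ad);     # scalar context: first value only
        $info{$rt} = $v if defined $v && length $v;
    }
    # A directory value must never override the login name RT will use.
    $info{Name} = $user;
    return (1, %info);
}

1;
```

In the autohandler the call becomes my ($found, %UserInfo) = LookupExternalUserInfo($user); passing %UserInfo into Create() as Samuel does. Because the function returns (0) on every failure path, a directory outage degrades to an account with only Name and Gecos set, which is what the unmodified autohandler would have created anyway.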

I also set up such a system and used RT3, apache 1.3.27 auth_ldap, all
Debian packages.
I used the external user lookup with LDAP that was posted here some time
ago, and changed all uids to sAMAccountName,
so I have imported all the information from LDAP: full name, account
name, e-mail, phone, description and so on. In autohandler I only
inserted lookupexternaldatabase before the creation of the new user; I
also had to add use RT::EmailParser (an overlay was provided with
emailLDAP).

I hope this helped somebody who wants more information.

-----Original Message-----
From: Sean Perry [mailto:sean.perry@intransa.com]
Sent: Friday, 11 July 2003 20:56
To: rt-users@lists.fsck.com
Subject: [rt-users] comments on my active directory experience

rt-users mailing list
rt-users@lists.fsck.com http://lists.fsck.com/mailman/listinfo/rt-users

Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm

Senoner Samuel wrote:

I also set up such a system and used RT3, apache 1.3.27 auth_ldap, all
Debian packages.
I used the external user lookup with LDAP that was posted here some time
ago, and changed all uids to sAMAccountName,
so I have imported all the information from LDAP: full name, account
name, e-mail, phone, description and so on. In autohandler I only
inserted lookupexternaldatabase before the creation of the new user; I
also had to add use RT::EmailParser (an overlay was provided with
emailLDAP).

What does RT::EmailParser do and why did you use it?