ExternalAuth - group and group_attr question | Question about the group and group_attr settings

Hi,
my LDAP authentication works very well for me. Now I want only users
who are in the group 'lg_rt_ticketsystem' to be allowed to log in. I have tried
many possibilities, but nothing changed - I can't log in if I add
'group' and 'group_attr'.
Can anybody tell me what values I have to add?

'group' => 'cn=lg_rt_ticketsystem',
'group_attr' => 'cn=lg_rt_ticketsystem',

or something like that:

'group' => 'lg_rt_ticketsystem',
'group_attr' => 'lg_rt_ticketsystem',

Thanks for your help.
Regards, Michael from Germany

In German:
My LDAP authentication works flawlessly. But now I want only users who are
in the group 'lg_rt_ticketsystem' to get access. I come across two things:

'group'
'group_attr'

I have already tried many things, but with almost all of them I get no
access! Can somebody tell me the right parameters so that only group
users are allowed to log in!?
So rather something like this:

'group' => 'cn=lg_rt_ticketsystem',
'group_attr' => 'cn=lg_rt_ticketsystem',

or rather:

'group' => 'lg_rt_ticketsystem',
'group_attr' => 'lg_rt_ticketsystem',

Or perhaps with the full LDAP path?

Thanks for your help!

Regards
Michael

Michael Bieniek wrote:

'group' => 'cn=lg_rt_ticketsystem',
'group_attr' => 'cn=lg_rt_ticketsystem',

Try the whole distinguished name (DN), for example:

'group' => 'cn=lg_rt_ticketsystem,ou=groups,ou=lg,dc=lg,dc=de',

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England

Michael Bieniek wrote:

Hi,
and what about 'group_attr'?

It is the LDAP attribute for members, which is generally 'member'.

The code checks that the value of group_attr is equal to the cn of
the user who is logging in. So if the group stores members like this:

member=cn=Foo,dc=Bar,dc=Baz

then your group_attr is 'member'.

Kind Regards,

Mike Peachey, IT

Hi,

Is there a way to restrict certain types of files a user can attach to a
ticket in RT? I wish to disallow file types like .php or .exe, amongst
others, for an obvious reason. Is RT based on allow-all or nothing for
attachments?

Your reply is greatly appreciated in advance.

Cheers,
Hossein

Hossein Rafighi
TRIUMF, 4004 Wesbrook Mall
Vancouver BC, Canada, V6T 2A3
Voice: (604) 222-1047
Fax: (604) 222-1074
Website: http://www.triumf.ca

Michael,

Is that group identifiable to LDAP? If so, set your LDAP filter for it.

Kenn
LBNL

On 11/5/2008 7:28 AM, Michael Bieniek wrote:




The rt-users Archives

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

Michael Bieniek wrote:

Hi!
In my ActiveDirectoryExplorer I must search for:

memberOf=CN=lg_rt_ticketsystem,OU=Gruppen,OU=Scanplus,DC=scanplus,DC=local

If I search for this string, I get back the right users.
But if I look at the log of RT, the LDAP filter does not search for the
right string:

I will look into this later on while doing v0.07, but IIRC the reason
for this is the broken way that AD does group membership.

For everyone else, there is a group object with CNs as members. In AD,
each member has its groups stored in its own CN as “memberOf”.

Backwards Microsoft charlatans!

Kind Regards,

Mike Peachey, IT

Having just been looking at group membership in AD, let me chime in
here. While Microsoft has made some questionable decisions here and
there, I think they do group membership sanely. Group memberships are
effectively a doubly-linked list:

  • Users have “memberOf” attributes that enumerate the groups of which
    they are a member.

  • Groups have a “member” attribute that enumerates the users that are
    members of that group.

This means that it is easy both to (a) find all the groups of which a
user is a member and (b) find all the users who are members of a
particular group. This is in fact much easier than, say, group
membership under Linux, where (a) is hard (you have to scan through
the entire list of groups and then for each group loop through all the
members), and (b) is only easy if you ignore primary group membership.

AD supports recursive group membership, which means that groups can be
members of other groups (groups can have “memberOf” attributes, and
may include groups in their “member” attributes). This is great from
an organizational standpoint; for example, in our IT organization, we
have groups for engineering, helpdesk, web, etc., and then a single
“itstaff” group of which all the other groups are members. Typically,
this means that when someone joins, we only need to add them to a
single group to give them appropriate permissions, rather than to a
series of groups. Note that NIS Netgroups work the same way.

For example, the following Python code (because I happen to have it
sitting in front of me right now) resolves group membership for a
given DN. Basically, we start with the list of groups in the
“memberOf” attribute for the given DN, and then recursively call the
resolveGroups() function for each of those DNs and so work our way up
the chain:

import ldap  # python-ldap; ldapServer is a connection bound earlier (not shown in the mail)

def resolveGroups(dn):
    groups = []

    obj = ldapServer.search(dn, scope=ldap.SCOPE_BASE)

    # Note that this returns a list of lists, of the form:
    #
    #   ( (dn, attributes), (dn, attributes) )
    #
    # which should explain all of the list dereferencing you're about to see.
    # We only expect a single result (or no result), which is why we're only
    # looking at obj[0].

    if obj and obj[0][0]:
        # add contents of memberOf attribute to list of groups
        groups.extend(obj[0][1].get('memberOf', []))
        # call resolveGroups for each of those group DNs
        for gdn in obj[0][1].get('memberOf', []):
            groups = groups + resolveGroups(gdn)

    return groups

Lars Kellogg-Stedman lars@oddbit.com
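As an added example (not code from this thread, from RT or from its ExternalAuth module), the following Python models the two membership layouts the thread contrasts, a group object's 'member' values as Mike describes and a user's 'memberOf' chain as Lars describes, over a constructed in-memory directory, and shows why 'group_attr' must name an attribute rather than carry a value. All names (norm_dn, DIRECTORY, lookup, direct_member, effective_groups, may_log_in) and the example DNs are invented.

```python
from typing import Dict, List, Optional, Set

def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: DN matching ignores case (for attribute
    types and cn values) and whitespace around RDN separators; simplified."""
    return ",".join(part.strip().lower() for part in dn.split(","))

# Constructed sample directory, not real data. The group lists members in
# 'member' (the layout Mike describes); users and nested groups also carry
# 'memberOf' (the AD layout Lars describes). 'engineering' is nested inside
# 'lg_rt_ticketsystem', so Bob is only an indirect member of it.
GROUP_DN = "cn=lg_rt_ticketsystem,ou=groups,dc=example,dc=de"
ENG_DN = "cn=engineering,ou=groups,dc=example,dc=de"
_RAW: Dict[str, Dict[str, List[str]]] = {
    GROUP_DN: {"member": ["cn=alice,ou=people,dc=example,dc=de", ENG_DN]},
    ENG_DN: {"member": ["CN=Bob, OU=People, DC=example, DC=de"],
             "memberOf": [GROUP_DN]},
    "cn=alice,ou=people,dc=example,dc=de": {"memberOf": [GROUP_DN]},
    "cn=bob,ou=people,dc=example,dc=de": {"memberOf": [ENG_DN]},
    "cn=mallory,ou=people,dc=example,dc=de": {},
}
DIRECTORY = {norm_dn(k): v for k, v in _RAW.items()}

def lookup(dn: str) -> Dict[str, List[str]]:
    """Stand-in for a base-scope LDAP search on dn."""
    return DIRECTORY.get(norm_dn(dn), {})

def direct_member(group_dn: str, user_dn: str, group_attr: str = "member") -> bool:
    """The check Mike describes: read group_attr from the group object and
    compare its values against the user's full DN. group_attr is an attribute
    NAME; passing a value such as 'cn=lg_rt_ticketsystem' reads an attribute
    that does not exist, so nobody matches (the symptom in the thread)."""
    values = {norm_dn(v) for v in lookup(group_dn).get(group_attr, [])}
    return norm_dn(user_dn) in values

def effective_groups(dn: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """AD-style walk: follow 'memberOf' upwards to collect nested groups.
    'seen' also stops the recursion if a membership cycle is encountered."""
    seen = set() if seen is None else seen
    for gdn in lookup(dn).get("memberOf", []):
        g = norm_dn(gdn)
        if g not in seen:
            seen.add(g)
            effective_groups(g, seen)
    return seen

def may_log_in(user_dn: str, group_dn: str = GROUP_DN) -> bool:
    """Allow login on direct membership or on reaching the group via nesting."""
    return direct_member(group_dn, user_dn) or norm_dn(group_dn) in effective_groups(user_dn)
```

Against a real server, lookup() would be replaced by a base-scope search on the DN and the comparison semantics stay the same.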