RT External Auth plugin and LDAP

I am using the ExternalAuth plugin 0.12 on RT 3.8.14 and have configured
to use an LDAP server for authentication.

I have specified group membership as a requisite for authentication. Our
LDAP server does not allow anonymous bind for looking up group
membership, so I’ve specified some credentials for this.

However, this is failing. It seems the plugin binds as the user being
authenticated in order to check group membership rather than the
credentials specified in the config file. The user being authenticated
does not have the rights to look up the group, hence it fails.

Is this a bug or a feature? Any suggestions for a work around?

Many thanks.

Regards,
Tony.

Tony Arnold, Tel: +44 (0) 161 275 6093
Head of IT Security, Fax: +44 (0) 705 344 3082
University of Manchester, Mob: +44 (0) 773 330 0039
Manchester M13 9PL. Email: tony.arnold@manchester.ac.uk

It’s a known issue that the plugin checks group membership using the user’s account.
I think there was a patch on rt.cpan.org for this.

Ruslan from phone.


Ruslan,

Thanks. I can’t find a patch for this on rt.cpan.org. I’ve found bug
#69500 which refers to version 0.09 of the ExternalAuth plugin and I’m
on 0.12.

Looking at the source of LDAP.pm, a simple fix could be to check the
group membership before the user password check. Any reason why that
would not do the trick?

Any ideas where else to look?

Regards,
Tony.
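To make the two orderings concrete, here is an added example that is not code from RT or the RT-Authen-ExternalAuth plugin. It replaces the LDAP server with a small in-memory directory whose access rules are those described in the thread (anonymous bind refused, ordinary users unable to read group entries, a configured service account that can), and implements both the bind-as-user ordering reported for plugin 0.12 and the group-check-first ordering proposed above. The DNs, passwords, the CONFIG dict and the FakeDirectory class are all constructed for the example and stand in for the real plugin settings and Net::LDAP calls.

```python
"""Model of the two LDAP authentication orderings discussed in the thread.

Added example, not code from RT or the RT-Authen-ExternalAuth plugin. The
real LDAP server is replaced by a small in-memory directory whose access
rules mirror the poster's situation: anonymous binds are refused, ordinary
users may bind but may not read group entries, and a dedicated service
account (the credentials set in the plugin config) may. All DNs, passwords
and the ACL below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class LdapError(Exception):
    """Raised for a refused bind or a search the bound identity may not run."""


@dataclass
class FakeDirectory:
    passwords: Dict[str, str]            # dn -> password (constructed data)
    groups: Dict[str, Set[str]]          # group dn -> member dns (constructed)
    group_readers: Set[str] = field(default_factory=set)  # may read groups
    bound_as: Optional[str] = None       # identity of the current bind

    def bind(self, dn: str, password: str) -> None:
        """Simple bind; an empty dn (anonymous) is refused, as on the poster's server."""
        if not dn or self.passwords.get(dn) != password:
            self.bound_as = None
            raise LdapError("invalidCredentials")
        self.bound_as = dn

    def is_member(self, group_dn: str, user_dn: str) -> bool:
        """Read the group's member list under the current bind identity."""
        if self.bound_as not in self.group_readers:
            raise LdapError("insufficientAccessRights")
        return user_dn in self.groups.get(group_dn, set())


# Stands in for the plugin's service-account and group settings (assumed names).
CONFIG = {
    "user": "cn=rt-svc,ou=services,dc=example,dc=org",
    "pass": "svc-secret",
    "group": "cn=rt-users,ou=groups,dc=example,dc=org",
}


def authenticate_bind_as_user(directory: FakeDirectory, user_dn: str, password: str) -> bool:
    """Ordering the thread reports for 0.12: bind as the user, then look the
    group up under that same bind. Fails whenever users cannot read group
    entries, even when the password is correct."""
    try:
        directory.bind(user_dn, password)
        return directory.is_member(CONFIG["group"], user_dn)
    except LdapError:
        return False
    finally:
        directory.bound_as = None


def authenticate_group_first(directory: FakeDirectory, user_dn: str, password: str) -> bool:
    """Ordering proposed in the thread: check membership with the configured
    service credentials first, then verify the password with a user bind.
    Every failure collapses to the same False so a caller cannot tell a
    wrong password from a user who is not in the group."""
    try:
        directory.bind(CONFIG["user"], CONFIG["pass"])
        if not directory.is_member(CONFIG["group"], user_dn):
            return False
        directory.bind(user_dn, password)
        return True
    except LdapError:
        return False
    finally:
        directory.bound_as = None


def build_directory() -> FakeDirectory:
    """Constructed directory: one RT user inside the group, one user outside it."""
    return FakeDirectory(
        passwords={
            CONFIG["user"]: CONFIG["pass"],
            "uid=tony,ou=people,dc=example,dc=org": "tony-pw",
            "uid=guest,ou=people,dc=example,dc=org": "guest-pw",
        },
        groups={CONFIG["group"]: {"uid=tony,ou=people,dc=example,dc=org"}},
        group_readers={CONFIG["user"]},  # only the service account may read groups
    )


if __name__ == "__main__":
    d = build_directory()
    tony = "uid=tony,ou=people,dc=example,dc=org"
    print("bind-as-user ordering:", authenticate_bind_as_user(d, tony, "tony-pw"))  # False
    print("group-first ordering: ", authenticate_group_first(d, tony, "tony-pw"))   # True
```

Run it with python3 to see the first ordering reject a valid user in the group while the second accepts the same credentials. Two points carry over to the real plugin: the service account only needs read access to the group's member attribute, so grant it nothing more, and whichever check rejects a login the client should get the same failure, so the response cannot be used to separate a wrong password from a user who is simply not in the group.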

On Tue, Jan 29, 2013 at 7:17 PM, Tony Arnold tony.arnold@manchester.ac.uk wrote:

Looking at the source of LDAP.pm, a simple fix could be to check the
group membership before the user password check. Any reason why that
would not do the trick?

Would do. If you get to it, a patch would help get a 0.13 release out with the fix.


Best regards, Ruslan.

Ruslan,

I’ve tried it and it seems to work, although it probably needs to be
more thoroughly tested.

I’m not sure of the best way to generate a patch file, but I’ve
attached what I have done. The patch applies to

/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm

Regards,
Tony.

LDAP.pm.patch (2.07 KB)

Hi,

It’s better to save it on the ticket you found, or create a new one with
a link to the old one.

Best regards, Ruslan.