Mailing List Archive

rt branch, 4.4/add-ldap-email-authentication, repushed
The branch 4.4/add-ldap-email-authentication was deleted and repushed:
was 7b8e0c571627d570f70aaaa2a4242a42d4be0350
now eaf25c59d8f966d987c0f6c285cadf85e785ccbd

1: 30370812b5 ! 1: 6bb0380d95 Add LDAP email authentication
@@ -39,6 +39,8 @@
+ else {
+ $session->{'CurrentUser'}->Load($username);
+ }
++
++ delete $session->{'_ldap_attr_match'};

# Unless we have loaded a valid user with a UserID create one.
unless ($session->{'CurrentUser'}->Id) {
@@ -68,10 +70,17 @@
my $group_attr_val = $config->{'group_attr_value'} || 'dn';
my $group_scope = $config->{'group_scope'} || 'base';
my $attr_map = $config->{'attr_map'};
+- my @attrs = ('dn');
+ my $attr_match_list = $config->{'attr_match_list'};
- my @attrs = ('dn');
++
++ my @attrs;
++ foreach my $attr_match (@{$attr_match_list}) {
++ push @attrs, $attr_map->{$attr_match}
++ if exists $attr_map->{$attr_match} && $attr_map->{$attr_match};
++ }

# Make sure we fetch the user attribute we'll need for the group check
+ push @attrs, $group_attr_val
@@
my $ldap = _GetBoundLdapObj($config);
return 0 unless ($ldap);
@@ -87,7 +96,7 @@
+ # loop over each of the attr_match_list members for LDAP search
+ my $ldap_msg;
+ foreach my $attr_match ( @{$attr_match_list} ) {
-+ unless ( defined $attr_map->{$attr_match} ) {
++ unless ( exists $attr_map->{$attr_match} && $attr_map->{$attr_match} ) {
+ $RT::Logger->error( "Invalid LDAP mapping for $attr_match, no defined fields in attr_map" );
+ next;
+ }
@@ -103,7 +112,7 @@
+ '(&' .
+ $filter .
+ '(' .
-+ $config->{'attr_map'}->{$attr_match} .
++ $attr_map->{$attr_match} .
+ '=' .
+ escape_filter_value($username) .
+ '))'
@@ -130,7 +139,7 @@
- return 0;
- }
+ $ldap_msg = $ldap->search( base => $base,
-+ filter => $filter,
++ filter => $net_ldap_filter,
+ attrs => \@attrs );

- unless ($ldap_msg->count == 1) {
@@ -142,7 +151,7 @@
- return 0;
+ unless ( $ldap_msg->code == LDAP_SUCCESS || $ldap_msg->code == LDAP_PARTIAL_RESULTS ) {
+ $RT::Logger->debug( "search for",
-+ $filter->as_string,
++ $net_ldap_filter->as_string,
+ "failed:",
+ ldap_error_name($ldap_msg->code),
+ $ldap_msg->code );
@@ -150,7 +159,7 @@
+ return 0;
+ }
+
-+ unless ( $ldap_msg->count == 1 ) {
++ if ( $ldap_msg->count != 1 ) {
+ $RT::Logger->info( $service,
+ "AUTH FAILED:",
+ $username,
@@ -158,9 +167,55 @@
+ # We got no user, or too many users.. try the next attr_match_list field.
+ next;
+ }
- }
-
++ else {
++ # User was found
++ $RT::Logger->debug( "User Check Succeeded :: (",
++ $service,
++ ")",
++ $username );
++ last;
++ }
+ }
+
++ # if we didn't match anything, go to the next external auth service
++ return 0 unless $ldap_msg->first_entry;
++
my $ldap_entry = $ldap_msg->first_entry;
+ my $ldap_dn = $ldap_entry->dn;
+
+@@
+
+ # We only need the dn for the actual group since all we care about is existence
+ @attrs = qw(dn);
+- $filter = Net::LDAP::Filter->new("(${group_attr}=" . escape_filter_value($group_val) . ")");
++ my $net_ldap_filter = Net::LDAP::Filter->new("(${group_attr}=" . escape_filter_value($group_val) . ")");
+
+ $RT::Logger->debug( "LDAP Search === ",
+ "Base:",
+@@
+ "== Scope:",
+ $group_scope,
+ "== Filter:",
+- $filter->as_string,
++ $net_ldap_filter->as_string,
+ "== Attrs:",
+ join(',',@attrs));
+
+ $ldap_msg = $ldap->search( base => $group,
+- filter => $filter,
++ filter => $net_ldap_filter,
+ attrs => \@attrs,
+ scope => $group_scope);
+
+@@
+ unless ($ldap_msg->code == LDAP_SUCCESS ||
+ $ldap_msg->code == LDAP_PARTIAL_RESULTS) {
+ $RT::Logger->critical( "Search for",
+- $filter->as_string,
++ $net_ldap_filter->as_string,
+ "failed:",
+ ldap_error_name($ldap_msg->code),
+ $ldap_msg->code);
@@
}

@@ -184,20 +239,34 @@
- escape_filter_value($username) .
- '))'
- );
-- }
--
++ my $attr_map = $config->{'attr_map'};
++ my $attr_match_list = $config->{'attr_match_list'};
++
++ my @attrs;
++ foreach my $attr_match (@{$attr_match_list}) {
++ push @attrs, $attr_map->{$attr_match}
++ if exists $attr_map->{$attr_match} && $attr_map->{$attr_match};
+ }
+
- my $ldap = _GetBoundLdapObj($config);
- return unless $ldap;
-+ my $attr_match_list = $config->{'attr_match_list'};
-+ my @attrs = values( %{$config->{'attr_map'}} );
-
-- my @attrs = values(%{$config->{'attr_map'}});
+ # loop over each of the attr_match_list members for the initial lookup
+ foreach my $attr_match ( @{$attr_match_list} ) {
-+ unless ( defined $config->{'attr_map'}->{$attr_match} ) {
++ unless ( exists $attr_map->{$attr_match} && $attr_map->{$attr_match} ) {
+ $RT::Logger->error( "Invalid LDAP mapping for $attr_match, no defined fields in attr_map" );
+ next;
+ }
+
+- my @attrs = values(%{$config->{'attr_map'}});
++ my $net_ldap_filter = Net::LDAP::Filter->new(
++ '(&' .
++ $filter .
++ '(' .
++ $attr_map->{$attr_match} .
++ '=' .
++ escape_filter_value($username) .
++ '))'
++ );

- # Check that the user exists in the LDAP service
- $RT::Logger->debug( "LDAP Search === ",
@@ -207,38 +276,9 @@
- ($filter ? $filter->as_string : ''),
- "== Attrs:",
- join(',',@attrs));
-+ my $net_ldap_filter = Net::LDAP::Filter->new(
-+ '(&' .
-+ $filter .
-+ '(' .
-+ $config->{'attr_map'}->{$attr_match} .
-+ '=' .
-+ escape_filter_value($username) .
-+ '))'
-+ );
-
-- my $user_found = $ldap->search( base => $base,
-- filter => $filter,
-- attrs => \@attrs);
+ my $ldap = _GetBoundLdapObj($config);
+ return unless $ldap;
-
-- if($user_found->count < 1) {
-- # If 0 or negative integer, no user found or major failure
-- $RT::Logger->debug( "User Check Failed :: (",
-- $service,
-- ")",
-- $username,
-- "User not found");
-- return 0;
-- } elsif ($user_found->count > 1) {
-- # If more than one result returned, die because we the username field should be unique!
-- $RT::Logger->debug( "User Check Failed :: (",
-- $service,
-- ")",
-- $username,
-- "More than one user with that username!");
-- return 0;
++
+ # Check that the user exists in the LDAP service
+ $RT::Logger->debug( "LDAP Search === ",
+ "Base:",
@@ -247,27 +287,46 @@
+ ($net_ldap_filter ? $net_ldap_filter->as_string : ''),
+ "== Attrs:",
+ join(',',@attrs) );
-+
+
+- my $user_found = $ldap->search( base => $base,
+- filter => $filter,
+- attrs => \@attrs);
+ my $user_found = $ldap->search( base => $base,
+ filter => $net_ldap_filter,
+ attrs => \@attrs );
-+
-+ if ( $user_found->count < 1 ) {
-+ # If 0 or negative integer, no user found or major failure
+
+- if($user_found->count < 1) {
+- # If 0 or negative integer, no user found or major failure
+- $RT::Logger->debug( "User Check Failed :: (",
+- $service,
+- ")",
+- $username,
+- "User not found");
+- return 0;
+- } elsif ($user_found->count > 1) {
+- # If more than one result returned, die because we the username field should be unique!
+- $RT::Logger->debug( "User Check Failed :: (",
+- $service,
+- ")",
+- $username,
+- "More than one user with that username!");
+- return 0;
++ unless ( $user_found->code == LDAP_SUCCESS || $user_found->code == LDAP_PARTIAL_RESULTS ) {
++ $RT::Logger->debug( "search for",
++ $filter->as_string,
++ "failed:",
++ ldap_error_name($user_found->code),
++ $user_found->code );
++ # Didn't even get a partial result - jump straight to the next external auth service
++ return 0;
++ }
++
++ if ( $user_found->count != 1 ) {
+ $RT::Logger->debug( "User Check Failed :: (",
+ $service,
+ ")",
+ $username,
-+ "User not found" );
-+ next;
-+ }
-+ elsif ( $user_found->count > 1 ) {
-+ # If more than one result returned, skip because we the username field should be unique!
-+ $RT::Logger->debug( "User Check Failed :: (",
-+ $service,
-+ ")",
-+ $username,
-+ "More than one user with that username!" );
++ "User not found or more than one user found with that username!" );
+ next;
+ }
+ else {
@@ -280,6 +339,7 @@
+ # RT::Authen::ExternalAuth::DoAuth needs to be able to load by either User or EmailAddress.
+ # store the key that matched into the session so DoAuth can use the correct one.
+ $session->{'_ldap_attr_match'} = $attr_match;
++
+ return 1;
+ }
}
@@ -288,8 +348,111 @@
- # If we havent returned now, there must be a valid user.
- return 1;
+ # No valid user was found using each of the search filters.
++ # go to the next external auth service.
+ return 0;
}

sub UserDisabled {
+@@
+ my $base = $config->{'base'};
+ my $filter = $config->{'filter'};
+ my $d_filter = $config->{'d_filter'};
+- my $search_filter;
+
+ # While LDAP filters must be surrounded by parentheses, an empty set
+ # of parentheses is an invalid filter and will cause failure
+@@
+ return 0;
+ }
+
+- if (defined($config->{'attr_map'}->{'Name'})) {
++ my $attr_map = $config->{'attr_map'};
++ my $attr_match_list = $config->{'attr_match_list'};
++
++ my @attrs;
++ foreach my $attr_match (@{$attr_match_list}) {
++ push @attrs, $attr_map->{$attr_match}
++ if exists $attr_map->{$attr_match} && $attr_map->{$attr_match};
++ }
++
++ # loop over each of the attr_match_list members for the initial lookup
++ foreach my $attr_match ( @{$attr_match_list} ) {
++ unless ( exists $attr_map->{$attr_match} && $attr_map->{$attr_match} ) {
++ $RT::Logger->debug( "You haven't specified an LDAP attribute to match the RT $attr_match attribute for this service ($service), so it's impossible look up the disabled status of this user ($username)" );
++ next;
++ }
++
+ # Construct the complex filter
+- $search_filter = Net::LDAP::Filter->new( '(&' .
++ my $search_filter = Net::LDAP::Filter->new( '(&' .
+ $filter .
+ $d_filter .
+ '(' .
+- $config->{'attr_map'}->{'Name'} .
++ $attr_map->{$attr_match} .
+ '=' .
+ escape_filter_value($username) .
+ '))'
+ );
+- } else {
+- $RT::Logger->debug("You haven't specified an LDAP attribute to match the RT \"Name\" attribute for this service (",
+- $service,
+- "), so it's impossible look up the disabled status of this user (",
+- $username,
+- ") so I'm just going to assume the user is not disabled");
+- return 0;
+
+- }
++ my $ldap = _GetBoundLdapObj($config);
++ next unless $ldap;
+
+- my $ldap = _GetBoundLdapObj($config);
+- next unless $ldap;
+-
+- # We only need the UID for confirmation now,
+- # the other information would waste time and bandwidth
+- my @attrs = ('uid');
+-
+- $RT::Logger->debug( "LDAP Search === ",
+- "Base:",
+- $base,
+- "== Filter:",
+- ($search_filter ? $search_filter->as_string : ''),
+- "== Attrs:",
+- join(',',@attrs));
++ $RT::Logger->debug( "LDAP Search === ",
++ "Base:",
++ $base,
++ "== Filter:",
++ ($search_filter ? $search_filter->as_string : ''),
++ "== Attrs:",
++ join(',',@attrs));
+
+- my $disabled_users = $ldap->search(base => $base,
+- filter => $search_filter,
+- attrs => \@attrs);
+- # If ANY results are returned,
+- # we are going to assume the user should be disabled
+- if ($disabled_users->count) {
+- undef $disabled_users;
+- return 1;
+- } else {
+- undef $disabled_users;
+- return 0;
++ my $disabled_users = $ldap->search(base => $base,
++ filter => $search_filter,
++ attrs => \@attrs);
++ # If ANY results are returned,
++ # we are going to assume the user should be disabled
++ if ($disabled_users->count) {
++ return 1;
++ } else {
++ next;
++ }
+ }
++
++ return 0;
+ }
+ # {{{ sub _GetBoundLdapObj
+

2: 7b8e0c5716 ! 2: eaf25c59d8 Add test for LDAP attr search and match
@@ -2,7 +2,7 @@

Add test for LDAP attr search and match

- This test verifies LDAP authentication using to second entry in
+ This test verifies LDAP authentication using a second entry in
attr_match_list. In this case EmailAddress instead of the
previously hardcoded Name key.


_______________________________________________
rt-commit mailing list
rt-commit@lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-commit
rt branch, 4.4/add-ldap-email-authentication, repushed [ In reply to ]
The branch 4.4/add-ldap-email-authentication was deleted and repushed:
was eaf25c59d8f966d987c0f6c285cadf85e785ccbd
now 0d25844552b4b92481edcdf24dab918578981847

1: 6bb0380d95 ! 1: 2fe0f25870 Add LDAP email authentication
@@ -108,7 +108,7 @@
- $filter->as_string,
- "== Attrs:",
- join(',',@attrs));
-+ my $net_ldap_filter = Net::LDAP::Filter->new(
++ my $search_filter = Net::LDAP::Filter->new(
+ '(&' .
+ $filter .
+ '(' .
@@ -125,9 +125,23 @@
+ "Base:",
+ $base,
+ "== Filter:",
-+ ($net_ldap_filter ? $net_ldap_filter->as_string : ''),
++ ($search_filter ? $search_filter->as_string : ''),
+ "== Attrs:",
+ join(',',@attrs) );
++
++ $ldap_msg = $ldap->search( base => $base,
++ filter => $search_filter,
++ attrs => \@attrs );
++
++ unless ( $ldap_msg->code == LDAP_SUCCESS || $ldap_msg->code == LDAP_PARTIAL_RESULTS ) {
++ $RT::Logger->critical( "search for",
++ $search_filter->as_string,
++ "failed:",
++ ldap_error_name($ldap_msg->code),
++ $ldap_msg->code );
++ # Didn't even get a partial result - jump straight to the next external auth service
++ return 0;
++ }

- unless ($ldap_msg->code == LDAP_SUCCESS || $ldap_msg->code == LDAP_PARTIAL_RESULTS) {
- $RT::Logger->debug( "search for",
@@ -137,10 +151,19 @@
- $ldap_msg->code);
- # Didn't even get a partial result - jump straight to the next external auth service
- return 0;
-- }
-+ $ldap_msg = $ldap->search( base => $base,
-+ filter => $net_ldap_filter,
-+ attrs => \@attrs );
++ if ( $ldap_msg->count != 1 ) {
++ $RT::Logger->info( $service,
++ "AUTH FAILED:",
++ $username,
++ "User not found or more than one user found" );
++ # We got no user, or too many users.. try the next attr_match_list field.
++ next;
++ }
++ else {
++ # User was found
++ last;
++ }
+ }

- unless ($ldap_msg->count == 1) {
- $RT::Logger->info( $service,
@@ -149,46 +172,18 @@
- "User not found or more than one user found");
- # We got no user, or too many users.. jump straight to the next external auth service
- return 0;
-+ unless ( $ldap_msg->code == LDAP_SUCCESS || $ldap_msg->code == LDAP_PARTIAL_RESULTS ) {
-+ $RT::Logger->debug( "search for",
-+ $net_ldap_filter->as_string,
-+ "failed:",
-+ ldap_error_name($ldap_msg->code),
-+ $ldap_msg->code );
-+ # Didn't even get a partial result - jump straight to the next external auth service
-+ return 0;
-+ }
-+
-+ if ( $ldap_msg->count != 1 ) {
-+ $RT::Logger->info( $service,
-+ "AUTH FAILED:",
-+ $username,
-+ "User not found or more than one user found" );
-+ # We got no user, or too many users.. try the next attr_match_list field.
-+ next;
-+ }
-+ else {
-+ # User was found
-+ $RT::Logger->debug( "User Check Succeeded :: (",
-+ $service,
-+ ")",
-+ $username );
-+ last;
-+ }
- }
-
+- }
+ # if we didn't match anything, go to the next external auth service
+ return 0 unless $ldap_msg->first_entry;
-+
+
my $ldap_entry = $ldap_msg->first_entry;
my $ldap_dn = $ldap_entry->dn;
-
@@

# We only need the dn for the actual group since all we care about is existence
@attrs = qw(dn);
- $filter = Net::LDAP::Filter->new("(${group_attr}=" . escape_filter_value($group_val) . ")");
-+ my $net_ldap_filter = Net::LDAP::Filter->new("(${group_attr}=" . escape_filter_value($group_val) . ")");
++ my $search_filter = Net::LDAP::Filter->new("(${group_attr}=" . escape_filter_value($group_val) . ")");

$RT::Logger->debug( "LDAP Search === ",
"Base:",
@@ -197,13 +192,13 @@
$group_scope,
"== Filter:",
- $filter->as_string,
-+ $net_ldap_filter->as_string,
++ $search_filter->as_string,
"== Attrs:",
join(',',@attrs));

$ldap_msg = $ldap->search( base => $group,
- filter => $filter,
-+ filter => $net_ldap_filter,
++ filter => $search_filter,
attrs => \@attrs,
scope => $group_scope);

@@ -212,7 +207,7 @@
$ldap_msg->code == LDAP_PARTIAL_RESULTS) {
$RT::Logger->critical( "Search for",
- $filter->as_string,
-+ $net_ldap_filter->as_string,
++ $search_filter->as_string,
"failed:",
ldap_error_name($ldap_msg->code),
$ldap_msg->code);
@@ -258,7 +253,7 @@
+ }

- my @attrs = values(%{$config->{'attr_map'}});
-+ my $net_ldap_filter = Net::LDAP::Filter->new(
++ my $search_filter = Net::LDAP::Filter->new(
+ '(&' .
+ $filter .
+ '(' .
@@ -278,22 +273,18 @@
- join(',',@attrs));
+ my $ldap = _GetBoundLdapObj($config);
+ return unless $ldap;
-+
+
+- my $user_found = $ldap->search( base => $base,
+- filter => $filter,
+- attrs => \@attrs);
+ # Check that the user exists in the LDAP service
+ $RT::Logger->debug( "LDAP Search === ",
+ "Base:",
+ $base,
+ "== Filter:",
-+ ($net_ldap_filter ? $net_ldap_filter->as_string : ''),
++ ($search_filter ? $search_filter->as_string : ''),
+ "== Attrs:",
+ join(',',@attrs) );
-
-- my $user_found = $ldap->search( base => $base,
-- filter => $filter,
-- attrs => \@attrs);
-+ my $user_found = $ldap->search( base => $base,
-+ filter => $net_ldap_filter,
-+ attrs => \@attrs );

- if($user_found->count < 1) {
- # If 0 or negative integer, no user found or major failure
@@ -311,6 +302,10 @@
- $username,
- "More than one user with that username!");
- return 0;
++ my $user_found = $ldap->search( base => $base,
++ filter => $search_filter,
++ attrs => \@attrs );
++
+ unless ( $user_found->code == LDAP_SUCCESS || $user_found->code == LDAP_PARTIAL_RESULTS ) {
+ $RT::Logger->debug( "search for",
+ $filter->as_string,
@@ -321,21 +316,26 @@
+ return 0;
+ }
+
-+ if ( $user_found->count != 1 ) {
++ if ( $user_found->count < 1 ) {
++ # If 0 or negative integer, no user found or major failure
+ $RT::Logger->debug( "User Check Failed :: (",
+ $service,
+ ")",
+ $username,
-+ "User not found or more than one user found with that username!" );
++ "User not found" );
++ next;
++ }
++ elsif ( $user_found->count > 1 ) {
++ # If more than one result returned, jump to the next attr because the username field should be unique!
++ $RT::Logger->debug( "User Check Failed :: (",
++ $service,
++ ")",
++ $username,
++ "More than one user with that username!" );
+ next;
+ }
+ else {
+ # User was found
-+ $RT::Logger->debug( "User Check Succeeded :: (",
-+ $service,
-+ ")",
-+ $username );
-+
+ # RT::Authen::ExternalAuth::DoAuth needs to be able to load by either User or EmailAddress.
+ # store the key that matched into the session so DoAuth can use the correct one.
+ $session->{'_ldap_attr_match'} = $attr_match;
@@ -401,10 +401,8 @@
- $username,
- ") so I'm just going to assume the user is not disabled");
- return 0;
-
+-
- }
-+ my $ldap = _GetBoundLdapObj($config);
-+ next unless $ldap;

- my $ldap = _GetBoundLdapObj($config);
- next unless $ldap;
@@ -412,7 +410,9 @@
- # We only need the UID for confirmation now,
- # the other information would waste time and bandwidth
- my @attrs = ('uid');
--
++ my $ldap = _GetBoundLdapObj($config);
++ next unless $ldap;
+
- $RT::Logger->debug( "LDAP Search === ",
- "Base:",
- $base,
2: eaf25c59d8 = 2: 0d25844552 Add test for LDAP attr search and match

_______________________________________________
rt-commit mailing list
rt-commit@lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-commit
rt branch, 4.4/add-ldap-email-authentication, repushed [ In reply to ]
The branch 4.4/add-ldap-email-authentication was deleted and repushed:
was 0d25844552b4b92481edcdf24dab918578981847
now f0a107b699e5f9eaf1abe87a9ace08cbe71655a0

1: 2fe0f25870 ! 1: ed3ec68cfc Add LDAP email authentication
@@ -17,11 +17,21 @@
--- a/lib/RT/Authen/ExternalAuth.pm
+++ b/lib/RT/Authen/ExternalAuth.pm
@@
+ # safely bypass the password checking later on; primarily because
+ # it's VERY unlikely we even have a password to check if an SSO succeeded.
+ my $pass_bypass = 0;
++ my $exists;
+ if(defined($username)) {
+ $RT::Logger->debug("Pass not going to be checked, attempting SSO");
+ $pass_bypass = 1;
+@@
# Don't continue unless the $username exists in the external service

$RT::Logger->debug("Calling UserExists with \$username ($username) and \$service ($service)");
- next unless RT::Authen::ExternalAuth::UserExists($username, $service);
-+ next unless RT::Authen::ExternalAuth::UserExists($username, $service, $session);
++ $exists = RT::Authen::ExternalAuth::UserExists($username, $service) or next;
++
++ # TODO: we should last here if UserExists was a success
}

####################################################################
@@ -31,52 +41,34 @@
$session->{'CurrentUser'} = RT::CurrentUser->new();
- $session->{'CurrentUser'}->Load($username);
+
-+ # if the LDAP search in LDAP::UserExists matched using EmailAddress instead of
-+ # Name, load the RT user with that instead.
-+ if ($session->{'_ldap_attr_match'} && $session->{'_ldap_attr_match'} eq 'EmailAddress') {
++ if ( ref $exists && defined $exists->{'EmailAddress'} && $exists->{'EmailAddress'} eq $username ) {
+ $session->{'CurrentUser'}->LoadByEmail($username);
+ }
+ else {
+ $session->{'CurrentUser'}->Load($username);
+ }
+
-+ delete $session->{'_ldap_attr_match'};
++ # If LDAP search found the user, and Name was returned, ensure $username is set to Name.
++ # We want to try and ensure the autocreated user below has Name as name and not EmailAddress.
++ if ( ref $exists && $exists->{'Name'} ) {
++ $username = $exists->{'Name'};
++ }

# Unless we have loaded a valid user with a UserID create one.
unless ($session->{'CurrentUser'}->Id) {
-@@
- # Request a username/password check from the specified service
- # This is only valid for non-SSO services.
-
-- my ($username,$service) = @_;
-+ my ($username,$service,$session) = @_;
-
- my $success = 0;
-
-@@
- if ($config->{'type'} eq 'db') {
- $success = RT::Authen::ExternalAuth::DBI::UserExists($username,$service);
- } elsif ($config->{'type'} eq 'ldap') {
-- $success = RT::Authen::ExternalAuth::LDAP::UserExists($username,$service);
-+ $success = RT::Authen::ExternalAuth::LDAP::UserExists($username,$service,$session);
- }
-
- return $success;

diff --git a/lib/RT/Authen/ExternalAuth/LDAP.pm b/lib/RT/Authen/ExternalAuth/LDAP.pm
--- a/lib/RT/Authen/ExternalAuth/LDAP.pm
+++ b/lib/RT/Authen/ExternalAuth/LDAP.pm
@@
- my $group_attr_val = $config->{'group_attr_value'} || 'dn';
my $group_scope = $config->{'group_scope'} || 'base';
my $attr_map = $config->{'attr_map'};
-- my @attrs = ('dn');
+ my @attrs = ('dn');
+ my $attr_match_list = $config->{'attr_match_list'};
+
-+ my @attrs;
+ foreach my $attr_match (@{$attr_match_list}) {
+ push @attrs, $attr_map->{$attr_match}
-+ if exists $attr_map->{$attr_match} && $attr_map->{$attr_match};
++ if exists $attr_map->{$attr_match} && defined $attr_map->{$attr_match};
+ }

# Make sure we fetch the user attribute we'll need for the group check
@@ -96,7 +88,7 @@
+ # loop over each of the attr_match_list members for LDAP search
+ my $ldap_msg;
+ foreach my $attr_match ( @{$attr_match_list} ) {
-+ unless ( exists $attr_map->{$attr_match} && $attr_map->{$attr_match} ) {
++ unless ( exists $attr_map->{$attr_match} && defined $attr_map->{$attr_match} ) {
+ $RT::Logger->error( "Invalid LDAP mapping for $attr_match, no defined fields in attr_map" );
+ next;
+ }
@@ -212,15 +204,6 @@
ldap_error_name($ldap_msg->code),
$ldap_msg->code);
@@
- }
-
- sub UserExists {
-- my ($username,$service) = @_;
-+ my ($username,$service,$session) = @_;
- $RT::Logger->debug("UserExists params:\nusername: $username , service: $service");
- my $config = RT->Config->Get('ExternalSettings')->{$service};
-
-@@
# but there's no harm in doing this to be sure
undef $filter if defined $filter and $filter eq "()";

@@ -240,19 +223,34 @@
+ my @attrs;
+ foreach my $attr_match (@{$attr_match_list}) {
+ push @attrs, $attr_map->{$attr_match}
-+ if exists $attr_map->{$attr_match} && $attr_map->{$attr_match};
++ if exists $attr_map->{$attr_match} && defined $attr_map->{$attr_match};
}

- my $ldap = _GetBoundLdapObj($config);
- return unless $ldap;
++ # Ensure we try to get back a Name value from LDAP on the initial LDAP search.
++ my $name_attr;
++ if ( defined $attr_map->{'Name'} ) {
++ push @attrs, $attr_map->{'Name'};
++ $name_attr = $attr_map->{'Name'};
++ }
+
+- my @attrs = values(%{$config->{'attr_map'}});
+ # loop over each of the attr_match_list members for the initial lookup
+ foreach my $attr_match ( @{$attr_match_list} ) {
-+ unless ( exists $attr_map->{$attr_match} && $attr_map->{$attr_match} ) {
++ unless ( exists $attr_map->{$attr_match} && defined $attr_map->{$attr_match} ) {
+ $RT::Logger->error( "Invalid LDAP mapping for $attr_match, no defined fields in attr_map" );
+ next;
+ }

-- my @attrs = values(%{$config->{'attr_map'}});
+- # Check that the user exists in the LDAP service
+- $RT::Logger->debug( "LDAP Search === ",
+- "Base:",
+- $base,
+- "== Filter:",
+- ($filter ? $filter->as_string : ''),
+- "== Attrs:",
+- join(',',@attrs));
+ my $search_filter = Net::LDAP::Filter->new(
+ '(&' .
+ $filter .
@@ -263,28 +261,11 @@
+ '))'
+ );

-- # Check that the user exists in the LDAP service
-- $RT::Logger->debug( "LDAP Search === ",
-- "Base:",
-- $base,
-- "== Filter:",
-- ($filter ? $filter->as_string : ''),
-- "== Attrs:",
-- join(',',@attrs));
-+ my $ldap = _GetBoundLdapObj($config);
-+ return unless $ldap;
-
- my $user_found = $ldap->search( base => $base,
- filter => $filter,
- attrs => \@attrs);
-+ # Check that the user exists in the LDAP service
-+ $RT::Logger->debug( "LDAP Search === ",
-+ "Base:",
-+ $base,
-+ "== Filter:",
-+ ($search_filter ? $search_filter->as_string : ''),
-+ "== Attrs:",
-+ join(',',@attrs) );
++ my $ldap = _GetBoundLdapObj($config);
++ return unless $ldap;

- if($user_found->count < 1) {
- # If 0 or negative integer, no user found or major failure
@@ -302,6 +283,15 @@
- $username,
- "More than one user with that username!");
- return 0;
++ # Check that the user exists in the LDAP service
++ $RT::Logger->debug( "LDAP Search === ",
++ "Base:",
++ $base,
++ "== Filter:",
++ ($search_filter ? $search_filter->as_string : ''),
++ "== Attrs:",
++ join(',',@attrs) );
++
+ my $user_found = $ldap->search( base => $base,
+ filter => $search_filter,
+ attrs => \@attrs );
@@ -336,11 +326,18 @@
+ }
+ else {
+ # User was found
-+ # RT::Authen::ExternalAuth::DoAuth needs to be able to load by either User or EmailAddress.
-+ # store the key that matched into the session so DoAuth can use the correct one.
-+ $session->{'_ldap_attr_match'} = $attr_match;
-+
-+ return 1;
++ my $match = {
++ $attr_match => $username,
++ };
++
++ if ( $attr_match ne 'Name' && $name_attr ) {
++ my $ldap_entry = $user_found->first_entry;
++ my $name_value = $ldap_entry->get_value($name_attr);
++
++ $match->{'Name'} = $name_value;
++ }
++
++ return $match;
+ }
}
- undef $user_found;
@@ -353,106 +350,4 @@
}

sub UserDisabled {
-@@
- my $base = $config->{'base'};
- my $filter = $config->{'filter'};
- my $d_filter = $config->{'d_filter'};
-- my $search_filter;
-
- # While LDAP filters must be surrounded by parentheses, an empty set
- # of parentheses is an invalid filter and will cause failure
-@@
- return 0;
- }
-
-- if (defined($config->{'attr_map'}->{'Name'})) {
-+ my $attr_map = $config->{'attr_map'};
-+ my $attr_match_list = $config->{'attr_match_list'};
-+
-+ my @attrs;
-+ foreach my $attr_match (@{$attr_match_list}) {
-+ push @attrs, $attr_map->{$attr_match}
-+ if exists $attr_map->{$attr_match} && $attr_map->{$attr_match};
-+ }
-+
-+ # loop over each of the attr_match_list members for the initial lookup
-+ foreach my $attr_match ( @{$attr_match_list} ) {
-+ unless ( exists $attr_map->{$attr_match} && $attr_map->{$attr_match} ) {
-+ $RT::Logger->debug( "You haven't specified an LDAP attribute to match the RT $attr_match attribute for this service ($service), so it's impossible look up the disabled status of this user ($username)" );
-+ next;
-+ }
-+
- # Construct the complex filter
-- $search_filter = Net::LDAP::Filter->new( '(&' .
-+ my $search_filter = Net::LDAP::Filter->new( '(&' .
- $filter .
- $d_filter .
- '(' .
-- $config->{'attr_map'}->{'Name'} .
-+ $attr_map->{$attr_match} .
- '=' .
- escape_filter_value($username) .
- '))'
- );
-- } else {
-- $RT::Logger->debug("You haven't specified an LDAP attribute to match the RT \"Name\" attribute for this service (",
-- $service,
-- "), so it's impossible look up the disabled status of this user (",
-- $username,
-- ") so I'm just going to assume the user is not disabled");
-- return 0;
--
-- }
-
-- my $ldap = _GetBoundLdapObj($config);
-- next unless $ldap;
--
-- # We only need the UID for confirmation now,
-- # the other information would waste time and bandwidth
-- my @attrs = ('uid');
-+ my $ldap = _GetBoundLdapObj($config);
-+ next unless $ldap;
-
-- $RT::Logger->debug( "LDAP Search === ",
-- "Base:",
-- $base,
-- "== Filter:",
-- ($search_filter ? $search_filter->as_string : ''),
-- "== Attrs:",
-- join(',',@attrs));
-+ $RT::Logger->debug( "LDAP Search === ",
-+ "Base:",
-+ $base,
-+ "== Filter:",
-+ ($search_filter ? $search_filter->as_string : ''),
-+ "== Attrs:",
-+ join(',',@attrs));
-
-- my $disabled_users = $ldap->search(base => $base,
-- filter => $search_filter,
-- attrs => \@attrs);
-- # If ANY results are returned,
-- # we are going to assume the user should be disabled
-- if ($disabled_users->count) {
-- undef $disabled_users;
-- return 1;
-- } else {
-- undef $disabled_users;
-- return 0;
-+ my $disabled_users = $ldap->search(base => $base,
-+ filter => $search_filter,
-+ attrs => \@attrs);
-+ # If ANY results are returned,
-+ # we are going to assume the user should be disabled
-+ if ($disabled_users->count) {
-+ return 1;
-+ } else {
-+ next;
-+ }
- }
-+
-+ return 0;
- }
- # {{{ sub _GetBoundLdapObj
-

2: 0d25844552 = 2: f0a107b699 Add test for LDAP attr search and match

_______________________________________________
rt-commit mailing list
rt-commit@lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-commit
rt branch, 4.4/add-ldap-email-authentication, repushed [ In reply to ]
The branch 4.4/add-ldap-email-authentication was deleted and repushed:
was f0a107b699e5f9eaf1abe87a9ace08cbe71655a0
now 64f64c1521c0abddf5bc88cc6a195d9654dc9fcc

1: ed3ec68cfc ! 1: 57b60e5c77 Add LDAP email authentication
@@ -41,18 +41,18 @@
$session->{'CurrentUser'} = RT::CurrentUser->new();
- $session->{'CurrentUser'}->Load($username);
+
-+ if ( ref $exists && defined $exists->{'EmailAddress'} && $exists->{'EmailAddress'} eq $username ) {
-+ $session->{'CurrentUser'}->LoadByEmail($username);
-+ }
-+ else {
-+ $session->{'CurrentUser'}->Load($username);
-+ }
-+
-+ # If LDAP search found the user, and Name was returned, ensure $username is set to Name.
-+ # We want to try and ensure the autocreated user below has Name as name and not EmailAddress.
-+ if ( ref $exists && $exists->{'Name'} ) {
-+ $username = $exists->{'Name'};
-+ }
++ # If a user was found during the LDAP search in UserExists, we need to ensure
++ # $username is Name instead of EmailAddress, if the user used that to auth.
++ if ( ref $exists eq 'RT::User' ) {
++ $username = $exists->Name;
++ }
++ # This check is strange, but we need to also allow for other ExternalAuth types to return 1
++ # for UserExists, while still checking for a valid username from LDAP.
++ elsif ( $exists !~ /^1$/ ) {
++ $username = $exists;
++ }
++
++ $session->{CurrentUser}->Load($username);

# Unless we have loaded a valid user with a UserID create one.
unless ($session->{'CurrentUser'}->Id) {
@@ -68,7 +68,7 @@
+
+ foreach my $attr_match (@{$attr_match_list}) {
+ push @attrs, $attr_map->{$attr_match}
-+ if exists $attr_map->{$attr_match} && defined $attr_map->{$attr_match};
++ if defined $attr_map->{$attr_match};
+ }

# Make sure we fetch the user attribute we'll need for the group check
@@ -88,7 +88,7 @@
+ # loop over each of the attr_match_list members for LDAP search
+ my $ldap_msg;
+ foreach my $attr_match ( @{$attr_match_list} ) {
-+ unless ( exists $attr_map->{$attr_match} && defined $attr_map->{$attr_match} ) {
++ unless ( defined $attr_map->{$attr_match} ) {
+ $RT::Logger->error( "Invalid LDAP mapping for $attr_match, no defined fields in attr_map" );
+ next;
+ }
@@ -223,22 +223,18 @@
+ my @attrs;
+ foreach my $attr_match (@{$attr_match_list}) {
+ push @attrs, $attr_map->{$attr_match}
-+ if exists $attr_map->{$attr_match} && defined $attr_map->{$attr_match};
++ if defined $attr_map->{$attr_match};
}

- my $ldap = _GetBoundLdapObj($config);
- return unless $ldap;
+ # Ensure we try to get back a Name value from LDAP on the initial LDAP search.
-+ my $name_attr;
-+ if ( defined $attr_map->{'Name'} ) {
-+ push @attrs, $attr_map->{'Name'};
-+ $name_attr = $attr_map->{'Name'};
-+ }
++ push @attrs, $attr_map->{'Name'};

- my @attrs = values(%{$config->{'attr_map'}});
+ # loop over each of the attr_match_list members for the initial lookup
+ foreach my $attr_match ( @{$attr_match_list} ) {
-+ unless ( exists $attr_map->{$attr_match} && defined $attr_map->{$attr_match} ) {
++ unless ( defined $attr_map->{$attr_match} ) {
+ $RT::Logger->error( "Invalid LDAP mapping for $attr_match, no defined fields in attr_map" );
+ next;
+ }
@@ -325,16 +321,21 @@
+ next;
+ }
+ else {
-+ # User was found
-+ my $match = {
-+ $attr_match => $username,
-+ };
-+
-+ if ( $attr_match ne 'Name' && $name_attr ) {
++ # User was found in LDAP
++ my $match = RT::User->new($RT::SystemUser);
++ if ( $attr_match eq 'EmailAddress' ) {
++ $match->LoadByEmail($username);
++ }
++ else {
++ $match->Load($username);
++ }
++
++ # If the user doesn't exist in RT, return the Name value we got from LDAP
++ # incase we need to create the user in RT.
++ unless ( $match->Id ) {
+ my $ldap_entry = $user_found->first_entry;
-+ my $name_value = $ldap_entry->get_value($name_attr);
-+
-+ $match->{'Name'} = $name_value;
++ my $name_value = $ldap_entry->get_value($attr_map->{'Name'});
++ $match = $name_value;
+ }
+
+ return $match;
2: f0a107b699 = 2: 64f64c1521 Add test for LDAP attr search and match

_______________________________________________
rt-commit mailing list
rt-commit@lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-commit
rt branch, 4.4/add-ldap-email-authentication, repushed [ In reply to ]
The branch 4.4/add-ldap-email-authentication was deleted and repushed:
was 64f64c1521c0abddf5bc88cc6a195d9654dc9fcc
now e4e26e8a031f33262dee929b2ad5cde7166750b1

1: 57b60e5c77 = 1: 57b60e5c77 Add LDAP email authentication
2: 64f64c1521 ! 2: 64f64c1521 Add test for LDAP attr search and match
@@ -105,3 +105,4 @@
+$ldap->unbind();
+
+done_testing;
+
-: ------- > 3: e4e26e8a03 Add test for user autocreation with LDAP attr

_______________________________________________
rt-commit mailing list
rt-commit@lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-commit
rt branch, 4.4/add-ldap-email-authentication, repushed [ In reply to ]
The branch 4.4/add-ldap-email-authentication was deleted and repushed:
was e4e26e8a031f33262dee929b2ad5cde7166750b1
now 6d978cb6f30325dd961bd5bd9c3a95f37d0f8d2e

1: 57b60e5c77 ! 1: 909b322ee4 Add LDAP email authentication
@@ -17,10 +17,18 @@
--- a/lib/RT/Authen/ExternalAuth.pm
+++ b/lib/RT/Authen/ExternalAuth.pm
@@
+ return (0, "User already logged in!") if ($session->{'CurrentUser'} && $session->{'CurrentUser'}->Id);
+
+ # For each of those services..
++ my ( $matched_field, $matched_username );
+ foreach my $service (@auth_services) {
+
+ # Get the full configuration for that service as a hashref
+@@
# safely bypass the password checking later on; primarily because
# it's VERY unlikely we even have a password to check if an SSO succeeded.
my $pass_bypass = 0;
-+ my $exists;
++ my $field;
if(defined($username)) {
$RT::Logger->debug("Pass not going to be checked, attempting SSO");
$pass_bypass = 1;
@@ -29,9 +37,9 @@

$RT::Logger->debug("Calling UserExists with \$username ($username) and \$service ($service)");
- next unless RT::Authen::ExternalAuth::UserExists($username, $service);
-+ $exists = RT::Authen::ExternalAuth::UserExists($username, $service) or next;
-+
-+ # TODO: we should last here if UserExists was a success
++ $field = RT::Authen::ExternalAuth::UserExists( $username, $service ) or next;
++ # 1 means no field info, which will fall back to Name
++ undef $field if $field && $field eq '1';
}

####################################################################
@@ -40,22 +48,83 @@
# Does user already exist internally to RT?
$session->{'CurrentUser'} = RT::CurrentUser->new();
- $session->{'CurrentUser'}->Load($username);
-+
-+ # If a user was found during the LDAP search in UserExists, we need to ensure
-+ # $username is Name instead of EmailAddress, if the user used that to auth.
-+ if ( ref $exists eq 'RT::User' ) {
-+ $username = $exists->Name;
-+ }
-+ # This check is strange, but we need to also allow for other ExternalAuth types to return 1
-+ # for UserExists, while still checking for a valid username from LDAP.
-+ elsif ( $exists !~ /^1$/ ) {
-+ $username = $exists;
-+ }
-+
-+ $session->{CurrentUser}->Load($username);
++ $session->{CurrentUser}->LoadByCols( $field || 'Name', $username );

# Unless we have loaded a valid user with a UserID create one.
unless ($session->{'CurrentUser'}->Id) {
+ my $UserObj = RT::User->new($RT::SystemUser);
+ my $create = RT->Config->Get('UserAutocreateDefaultsOnLogin')
+ || RT->Config->Get('AutoCreate');
+- my ($val, $msg) =
+- $UserObj->Create(%{ref($create) ? $create : {}},
+- Name => $username,
+- Gecos => $username,
+- );
++
++ my ( $val, $msg ) = $UserObj->Create( %{ ref($create) ? $create : {} },
++ $field ? ( $field => $username ) : ( 'Name' => $username, Gecos => $username, ) );
+ unless ($val) {
+ $RT::Logger->error( "Couldn't create user $username: $msg" );
+ next;
+@@
+ $RT::Logger->debug("Loading new user (",
+ $username,
+ ") into current session");
+- $session->{'CurrentUser'}->Load($username);
++ $session->{'CurrentUser'}->Load($UserObj->Id);
+ }
+
+ ####################################################################
+@@
+
+ # If the password check succeeded then this is our authoritative service
+ # and we proceed to user information update and login.
+- last if $success;
++ if ( $success ) {
++ $matched_field = $field if $field;
++ $matched_username = $username;
++ last;
++ }
+ }
+
+ # If we got here and don't have a user loaded we must have failed to
+@@
+ if ( @{ RT->Config->Get('ExternalInfoPriority') } ) {
+ # Note that UpdateUserInfo does not care how we authenticated the user
+ # It will look up user info from whatever is specified in $RT::ExternalInfoPriority
+- ($info_updated,$info_updated_msg) = RT::Authen::ExternalAuth::UpdateUserInfo($session->{'CurrentUser'}->Name);
++ ($info_updated,$info_updated_msg) = RT::Authen::ExternalAuth::UpdateUserInfo($matched_username, $matched_field || 'Name');
+ }
+
+ # Now that we definitely have up-to-date user information,
+@@
+ }
+
+ sub UpdateUserInfo {
+- my $username = shift;
++ my $username = shift;
++ my $field = shift || 'Name';
+
+ # Prepare for the worst...
+ my $found = 0;
+@@
+ my $user_disabled = RT::Authen::ExternalAuth::UserDisabled($username);
+
+ my $UserObj = RT::User->new(RT->SystemUser);
+- $UserObj->Load($username);
++ $UserObj->LoadByCols($field => $username);
+
+ # If user is disabled, set the RT::Principal to disabled and return out of the function.
+ # I think it's a waste of time and energy to update a user's information if they are disabled
+@@
+ # Update their info from external service using the username as the lookup key
+ # CanonicalizeUserInfo will work out for itself which service to use
+ # Passing it a service instead could break other RT code
+- my %args = (Name => $username);
++ my %args = ($field => $username);
+ $UserObj->CanonicalizeUserInfo(\%args);
+
+ # For each piece of information returned by CanonicalizeUserInfo,

diff --git a/lib/RT/Authen/ExternalAuth/LDAP.pm b/lib/RT/Authen/ExternalAuth/LDAP.pm
--- a/lib/RT/Authen/ExternalAuth/LDAP.pm
@@ -65,11 +134,6 @@
my $attr_map = $config->{'attr_map'};
my @attrs = ('dn');
+ my $attr_match_list = $config->{'attr_match_list'};
-+
-+ foreach my $attr_match (@{$attr_match_list}) {
-+ push @attrs, $attr_map->{$attr_match}
-+ if defined $attr_map->{$attr_match};
-+ }

# Make sure we fetch the user attribute we'll need for the group check
push @attrs, $group_attr_val
@@ -117,7 +181,7 @@
+ "Base:",
+ $base,
+ "== Filter:",
-+ ($search_filter ? $search_filter->as_string : ''),
++ $search_filter->as_string,
+ "== Attrs:",
+ join(',',@attrs) );
+
@@ -226,10 +290,11 @@
+ if defined $attr_map->{$attr_match};
}

-- my $ldap = _GetBoundLdapObj($config);
-- return unless $ldap;
+ # Ensure we try to get back a Name value from LDAP on the initial LDAP search.
+ push @attrs, $attr_map->{'Name'};
++
+ my $ldap = _GetBoundLdapObj($config);
+ return unless $ldap;

- my @attrs = values(%{$config->{'attr_map'}});
+ # loop over each of the attr_match_list members for the initial lookup
@@ -256,29 +321,7 @@
+ escape_filter_value($username) .
+ '))'
+ );
-
-- my $user_found = $ldap->search( base => $base,
-- filter => $filter,
-- attrs => \@attrs);
-+ my $ldap = _GetBoundLdapObj($config);
-+ return unless $ldap;
-
-- if($user_found->count < 1) {
-- # If 0 or negative integer, no user found or major failure
-- $RT::Logger->debug( "User Check Failed :: (",
-- $service,
-- ")",
-- $username,
-- "User not found");
-- return 0;
-- } elsif ($user_found->count > 1) {
-- # If more than one result returned, die because we the username field should be unique!
-- $RT::Logger->debug( "User Check Failed :: (",
-- $service,
-- ")",
-- $username,
-- "More than one user with that username!");
-- return 0;
++
+ # Check that the user exists in the LDAP service
+ $RT::Logger->debug( "LDAP Search === ",
+ "Base:",
@@ -287,11 +330,30 @@
+ ($search_filter ? $search_filter->as_string : ''),
+ "== Attrs:",
+ join(',',@attrs) );
-+
+
+- my $user_found = $ldap->search( base => $base,
+- filter => $filter,
+- attrs => \@attrs);
+ my $user_found = $ldap->search( base => $base,
+ filter => $search_filter,
+ attrs => \@attrs );
-+
+
+- if($user_found->count < 1) {
+- # If 0 or negative integer, no user found or major failure
+- $RT::Logger->debug( "User Check Failed :: (",
+- $service,
+- ")",
+- $username,
+- "User not found");
+- return 0;
+- } elsif ($user_found->count > 1) {
+- # If more than one result returned, die because we the username field should be unique!
+- $RT::Logger->debug( "User Check Failed :: (",
+- $service,
+- ")",
+- $username,
+- "More than one user with that username!");
+- return 0;
+ unless ( $user_found->code == LDAP_SUCCESS || $user_found->code == LDAP_PARTIAL_RESULTS ) {
+ $RT::Logger->debug( "search for",
+ $filter->as_string,
@@ -322,23 +384,7 @@
+ }
+ else {
+ # User was found in LDAP
-+ my $match = RT::User->new($RT::SystemUser);
-+ if ( $attr_match eq 'EmailAddress' ) {
-+ $match->LoadByEmail($username);
-+ }
-+ else {
-+ $match->Load($username);
-+ }
-+
-+ # If the user doesn't exist in RT, return the Name value we got from LDAP
-+ # incase we need to create the user in RT.
-+ unless ( $match->Id ) {
-+ my $ldap_entry = $user_found->first_entry;
-+ my $name_value = $ldap_entry->get_value($attr_map->{'Name'});
-+ $match = $name_value;
-+ }
-+
-+ return $match;
++ return $attr_match;
+ }
}
- undef $user_found;
@@ -351,4 +397,95 @@
}

sub UserDisabled {
+@@
+ return 0;
+ }
+
+- if (defined($config->{'attr_map'}->{'Name'})) {
+- # Construct the complex filter
+- $search_filter = Net::LDAP::Filter->new( '(&' .
+- $filter .
+- $d_filter .
+- '(' .
+- $config->{'attr_map'}->{'Name'} .
+- '=' .
+- escape_filter_value($username) .
+- '))'
+- );
+- } else {
+- $RT::Logger->debug("You haven't specified an LDAP attribute to match the RT \"Name\" attribute for this service (",
+- $service,
+- "), so it's impossible look up the disabled status of this user (",
+- $username,
+- ") so I'm just going to assume the user is not disabled");
+- return 0;
+-
+- }
+-
+ my $ldap = _GetBoundLdapObj($config);
+- next unless $ldap;
++ return unless $ldap;
+
+- # We only need the UID for confirmation now,
+- # the other information would waste time and bandwidth
+- my @attrs = ('uid');
++ my $attr_map = $config->{'attr_map'};
++ my $attr_match_list = $config->{'attr_match_list'};
++ my @attrs = 'uid';
+
+- $RT::Logger->debug( "LDAP Search === ",
+- "Base:",
+- $base,
+- "== Filter:",
+- ($search_filter ? $search_filter->as_string : ''),
+- "== Attrs:",
+- join(',',@attrs));
++ foreach my $attr_match ( @{$attr_match_list} ) {
++ unless ( defined $attr_map->{$attr_match} ) {
++ $RT::Logger->error("Invalid LDAP mapping for $attr_match, no defined fields in attr_map");
++ next;
++ }
+
+- my $disabled_users = $ldap->search(base => $base,
+- filter => $search_filter,
+- attrs => \@attrs);
+- # If ANY results are returned,
+- # we are going to assume the user should be disabled
+- if ($disabled_users->count) {
+- undef $disabled_users;
+- return 1;
+- } else {
+- undef $disabled_users;
+- return 0;
++ my $search_filter = Net::LDAP::Filter->new(
++ '(&' . $filter . $d_filter . '(' . $attr_map->{$attr_match} . '=' . escape_filter_value($username) . '))' );
++
++ # Check that the user exists in the LDAP service
++ $RT::Logger->debug(
++ "LDAP Search === ",
++ "Base:", $base, "== Filter:", ( $search_filter ? $search_filter->as_string : '' ),
++ "== Attrs:", join( ',', @attrs )
++ );
++
++ my $disabled_users = $ldap->search(
++ base => $base,
++ filter => $search_filter,
++ attrs => \@attrs
++ );
++
++ # If ANY results are returned,
++ # we are going to assume the user should be disabled
++ if ( $disabled_users->count ) {
++ undef $disabled_users;
++ return 1;
++ }
++ else {
++ undef $disabled_users;
++ return 0;
++ }
+ }
++ return 0;
+ }
+ # {{{ sub _GetBoundLdapObj
+

2: 64f64c1521 < -: ------- Add test for LDAP attr search and match
3: e4e26e8a03 < -: ------- Add test for user autocreation with LDAP attr
-: ------- > 2: 6d978cb6f3 Add tests for user email login

_______________________________________________
rt-commit mailing list
rt-commit@lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-commit
rt branch, 4.4/add-ldap-email-authentication, repushed [ In reply to ]
The branch 4.4/add-ldap-email-authentication was deleted and repushed:
was 6d978cb6f30325dd961bd5bd9c3a95f37d0f8d2e
now d2a595fcdb58713e0596e89317e4fe11b3b4b632

1: 909b322ee4 ! 1: 63c81c99b9 Add LDAP email authentication
@@ -398,94 +398,37 @@

sub UserDisabled {
@@
+ my ($username,$service) = @_;
+
+ # FIRST, check that the user exists in the LDAP service
+- unless(UserExists($username,$service)) {
++ my $field = UserExists( $username, $service );
++
++ unless($field) {
+ $RT::Logger->debug("User (",$username,") doesn't exist! - Assuming not disabled for the purposes of disable checking");
return 0;
}
+@@
+ return 0;
+ }

- if (defined($config->{'attr_map'}->{'Name'})) {
-- # Construct the complex filter
-- $search_filter = Net::LDAP::Filter->new( '(&' .
-- $filter .
-- $d_filter .
-- '(' .
++ if (defined($config->{'attr_map'}->{$field})) {
+ # Construct the complex filter
+ $search_filter = Net::LDAP::Filter->new( '(&' .
+ $filter .
+ $d_filter .
+ '(' .
- $config->{'attr_map'}->{'Name'} .
-- '=' .
-- escape_filter_value($username) .
-- '))'
-- );
-- } else {
++ $config->{'attr_map'}->{$field} .
+ '=' .
+ escape_filter_value($username) .
+ '))'
+ );
+ } else {
- $RT::Logger->debug("You haven't specified an LDAP attribute to match the RT \"Name\" attribute for this service (",
-- $service,
-- "), so it's impossible look up the disabled status of this user (",
-- $username,
-- ") so I'm just going to assume the user is not disabled");
-- return 0;
--
-- }
--
- my $ldap = _GetBoundLdapObj($config);
-- next unless $ldap;
-+ return unless $ldap;
-
-- # We only need the UID for confirmation now,
-- # the other information would waste time and bandwidth
-- my @attrs = ('uid');
-+ my $attr_map = $config->{'attr_map'};
-+ my $attr_match_list = $config->{'attr_match_list'};
-+ my @attrs = 'uid';
-
-- $RT::Logger->debug( "LDAP Search === ",
-- "Base:",
-- $base,
-- "== Filter:",
-- ($search_filter ? $search_filter->as_string : ''),
-- "== Attrs:",
-- join(',',@attrs));
-+ foreach my $attr_match ( @{$attr_match_list} ) {
-+ unless ( defined $attr_map->{$attr_match} ) {
-+ $RT::Logger->error("Invalid LDAP mapping for $attr_match, no defined fields in attr_map");
-+ next;
-+ }
-
-- my $disabled_users = $ldap->search(base => $base,
-- filter => $search_filter,
-- attrs => \@attrs);
-- # If ANY results are returned,
-- # we are going to assume the user should be disabled
-- if ($disabled_users->count) {
-- undef $disabled_users;
-- return 1;
-- } else {
-- undef $disabled_users;
-- return 0;
-+ my $search_filter = Net::LDAP::Filter->new(
-+ '(&' . $filter . $d_filter . '(' . $attr_map->{$attr_match} . '=' . escape_filter_value($username) . '))' );
-+
-+ # Check that the user exists in the LDAP service
-+ $RT::Logger->debug(
-+ "LDAP Search === ",
-+ "Base:", $base, "== Filter:", ( $search_filter ? $search_filter->as_string : '' ),
-+ "== Attrs:", join( ',', @attrs )
-+ );
-+
-+ my $disabled_users = $ldap->search(
-+ base => $base,
-+ filter => $search_filter,
-+ attrs => \@attrs
-+ );
-+
-+ # If ANY results are returned,
-+ # we are going to assume the user should be disabled
-+ if ( $disabled_users->count ) {
-+ undef $disabled_users;
-+ return 1;
-+ }
-+ else {
-+ undef $disabled_users;
-+ return 0;
-+ }
- }
-+ return 0;
- }
- # {{{ sub _GetBoundLdapObj
-
++ $RT::Logger->debug("You haven't specified an LDAP attribute to match the RT \"$field\" attribute for this service (",
+ $service,
+ "), so it's impossible look up the disabled status of this user (",
+ $username,

2: 6d978cb6f3 = 2: d2a595fcdb Add tests for user email login

_______________________________________________
rt-commit mailing list
rt-commit@lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-commit