From Request Tracker Wiki

This code is part of the LDAP integration overlay; you'll also need LdapSiteConfigSettings and LdapUserLocalOverlay.

Note: Previous versions included an HTML comment at the top of the callback; this breaks the rt command line tool, so it's been removed. If you're having issues with the rt command and getting an error that looks like this:

rt: Malformed RT response from [...]

... you should drop the HTML comment from the head of this file and try it again.

Put this in ${RTHOME}/local/html/Callbacks/LDAP/autohandler/Auth:

<pre>
<%init>
# If the user is logging in, let's authenticate; if they can auth but don't load
# (e.g. they don't have an account but external auth succeeds), we'll autocreate
# their account.
unless ($session{'CurrentUser'}) {
    if (defined($user) && defined($pass)) {
        $session{'CurrentUser'} = RT::CurrentUser->new();
        $session{'CurrentUser'}->Load($user);

        unless ($session{'CurrentUser'}->Id) {
            # No local account yet: give a fresh RT::User the name so that the
            # LDAP-backed IsPassword from LdapUserLocalOverlay can check it.
            my $UserObj = RT::User->new($RT::SystemUser);
            my ($val, $msg) = $UserObj->SetName($user);
            if ($UserObj->IsPassword($pass)) {
                ### If there were a standard param to check for whether or not we
                ### should autocreate users, we'd check it here.
                ($val, $msg) = $UserObj->Create(
                    %{ ref($RT::AutoCreate) ? $RT::AutoCreate : {} },
                    Name  => $user,
                    Gecos => $user,
                );
                $RT::Logger->info("Autocreated authenticated user "
                    . $UserObj->Name . " (" . $UserObj->Id . ")\n");
            }
            # Only load the session user if the account now exists.
            $session{'CurrentUser'}->Load($user) if $UserObj->Id;
        }
    }

    # Refresh the local record from LDAP and drop the session if the
    # account is disabled.
    if ($session{'CurrentUser'} && $session{'CurrentUser'}->Id) {
        $session{'CurrentUser'}->UserObj->UpdateFromLdap();
        if ($session{'CurrentUser'}->UserObj->Disabled) {
            delete $session{'CurrentUser'};
        }
    }

    # we don't want to leave unauthenticated sessions active do we?
    # thanks to Walter Duncan for sealing a gaping hole here.
    if ($session{'CurrentUser'}
        && $session{'CurrentUser'}->Id
        && $session{'CurrentUser'}->IsPassword($pass)) {
        $RT::Logger->info("Successful login for $user from "
            . "$ENV{'REMOTE_ADDR'}");
    } else {
        delete $session{'CurrentUser'};
    }
}
return;
</%init>
<%ARGS>
$user => undef
$pass => undef
$menu => undef
</%ARGS>
</pre>

For rt-3.4.5, I needed to split update & disable from actual login authorization. Otherwise we leave an active unauthenticated session lying around bypassing all authentication on existing local RT accounts. --wcd
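The hole described above, modelled as an added example that is not code from this wiki page or from RT itself: a session is populated by Load() before the password has been verified, so if the verification step is skipped or fails without a cleanup, a later request sees a loaded user and treats it as logged in. FakeUser is a hypothetical stub standing in for RT::CurrentUser, and the account table is constructed sample data; the two login functions are illustrative orderings, not RT's own code.

```perl
#!/usr/bin/perl
# Added example (not from the RT wiki page or from RT): shows why the session
# must be deleted whenever the password check does not pass.
use strict;
use warnings;

package FakeUser;   # hypothetical stub for RT::CurrentUser / RT::User

# Constructed sample accounts: RT id, password, and RT's Disabled flag.
our %ACCOUNTS = (
    alice => { id => 12, pass => 'correct horse',  disabled => 0 },
    bob   => { id => 13, pass => 'battery staple', disabled => 1 },
);

sub new  { my ($class) = @_; return bless { id => undef, name => undef }, $class }
sub Load {                       # like RT::CurrentUser->Load: load by name
    my ($self, $name) = @_;
    my $rec = $ACCOUNTS{$name} or return 0;
    @{$self}{qw(id name)} = ($rec->{id}, $name);
    return 1;
}
sub Id       { $_[0]{id} }
sub Name     { $_[0]{name} }
sub Disabled { $ACCOUNTS{ $_[0]{name} }{disabled} }
sub IsPassword {                 # like the LDAP-backed IsPassword in the overlay
    my ($self, $pass) = @_;
    return 0 unless defined $self->{name} && defined $pass;
    return $ACCOUNTS{ $self->{name} }{pass} eq $pass ? 1 : 0;
}

package main;

# Unsafe ordering: Load() fills the session before the password is checked,
# and a failed check leaves the loaded user in place.
sub login_unsafe {
    my ($session, $user, $pass) = @_;
    return unless defined $user && defined $pass;
    $session->{CurrentUser} = FakeUser->new;
    $session->{CurrentUser}->Load($user);
    if ($session->{CurrentUser}->Id && $session->{CurrentUser}->IsPassword($pass)) {
        delete $session->{CurrentUser} if $session->{CurrentUser}->Disabled;
    }
    return;
}

# Ordering the page's callback ends with: the session survives only if the
# loaded user exists, is enabled and the password verifies; otherwise it is
# deleted, whatever happened earlier.
sub login_safe {
    my ($session, $user, $pass) = @_;
    return unless defined $user && defined $pass;
    $session->{CurrentUser} = FakeUser->new;
    $session->{CurrentUser}->Load($user);
    if ($session->{CurrentUser}->Id && $session->{CurrentUser}->Disabled) {
        delete $session->{CurrentUser};
    }
    if ($session->{CurrentUser}
        && $session->{CurrentUser}->Id
        && $session->{CurrentUser}->IsPassword($pass)) {
        return;                          # authenticated
    }
    delete $session->{CurrentUser};      # never leave a half-loaded user behind
    return;
}

# What a later request would see: the autohandler treats the session as
# logged in when $session{'CurrentUser'} is set and has an Id.
sub logged_in_as {
    my ($session) = @_;
    my $cu = $session->{CurrentUser};
    return ($cu && $cu->Id) ? $cu->Name : undef;
}

for my $try (['alice', 'correct horse'], ['alice', 'wrong'], ['bob', 'battery staple']) {
    my (%s1, %s2);
    login_unsafe(\%s1, @$try);
    login_safe(\%s2, @$try);
    printf "%-6s %-15s unsafe=%-6s safe=%s\n", @$try,
        logged_in_as(\%s1) // 'none', logged_in_as(\%s2) // 'none';
}
```

The second row of the output is the point: with a wrong password, login_unsafe leaves the session logged in as alice because nothing deleted the user Load() put there, while login_safe reports no session. The third row shows the disabled check alone is not enough either way; only the unconditional delete on the failure path closes the gap.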