On 7/7/15 4:50 PM, Yan Seiner wrote:
> But the way ExternalAuth is set up, I have to provide the ldap userid
> and password, which in our system would be a real user.
>
>              'user'                      =>  'rt_ldap_username',
>              'pass'                      =>  'rt_ldap_password',
>
> Is there any way to get ExternalAuth to use the credentials entered in
> the login to bind to the ldap server?

At user login ExternalAuth first finds the user with the credentials you mention above, and then attempts to bind with the login-provided credentials. A successful bind is how it knows that the user is authenticated. From the code:

my $ldap_entry = $ldap_msg->first_entry;
my $ldap_dn    = $ldap_entry->dn;

# THIS bind determines success or failure on the password.
$ldap_msg = $ldap->bind($ldap_dn, password => $password);

> But notice that I need to use either 'HPM\yans' for the user or the
> older '[email protected]' for the system to allow me to bind to the ldap
> server. The way we're set up, any user can bind to the server with
> valid credentials, but anonymous binds are not allowed.

For the former, you'd have to modify the extension to prefix the username it attempts to bind with. The subroutine is RT::Authen::ExternalAuth::LDAP::GetAuth. You could make a command line script to call this and debug it until you get it to return 1. Like jdg117 mentioned, you have to get Net::LDAP connecting to your LDAP and then figure out how to configure or modify the extension to get it to connect in the same way.

For the latter I think you can update the configuration to store the email address as the name so that it's used when the bind is attempted. You'd have to use the email address to log in to RT.

Perhaps make attr_match_list just 'EmailAddress' and then have in the attr_map:

                'Name' => 'mail', # instead of sAMAccountName
                'EmailAddress' => 'mail',

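The search-then-bind sequence described above, written as a stand-alone Net::LDAP script of the kind the reply suggests for debugging outside RT. This is an added example, not code from RT or RT::Authen::ExternalAuth; the server, base DN, filter and service credentials are placeholders, and the `domain` option (binding as `DOMAIN\user` instead of the found DN) is an assumption about how a prefixed bind could be tried.

```perl
#!/usr/bin/perl
# Added example: reproduce ExternalAuth's lookup bind followed by the
# user bind, so LDAP settings can be checked from the command line.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Placeholder settings (assumed; replace with your own).
my %cfg = (
    server    => 'ldaps://ldap.example.com',  # LDAPS: the user's password travels in the bind
    user      => 'rt_ldap_username',          # service account used only for the lookup
    pass      => 'rt_ldap_password',
    base      => 'DC=example,DC=com',
    filter    => '(objectClass=user)',
    name_attr => 'sAMAccountName',            # 'mail' if Name is mapped to the address
    domain    => '',                          # assumed option: 'DOMAIN' binds as DOMAIN\login
);

# Returns 1 when the login credentials authenticate, 0 otherwise.
sub check_login {
    my ($login, $password) = @_;
    # An empty password would turn the second bind into an anonymous/unauthenticated bind.
    return 0 if !defined($password) || $password eq '';

    my $ldap = Net::LDAP->new($cfg{server}) or die "connect failed: $@";

    # Step 1: bind as the service account and look the user up.
    my $msg = $ldap->bind($cfg{user}, password => $cfg{pass});
    die "service bind failed: " . $msg->error if $msg->code;

    my $safe = escape_filter_value($login);   # stop a login like 'a)(x=*' from rewriting the filter
    $msg = $ldap->search(
        base   => $cfg{base},
        filter => "(&$cfg{filter}($cfg{name_attr}=$safe))",
        attrs  => ['dn'],
    );
    die "search failed: " . $msg->error if $msg->code;
    my $entry = $msg->first_entry;
    if (!$entry) { $ldap->unbind; return 0 }  # unknown user: no second bind attempted

    # Step 2: this bind decides success or failure on the password.
    my $bind_as = $cfg{domain} ne '' ? "$cfg{domain}\\$login" : $entry->dn;
    $msg = $ldap->bind($bind_as, password => $password);
    my $ok = $msg->code ? 0 : 1;
    $ldap->unbind;
    return $ok;
}

my $login = shift @ARGV or die "usage: $0 LOGIN  (password is read from stdin)\n";
chomp(my $password = <STDIN> // '');   # read from stdin so it does not show up in ps
print check_login($login, $password) ? "authenticated\n" : "rejected\n";
```

Run it with the same values you put in the ExternalAuth config; once it prints "authenticated" for a known account, the extension's GetAuth should return 1 with the same settings.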