
initial import of RT-Authen-ExternalAuth 0.01 from CPAN

git-cpan-module:   RT-Authen-ExternalAuth
git-cpan-version:  0.01
git-cpan-authorid: ZORDRAK
git-cpan-file:     authors/id/Z/ZO/ZORDRAK/RT-Authen-ExternalAuth-0.01.tar.gz
0 parents commit 9b8e351fa4f9f7bb14118cef257b5467fd07ecaa Mike Peachey committed with alexmv Mar 13, 2008
344 LICENSE
@@ -0,0 +1,18 @@
+etc/RT_SiteConfig.pm
+html/Callbacks/ExternalAuth/autohandler/Auth
+inc/Module/Install.pm
+inc/Module/Install/Base.pm
+inc/Module/Install/Can.pm
+inc/Module/Install/Fetch.pm
+inc/Module/Install/Makefile.pm
+inc/Module/Install/Metadata.pm
+inc/Module/Install/RTx.pm
+inc/Module/Install/Win32.pm
+inc/Module/Install/WriteAll.pm
+lib/RT/Authen/ExternalAuth.pm
+lib/RT/User_Vendor.pm
+LICENSE
+Makefile.PL
+MANIFEST This list of files
+META.yml
+README
@@ -0,0 +1,20 @@
+---
+abstract: RT Authen-ExternalAuth Extension
+author:
+ - 'Mike Peachey <zordrak@cpan.org>'
+distribution_type: module
+generated_by: Module::Install version 0.68
+license: GPL version 2
+meta-spec:
+ url: http://module-build.sourceforge.net/META-spec-v1.3.html
+ version: 1.3
+name: RT-Authen-ExternalAuth
+no_index:
+ directory:
+ - etc
+ - html
+ - inc
+ - t
+requires:
+ RT: 0
+version: 0.01
@@ -0,0 +1,12 @@
+use inc::Module::Install;
+
+RTx('RT-Authen-ExternalAuth');
+
+license('GPL version 2');
+author('Mike Peachey <zordrak@cpan.org>');
+
+all_from('lib/RT/Authen/ExternalAuth.pm');
+
+requires('RT');
+
+&WriteAll;
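Review bot: `&WriteAll;` on the last line uses the ampersand call form, which also hands the enclosing `@_` to the sub; the plain `WriteAll;` that Module::Install documents avoids that and reads as an ordinary call. The rest of the file is the standard Module::Install preamble and needs no change.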
55 README
@@ -0,0 +1,55 @@
+RT-Authen-ExternalAuth
+
+This module provides the ability to authenticate RT users
+against one or more external data sources at once. It will
+also allow information about that user to be loaded from
+the same, or any other available, source.
+
+The extension currently supports authentication and
+information from LDAP via the Net::LDAP module, and from
+any data source that an installed DBI driver is available
+for.
+
+It was originally designed and tested against:
+
+MySQL v4.1.21-standard
+MySQL v5.0.22
+Windows Active Directory v2003
+
+But it has been designed so that it should work with ANY
+LDAP service and ANY DBI-drivable database, based upon the
+configuration given in your $RTHOME/etc/RT_SiteConfig.pm
+
+INSTALLATION
+
+To install this module, run the following commands:
+
+ perl Makefile.PL
+ make
+ make install
+
+Once installed, you should view the file:
+
+ $RTHOME/local/etc/ExternalAuth/RT_SiteConfig.pm
+
+Then use the examples provided to prepare your own custom
+configuration which should reside in
+$RTHOME/etc/RT_SiteConfig.pm
+
+Alternatively, you may alter the provided examples directly
+and then include the extra directives by including the
+example file's path at the end of your RT_SiteConfig.pm
+
+AUTHOR
+ Mike Peachey
+ Jennic Ltd.
+ zordrak@cpan.org
+
+COPYRIGHT AND LICENCE
+
+Copyright (C) 2008, Jennic Ltd.
+
+This software is released under version 2 of the GNU
+General Public License. The license is distributed with
+this package in the LICENSE file found in the directory
+root.
@@ -0,0 +1,141 @@
+# The order in which the services defined in ExternalSettings
+# should be used to authenticate users. User is authenticated
+# if successfully confirmed by any service - no more services
+# are checked.
+Set($ExternalAuthPriority, [ 'My_LDAP',
+ 'My_MySQL'
+ ]
+);
+
+# The order in which the services defined in ExternalSettings
+# should be used to get information about users. This includes
+# RealName, Tel numbers etc, but also whether or not the user
+# should be considered disabled.
+# Once user info is found, no more services are checked.
+Set($ExternalInfoPriority, [ 'My_MySQL',
+ 'My_LDAP'
+ ]
+);
+
+# If this is set to true, then the relevant packages will
+# be loaded to use SSL/TLS connections. At the moment,
+# this just means "use Net::SSLeay;"
+Set($ExternalServiceUsesSSLorTLS, 0);
+
+# If this is set to 1, then users should be autocreated by RT
+# as internal users if they fail to authenticate from an
+# external service.
+Set($AutoCreateNonExternalUsers, 0);
+
+# These are the full settings for each external service as a HashOfHashes
+# Note that you may have as many external services as you wish. They will
+# be checked in the order specified in the Priority directives above.
+# e.g.
+# Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
+#
+Set($ExternalSettings, { # AN EXAMPLE DB SERVICE
+ 'My_MySQL' => { ## GENERIC SECTION
+ # The type of service (db/ldap)
+ 'type' => 'db',
+ # Should the service be used for authentication?
+ 'auth' => 1,
+ # Should the service be used for information?
+ 'info' => 1,
+ # The server hosting the service
+ 'server' => 'server.domain.tld',
+ ## SERVICE-SPECIFIC SECTION
+ # The database name
+ 'database' => 'DB_NAME',
+ # The database table
+ 'table' => 'USERS_TABLE',
+ # The user to connect to the database as
+ 'user' => 'DB_USER',
+ # The password to use to connect with
+ 'pass' => 'DB_PASS',
+ # The port to use to connect with (e.g. 3306)
+ 'port' => 'DB_PORT',
+ # The name of the Perl DBI driver to use (e.g. mysql)
+ 'dbi_driver' => 'DBI_DRIVER',
+ # The field in the table that holds usernames
+ 'u_field' => 'username',
+ # The field in the table that holds passwords
+ 'p_field' => 'password',
+ # The Perl package & subroutine used to encrypt passwords
+ # e.g. if the passwords are stored using the MySQL v3.23 "PASSWORD"
+ # function, then you will need Crypt::MySQL::password, but for the
+ # MySQL4+ password function you will need Crypt::MySQL::password41
+ # Alternatively, you could use Crypt::MD5::md5_hex or any other
+ # encryption subroutine you can load in your perl installation
+ 'p_enc_pkg' => 'Crypt::MySQL',
+ 'p_enc_sub' => 'password',
+ # The field and values in the table that determines if a user should
+ # be disabled. For example, if the field is 'user_status' and the values
+ # are ['0','1','2','disabled'] then the user will be disabled if their
+ # user_status is set to '0','1','2' or the string 'disabled'.
+ # Otherwise, they will be considered enabled.
+ 'd_field' => 'userSupportAccess',
+ 'd_values' => ['0'],
+ ## RT ATTRIBUTE MATCHING SECTION
+ # The list of RT attributes that uniquely identify a user
+ 'attr_match_list' => [ 'Gecos',
+ 'Name'
+ ],
+ # The mapping of RT attributes on to field names
+ 'attr_map' => { 'Name' => 'username',
+ 'EmailAddress' => 'email',
+ 'ExternalAuthId' => 'username',
+ 'Gecos' => 'userID'
+ }
+ },
+ # AN EXAMPLE LDAP SERVICE
+ 'My_LDAP' => { ## GENERIC SECTION
+ # The type of service (db/ldap/cookie)
+ 'type' => 'ldap',
+ # Should the service be used for authentication?
+ 'auth' => 1,
+ # Should the service be used for information?
+ 'info' => 1,
+ # The server hosting the service
+ 'server' => 'server.domain.tld',
+ ## SERVICE-SPECIFIC SECTION
+ # The LDAP search base
+ 'base' => 'ou=Organisational Unit,dc=domain,dc=TLD',
+ # The filter to use to match RT-Users
+ 'filter' => '(FILTER_STRING)',
+ # The filter that will only match disabled users
+ 'd_filter' => '(FILTER_STRING)',
+ # Should we try to use TLS to encrypt connections?
+ 'tls' => 0,
+ # What other args should I pass to Net::LDAP->new($host,@args)?
+ 'net_ldap_args' => [ version => 3 ],
+ # Does authentication depend on group membership? What group name?
+ 'group' => 'GROUP_NAME',
+ # What is the attribute for the group object that determines membership?
+ 'group_attr' => 'GROUP_ATTR',
+ ## RT ATTRIBUTE MATCHING SECTION
+ # The list of RT attributes that uniquely identify a user
+ 'attr_match_list' => [ 'Name',
+ 'EmailAddress',
+ 'RealName',
+ 'WorkPhone',
+ 'Address2'
+ ],
+ # The mapping of RT attributes on to LDAP attributes
+ 'attr_map' => { 'Name' => 'sAMAccountName',
+ 'EmailAddress' => 'mail',
+ 'Organization' => 'physicalDeliveryOfficeName',
+ 'RealName' => 'cn',
+ 'ExternalAuthId' => 'sAMAccountName',
+ 'Gecos' => 'sAMAccountName',
+ 'WorkPhone' => 'telephoneNumber',
+ 'Address1' => 'streetAddress',
+ 'City' => 'l',
+ 'State' => 'st',
+ 'Zip' => 'postalCode',
+ 'Country' => 'co'
+ }
+ }
+ }
+);
+
+1;
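Review bot: The example in the comment `Set(ExternalAuthPriority,['My_LDAP','My_MySQL',...])` omits the `$` sigil that the live `Set($ExternalAuthPriority, ...)` call above uses, so copying it into a config would not set the variable; it should read `Set($ExternalAuthPriority, ['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);`. The LDAP example's comment says `(db/ldap/cookie)` while the DB example says `(db/ldap)` and the README names only LDAP and DBI sources, so `cookie` looks like a leftover and should either be documented as a supported type or dropped. Since `'pass' => 'DB_PASS'` keeps the database credential in clear text in this file and the LDAP example ships with `'tls' => 0`, a comment above the `pass` key such as `# This file holds credentials: make it readable only by the RT web-server user` and a note that `tls` should be enabled where the directory supports it would help administrators who start from this template.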
@@ -0,0 +1,109 @@
+<%init>
+
+# If the user is logging in, let's authenticate; if they can auth but don't load
+# (e.g. they don't have an account but external auth succeeds), we'll autocreate
+# their account.
+unless ($session{'CurrentUser'}) {
+
+ # Password has not been confirmed valid until we say so
+ my $password_validated;
+ # User has only been autocreated if we say so later on
+ # This is used to stop a pointless LookupExternalUserInfo
+ # called by LookupFromExternal later on since it's already
+ # called by RT::User::Create if the user was autocreated
+ my $user_autocreated = 0;
+
+ # If $user has been passed by login page,
+ # or any other custom code previous to this
+ if (defined ($user)) {
+ $session{'CurrentUser'} = RT::CurrentUser->new();
+ $session{'CurrentUser'}->Load($user);
+
+ # Unless we have loaded a valid user with a UserID
+ unless ($session{'CurrentUser'}->Id) {
+ # Start with a new SystemUser
+ my $UserObj = RT::User->new($RT::SystemUser);
+ # Set the user's name to the one we were given
+ my ($val, $msg) = $UserObj->SetName($user);
+
+ # If a password was given on the login page, validate it
+ if (defined($pass)) {
+ $password_validated = $UserObj->IsPassword($pass);
+ }
+
+ # If the password was validated successfully
+ # start the autocreation process to create the user
+ # permanently in RT
+ if ($password_validated) {
+ ### If there were a standard param to check for whether or not we
+ ### should autocreate authenticated users, we'd check it here.
+ my ($val, $msg) =
+ $UserObj->Create(%{ref($RT::AutoCreate) ? $RT::AutoCreate : {}},
+ Name => $user,
+ Gecos => $user,
+ );
+ $RT::Logger->info( "Autocreated authenticated user",
+ $UserObj->Name,
+ "(",
+ $UserObj->Id,
+ ")");
+ $user_autocreated = 1;
+ }
+
+ # If we autocreated a user, then load the user as the CurrentUser in $session
+ # To RT, this means we have a valid, authenticated user
+ $session{'CurrentUser'}->Load($user) if $UserObj->Id;
+ }
+ }
+
+ # If we now have a completely valid RT user to play with...
+ if ($session{'CurrentUser'} && $session{'CurrentUser'}->Id) {
+ unless($user_autocreated){
+ # If we definitely have an authenticated user and all is well,
+ # and we haven't JUST created the user, then update their
+ # information from external services before doing anything else
+ $session{'CurrentUser'}->UserObj->UpdateFromExternal();
+ }
+
+ # Now that we definitely have up-to-date user information,
+ # if the user is disabled, kick them out. Now!
+ if ($session{'CurrentUser'}->UserObj->Disabled) {
+ delete $session{'CurrentUser'};
+ }
+ }
+ # Original thank to Walter Duncan for these session deletes.
+
+ # If the user has already been authenticated successfully above
+ # then all is well, log the successful user auth
+ # Else, ensure the session dies.
+
+ # We will not check the password here, because this will be
+ # done by the autohandler this Callback is extending if
+ # we delete the session.
+
+ # If we have a full user and the session hasn't already been deleted
+ if ($session{'CurrentUser'} && $session{'CurrentUser'}->Id) {
+ if($password_validated) {
+
+ $RT::Logger->info( "Successful login for",
+ $user,
+ "from",
+ $ENV{'REMOTE_ADDR'});
+ # Do not delete the session. User stays logged in and
+ # autohandler will not check the password again
+ }
+ } else {
+ # Make SURE the session is deleted.
+ delete $session{'CurrentUser'};
+ # This will cause autohandler to request IsPassword
+ # which will in turn call IsExternalPassword
+ }
+}
+return;
+</%init>
+
+<%ARGS>
+$user => undef
+$pass => undef
+$menu => undef
+</%ARGS>
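Review bot: The return of `$UserObj->Create(...)` is captured into `my ($val, $msg)` and never examined, so the "Autocreated authenticated user" log line is emitted and `$user_autocreated` is set to 1 even when creation failed; only the guarded `Load($user) if $UserObj->Id` below notices. The same pattern leaves the `($val, $msg)` from `SetName` a few lines earlier unused and then shadowed. Branching on the result, as below, logs the failure with its message instead of a false success. Separately, when `$user` names an existing RT account, `$password_validated` stays undef and the final `if`/`else` neither logs nor deletes the session; the comments above it say the enclosing autohandler checks the password, which is outside this hunk, so a comment stating that the autohandler is expected to call `IsPassword` whenever this callback did not validate one is worth adding.
```perl
            my ($created, $create_msg) =
                $UserObj->Create(%{ref($RT::AutoCreate) ? $RT::AutoCreate : {}},
                                 Name  => $user,
                                 Gecos => $user,
                );
            if ($created) {
                $RT::Logger->info( "Autocreated authenticated user",
                                   $UserObj->Name, "(", $UserObj->Id, ")");
                $user_autocreated = 1;
            }
            else {
                # Id stays unset, so the CurrentUser load below is skipped
                $RT::Logger->error( "Autocreation failed for", $user, ":", $create_msg );
            }
            # … unchanged: CurrentUser load and the rest of the callback …
```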
