LdapAutocreateAuthCallback

From Request Tracker Wiki
Revision as of 15:14, 6 April 2016 by Admin (talk | contribs) (4 revisions imported)

This code is part of the LDAP integration overlay; you'll also need LdapSiteConfigSettings and LdapUserLocalOverlay.

Note: Previous versions included an HTML comment at the top of the callback; this breaks the rt command line tool, so it's been removed. If you're having issues with the rt command and getting an error that looks like this:

rt: Malformed RT response from [...]

... you should drop the HTML comment from the head of this file and try it again.

Put this in ${RTHOME}/local/html/Callbacks/LDAP/autohandler/Auth:

<%init>

# If the user is logging in, let's authenticate; if they can auth but don't load
# (e.g. they don't have an account but external auth succeeds), we'll autocreate
# their account.
unless ($session{'CurrentUser'}) {
    if (defined ($user) && defined ($pass) ) {
        $session{'CurrentUser'} = RT::CurrentUser->new();
        $session{'CurrentUser'}->Load($user);

        unless ($session{'CurrentUser'}->Id) {
            my $UserObj = RT::User->new($RT::SystemUser);
            my ($val, $msg) = $UserObj->SetName($user);

            if ($UserObj->IsPassword($pass)) {
                ### If there were a standard param to check for whether or not we
                ### should autocreate users, we'd check it here.
                my ($val, $msg) =
                  $UserObj->Create(%{ref($RT::AutoCreate) ? $RT::AutoCreate : {}},
                                   Name   => $user,
                                   Gecos  => $user,
                                  );
                $RT::Logger->info("Autocreated authenticated user " . $UserObj->Name .
                                  " (" . $UserObj->Id . ")\n");
            }

            $session{'CurrentUser'}->Load($user) if $UserObj->Id;
        }
    }

    if ($session{'CurrentUser'} && $session{'CurrentUser'}->Id) {
        $session{'CurrentUser'}->UserObj->UpdateFromLdap();

        if ($session{'CurrentUser'}->UserObj->Disabled) {
            delete $session{'CurrentUser'};
        }
    }
    # we don't want to leave unauthenticated sessions active do we?
    # thanks to Walter Duncan for sealing a gaping hole here.
    if ($session{'CurrentUser'} &&
        $session{'CurrentUser'}->Id &&
        $session{'CurrentUser'}->IsPassword($pass)
        ) {
            $RT::Logger->info("Successful login for $user from " .
                              "$ENV{'REMOTE_ADDR'}");
    } else {
        delete $session{'CurrentUser'};
    }
}
return;
</%init>

<%ARGS>
$user => undef
$pass => undef
$menu => undef
</%ARGS>


For rt-3.4.5, I needed to split update & disable from actual login authorization. Otherwise we leave an active unauthenticated session lying around bypassing all authentication on existing local RT accounts. --wcd
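The following is an added stand-alone simulation of the decision logic in the callback above; it is not code from this wiki page or from Request Tracker. An in-memory hash stands in for the LDAP directory and another for RT's local user table, and the hypothetical accounts (alice, bob, carol) and passwords are constructed for the example. It walks the same branches the callback does (Load, autocreate, UpdateFromLdap/Disabled, and the final IsPassword gate) so you can see why the last check is the one that closes the hole wcd describes: a locally known user whose password fails still gets loaded, and only that final gate throws the session away.

```perl
#!/usr/bin/perl
# Added example (not RT code): simulate the Auth callback's session decisions
# against a constructed directory and local user table.
use strict;
use warnings;

# Constructed sample data; these accounts are hypothetical.
my %ldap = (
    alice => { password => 'alice-secret', disabled => 0 },
    bob   => { password => 'bob-secret',   disabled => 0 },
    carol => { password => 'carol-secret', disabled => 1 },
);
# Only alice already has a local RT account; bob and carol do not.
my %local   = ( alice => { id => 1, disabled => 0 } );
my $next_id = 2;

# Stands in for the overlay's IsPassword(): checks the directory, not RT.
sub ldap_password_ok {
    my ($u, $p) = @_;
    return exists $ldap{$u} && $ldap{$u}{password} eq $p;
}

# Mirrors the callback. Returns the id of the authenticated session, or
# nothing when the session is deleted. $log collects what RT would log.
sub authenticate {
    my ($user, $pass, $log) = @_;
    return unless defined $user && defined $pass;

    # RT::CurrentUser->Load($user): a known local user loads even before any
    # password has been checked.
    my $session = $local{$user};

    # Autocreate branch: not known locally, but the directory accepts the password.
    if (!$session && ldap_password_ok($user, $pass)) {
        $local{$user} = { id => $next_id++, disabled => 0 };
        $session = $local{$user};
        push @$log, "Autocreated authenticated user $user ($session->{id})";
    }

    # UpdateFromLdap() then Disabled check: sync the flag and drop disabled users.
    if ($session) {
        $session->{disabled} = $ldap{$user}{disabled} if exists $ldap{$user};
        undef $session if $session->{disabled};
    }

    # Final gate: a loaded session survives only if the password verifies.
    # Without this, "alice" with a wrong password would stay logged in.
    if ($session && ldap_password_ok($user, $pass)) {
        push @$log, "Successful login for $user";
        return $session->{id};
    }
    return;
}

my @log;
for my $attempt (
    ['alice', 'alice-secret'],   # known local user, good password  -> session kept
    ['alice', 'wrong'],          # known local user, bad password   -> no session
    ['bob',   'bob-secret'],     # unknown user, good password      -> autocreated, kept
    ['bob',   'wrong'],          # unknown user, bad password       -> no session
    ['carol', 'carol-secret'],   # disabled in directory            -> no session
) {
    my $id = authenticate(@$attempt, \@log);
    printf "%-6s %-13s => %s\n", $attempt->[0], $attempt->[1],
        defined $id ? "session kept (id $id)" : "no session";
}
print "log: $_\n" for @log;
```

One thing the walk-through makes visible: because Create runs before UpdateFromLdap, a directory account that is already disabled (carol) is still autocreated locally and only then disabled, which is the same ordering the real callback has. The local record therefore exists afterwards, even though no session was granted; if that is not what you want, check the directory's disabled flag before the Create call.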