LdapAutocreateAuthCallback
This code is part of the LDAP integration overlay; you'll also need LdapSiteConfigSettings and LdapUserLocalOverlay.
Note: Previous versions included an HTML comment at the top of the callback; this breaks the rt command line tool, so it's been removed. If you're having issues with the rt command and getting an error that looks like this:
rt: Malformed RT response from [...]
... you should drop the HTML comment from the head of this file and try it again.
Put this in ${RTHOME}/local/html/Callbacks/LDAP/autohandler/Auth:
```perl
<%init>
# If the user is logging in, let's authenticate; if they can auth but don't load
# (e.g. they don't have an account but external auth succeeds), we'll autocreate
# their account.
unless ($session{'CurrentUser'}) {
    if (defined ($user) && defined ($pass) ) {
        $session{'CurrentUser'} = RT::CurrentUser->new();
        $session{'CurrentUser'}->Load($user);
        unless ($session{'CurrentUser'}->Id) {
            my $UserObj = RT::User->new($RT::SystemUser);
            my ($val, $msg) = $UserObj->SetName($user);
            if ($UserObj->IsPassword($pass)) {
                ### If there were a standard param to check for whether or not we
                ### should autocreate users, we'd check it here.
                my ($val, $msg) = $UserObj->Create(
                    %{ref($RT::AutoCreate) ? $RT::AutoCreate : {}},
                    Name  => $user,
                    Gecos => $user,
                );
                $RT::Logger->info("Autocreated authenticated user "
                    . $UserObj->Name . " (" . $UserObj->Id . ")\n");
            }
            $session{'CurrentUser'}->Load($user) if $UserObj->Id;
        }
    }
    if ($session{'CurrentUser'} && $session{'CurrentUser'}->Id) {
        $session{'CurrentUser'}->UserObj->UpdateFromLdap();
        if ($session{'CurrentUser'}->UserObj->Disabled) {
            delete $session{'CurrentUser'};
        }
    }
    # we don't want to leave unauthenticated sessions active do we?
    # thanks to Walter Duncan for sealing a gaping hole here.
    if ($session{'CurrentUser'} && $session{'CurrentUser'}->Id
        && $session{'CurrentUser'}->IsPassword($pass) ) {
        $RT::Logger->info("Successful login for $user from "
            . "$ENV{'REMOTE_ADDR'}");
    } else {
        delete $session{'CurrentUser'};
    }
}
return;
</%init>
<%ARGS>
$user => undef
$pass => undef
$menu => undef
</%ARGS>
```
For rt-3.4.5, I needed to split update & disable from actual login authorization. Otherwise we leave an active unauthenticated session lying around bypassing all authentication on existing local RT accounts. --wcd
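To make the point of that note concrete, here is an added, stand-alone Perl harness (not part of the callback above and not RT code) that replays the session-handling decision against a hypothetical in-memory user store. `MockUser` stands in for `RT::CurrentUser`/`RT::User` with the methods the callback actually calls (`Load`, `Id`, `Disabled`, `IsPassword`, `UserObj`); the accounts and passwords are constructed sample data, and the LDAP autocreate and `UpdateFromLdap` branches are left out since they do not affect the hole. `login_flawed` is a constructed illustration of the failure mode wcd describes (CurrentUser loaded, update/disable applied, then returned without a password check), and `login_fixed` mirrors the callback's final `IsPassword` gate.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for the RT user objects; constructed sample accounts.
package MockUser;
my %ACCOUNTS = (
    alice => { id => 1, password => 's3cret',  disabled => 0 },
    bob   => { id => 2, password => 'hunter2', disabled => 1 },
);
sub new  { my ($class) = @_; return bless { id => 0, name => undef }, $class; }
sub Load {
    my ($self, $name) = @_;
    if (my $acct = $ACCOUNTS{$name}) { $self->{id} = $acct->{id}; $self->{name} = $name; }
    return $self->{id};            # 0 when no local account exists
}
sub Id       { return $_[0]->{id}; }
sub UserObj  { return $_[0]; }
sub Disabled { my ($self) = @_; return $self->{id} ? $ACCOUNTS{$self->{name}}{disabled} : 0; }
sub IsPassword {
    my ($self, $pass) = @_;
    return 0 unless $self->{id};
    return (defined $pass && $pass eq $ACCOUNTS{$self->{name}}{password}) ? 1 : 0;
}

package main;
use Test::More tests => 5;

# Shared first half: load the CurrentUser for the supplied name, then drop
# disabled accounts. This is the "update & disable" step on its own.
sub load_and_check_disabled {
    my ($user, $pass) = @_;
    my %session;
    if (defined $user && defined $pass) {
        $session{CurrentUser} = MockUser->new;
        $session{CurrentUser}->Load($user);
    }
    if ($session{CurrentUser} && $session{CurrentUser}->Id) {
        delete $session{CurrentUser} if $session{CurrentUser}->UserObj->Disabled;
    }
    return \%session;
}

# Constructed illustration of the hole: returning here treats "account exists
# and is not disabled" as "logged in", so any password works for local users.
sub login_flawed {
    my ($user, $pass) = @_;
    my $session = load_and_check_disabled($user, $pass);
    return $session->{CurrentUser};
}

# Mirrors the callback: the session survives only if the password verifies.
sub login_fixed {
    my ($user, $pass) = @_;
    my $session = load_and_check_disabled($user, $pass);
    if ($session->{CurrentUser} && $session->{CurrentUser}->Id
        && $session->{CurrentUser}->IsPassword($pass)) {
        return $session->{CurrentUser};   # successful login
    }
    delete $session->{CurrentUser};       # never leave an unauthenticated session active
    return;
}

ok(  login_fixed('alice', 's3cret'),  'fixed: correct password yields a session');
ok( !login_fixed('alice', 'wrong'),   'fixed: wrong password leaves no session');
ok( !login_fixed('bob',   'hunter2'), 'fixed: disabled account is rejected');
ok( !login_fixed('nobody','x'),       'fixed: unknown user leaves no session');
ok(  login_flawed('alice','wrong'),   'flawed ordering: session granted without a valid password');
```

Run it with `perl` and the last test line shows the bypass directly: for an existing local account, the flawed ordering hands back a live session for a wrong password, which is exactly why the callback's final `IsPassword` branch deletes `$session{'CurrentUser'}` on every path that did not verify.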