Files changed (deletions, additions):
CHANGES  -0 +214
ChangeLog  -405 +0
MANIFEST  -2 +1
META.yml  -4 +3
Makefile.PL  -9 +2
README  -73 +210
SIGNATURE  -19 +17
etc/RT_SiteConfig.pm  -243 +0
lib/RT/Authen/ExternalAuth/LDAP.pm  -2 +1
lib/RT/Authen/ExternalAuth.pm  -76 +234
xt/ldap.t  -1 +0
xt/ldap_escaping.t  -1 +0
xt/ldap_group.t  -1 +0
xt/ldap_privileged.t  -1 +0
xt/sessions.t  -1 +0
xt/sqlite.t  -1 +0
16 files changed (This is a version diff)  -839 +682
@@ -0,0 +1,214 @@
+0.23 2014-08-14
+ - Packaging changes only
+
+0.22_01 2014-08-13
+ - Move main configuration documentation into RT::Authen::ExternalAuth
+ - Remove unnecessary $ExternalServiceUsesSSLorTLS option
+ - Prevent segfaults during server startup when using a LDAPS connection
+   under mod_perl + mod_ssl
+
+0.21 2014-07-01 Kevin Falcone
+ - Fix another bad attr_match_list example
+ - Better documentation about anonymous binds
+
+0.20 2014-04-09 Kevin Falcone
+ - Fix bad attr_match_list example in the synopsis
+
+0.19 2014-04-04 Kevin Falcone
+ - Fix a bug in the ExternalSettings doc example in RT_SiteConfig.pm
+
+0.18 2014-03-07 Kevin Falcone
+ - Remove docs that reference unmerged features (multiple emails)
+
+0.17 2013-07-10 Thomas Sibley
+ - Forbid using RT's internal Users table as an auth service
+
+0.16 2013-06-27 Thomas Sibley
+ - Add new p_check option to DBI authentication module
+
+0.15 2013-05-22 Thomas Sibley
+ - Minor documentation updates to add NAME sections for MetaCPAN
+
+0.14 2013-05-22 Thomas Sibley
+ - Prevent potential session reuse when Apache::Session::File is RT's
+   $WebSessionClass.  This is also resolved by RT versions 4.0.13 and
+   3.8.17 and by the May 2013 security patches.  Changes here are purely
+   for correctness/bulletproofing down the road.
+ - Moved much documentation from comments into POD; cleanups are still
+   needed, but this is a good start.
+
+0.13 2013-01-31 Thomas Sibley
+ - Cut down on code by using the core RT::Record->Update method
+
+0.12 2012-10-26 Thomas Sibley
+ - Redirect correctly after login on RT 4.0.8, 3.8.15, and the 2012-10-25
+   security patches
+ - Added "group_scope" as a configurable option.
+ - Tests: Add to LDAP the base DN under which we search for users/groups
+
+0.11 2012-07-03 Alex Vandiver
+ - Obfuscate passwords in RT's System Configuration page
+ - Set an empty CurrentUser on failure, instead of removing it entirely
+
+0.10_01 2012-02-23 Thomas Sibley
+ - Escape usernames in filter values so special characters don't die
+
+0.10 2012-02-17 Thomas Sibley
+ - Silence confusing log messages when $ExternalInfoPriority is empty
+
+0.09_03 2012-01-27 Thomas Sibley
+ - Fetch the necessary attributes when group_attr_value is used
+ - Test escaping of commas during the group check
+
+0.09_02 2012-01-26 Thomas Sibley
+ - Improved logging inside the LDAP group membership check
+
+0.09_01 2012-01-23 Thomas Sibley
+ - Improved logic when dealing with Disabled/disabling users
+ - Configurable group membership attribute values
+ - Group membership tests
+
+0.09 2011-05-06 Kevin Falcone
+ - compatibility fixes for 3.8.10 and 4.0.0
+ - author testsuite
+ - updated README
+
+0.08_01 2009-01-20 Mike Peachey <zordrak@cpan.org>
+ - DoAuth method created to inherit the work that used to be performed by
+   the Auth callback for autohandler.
+ - GetAuth reduced to an interface. Its purpose is now just to check what
+   type of service was passed and then call the GetAuth method from the
+   right package.
+ - Authentication now halts and returns with error if ExternalAuthPriority
+   is not set. This prevents a fairly useless compile error and logs an
+   explanation instead.
+ - Information lookup is now bypassed and logged if ExternalInfoPriority is
+   not set, preventing another useless compile error and replacing it with
+   an explanation.
+ - SSO Cookie authentication now available following the integration of
+   RT::Authen::CookieAuth. Methods updated to reflect the availability of
+   this service.
+ - File added to house the cookie grab. While SSO cookies are a function of
+   DBI authentication (at the moment at least) there is no need for DBI.pm
+   to use CGI::Cookie for this one purpose. With the future possibility of
+   futher cookie functions as well, I decided it deserved its own module.
+ - Changed an unless($base) to unless(defined($base)) to allow for the use
+   of a defined, but empty, baseDN so that an LDAP directory may be
+   searched from the root.
+ - CookieAuth settings have been merged into the ExternalAuth settings
+   hash. Example from CookieAuth has been merged in.
+ - 'auth' and 'info' settings have been deprecated and so have been removed
+   from the examples. The function they served has been replaced by the
+   ExternalAuthPriority and ExternalInfoPriority variables.
+ - The override for the IsPassword method has been deprecated and deleted.
+   It is no longer necessary to do password tests as a call to the User
+   object. The equivalent function is now provided by GetAuth in
+   ExternalAuth.pm and is called with an ExternalAuth service name,
+   username and password. Currently, this only needs to be called by DoAuth
+   in ExternalAuth.pm
+ - While RT::Authen::ExternalAuth used to be used to integrate internal RT
+   authentication with an external method as a single operation, this
+   causes a lack of modularity. Now ExternalAuth is only concerned with its
+   own authentication methods and if they fail then RT will decide to do
+   fallback to internal authentication on its own.
+ - Workaround for RT versions 3.8.0 and 3.8.1 removed.
+   RT::Authen::ExternalAuth v0.08 will be officially compatible only with
+   versions 3.8.2 and up.
+ - README: Updated to include basic information on SSO cookies.
+ - Makefile.PL: Updated to reflect the integration of
+   RT::Authen::CookieAuth.
+
+0.08 2009-01-24 Mike Peachey <zordrak@cpan.org>
+ - Added ssl_version to example LDAP config as it is used by the code, but
+   had not been demonstrated.
+ - s/Crypt::MD5::md5_hex/Digest::MD5::md5_hex/ in example DBI config.
+ - Added the ability to provide a static salt to the p_enc_sub however this
+   behavious may be reviewed in future releases to allow integration with
+   better encryption methods.
+ - s/userSupportAccess/disabled/ in example DBI config.
+ - Modified the log message regarding the RT-3.8.[01] plugin bug from error
+   level to debug level and modified the text of the message to be more
+   clear for RT-3.8.2+ users.
+
+0.07_02 2008-12-22 Kevin Falcone <falcone@cpan.org>
+ - Make the workaround needed for 3.8.1 work on 3.8.2
+
+0.07_01 2008-11-06 Mike Peachey <zordrak@cpan.org>, Kevin Falcone <falcone@cpan.org>
+ - Complete code refactoring and updates for RT-3.8.x compatability.
+
+0.06_03 2008-10-31 Mike Peachey <zordrak@cpan.org>, Kevin Falcone <falcone@cpan.org>
+ - Add fix to work around a plugin bug in RT-3.8.0 & RT-3.8.1 preventing
+   User_Vendor.pm overlay being required before RT::User is loaded.
+ - Check the return value from calling RT::User::Create.
+ - Check the return value when loading an autocreated user.
+ - README: Updated to talk about removing old files in local/.
+ - Added error-checking to complain if a an LDAP configuration is in use,
+   but no d_filter has been specified.
+
+0.06_02 2008-10-01 Kevin Falcone <falcone@cpan.org>
+ - ChangeLog: Updates to previous release.
+
+0.06_01 2008-10-17 Kevin Falcone <falcone@cpan.org>
+ - Add a patch to be compatible with 3.8
+ - Upgrade Module::Install::RTx to work better with RT-3.8.x
+
+0.06 2008-11-01 Mike Peachey <zordrak@cpan.org>
+ - A number of clarifications added to the example config comments such as
+   making clear the fact that a valid d_filter is required.
+
+0.05 2008-04-09 Mike Peachey <zordrak@cpan.org>
+ - Typo on line 962 of User_Vendor.pm: s/servicen/service/
+ - Deprecated $user_autocreated. It was being used to prevent a call to
+   RT::User::UpdateFromExternal in User_Vendor.pm because it was deemed an
+   unecessary expense to set the user's info and then look it up again
+   straight after. However, I have since realised that UpdateFromExternal
+   is the only code doing a check to see if the user has been disabled in
+   the external source and so bypassing it when users are created allows
+   new users to log in once even if they have not been "enabled". I will be
+   doing a small rewrite of this code in the future to abstract the
+   External disable-lookup code from UpdateFromExternal and perhaps remove
+   the function altogether, but for now everything will work fine.
+
+0.04 2008-04-03 Mike Peachey <zordrak@cpan.org>
+ - The example LDAP ExternalSettings configuration did not contain example
+   values for user and pass for RT's connection to an LDAP server. These
+   have now been added. Thanks to Andrew Fay <andrew.fay@hotmail.com> for
+   noticing this one.
+
+0.03 2008-03-31 Mike Peachey <zordrak@cpan.org>
+ - Bug found on lines 94-100 in Auth callback in autohandler.
+
+   The ELSE block starting on line 95 was assigned to the IF starting
+   on 85 instead of the IF block starting on line 86. This meant that
+   if the user entered at the login screen exists no password would
+   be checked.
+
+   It was doing this:
+
+   If session has current user who has an ID
+       If password has already been validated
+           SUCCESS
+       Else
+           Return to autohandler with valid session & implicit auth
+   Else delete session
+
+   This has now been corrected to this:
+
+   If session has current user who has an ID
+       If password has already been validated
+           SUCCESS
+       Else
+           Delete session
+   Else return to autohandler with whatever we had before the block
+
+0.02 2008-03-17 Mike Peachey <zordrak@cpan.org>
+ - Bug #1 found on line 446 of User_Vendor.pm; CanonicalizeUserInfo was
+   being called directly, instead of being called on the $self user object.
+   This was causing CanonicalizeUserInfo to shift the e-mail address it was
+   passed into the $self var instead of the $email var. It was therefore
+   returning a blank e-mail address regardless of the input.
+ - User_Vendor.pm: Header comments altered to reflect that the file is part
+   of the RT::Authen::ExternalAuth extension.
+
+0.01 2008-03-13 Mike Peachey <zordrak@cpan.org>
+ - Initial Release
@@ -1,405 +0,0 @@
-0.21 2014-07-01 Kevin Falcone
- - Fix another bad attr_match_list example
- - Better documentation about anonymous binds
-
-0.20 2014-04-09 Kevin Falcone
- - Fix bad attr_match_list example in the synopsis
-
-0.19 2014-04-04 Kevin Falcone
- - Fix a bug in the ExternalSettings doc example in RT_SiteConfig.pm
-
-0.18 2014-03-07 Kevin Falcone
- - Remove docs that reference unmerged features (multiple emails)
-
-0.17	2013-07-10	Thomas Sibley
-	* Forbid using RT's internal Users table as an auth service
-
-0.16	2013-06-27	Thomas Sibley
-	* Add new p_check option to DBI authentication module
-
-0.15	2013-05-22	Thomas Sibley
-	* Minor documentation updates to add NAME sections for MetaCPAN
-
-0.14	2013-05-22	Thomas Sibley
-	* Prevent potential session reuse when Apache::Session::File is RT's
-	  $WebSessionClass.  This is also resolved by RT versions 4.0.13 and
-	  3.8.17 and by the May 2013 security patches.  Changes here are purely
-	  for correctness/bulletproofing down the road.
-
-	* Moved much documentation from comments into POD; cleanups are still
-	  needed, but this is a good start.
-
-0.13	2013-01-31	Thomas Sibley
-	* Cut down on code by using the core RT::Record->Update method
-
-0.12	2012-10-26	Thomas Sibley
-	* Redirect correctly after login on RT 4.0.8, 3.8.15, and the 2012-10-25 security patches
-	* Added "group_scope" as a configurable option.
-	* Tests: Add to LDAP the base DN under which we search for users/groups
-
-0.11    2012-07-03  Alex Vandiver
-	* Obfuscate passwords in RT's System Configuration page
-	* Set an empty CurrentUser on failure, instead of removing it entirely
-
-0.10_01 2012-02-23  Thomas Sibley
-	* Escape usernames in filter values so special characters don't die
-
-0.10 2012-02-17  Thomas Sibley
-	* Silence confusing log messages when $ExternalInfoPriority is empty
-
-0.09_03 2012-01-27	Thomas Sibley
-	* Fetch the necessary attributes when group_attr_value is used
-	* Test escaping of commas during the group check
-
-0.09_02 2012-01-26	Thomas Sibley
-	* Improved logging inside the LDAP group membership check
-
-0.09_01 2012-01-23	Thomas Sibley
-	* Improved logic when dealing with Disabled/disabling users
-	* Configurable group membership attribute values
-	* Group membership tests
-
-0.09 2011-05-06 Kevin Falcone
-	* compatibility fixes for 3.8.10 and 4.0.0
-	* author testsuite
-	* updated README
-
-v0.08_01 2011-02-18 Kevin Falcone
-	* Testing prerelase for 0.09, since 0.09_01 never made it to CPAN
-	* Upgrade Module::Install
-	* Remove and then replace a requires('RT') since Module::Install::RTx now
-	  handles that
-	* Fix the features/recommends to work with modern MI
-	* Use CSS to hide password box for ExternalAuth users so they don't think
-	  they can change their password via RT
-	* Fix for 3.8.9/4.0.0 to work with new Login infrastructure
-
-
-NEVER RELEASED v0.09_01  2009-03-28    Mike Peachey <zordrak@cpan.org>
-
-    * Makefile.PL
-    
-        Removed RT requirement since most RT installs are not done
-        via CPAN and therefore CPAN installation fails dependency
-        checking.
-        
-    * ChangeLog
-    
-        Added entry for v0.09_01
-        
-        
-v0.08     2009-01-24    Mike Peachey <zordrak@cpan.org>
-
-    * lib/RT/Authen/ExternalAuth.pm
-
-        Version updated to 0.08
-
-    * ChangeLog
-
-        Added entry for v0.08
-
-    * etc/RT_SiteConfig.pm
-
-        Added ssl_version to example LDAP config as it is used by
-        the code, but had not been demonstrated.
-
-        s/Crypt::MD5::md5_hex/Digest::MD5::md5_hex/ in example DBI
-        config.
-
-        Added the ability to provide a static salt to the p_enc_sub
-        however this behavious may be reviewed in future releases
-        to allow integration with better encryption methods.
-
-        s/userSupportAccess/disabled/ in example DBI config.
-
-    * html/Callbacks/ExternalAuth/autohandler/Auth
-
-        Modified the log message regarding the RT-3.8.[01] plugin
-        bug from error level to debug level and modified the text
-        of the message to be more clear for RT-3.8.2+ users.
-
-
-v0.08_01  2009-01-20    Mike Peachey <zordrak@cpan.org>
-    
-    * ChangeLog
-        
-        Added entry for v0.08_01
-
-        Tabs-to-spaces conversion made where needed.
-
-    * lib/RT/Authen/ExternalAuth.pm
-        
-        Version updated to 0.08_01
-        
-        DoAuth method created to inherit the work that used to be
-        performed by the Auth callback for autohandler.
-
-        GetAuth reduced to an interface. Its purpose is now just to
-        check what type of service was passed and then call the
-        GetAuth method from the right package.
-
-        Authentication now halts and returns with error if
-        ExternalAuthPriority is not set. This prevents a fairly
-        useless compile error and logs an explanation instead.
-
-	Information lookup is now bypassed and logged if
-        ExternalInfoPriority is not set, preventing another useless
-        compile error and replacing it with an explanation.
-
-        SSO Cookie authentication now available following the
-        integration of RT::Authen::CookieAuth. Methods updated
-        to reflect the availability of this service.
-
-    * lib/RT/Authen/ExternalAuth/DBI/Cookie.pm
-
-        File added to house the cookie grab. While SSO cookies are
-        a function of DBI authentication (at the moment at least)
-        there is no need for DBI.pm to use CGI::Cookie for this one
-        purpose. With the future possibility of futher cookie
-        functions as well, I decided it deserved its own module.
-
-    * lib/RT/Authen/ExternalAuth/LDAP.pm
-
-        Changed an unless($base) to unless(defined($base)) to allow
-        for the use of a defined, but empty, baseDN so that an LDAP
-        directory may be searched from the root.
-
-    * etc/RT_SiteConfig.pm
-
-        CookieAuth settings have been merged into the ExternalAuth
-	settings hash. Example from CookieAuth has been merged in.
-
-        'auth' and 'info' settings have been deprecated and so have
-        been removed from the examples. The function they served has
-        been replaced by the ExternalAuthPriority and
-        ExternalInfoPriority variables.
-
-    * lib/RT/Authen/User_Vendor.pm
-
-        The override for the IsPassword method has been deprecated
-        and deleted. It is no longer necessary to do password tests
-        as a call to the User object. The equivalent function is
-        now provided by GetAuth in ExternalAuth.pm and is called
-        with an ExternalAuth service name, username and password.
-        Currently, this only needs to be called by DoAuth in
-        ExternalAuth.pm
-
-        While RT::Authen::ExternalAuth used to be used to integrate
-        internal RT authentication with an external method as a single
-        operation, this causes a lack of modularity. Now ExternalAuth
-        is only concerned with its own authentication methods and if
-        they fail then RT will decide to do fallback to internal
-        authentication on its own.
-
-    * html/Callbacks/ExternalAuth/autohandler/Auth
-
-        Workaround for RT versions 3.8.0 and 3.8.1 removed.
-        RT::Authen::ExternalAuth v0.08 will be officially compatible
-        only with versions 3.8.2 and up.
-
-        All functionality has been replaced by a call to ExternalAuth.pm's
-        DoAuth method. This is permitted by the passing of a reference to
-        the current session variable. DoAuth simply modifies that variable
-        as necessary to perform its function. Any data returned is purely
-        informational.
-
-    * README
-
-        Updated to include basic information on SSO cookies.
-
-    * Makefile.PL
-
-        Updated to reflect the integration of RT::Authen::CookieAuth.
-
-v0.07_02 2008-12-22    Kevin Falcone <falcone@cpan.org>
-
-    * html/Callbacks/ExternalAuth/autohandler/Auth
-
-        Make the workaround needed for 3.8.1 work on 3.8.2
-
-v0.07_01 2008-11-06    Mike Peachey <zordrak@cpan.org>
-                       Kevin Falcone <falcone@cpan.org>
-    
-    * ALL
-      
-        Complete code refactoring and updates for RT-3.8.x
-        compatability.
-
-v0.06    2008-11-01    Mike Peachey <zordrak@cpan.org>
-
-    * README
-
-        A few minor tweaks.
-
-    * lib/RT/Authen/ExternalAuth.pm
-
-        Version updated to 0.06 
-
-    * etc/RT_SiteConfig.pm
-
-        A number of clarifications added to the example config comments
-        such as making clear the fact that a valid d_filter is required.
-
-v0.06_03 2008-10-31    Mike Peachey <zordrak@cpan.org>
-                       Kevin Falcone <falcone@cpan.org>
-
-    * html/Callbacks/ExternalAuth/autohandler/Auth
-            
-        Add fix to work around a plugin bug in RT-3.8.0 & RT-3.8.1
-        preventing User_Vendor.pm overlay being required before
-        RT::User is loaded.
-        
-        Check the return value from calling RT::User::Create. 
-
-        Check the return value when loading an autocreated user.
-
-    * README
-            
-        Updated to talk about removing old files in local/.
-
-    * lib/RT/Authen/User_Vendor.pm
-
-        Added error-checking to complain if a an LDAP configuration is
-        in use, but no d_filter has been specified.
-
-    * lib/RT/Authen/ExternalAuth.pm
-
-        Version updated to 0.06_03.
-
-    * ChangeLog
-
-        General clean-up.
-
-
-v0.06_02 2008-10-01    Kevin Falcone <falcone@cpan.org>
-
-    * ChangeLog
-
-       Updates to previous release.
-
-    * lib/RT/Authen/ExternalAuth.pm
-
-        Version updated to 0.06_02.
-
-
-v0.06_01 2008-10-17    Kevin Falcone <falcone@cpan.org>
-
-    * lib/RT/Authen/User_Vendor.pm
-
-        Add a patch to be compatible with 3.8
-
-    * Upgrade Module::Install::RTx to work better with RT-3.8.x
-
-
-v0.05    2008-04-09    Mike Peachey <zordrak@cpan.org>
-
-    * lib/RT/Authen/User_Vendor.pm
-
-        Typo on line 962. s/servicen/service/
-
-    * html/Callbacks/ExternalAuth/autohandler/Auth
-
-        Deprecated $user_autocreated. It was being used to prevent a call
-        to RT::User::UpdateFromExternal in User_Vendor.pm because it was
-        deemed an unecessary expense to set the user's info and then look
-        it up again straight after. However, I have since realised that
-        UpdateFromExternal is the only code doing a check to see if the
-        user has been disabled in the external source and so bypassing
-        it when users are created allows new users to log in once even
-        if they have not been "enabled". 
-
-        I will be doing a small rewrite of this code in the future to
-        abstract the External disable-lookup code from UpdateFromExternal
-        and perhaps remove the function altogether, but for now everything
-        will work fine.
-
-    * ChangeLog
-
-        I did it again. I added a / on the front of the path to 
-        ExternalAuth.pm. What a plonker!
-
-    * lib/RT/Authen/ExternalAuth.pm
-
-        Version updated to 0.05
-
-
-v0.04    2008-04-03    Mike Peachey <zordrak@cpan.org>
-
-    * etc/RT_SiteConfig.pm
-        
-        The example LDAP ExternalSettings configuration did not contain
-        example values for user and pass for RT's connection to an LDAP
-        server. These have now been added.
-
-        Thanks to Andrew Fay <andrew.fay@hotmail.com> for noticing this one.
-
-    * ChangeLog
-
-        Removed a "/" from the start of the ExternalAuth.pm file line in 0.03
-
-    * lib/RT/Authen/ExternalAuth.pm
-
-        Version updated to 0.04
-
-
-v0.03    2008-03-31    Mike Peachey <zordrak@cpan.org>
-
-    * html/Callbacks/ExternalAuth/autohandler/Auth 
-
-        Bug found on lines 94-100.
-
-        The ELSE block starting on line 95 was assigned to the IF starting
-        on 85 instead of the IF block starting on line 86. This meant that
-        if the user entered at the login screen exists no password would
-        be checked.
-
-        It was doing this:
-
-        If session has current user who has an ID
-            If password has already been validated
-                SUCCESS
-            Else
-                Return to autohandler with valid session & implicit auth
-        Else delete session
-
-    
-        This has now been corrected to this:
-
-        If session has current user who has an ID
-            If password has already been validated
-                SUCCESS
-            Else
-                Delete session
-        Else return to autohandler with whatever we had before the block
-
-    * lib/RT/Authen/ExternalAuth.pm
-
-        Version updated to 0.03
-
-
-v0.02    2008-03-17    Mike Peachey <zordrak@cpan.org>
-
-    * lib/RT/User_Vendor.pm
-
-        Bug #1 found on line 446. 
-
-        CanonicalizeUserInfo was being called directly, instead of being 
-        called on the $self user object.
-        
-        This was causing CanonicalizeUserInfo to shift the e-mail address 
-        it was passed into the $self var instead of the $email var. It was
-        therefore returning a blank e-mail address regardless of the input.
-
-    * lib/RT/User_Vendor.pm
-
-        Header comments altered to reflect that the file is part of the
-        RT::Authen::ExternalAuth extension.
-
-    * /lib/RT/Authen/ExternalAuth.pm
-
-        Version updated to 0.02
-
-
-v0.01    2008-03-13    Mike Peachey <zordrak@cpan.org>
-
-    * Initial Release
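Review bot: Deleting ChangeLog loses history that the new CHANGES file does not carry: the "v0.08_01 2011-02-18 Kevin Falcone" entry (hiding the password box for ExternalAuth users, the 3.8.9/4.0.0 login infrastructure fix), the "NEVER RELEASED v0.09_01 2009-03-28" entry, and the paragraph under html/Callbacks/ExternalAuth/autohandler/Auth stating that the callback now delegates to DoAuth through a reference to the session. If these were dropped on purpose, say so in the 0.22_01 notes; otherwise add them to CHANGES before removing this file.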
@@ -1,5 +1,4 @@
-ChangeLog
-etc/RT_SiteConfig.pm
+CHANGES
 html/Callbacks/ExternalAuth/autohandler/Auth
 html/Callbacks/ExternalAuth/autohandler/Session
 html/Callbacks/ExternalAuth/Elements/Header/Head
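Review bot: etc/RT_SiteConfig.pm leaves the MANIFEST here, but the old README directed users to the installed copy under local/plugins/RT-Authen-ExternalAuth/etc/ and the UPGRADING list of files to remove does not mention it. If an earlier install left that example in place, it can still be read as current documentation, including the examples that 0.19 to 0.21 corrected. Consider adding it to the UPGRADING list or noting in CHANGES that the example file is gone.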
@@ -1,7 +1,7 @@
 ---
 abstract: 'RT Authentication using External Sources'
 author:
-  - 'Best Practical Solutions <modules@bestpractical.com>'
+  - 'Best Practical Solutions, LLC <modules@bestpractical.com>'
 build_requires:
   ExtUtils::MakeMaker: 6.59
 configure_requires:
@@ -16,7 +16,6 @@ meta-spec:
 name: RT-Authen-ExternalAuth
 no_index:
   directory:
-    - etc
     - html
     - inc
     - xt
@@ -34,6 +33,6 @@ requires:
 resources:
   license: http://opensource.org/licenses/gpl-license.php
   repository: https://github.com/bestpractical/rt-authen-externalauth
-version: '0.21'
+version: '0.23'
 x_module_install_rtx_version: 0.34_04
-x_requires_rt: 3.8.2
+x_requires_rt: 4.0.0
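Review bot: The x_requires_rt change from 3.8.2 to 4.0.0 raises the minimum supported RT version, yet neither the 0.22_01 nor the 0.23 entry in CHANGES mentions it, and 0.23 is described as "Packaging changes only". Add an explicit CHANGES line for dropping RT 3.8 support so that sites on 3.8.x know to stay on 0.21.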
@@ -2,17 +2,12 @@ use inc::Module::Install;
 
 RTx('RT-Authen-ExternalAuth');
 
-license('GPL version 2');
-
-all_from('lib/RT/Authen/ExternalAuth.pm');
-readme_from;
-
 feature 'SSL LDAP Connections' =>
     -default => 0,
     recommends('Net::SSLeay' => 0),
     ;
 
-feature 'External LDAP Sources' => 
+feature 'External LDAP Sources' =>
     -default => 1,
     recommends('Net::LDAP' => 0),
     ;
@@ -22,15 +17,13 @@ feature 'External DBI Sources' =>
     recommends('DBI' => 0),
     ;
 
-feature 'SSO Cookie Sources' => 
+feature 'SSO Cookie Sources' =>
     -default => 1,
     recommends('CGI::Cookie' => 0),
     ;
 
 author_tests('xt');
 
-requires_rt('3.8.2');
-
 &auto_install();
 
 repository 'https://github.com/bestpractical/rt-authen-externalauth';
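Review bot: requires_rt('3.8.2') is removed in this hunk with no replacement in the visible lines, while META.yml in the same diff now records x_requires_rt: 4.0.0. Please confirm that the 4.0.0 minimum is still enforced when Makefile.PL runs (for instance through the RTx() call) and is not only metadata, since the README no longer warns about unsupported RT versions.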
@@ -2,43 +2,6 @@ NAME
     RT::Authen::ExternalAuth - RT Authentication using External Sources
 
 DESCRIPTION
-    A complete package for adding external authentication mechanisms to RT.
-    It currently supports LDAP via Net::LDAP and External Database
-    authentication for any database with an installed DBI driver.
-
-    It also allows for authenticating cookie information against an external
-    database through the use of the RT-Authen-CookieAuth extension.
-
-UPGRADING
-    If you are upgrading from an earlier version of this extension, you must
-    remove the following files manually:
-
-        $RTHOME/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm
-        $RTHOME/local/lib/RT/User_Vendor.pm
-        $RTHOME/local/lib/RT/Authen/External_Auth.pm
-
-    Otherwise you will most likely encounter an error about modifying a read
-    only value and be unable to start RT.
-
-    You may not have all of these files. It depends what versions you are
-    upgrading between.
-
-    If you are using a vendor packaged RT, your local directories are likely
-    to be somewhere under /usr/local instead of in $RTHOME so you will need
-    to visit Configuration -> Tools -> System Configuration to find your
-    plugin root.
-
-  VERSION NOTES
-    If you are using RT 3.6, you want to use the 0.05 version.
-
-    If you are using RT 3.8.0 or 3.8.1, you may have trouble using this due
-    to RT bugs related to plugins, but you may be able to use 0.08.
-
-    0.08_02 or later will not work on 3.8.0 or 3.8.1
-
-    If you are using RT 4.0.0 or greater, you must use at least 0.09
-
-MORE ABOUT THIS MODULE
     This module provides the ability to authenticate RT users against one or
     more external data sources at once. It will also allow information about
     that user to be loaded from the same, or any other available, source as
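Review bot: The removed VERSION NOTES told RT 3.6 and 3.8 users which extension versions to use (0.05, 0.08), and nothing in the replacement text states the new minimum. With x_requires_rt now at 4.0.0, keep one line in the README saying that RT 4.0.0 or later is required and that older RT releases need an earlier version of the extension. The removed DESCRIPTION sentence naming Net::LDAP and DBI as the supported back ends is also worth keeping near the top, since the type list only appears much later under $ExternalSettings.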
@@ -54,57 +17,231 @@ MORE ABOUT THIS MODULE
     in to your website, they will be automagically logged in to RT when they
     access it.
 
-    It was originally designed and tested against:
+INSTALLATION
+    perl Makefile.PL
+    make
+    make install
+        May need root permissions
 
-    MySQL v4.1.21-standard MySQL v5.0.22 Windows Active Directory v2003
+    Edit your /opt/rt4/etc/RT_SiteConfig.pm
+        If you are using RT 4.2 or greater, add this line:
 
-    But it has been designed so that it should work with ANY LDAP service
-    and ANY DBI-drivable database, based upon the configuration given in
-    your $RTHOME/etc/RT_SiteConfig.pm
+            Plugin('RT::Authen::ExternalAuth');
 
-    As of v0.08 ExternalAuth also allows you to pull a browser cookie value
-    and test it against a DBI data source allowing the use of cookies for
-    Single Sign-On (SSO) authentication with another application or website
-    login system. This is due to the merging of RT::Authen::ExternalAuth and
-    RT::Authen::CookieAuth. For example, you may integrate RT with your own
-    website login system so that once users log in to your website, they
-    will be automagically logged in to RT when they access it.
+        For RT 4.0, add this line:
 
-INSTALLATION
-    To install this module, run the following commands:
+            Set(@Plugins, qw(RT::Authen::ExternalAuth) );
 
-        perl Makefile.PL
-        make
-        make install
+        or add RT::Authen::ExternalAuth to your existing @Plugins line.
 
-    If you are using RT 3.8.x, you need to enable this module by adding
-    RT::Authen::ExternalAuth to your @Plugins configuration:
+        See "CONFIGURATION" for additional configuration to add to your
+        RT_SiteConfig.pm file.
 
-        Set( @Plugins, qw(RT::Authen::ExternalAuth) );
+UPGRADING
+    If you are upgrading from an earlier version of this extension, you must
+    remove the following files manually:
 
-    If you already have a @Plugins line, add RT::Authen::ExternalAuth to the
-    existing list. Adding a second @Plugins line will cause interesting
-    bugs.
+        /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm
+        /opt/rt4/local/lib/RT/User_Vendor.pm
+        /opt/rt4/local/lib/RT/Authen/External_Auth.pm
 
-    Once installed, you should view the file:
+    Otherwise you will most likely encounter an error about modifying a read
+    only value and be unable to start RT.
 
-    3.4/3.6 $RTHOME/local/etc/ExternalAuth/RT_SiteConfig.pm 3.8
-    $RTHOME/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
+    You may not have all of these files. It depends what versions you are
+    upgrading between.
 
-    Then use the examples provided to prepare your own custom configuration
-    which should be added to your site configuration in
-    $RTHOME/etc/RT_SiteConfig.pm
+    If you are using a vendor packaged RT, your local directories are likely
+    to be somewhere under /usr/local instead of in /opt/rt4 so you will need
+    to visit Configuration -> Tools -> System Configuration to find your
+    plugin root.
+
+CONFIGURATION
+    RT::Authen::ExternalAuth provides a lot of flexibility with many
+    configuration options. The following desc these configuration options,
+    and provides a complete example.
+
+    $ExternalAuthPriority
+        The order in which the services defined in "$ExternalSettings"
+        should be used to authenticate users. Once the user has been
+        authenticated by one service, the rest are skipped.
+
+        You should remove services you don't use. For example, if you're
+        only using My_LDAP, remove My_MySQL and My_SSO_Cookie.
+
+            Set($ExternalAuthPriority,  [ 'My_LDAP',
+                                          'My_MySQL',
+                                          'My_SSO_Cookie'
+                                        ]
+            );
+
+    $ExternalInfoPriority
+        When multiple auth services are available, this value defines the
+        order in which the services defined in "$ExternalSettings" should be
+        used to get information about users. This includes RealName,
+        telephone numbers etc, but also whether or not the user should be
+        considered disabled.
+
+        Once a user record is found, no more services are checked.
+
+        You CANNOT use a SSO cookie to retrieve information.
+
+        You should remove services you don't use, but you must define at
+        least one service.
+
+            Set($ExternalInfoPriority,  [ 'My_LDAP',
+                                          'My_MySQL',
+                                        ]
+            );
+
+    $AutoCreateNonExternalUsers
+        If this is set to 1, then users should be autocreated by RT as
+        internal users if they fail to authenticate from an external
+        service. This is useful if you have users outside your organization
+        who might interface with RT, perhaps by sending email to a support
+        email address.
+
+    $ExternalSettings
+        These are the full settings for each external service as a hash of
+        hashes. Note that you may have as many external services as you
+        wish. They will be checked in the order specified in
+        "$ExternalAuthPriority" and "$ExternalInfoPriority" directives
+        above.
+
+        The outer structure is a key with the authentication option (name of
+        external source). The value is a hash reference with configuration
+        keys and values, for example:
+
+            Set($ExternalSettings, {
+                My_LDAP => {
+                    type => 'ldap',
+                    ... other options ...
+                },
+                My_MySQL => {
+                    type => 'db',
+                    ... other options ...
+                },
+                ... other sources ...
+            } );
+
+        As shown above, each description should have 'type' defined. The
+        following types are supported:
+
+        ldap
+            Authenticate against and sync information with LDAP servers. See
+            RT::Authen::ExternalAuth::LDAP for details.
+
+        db  Authenticate against and sync information with external RDBMS,
+            supported by Perl's DBI interface. See
+            RT::Authen::ExternalAuth::DBI for details.
+
+        cookie
+            Authenticate by cookie. See
+            RT::Authen::ExternalAuth::DBI::Cookie for details.
+
+        See the modules noted above for configuration options specific to
+        each type. The following apply to all types.
+
+        attr_match_list
+            The list of RT attributes that uniquely identify a user. These
+            values are used, in order, to find users in the selected
+            authentication source. Each value specified here must have a
+            mapping in the "attr_map" section below. You can remove values
+            you don't expect to match, but we recommend using Name and
+            EmailAddress at a minimum. For example:
+
+                'attr_match_list' => [
+                    'Name',
+                    'EmailAddress',
+                ],
+
+            You should not use items that can map to multiple users (such as
+            a RealName or building name).
+
+        attr_map
+            Mapping of RT attributes on to attributes in the external
+            source. Valid keys are attributes of an RT::User
+            <http://bestpractical.com/rt/docs/latest/RT/User.html>. The
+            values are attributes from your authentication source. For
+            example, an LDAP mapping might look like:
+
+                'attr_map' => {
+                    'Name'         => 'sAMAccountName',
+                    'EmailAddress' => 'mail',
+                    'Organization' => 'physicalDeliveryOfficeName',
+                    'RealName'     => 'cn',
+                    ...
+                },
+
+  Example
+        # Use the below LDAP source for both authentication, as well as user
+        # information
+        Set( $ExternalAuthPriority, ["My_LDAP"] );
+        Set( $ExternalAuthInfo,     ["My_LDAP"] );
+
+        # Users created from LDAP should be Privileged; this is a core RT
+        # option.  Additionally, this is the 4.2 name for the option; for RT
+        # 4.0, is it named $AutoCreate   See the core RT documentation at
+        # http://docs.bestpractical.com/RT_Config#UserAutocreateDefaultsOnLogin
+        # for for further details.
+        Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
+
+        # Users should still be autocreated by RT as internal users if they
+        # fail to exist in an external service; this is so requestors (who
+        # are not in LDAP) can still be created when they email in.
+        Set($AutoCreateNonExternalUsers, 1);
+
+        # Minimal LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
+        # further details and examples
+        Set($ExternalSettings, {
+            'My_LDAP'       =>  {
+                'type'             =>  'ldap',
+                'server'           =>  'ldap.example.com',
+                # By not passing 'user' and 'pass' we are using an anonymous
+                # bind, which some servers to not allow
+                'base'             =>  'ou=Staff,dc=example,dc=com',
+                'filter'           =>  '(objectClass=inetOrgPerson)',
+                # Users are allowed to log in via email address or account
+                # name
+                'attr_match_list'  => [
+                    'Name',
+                    'EmailAddress',
+                ],
+                # Import the following properties of the user from LDAP upon
+                # login
+                'attr_map' => {
+                    'Name'         => 'sAMAccountName',
+                    'EmailAddress' => 'mail',
+                    'RealName'     => 'cn',
+                    'WorkPhone'    => 'telephoneNumber',
+                    'Address1'     => 'streetAddress',
+                    'City'         => 'l',
+                    'State'        => 'st',
+                    'Zip'          => 'postalCode',
+                    'Country'      => 'co',
+                },
+            },
+        } );
 
 AUTHORS
-    Best Practical Solutions <modules@bestpractical.com>
+    Best Practical Solutions, LLC <modules@bestpractical.com>
 
     Originally by Mike Peachey (Jennic Ltd.) <zordrak@cpan.org>
 
-COPYRIGHT AND LICENCE
-    Copyright (C) 2008, Jennic Ltd. Copyright 2008-2014 Best Practical
-    Solutions
+BUGS
+    All bugs should be reported via email to
+
+        L<bug-RT-Authen-ExternalAuth@rt.cpan.org|mailto:bug-RT-Authen-ExternalAuth@rt.cpan.org>
+
+    or via the web at
+
+        L<rt.cpan.org|http://rt.cpan.org/Public/Dist/Display.html?Name=RT-Authen-ExternalAuth>.
+
+LICENSE AND COPYRIGHT
+    Copyright (c) 2008-2014 by Best Practical Solutions, LLC Copyright (c)
+    2008 by Jennic Ltd.
+
+    This is free software, licensed under:
 
-    This software is released under version 2 of the GNU General Public
-    License. The license is distributed with this package in the LICENSE
-    file found in the directory root.
+      The GNU General Public License, Version 2, June 1991
 
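Review bot: the BUGS section of this plain-text README still carries raw POD link markup (`L<bug-RT-Authen-ExternalAuth@rt.cpan.org|mailto:...>` and `L<rt.cpan.org|http://...>`), so readers see the markup instead of an address or URL. The CONFIGURATION intro also has a truncated word ("The following desc these configuration options"). Both come from the POD source, so fix them there and regenerate the README rather than editing this file by hand.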
@@ -14,14 +14,13 @@ not run its Makefile.PL or Build.PL.
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
-SHA1 274a6390b5a42c612e46119b42db5029e492a59e ChangeLog
+SHA1 ca2b85df6b0fa0b872ca50fa292c3a75b4305e18 CHANGES
 SHA1 3273dec18766d9445070e6758f2edcb3760599f9 LICENSE
-SHA1 9490b8aa196586990eafa4d5814af06dc5f2be5e MANIFEST
+SHA1 3d6cfd615add58f44fd4299a8e65117402f87733 MANIFEST
 SHA1 4f9a3da777764252acf6d92741bcebf505857527 MANIFEST.SKIP
-SHA1 39f37528cf1ff7790d320792a7f48aae9890d42e META.yml
-SHA1 764dcc0c77ebd0e25f40d80bcd5a2e1c8191f900 Makefile.PL
-SHA1 bc36d5030f59901701a1f9b78f732eac6043f8b2 README
-SHA1 b9e0608faec3f90687ecf5fb2cbac21eb2befcca etc/RT_SiteConfig.pm
+SHA1 18a2f0a96678397d3a320bae21d0dacc3adbdbf1 META.yml
+SHA1 3bded9dffe91ed80fb28c3eeb633c65eb807d6da Makefile.PL
+SHA1 a09a1dc64660b830cdc7928d81156e161961d3fd README
 SHA1 33c97c7f30b52fd18e11f6eaf275d21627a89050 html/Callbacks/ExternalAuth/Elements/Header/Head
 SHA1 3b536ec2292ce8e74cfe96f428048fb1f9589ae8 html/Callbacks/ExternalAuth/autohandler/Auth
 SHA1 3f6bfd07c642fec5c2553ed97414c82a19b6107a html/Callbacks/ExternalAuth/autohandler/Session
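Review bot: every file digest in this list, and the `Hash: SHA1` header of the signed message, still uses SHA-1. If the signing tool used for the release can emit a stronger digest, regenerate SIGNATURE with it so that the integrity check does not rest on SHA-1 alone.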
@@ -43,22 +42,21 @@ SHA1 4c5ce519d404e242418f51dfe761287469e18e3a inc/Module/Install/Win32.pm
 SHA1 47a52cf8719a283c0efa2edab0088b5d67e0f23a inc/Module/Install/WriteAll.pm
 SHA1 4e09b598c2626e08cec2bed5e981492fa9e90967 inc/YAML/Tiny.pm
 SHA1 034d0f3a7401dae4be3eee279258181f51a4ad81 inc/unicore/Name.pm
-SHA1 10d9d0730f9e492941ff77cb20e6ac0cef3c8128 lib/RT/Authen/ExternalAuth.pm
+SHA1 fdbd3c5871a8f6304f1b180b93cebbe1e1d032ba lib/RT/Authen/ExternalAuth.pm
 SHA1 d333da0857524eead272bfb13b874b6fb221ae89 lib/RT/Authen/ExternalAuth/DBI.pm
 SHA1 71d7b21728c9e4a19599f0caefb7f795e8e210f5 lib/RT/Authen/ExternalAuth/DBI/Cookie.pm
-SHA1 da0b7908668e7a7e30ebe553212ce8f3ceff18de lib/RT/Authen/ExternalAuth/LDAP.pm
-SHA1 43212d5284b9885e21f193c24f70e1ecfe84ff2f xt/ldap.t
-SHA1 98828af03131d63d502145f4f03f550a1ea47fa0 xt/ldap_escaping.t
-SHA1 767315675c4efb476ef607c3d2eaa832ab0b4ed9 xt/ldap_group.t
-SHA1 3c09dffc83aca3717304274aef6c1ad30c69b6e2 xt/ldap_privileged.t
+SHA1 a7cbdd3ee9a448e99888ef9fbe418f57778c8ad6 lib/RT/Authen/ExternalAuth/LDAP.pm
+SHA1 f8945f8859ff7c53e9e0e366f54e6ec483674e83 xt/ldap.t
+SHA1 9b1656e947f2a59f0251582503d1752dbf1ad85f xt/ldap_escaping.t
+SHA1 1a4e26ff4a820fc7a856598fa3e38131a6953506 xt/ldap_group.t
+SHA1 4b0e4614d63ad0d12e51ea44600d8eb6b102fcf7 xt/ldap_privileged.t
 SHA1 e97f3d74032286ca82fd3c01ea78147010667a89 xt/obfuscate-password.t
-SHA1 83d28e80fd93774fdf224236fa5b284b27f1beea xt/sessions.t
-SHA1 c229f65c585595c160ea1e2ab0fa69d6df29b602 xt/sqlite.t
+SHA1 f050c619336def037bccef9e7e4f9baf71b2f3a0 xt/sessions.t
+SHA1 2c18aacfc5a462553b8e2c30a8ac98d30401386a xt/sqlite.t
 -----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.12 (Darwin)
-Comment: GPGTools - http://gpgtools.org
+Version: GnuPG v1.4.11 (GNU/Linux)
 
-iEYEARECAAYFAlOzbEsACgkQ0+gKWp5CJQrJOQCgz7VoZbc4S+Qhy5l7GjTw73E0
-uBAAnRndGv1GHR0JDUO6+A8ZyHTm0gcz
-=NQV+
+iEYEARECAAYFAlPs8ZYACgkQMflWJZZAbqA4VwCfQVr+iwnF4V0lgzdAYaI4alS/
+JtkAn3xAIjmzGSyvyJ3DYzoC6iEKE74A
+=EZmh
 -----END PGP SIGNATURE-----
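Review bot: the signature block was produced by a different GnuPG build than the previous release (`GnuPG v1.4.12 (Darwin)` became `GnuPG v1.4.11 (GNU/Linux)`), and nothing in the diff says which key signed it. State the signing key in the release notes so anyone verifying the distribution can check it against the maintainers' published keys instead of trusting the digest list by itself.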
@@ -1,243 +0,0 @@
-=head1 NAME
-
-External Authentication Configuration - Sample configs for L<RT::Authen::ExternalAuth>
-
-=head1 DESCRIPTION
-
-L<RT::Authen::ExternalAuth> provides a lot of flexibility
-with many configuration options. This file describes these
-configuration options and is itself a sample configuration
-suitable for dropping into your C<etc/RT_SiteConfig.pm>
-file and modifying.
-
-=over 4
-
-=item C<$ExternalAuthPriority>
-
-The order in which the services defined in ExternalSettings
-should be used to authenticate users. User is authenticated
-if successfully confirmed by any service - no more services
-are checked.
-
-You should remove services you don't use. For example,
-if you're only using My_LDAP, remove My_MySQL and My_SSO_Cookie.
-
-=cut
-
-Set($ExternalAuthPriority,  [ 'My_LDAP',
-                              'My_MySQL',
-                              'My_SSO_Cookie'
-                            ]
-);
-
-=item C<$ExternalInfoPriority>
-
-When multiple auth services are available, this value defines
-the order in which the services defined in ExternalSettings
-should be used to get information about users. This includes
-RealName, Tel numbers etc, but also whether or not the user
-should be considered disabled.
-
-Once a user record is found, no more services are checked.
-
-You CANNOT use a SSO cookie to retrieve information.
-
-You should remove services you don't use, but you must define
-at least one service.
-
-=cut
-
-Set($ExternalInfoPriority,  [ 'My_LDAP',
-                              'My_MySQL',
-                            ]
-);
-
-=item C<$ExternalServiceUsesSSLorTLS>
-
-If this is set to true, then the relevant packages will
-be loaded to use SSL/TLS connections. At the moment,
-this just means L<Net::SSLeay>.
-
-=cut
-
-Set($ExternalServiceUsesSSLorTLS,    0);
-
-=item C<$AutoCreateNonExternalUsers>
-
-If this is set to 1, then users should be autocreated by RT
-as internal users if they fail to authenticate from an
-external service. This is useful if you have users outside
-your organization who might interface with RT, perhaps by sending
-email to a support email address.
-
-=cut
-
-Set($AutoCreateNonExternalUsers,    0);
-
-=item C<$ExternalSettings>
-
-These are the full settings for each external service as a HashOfHashes.
-Note that you may have as many external services as you wish. They will
-be checked in the order specified in $ExternalAuthPriority and
-$ExternalInfoPriority directives above.
-
-The outer structure is a key with the authentication option (name of external
-source). The value is a hash reference with configuration keys and values,
-for example:
-
-    Set($ExternalSettings, {
-        MyLDAP => {
-            type => 'ldap',
-            ... other options ...
-        },
-        MyMySQL => {
-            type => 'db',
-            ... other options ...
-        },
-        ... other sources ...
-        } );
-
-As shown above, each description should have 'type' defined.
-The following types are supported:
-
-=over 4
-
-=item ldap
-
-Authenticate against and sync information with LDAP servers.
-See L<RT::Authen::ExternalAuth::LDAP> for details.
-
-=item db
-
-Authenticate against and sync information with external RDBMS,
-supported by Perl's L<DBI> interface. See L<RT::Authen::ExternalAuth::DBI>
-for details.
-
-=item cookie
-
-Authenticate by cookie. See L<RT::Authen::ExternalAuth::DBI::Cookie>
-for details.
-
-=back
-
-See the modules noted above for configuration options specific to each type.
-The following apply to all types.
-
-=over 4
-
-=item attr_match_list
-
-The list of RT attributes that uniquely identify a user. These values
-are used, in order, to find users in the selected authentication
-source. Each value specified here must have a mapping in the
-L</"attr_map"> section below. You can remove values you don't
-expect to match, but it's recommended to use 'Name' and 'EmailAddress'
-at minimum. For example:
-
-    'attr_match_list' => [
-        'Name',
-        'EmailAddress',
-    ],
-
-You should not use items that can map to multiple users (such as a
-RealName or building name).
-
-=item attr_map
-
-Mapping of RT attributes on to attributes in the external source.
-Valid keys are attributes of an
-L<RT::User|http://bestpractical.com/rt/docs/latest/RT/User.html>.
-The values are attributes from your authentication source.
-For example, an LDAP mapping might look like:
-
-    'attr_map' => {
-        'Name'         => 'sAMAccountName',
-        'EmailAddress' => 'mail',
-        'Organization' => 'physicalDeliveryOfficeName',
-        'RealName'     => 'cn',
-        ...
-    },
-
-=back
-
-=cut
-
-Set($ExternalSettings, {
-    # AN EXAMPLE DB SERVICE
-    'My_MySQL'   =>  {
-        'type'                      =>  'db',
-        'server'                    =>  'server.domain.tld',
-        'database'                  =>  'DB_NAME',
-        'table'                     =>  'USERS_TABLE',
-        'user'                      =>  'DB_USER',
-        'pass'                      =>  'DB_PASS',
-        'port'                      =>  'DB_PORT',
-        'dbi_driver'                =>  'DBI_DRIVER',
-        'u_field'                   =>  'username',
-        'p_field'                   =>  'password',
-        'p_enc_pkg'                 =>  'Crypt::MySQL',
-        'p_enc_sub'                 =>  'password',
-        'd_field'                   =>  'disabled',
-        'd_values'                  =>  ['0'],
-        'attr_match_list' =>  [
-            'Gecos',
-            'Name',
-        ],
-        'attr_map' => {
-            'Name'           => 'username',
-            'EmailAddress'   => 'email',
-            'ExternalAuthId' => 'username',
-            'Gecos'          => 'userID',
-        },
-    },
-    # AN EXAMPLE LDAP SERVICE
-    'My_LDAP'       =>  {
-        'type'                      =>  'ldap',
-        'server'                    =>  'server.domain.tld',
-        'user'                      =>  'rt_ldap_username',
-        'pass'                    =>  'rt_ldap_password',
-        'base'                      =>  'ou=Organisational Unit,dc=domain,dc=TLD',
-        'filter'                    =>  '(FILTER_STRING)',
-        'd_filter'                  =>  '(FILTER_STRING)',
-        'group'                     =>  'GROUP_NAME',
-        'group_attr'                =>  'GROUP_ATTR',
-        'tls'                       =>  0,
-        'ssl_version'               =>  3,
-        'net_ldap_args'             => [    version =>  3   ],
-        'group_scope'               =>  'base',
-        'group_attr_value'          =>  'GROUP_ATTR_VALUE',
-        'attr_match_list' => [
-            'Name',
-            'EmailAddress',
-            'RealName',
-        ],
-        'attr_map' => {
-            'Name' => 'sAMAccountName',
-            'EmailAddress' => 'mail',
-            'Organization' => 'physicalDeliveryOfficeName',
-            'RealName' => 'cn',
-            'ExternalAuthId' => 'sAMAccountName',
-            'Gecos' => 'sAMAccountName',
-            'WorkPhone' => 'telephoneNumber',
-            'Address1' => 'streetAddress',
-            'City' => 'l',
-            'State' => 'st',
-            'Zip' => 'postalCode',
-            'Country' => 'co'
-        },
-    },
-    # An example SSO cookie service
-    'My_SSO_Cookie'  => {
-        'type'                      =>  'cookie',
-        'name'                      =>  'loginCookieValue',
-        'u_table'                   =>  'users',
-        'u_field'                   =>  'username',
-        'u_match_key'               =>  'userID',
-        'c_table'                   =>  'login_cookie',
-        'c_field'                   =>  'loginCookieValue',
-        'c_match_key'               =>  'loginCookieUserID',
-        'db_service_name'           =>  'My_MySQL'
-    },
-} );
-
-1;
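Review bot: deleting this file removes the only complete `db` and `cookie` service examples visible in this diff (`My_MySQL` and `My_SSO_Cookie`); the Example that replaces it in the POD covers LDAP only. Confirm that the RT::Authen::ExternalAuth::DBI and RT::Authen::ExternalAuth::DBI::Cookie documentation carries equivalent worked examples before dropping this one. Sites that copied this sample will also still have `Set($ExternalServiceUsesSSLorTLS, 0);` in their config, which is worth calling out in the upgrade notes.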
@@ -6,8 +6,6 @@ use Net::LDAP::Filter;
 
 use strict;
 
-require Net::SSLeay if $RT::ExternalServiceUsesSSLorTLS;
-
 =head1 NAME
 
 RT::Authen::ExternalAuth::LDAP - LDAP source for RT authentication
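Review bot: with the load-time `require Net::SSLeay if $RT::ExternalServiceUsesSSLorTLS;` removed, a site that still sets `$ExternalServiceUsesSSLorTLS` in RT_SiteConfig.pm gets no signal that the option is now ignored. Consider logging a one-time warning when the variable is defined so stale configurations are noticed during the upgrade.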
@@ -606,6 +604,7 @@ sub _GetBoundLdapObj {
     }
 
     if ($ldap_tls) {
+        require Net::SSLeay;
         $Net::SSLeay::ssl_version = $ldap_ssl_ver;
         # Thanks to David Narayan for the fault tolerance bits
         eval { $ldap->start_tls; };
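Review bot: the added `require Net::SSLeay;` sits outside the `eval` that guards `start_tls`, so on a host without Net::SSLeay the first TLS login dies at request time instead of failing when the module is loaded. Either wrap the require in its own eval and report the failure through the same path as a failed `start_tls`, or declare Net::SSLeay as a prerequisite in Makefile.PL. Note also that `$Net::SSLeay::ssl_version` is a package global, so the assignment on the following line affects every other user of Net::SSLeay in the same process.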
@@ -1,6 +1,6 @@
 package RT::Authen::ExternalAuth;
 
-our $VERSION = '0.21';
+our $VERSION = '0.23';
 
 =head1 NAME
 
@@ -8,21 +8,58 @@ RT::Authen::ExternalAuth - RT Authentication using External Sources
 
 =head1 DESCRIPTION
 
-A complete package for adding external authentication mechanisms
-to RT. It currently supports LDAP via Net::LDAP and External Database
-authentication for any database with an installed DBI driver.
+This module provides the ability to authenticate RT users against one or
+more external data sources at once. It will also allow information about
+that user to be loaded from the same, or any other available, source as
+well as allowing multple redundant servers for each method.
 
-It also allows for authenticating cookie information against an
-external database through the use of the RT-Authen-CookieAuth extension.
+The extension currently supports authentication and information from
+LDAP via the Net::LDAP module, and from any data source that an
+installed DBI driver is available for.
+
+It is also possible to use cookies set by an alternate application for
+Single Sign-On (SSO) with that application.  For example, you may
+integrate RT with your own website login system so that once users log
+in to your website, they will be automagically logged in to RT when they
+access it.
+
+=head1 INSTALLATION
+
+=over
+
+=item C<perl Makefile.PL>
+
+=item C<make>
+
+=item C<make install>
+
+May need root permissions
+
+=item Edit your F</opt/rt4/etc/RT_SiteConfig.pm>
+
+If you are using RT 4.2 or greater, add this line:
+
+    Plugin('RT::Authen::ExternalAuth');
+
+For RT 4.0, add this line:
+
+    Set(@Plugins, qw(RT::Authen::ExternalAuth) );
+
+or add C<RT::Authen::ExternalAuth> to your existing C<@Plugins> line.
+
+See L</CONFIGURATION> for additional configuration to add to your
+F<RT_SiteConfig.pm> file.
+
+=back
 
 =head1 UPGRADING
 
 If you are upgrading from an earlier version of this extension, you must
 remove the following files manually:
 
-    $RTHOME/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm
-    $RTHOME/local/lib/RT/User_Vendor.pm
-    $RTHOME/local/lib/RT/Authen/External_Auth.pm
+    /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm
+    /opt/rt4/local/lib/RT/User_Vendor.pm
+    /opt/rt4/local/lib/RT/Authen/External_Auth.pm
 
 Otherwise you will most likely encounter an error about modifying a read
 only value and be unable to start RT.
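Review bot: the added DESCRIPTION line "as allowing multple redundant servers for each method" carries over the `multple` typo from the text it replaces; fix it while the paragraph is being moved. In the INSTALLATION list, `May need root permissions` hangs under `make install` as a sentence fragment, and the UPGRADING paths now hardcode `/opt/rt4` where `$RTHOME` used to stand, so say once that `/opt/rt4` is the default install prefix and may differ.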
@@ -31,103 +68,224 @@ You may not have all of these files.  It depends what versions you are
 upgrading between.
 
 If you are using a vendor packaged RT, your local directories are likely
-to be somewhere under /usr/local instead of in $RTHOME so you will need
+to be somewhere under /usr/local instead of in /opt/rt4 so you will need
 to visit Configuration -> Tools -> System Configuration to find your
 plugin root.
 
-=head2 VERSION NOTES
+=head1 CONFIGURATION
 
-If you are using RT 3.6, you want to use the 0.05 version.
+L<RT::Authen::ExternalAuth> provides a lot of flexibility with many
+configuration options.  The following desc these configuration options,
+and provides a complete example.
 
-If you are using RT 3.8.0 or 3.8.1, you may have trouble using this
-due to RT bugs related to plugins, but you may be able to use 0.08.
+=over 4
 
-0.08_02 or later will not work on 3.8.0 or 3.8.1
+=item C<$ExternalAuthPriority>
 
-If you are using RT 4.0.0 or greater, you must use at least 0.09
+The order in which the services defined in L</$ExternalSettings> should
+be used to authenticate users.  Once the user has been authenticated by
+one service, the rest are skipped.
 
-=head1 MORE ABOUT THIS MODULE 
+You should remove services you don't use. For example, if you're only
+using C<My_LDAP>, remove C<My_MySQL> and C<My_SSO_Cookie>.
 
-This module provides the ability to authenticate RT users
-against one or more external data sources at once. It will
-also allow information about that user to be loaded from
-the same, or any other available, source as well as allowing
-multple redundant servers for each method.
+    Set($ExternalAuthPriority,  [ 'My_LDAP',
+                                  'My_MySQL',
+                                  'My_SSO_Cookie'
+                                ]
+    );
 
-The extension currently supports authentication and 
-information from LDAP via the Net::LDAP module, and from
-any data source that an installed DBI driver is available
-for. 
+=item C<$ExternalInfoPriority>
 
-It is also possible to use cookies set by an alternate
-application for Single Sign-On (SSO) with that application.
-For example, you may integrate RT with your own website login
-system so that once users log in to your website, they will be
-automagically logged in to RT when they access it.
+When multiple auth services are available, this value defines the order
+in which the services defined in L</$ExternalSettings> should be used to
+get information about users. This includes C<RealName>, telephone
+numbers etc, but also whether or not the user should be considered
+disabled.
 
-It was originally designed and tested against: 
+Once a user record is found, no more services are checked.
 
-MySQL v4.1.21-standard
-MySQL v5.0.22
-Windows Active Directory v2003
+You CANNOT use a SSO cookie to retrieve information.
 
-But it has been designed so that it should work with ANY
-LDAP service and ANY DBI-drivable database, based upon the
-configuration given in your $RTHOME/etc/RT_SiteConfig.pm
+You should remove services you don't use, but you must define
+at least one service.
 
-As of v0.08 ExternalAuth also allows you to pull a browser
-cookie value and test it against a DBI data source allowing
-the use of cookies for Single Sign-On (SSO) authentication
-with another application or website login system. This is
-due to the merging of RT::Authen::ExternalAuth and
-RT::Authen::CookieAuth. For example, you may integrate RT
-with your own website login system so that once users log in
-to your website, they will be automagically logged in to RT 
-when they access it.
+    Set($ExternalInfoPriority,  [ 'My_LDAP',
+                                  'My_MySQL',
+                                ]
+    );
 
+=item C<$AutoCreateNonExternalUsers>
 
-=head1 INSTALLATION
+If this is set to 1, then users should be autocreated by RT
+as internal users if they fail to authenticate from an
+external service. This is useful if you have users outside
+your organization who might interface with RT, perhaps by sending
+email to a support email address.
 
-To install this module, run the following commands:
+=item C<$ExternalSettings>
 
-    perl Makefile.PL
-    make
-    make install
+These are the full settings for each external service as a hash of
+hashes.  Note that you may have as many external services as you wish.
+They will be checked in the order specified in L</$ExternalAuthPriority>
+and L</$ExternalInfoPriority> directives above.
 
-If you are using RT 3.8.x, you need to enable this
-module by adding RT::Authen::ExternalAuth to your
-@Plugins configuration:
+The outer structure is a key with the authentication option (name of
+external source). The value is a hash reference with configuration keys
+and values, for example:
 
-    Set( @Plugins, qw(RT::Authen::ExternalAuth) );
+    Set($ExternalSettings, {
+        My_LDAP => {
+            type => 'ldap',
+            ... other options ...
+        },
+        My_MySQL => {
+            type => 'db',
+            ... other options ...
+        },
+        ... other sources ...
+    } );
+
+As shown above, each description should have 'type' defined.
+The following types are supported:
+
+=over 4
+
+=item ldap
+
+Authenticate against and sync information with LDAP servers.  See
+L<RT::Authen::ExternalAuth::LDAP> for details.
+
+=item db
+
+Authenticate against and sync information with external RDBMS, supported
+by Perl's L<DBI> interface. See L<RT::Authen::ExternalAuth::DBI> for
+details.
+
+=item cookie
+
+Authenticate by cookie. See L<RT::Authen::ExternalAuth::DBI::Cookie> for
+details.
+
+=back
+
+See the modules noted above for configuration options specific to each
+type.  The following apply to all types.
+
+=over 4
+
+=item attr_match_list
+
+The list of RT attributes that uniquely identify a user. These values
+are used, in order, to find users in the selected authentication
+source. Each value specified here must have a mapping in the
+L</attr_map> section below. You can remove values you don't expect to
+match, but we recommend using C<Name> and C<EmailAddress> at a
+minimum. For example:
+
+    'attr_match_list' => [
+        'Name',
+        'EmailAddress',
+    ],
+
+You should not use items that can map to multiple users (such as a
+C<RealName> or building name).
+
+=item attr_map
+
+Mapping of RT attributes on to attributes in the external source.
+Valid keys are attributes of an
+L<RT::User|http://bestpractical.com/rt/docs/latest/RT/User.html>.
+The values are attributes from your authentication source.
+For example, an LDAP mapping might look like:
+
+    'attr_map' => {
+        'Name'         => 'sAMAccountName',
+        'EmailAddress' => 'mail',
+        'Organization' => 'physicalDeliveryOfficeName',
+        'RealName'     => 'cn',
+        ...
+    },
+
+=back
+
+=back
+
+=head2 Example
+
+    # Use the below LDAP source for both authentication, as well as user
+    # information
+    Set( $ExternalAuthPriority, ["My_LDAP"] );
+    Set( $ExternalAuthInfo,     ["My_LDAP"] );
+
+    # Users created from LDAP should be Privileged; this is a core RT
+    # option.  Additionally, this is the 4.2 name for the option; for RT
+    # 4.0, is it named $AutoCreate   See the core RT documentation at
+    # http://docs.bestpractical.com/RT_Config#UserAutocreateDefaultsOnLogin
+    # for for further details.
+    Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
+
+    # Users should still be autocreated by RT as internal users if they
+    # fail to exist in an external service; this is so requestors (who
+    # are not in LDAP) can still be created when they email in.
+    Set($AutoCreateNonExternalUsers, 1);
+
+    # Minimal LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
+    # further details and examples
+    Set($ExternalSettings, {
+        'My_LDAP'       =>  {
+            'type'             =>  'ldap',
+            'server'           =>  'ldap.example.com',
+            # By not passing 'user' and 'pass' we are using an anonymous
+            # bind, which some servers to not allow
+            'base'             =>  'ou=Staff,dc=example,dc=com',
+            'filter'           =>  '(objectClass=inetOrgPerson)',
+            # Users are allowed to log in via email address or account
+            # name
+            'attr_match_list'  => [
+                'Name',
+                'EmailAddress',
+            ],
+            # Import the following properties of the user from LDAP upon
+            # login
+            'attr_map' => {
+                'Name'         => 'sAMAccountName',
+                'EmailAddress' => 'mail',
+                'RealName'     => 'cn',
+                'WorkPhone'    => 'telephoneNumber',
+                'Address1'     => 'streetAddress',
+                'City'         => 'l',
+                'State'        => 'st',
+                'Zip'          => 'postalCode',
+                'Country'      => 'co',
+            },
+        },
+    } );
 
-If you already have a @Plugins line, add RT::Authen::ExternalAuth to the
-existing list.  Adding a second @Plugins line will cause interesting
-bugs.
+=head1 AUTHORS
 
-Once installed, you should view the file:
-    
-3.4/3.6    $RTHOME/local/etc/ExternalAuth/RT_SiteConfig.pm
-3.8        $RTHOME/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
+Best Practical Solutions, LLC E<lt>modules@bestpractical.comE<gt>
 
-Then use the examples provided to prepare your own custom 
-configuration which should be added to your site configuration in
-$RTHOME/etc/RT_SiteConfig.pm
+Originally by Mike Peachey (Jennic Ltd.) <zordrak@cpan.org>
 
-=head1 AUTHORS
+=head1 BUGS
 
-Best Practical Solutions <modules@bestpractical.com>
+All bugs should be reported via email to
 
-Originally by Mike Peachey (Jennic Ltd.) <zordrak@cpan.org>
+    L<bug-RT-Authen-ExternalAuth@rt.cpan.org|mailto:bug-RT-Authen-ExternalAuth@rt.cpan.org>
+
+or via the web at
+
+    L<rt.cpan.org|http://rt.cpan.org/Public/Dist/Display.html?Name=RT-Authen-ExternalAuth>.
+
+=head1 LICENSE AND COPYRIGHT
 
-=head1 COPYRIGHT AND LICENCE
+Copyright (c) 2008-2014 by Best Practical Solutions, LLC
+Copyright (c) 2008 by Jennic Ltd.
 
-Copyright (C) 2008, Jennic Ltd.
-Copyright 2008-2014 Best Practical Solutions
+This is free software, licensed under:
 
-This software is released under version 2 of the GNU 
-General Public License. The license is distributed with
-this package in the LICENSE file found in the directory 
-root.
+  The GNU General Public License, Version 2, June 1991
 
 =cut
 
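Review bot: the Example sets `Set( $ExternalAuthInfo, ["My_LDAP"] );`, but the option documented earlier in this same hunk, and the one the test files set, is `$ExternalInfoPriority`; a reader who copies the example leaves the info priority undefined even though the text says at least one service must be defined. Rename it to `$ExternalInfoPriority`. The example comments also need a pass ("is it named $AutoCreate   See", "for for further details", "which some servers to not allow"), and since the minimal `My_LDAP` block sets no `tls` option, add a comment saying what transport the bind and password check will use so that readers do not assume it is encrypted.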
@@ -31,7 +31,6 @@ $ldap->add( $dn, attr => [%$entry] );
 
 RT->Config->Set( ExternalAuthPriority        => ['My_LDAP'] );
 RT->Config->Set( ExternalInfoPriority        => ['My_LDAP'] );
-RT->Config->Set( ExternalServiceUsesSSLorTLS => 0 );
 RT->Config->Set( AutoCreateNonExternalUsers  => 0 );
 RT->Config->Set( AutoCreate  => undef );
 RT->Config->Set(
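Review bot: this hunk and the other test hunks in the diff only delete the `ExternalServiceUsesSSLorTLS` line; none of them adds a case with TLS enabled, so the `require Net::SSLeay` that moved into the `if ($ldap_tls)` branch of `_GetBoundLdapObj` is not exercised by anything shown here. Add a test that configures `My_LDAP` with TLS on and checks that the bind either succeeds or fails with a logged error rather than an uncaught die.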
@@ -52,7 +52,6 @@ $ldap->add(
 
 RT->Config->Set( ExternalAuthPriority        => ['My_LDAP'] );
 RT->Config->Set( ExternalInfoPriority        => ['My_LDAP'] );
-RT->Config->Set( ExternalServiceUsesSSLorTLS => 0 );
 RT->Config->Set( AutoCreateNonExternalUsers  => 0 );
 RT->Config->Set( AutoCreate  => undef );
 RT->Config->Set(
@@ -60,7 +60,6 @@ $ldap->add(
 #RT->Config->Set( Plugins                     => 'RT::Authen::ExternalAuth' );
 RT->Config->Set( ExternalAuthPriority        => ['My_LDAP'] );
 RT->Config->Set( ExternalInfoPriority        => ['My_LDAP'] );
-RT->Config->Set( ExternalServiceUsesSSLorTLS => 0 );
 RT->Config->Set( AutoCreateNonExternalUsers  => 0 );
 RT->Config->Set( AutoCreate  => undef );
 RT->Config->Set(
@@ -30,7 +30,6 @@ $ldap->add( $dn, attr => [%$entry] );
 
 RT->Config->Set( ExternalAuthPriority        => ['My_LDAP'] );
 RT->Config->Set( ExternalInfoPriority        => ['My_LDAP'] );
-RT->Config->Set( ExternalServiceUsesSSLorTLS => 0 );
 RT->Config->Set( AutoCreateNonExternalUsers  => 0 );
 RT->Config->Set( AutoCreate                  => { Privileged => 1 } );
 RT->Config->Set(
@@ -94,7 +94,6 @@ sub setup_auth_source {
 
     RT->Config->Set( ExternalAuthPriority        => ['My_SQLite'] );
     RT->Config->Set( ExternalInfoPriority        => ['My_SQLite'] );
-    RT->Config->Set( ExternalServiceUsesSSLorTLS => 0 );
     RT->Config->Set( AutoCreateNonExternalUsers  => 0 );
     RT->Config->Set( AutoCreate                  => undef );
     RT->Config->Set(
@@ -30,7 +30,6 @@ $dbh->do(
 
 RT->Config->Set( ExternalAuthPriority        => ['My_SQLite'] );
 RT->Config->Set( ExternalInfoPriority        => ['My_SQLite'] );
-RT->Config->Set( ExternalServiceUsesSSLorTLS => 0 );
 RT->Config->Set( AutoCreateNonExternalUsers  => 0 );
 RT->Config->Set( AutoCreate                  => undef );
 RT->Config->Set(