View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0008471 | mantisbt | feature | public | 2007-10-15 10:45 | 2010-02-10 08:32 |
Reporter | neoteric | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | N/A |
Status | new | Resolution | open | ||
Platform | Intel | OS | MS Windows Server | OS Version | 2003 |
Product Version | 1.1.0rc1 | ||||
Summary | 0008471: Add feature to check required LDAP attribute for authentication | ||||
Description | I've added the ability to require the presence of a specific LDAP attribute/value pair in the user entry. This is a useful feature that is also available in MediaWiki (v 1.11.x) and Apache's mod_authnz_ldap (Apache 2.1+) module. At my company, we use LDAP attributes to specify which users are authorized to access each application, in this case the privilege of logging into Mantis. For the curious, this feature is implemented in MediaWiki via the config variable, $wgLDAPAuthAttribute (see http://www.mediawiki.org/wiki/Extension:LDAP_Authentication), and in Apache mod_authnz_ldap via the module directive, Require ldap-attribute (see http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html). | ||||
Steps To Reproduce | N/A | ||||
Additional Information | Only minor changes were needed to two files in version 1.1.0rc1: core/ldap_api.php and config_defaults_inc.php. To enable the feature, I added a line like the following to my config_inc.php: $g_ldap_auth_attribute = 'privilege=MyAppLogin'; I've attached two diff files (to version 1.1.0rc1) to implement this optional feature. | ||||
Tags | No tags attached. | ||||
Attached Files | config_defaults_inc.php.patch (80 bytes)
875a876 > $g_ldap_auth_attribute = ''; # e.g. '(privilegeName=AppLogin)' ldap_api.php.patch (836 bytes)
--- ldap_api.php.ORIG Sat Jul 21 09:38:26 2007 +++ ldap_api.php Mon Oct 15 10:18:06 2007 @@ -116,11 +116,16 @@ } $t_ldap_organization = config_get( 'ldap_organization' ); + $t_ldap_auth_attribute = config_get( 'ldap_auth_attribute' ); $t_ldap_root_dn = config_get( 'ldap_root_dn' ); $t_username = user_get_field( $p_user_id, 'username' ); $t_ldap_uid_field = config_get( 'ldap_uid_field', 'uid' ) ; - $t_search_filter = "(&$t_ldap_organization($t_ldap_uid_field=$t_username))"; + $t_search_filter = "(&$t_ldap_organization($t_ldap_uid_field=$t_username)"; + if ( $t_ldap_auth_attribute ) { + $t_search_filter .= "($t_ldap_auth_attribute)"; + } + $t_search_filter .= ")"; $t_search_attrs = array( $t_ldap_uid_field, 'dn' ); $t_ds = ldap_connect_bind(); | ||||
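Review bot: the comment in the config_defaults_inc.php hunk, `# e.g. '(privilegeName=AppLogin)'`, gives the value in a form the ldap_api.php hunk cannot use: that code wraps the setting in its own parentheses (`$t_search_filter .= "($t_ldap_auth_attribute)";`), so an administrator who copies the example ends up with `((privilegeName=AppLogin))`, which is not a valid RFC 4515 filter and makes every LDAP login fail. The Additional Information uses the bare form (`$g_ldap_auth_attribute = 'privilege=MyAppLogin';`), so either change the comment to that form or drop the parentheses from the code, and document the new `$g_ldap_auth_attribute` option alongside the other `$g_ldap_*` settings so the expected shape is stated once.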
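Review bot: in the ldap_api.php hunk, `$t_ldap_auth_attribute` is concatenated into `$t_search_filter` with no validation, so a malformed value (leading or unbalanced parentheses, a NUL byte, a missing `=`) silently yields an invalid filter and surfaces only as a generic login failure. The value is administrator-controlled configuration rather than user input, which keeps this out of injection territory, but a check that it has the bare `attribute=value` shape, with a clear error when it does not, would make misconfiguration diagnosable instead of locking everyone out. Two smaller points: `if ( $t_ldap_auth_attribute )` is a PHP truthiness test, so a value of `'0'` counts as "not set", and an explicit `!== ''` comparison says what is meant; and the hunk deserves a comment that the requirement is enforced by making the DN lookup return no entry, so a user lacking the attribute is treated exactly like an unknown user (correct behaviour, but not obvious from the filter string).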
PS: I'm new to this group, and offer my apologies if the convention should have been first to post this to the forum for discussion. I tried to sign up for the forum, but for some reason the confirmation email never reached my email box. In any event, I hope someone looks at this and finds it suitable to add to the system. |
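The filter construction the patch describes, with the username escaped and the configured assertion validated before it is spliced in, as an added example that is not part of the attached patch or of MantisBT; the function names, the organization fragment, the usernames and the privilege value are this example's own constructions:

```php
<?php
// Added example; not code from the MantisBT patch on this page. It builds the
// same search filter the patched ldap_api.php produces, plus two defensive
// checks the patch lacks. All function and parameter names are this example's own.

// Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
// PHP 5.6+ provides ldap_escape() with LDAP_ESCAPE_FILTER for the same job;
// this hand-rolled version keeps the example runnable without ext/ldap.
function ldap_filter_escape( $p_value ) {
    return strtr( $p_value, array(
        '\\'   => '\5c',
        '*'    => '\2a',
        '('    => '\28',
        ')'    => '\29',
        "\x00" => '\00',
    ) );
}

// The patch wraps the configured value in its own parentheses, so the setting
// must be a bare "attribute=value" assertion (e.g. 'privilege=MyAppLogin').
// Reject anything that would break or widen the filter: surrounding or
// embedded parentheses, NUL bytes, or a missing '='.
function ldap_auth_attribute_is_valid( $p_assertion ) {
    return (bool) preg_match( '/^[A-Za-z][A-Za-z0-9-]*=[^()\x00]+$/', $p_assertion );
}

// Build "(&<organization>(<uid_field>=<username>)[(<auth_attribute>)])".
// $p_organization is an optional filter fragment such as '(organizationname=Example)',
// $p_username is user-supplied and therefore escaped, $p_auth_attribute is the
// administrator-supplied config value described in the issue.
function build_ldap_search_filter( $p_organization, $p_uid_field, $p_username, $p_auth_attribute = '' ) {
    $t_filter = '(&' . $p_organization
              . '(' . $p_uid_field . '=' . ldap_filter_escape( $p_username ) . ')';
    if ( $p_auth_attribute !== '' ) {          // explicit test: '0' is still a value
        if ( !ldap_auth_attribute_is_valid( $p_auth_attribute ) ) {
            throw new InvalidArgumentException(
                "ldap_auth_attribute must be a bare attribute=value assertion, got '$p_auth_attribute'" );
        }
        $t_filter .= '(' . $p_auth_attribute . ')';
    }
    return $t_filter . ')';
}

// Constructed sample values, not taken from any real directory.
$t_org = '(organizationname=Example)';

// Normal case: the required attribute becomes a third AND term.
echo build_ldap_search_filter( $t_org, 'uid', 'jsmith', 'privilege=MyAppLogin' ), "\n";

// Option left empty: the filter is identical to the unpatched one.
echo build_ldap_search_filter( $t_org, 'uid', 'jsmith' ), "\n";

// Parentheses in a username are escaped instead of changing the filter's structure.
echo build_ldap_search_filter( $t_org, 'uid', 'j.smith (contractor)', 'privilege=MyAppLogin' ), "\n";

// The parenthesised form from the config_defaults_inc.php comment is rejected
// up front instead of producing '((privilege=MyAppLogin))' and failing every login.
try {
    build_ldap_search_filter( $t_org, 'uid', 'jsmith', '(privilege=MyAppLogin)' );
} catch ( InvalidArgumentException $e ) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with `php` on the command line; it needs no LDAP server or extension. The validation deliberately admits `*` in the value, since a presence or substring assertion such as `privilege=*` is a legitimate requirement, while parentheses and NUL are refused because they can only change the filter's structure.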