[DRE-maint] Bug#606979: redmine: more secure LDAP authentication
Antoine Beaupre
anarcat at koumbit.org
Mon Dec 13 16:13:09 UTC 2010
Package: redmine
Version: 1.0.1-1
Severity: wishlist
Tags: patch
Hi,
I have been using this Debian package since 0.9.1 in production. Since we are in an LDAP environment, we started using the LDAP configuration. However, the default configuration requires you to set a superuser password to bind with at first, which is absolutely not necessary in LDAP...
I have submitted a patch to fix this about 10 months ago upstream, and so far they have failed to take that into account. I have just ported the patch to 1.0.1 and thought other Debian users could benefit from this, so I include it here for your convenience. Hopefully it will get merged upstream eventually.
It doesn't modify the database so it should be fairly safe to use even if upstream takes a different direction.
See attached patch.
-- System Information:
Debian Release: 5.0.7
APT prefers stable
APT policy: (500, 'stable'), (2, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-vserver-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages redmine depends on:
ii dbconfig-common 1.8.39 common framework for packaging dat
ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy
ii libactionmailer-ruby 2.3.5-1~bpo50+1 Framework for generation of custom
ii libactionpack-ruby 2.3.5-1~bpo50+1 Controller and View framework used
ii libactiveresource-ruby 2.3.5-1~bpo50+1 Connects objects and REST web serv
ii libactivesupport-ruby 2.3.5-1~bpo50+1 utility classes and extensions (Ru
ii libjs-scriptaculous 1.8.3-1~bpo50+1 JavaScript library for dynamic web
ii rails 2.3.5-1~bpo50+1 MVC ruby based framework geared fo
ii redmine-mysql 0.9.1-1~bpo50+1 metapackage providing MySQL depend
ii ruby 4.2 An interpreter of object-oriented
ii ruby1.8 1.8.7.72-3lenny1 Interpreter of object-oriented scr
redmine recommends no packages.
Versions of packages redmine suggests:
ii libopenid-ruby 2.1.2debian-1 Ruby library for verifying and ser
pn librmagick-ruby <none> (no description available)
pn libsvn-ruby <none> (no description available)
-- debconf information excluded
--- app/models/auth_source_ldap.rb.orig 2010-12-13 10:57:01.000000000 -0500
+++ app/models/auth_source_ldap.rb 2010-12-13 10:57:06.000000000 -0500
@@ -33,7 +33,7 @@
def authenticate(login, password)
return nil if login.blank? || password.blank?
- attrs = get_user_dn(login)
+ attrs = get_user_dn(login, password)
if attrs && attrs[:dn] && authenticate_dn(attrs[:dn], password)
logger.debug "Authentication successful for '#{login}'" if logger && logger.debug?
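Review bot: get_user_dn now takes two arguments, but this hunk only shows the call in authenticate being updated; any other call site in the model still passing a single argument would raise ArgumentError, so the rest of auth_source_ldap.rb (and anything like a connection test that reuses the lookup) should be grepped for get_user_dn( before this is applied. The existing guard "return nil if login.blank? || password.blank?" is what prevents an empty password from being handed to the lookup bind in the new mode, so it must stay ahead of this call.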
@@ -100,8 +100,12 @@
end
# Get the user's dn and any attributes for them, given their login
- def get_user_dn(login)
- ldap_con = initialize_ldap_con(self.account, self.account_password)
+ def get_user_dn(login, password)
+ if self.account.include? "$login" then
+ ldap_con = initialize_ldap_con(self.account.sub("$login", login), password)
+ else
+ ldap_con = initialize_ldap_con(self.account, self.account_password)
+ end
login_filter = Net::LDAP::Filter.eq( self.attr_login, login )
object_filter = Net::LDAP::Filter.eq( "objectClass", "*" )
attrs = {}
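Review bot: self.account.sub("$login", login) replaces only the first occurrence of the placeholder and splices the login into the bind DN verbatim; use gsub, and escape the DN-special characters listed in RFC 4514 section 2.4 (comma, plus, double quote, backslash, angle brackets, semicolon, and a leading "#" or space) in the substituted value, or reject logins containing them, so that whatever is typed as a login cannot change the structure of the DN being bound. The trailing "then" on the if line is unusual Ruby style, and the comment above ("# Get the user's dn and any attributes for them, given their login") should mention the new password argument and the "$login" convention, since an administrator has to know that putting $login in the account field switches the lookup to bind as the user and makes the stored account password unnecessary.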
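The lookup-bind selection the patch introduces, as an added example that is not part of this bug report or of Redmine's code: it replaces every "$login" occurrence and escapes the login before it is placed in the bind DN (RFC 4514) or in the login search filter (RFC 4515). The function names are my own, the sample configuration is constructed, and nothing here calls net-ldap or performs a network bind.

```ruby
# Added example (not Redmine's code, not part of the bug report): decide the
# credentials for the DN lookup step and escape the login on the way in.

LOGIN_PLACEHOLDER = "$login".freeze
# Characters that must be escaped anywhere inside a DN attribute value
# (RFC 4514 section 2.4); a leading '#'/space and a trailing space are
# handled separately below.
DN_SPECIALS = ['\\', ',', '+', '"', '<', '>', ';', '='].freeze

# Escape one attribute value for use inside a distinguished name.
def escape_dn_value(value)
  chars = value.to_s.chars.map { |c| DN_SPECIALS.include?(c) ? "\\#{c}" : c }
  chars[0] = "\\#{chars[0]}" if [" ", "#"].include?(chars[0])
  chars[-1] = "\\ " if chars[-1] == " "
  chars.join
end

# Escape one value for use inside an LDAP search filter (RFC 4515 section 3):
# '*', '(', ')', '\' and NUL become \2a, \28, \29, \5c and \00.
def escape_filter_value(value)
  value.to_s.gsub(/[*()\\\x00]/) { |c| format("\\%02x", c.ord) }
end

# The equality filter the patch builds with Net::LDAP::Filter.eq, as a string.
def login_filter(attr_login, login)
  "(#{attr_login}=#{escape_filter_value(login)})"
end

# Returns [bind_identity, bind_password] for the DN lookup. When the
# configured account contains "$login", the lookup binds as the user with the
# password they just typed, so no service-account password needs to be stored.
def lookup_bind(account, account_password, login, password)
  if account.include?(LOGIN_PLACEHOLDER)
    # gsub, not sub: replace every placeholder, never splice the raw login
    [account.gsub(LOGIN_PLACEHOLDER, escape_dn_value(login)), password]
  else
    [account, account_password]
  end
end

if $PROGRAM_NAME == __FILE__
  # constructed sample configuration and credentials
  dn, pw = lookup_bind("uid=$login,ou=people,dc=example,dc=org", "", "jdoe", "s3cret")
  puts "lookup binds as #{dn} with the user's password (#{pw})"
  puts login_filter("uid", "jdoe")
end
```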