[DRE-maint] Bug#606979: redmine: more secure LDAP authentication

Antoine Beaupre anarcat at koumbit.org
Mon Dec 13 16:13:09 UTC 2010


Package: redmine
Version: 1.0.1-1
Severity: wishlist
Tags: patch

Hi,

I have been using this Debian package since 0.9.1 in production. Since we are in a LDAP environment, we started using the LDAP configuration. However, the default configuration requires you to set a superuser password to bind with at first, which is absolutely not necessary in LDAP...

I have submitted a patch to fix this about 10 months ago upstream, and so far they have failed to take that into account. I have just ported the patch to 1.0.1 and thought other Debian users could benefit from this, so I include it here for your convenience. Hopefully it will get merged upstream eventually.

It doesn't modify the database so it should be fairly safe to use even if upstream takes a different direction.

See attached patch.

-- System Information:
Debian Release: 5.0.7
  APT prefers stable
  APT policy: (500, 'stable'), (2, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-vserver-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages redmine depends on:
ii  dbconfig-common         1.8.39           common framework for packaging dat
ii  debconf [debconf-2.0]   1.5.24           Debian configuration management sy
ii  libactionmailer-ruby    2.3.5-1~bpo50+1  Framework for generation of custom
ii  libactionpack-ruby      2.3.5-1~bpo50+1  Controller and View framework used
ii  libactiveresource-ruby  2.3.5-1~bpo50+1  Connects objects and REST web serv
ii  libactivesupport-ruby   2.3.5-1~bpo50+1  utility classes and extensions (Ru
ii  libjs-scriptaculous     1.8.3-1~bpo50+1  JavaScript library for dynamic web
ii  rails                   2.3.5-1~bpo50+1  MVC ruby based framework geared fo
ii  redmine-mysql           0.9.1-1~bpo50+1  metapackage providing MySQL depend
ii  ruby                    4.2              An interpreter of object-oriented 
ii  ruby1.8                 1.8.7.72-3lenny1 Interpreter of object-oriented scr

redmine recommends no packages.

Versions of packages redmine suggests:
ii  libopenid-ruby             2.1.2debian-1 Ruby library for verifying and ser
pn  librmagick-ruby            <none>        (no description available)
pn  libsvn-ruby                <none>        (no description available)

-- debconf information excluded
-------------- next part --------------
--- app/models/auth_source_ldap.rb.orig	2010-12-13 10:57:01.000000000 -0500
+++ app/models/auth_source_ldap.rb	2010-12-13 10:57:06.000000000 -0500
@@ -33,7 +33,7 @@
   
   def authenticate(login, password)
     return nil if login.blank? || password.blank?
-    attrs = get_user_dn(login)
+    attrs = get_user_dn(login, password)
     
     if attrs && attrs[:dn] && authenticate_dn(attrs[:dn], password)
       logger.debug "Authentication successful for '#{login}'" if logger && logger.debug?
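Review bot: the `return nil if login.blank? || password.blank?` guard two lines above the changed call now does double duty and must stay ahead of it: with `get_user_dn(login, password)` the user-supplied password is also used for the search bind, and an empty password against a non-empty bind DN is an unauthenticated bind (RFC 4513 section 5.1.2) that many directory servers accept. Note also that in the `$login` case a wrong password now fails at the search bind inside `get_user_dn` rather than at `authenticate_dn`, while the only logging in this method is the success message on the unchanged line; consider logging a failed search bind here as well so failed attempts remain visible.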
@@ -100,8 +100,12 @@
   end
 
   # Get the user's dn and any attributes for them, given their login
-  def get_user_dn(login)
-    ldap_con = initialize_ldap_con(self.account, self.account_password)
+  def get_user_dn(login, password)
+    if self.account.include? "$login" then
+      ldap_con = initialize_ldap_con(self.account.sub("$login", login), password)
+    else
+      ldap_con = initialize_ldap_con(self.account, self.account_password)
+    end
     login_filter = Net::LDAP::Filter.eq( self.attr_login, login ) 
     object_filter = Net::LDAP::Filter.eq( "objectClass", "*" ) 
     attrs = {}
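Review bot: `self.account.sub("$login", login)` on the added line interpolates the raw login into the bind DN without escaping, so a login containing DN-special characters (`,`, `+`, `=`, `"`, `\`, `<`, `>`, `;`, or a leading `#`) yields a malformed or unintended bind DN; escape the value per RFC 4514 (or reject logins outside the expected character set) before substitution, e.g. `self.account.sub("$login", escape_dn_value(login))` with a hypothetical escaping helper. Two smaller points: `String#sub` replaces only the first `$login`, so `gsub` is safer if the placeholder may appear more than once; and the comment `# Get the user's dn and any attributes for them, given their login` should document the new `password` parameter and the `$login` placeholder convention, since this method is the only place that behaviour is defined. Please also confirm that `initialize_ldap_con` (not in the diff) returns a failed bind as a nil/false result rather than raising, since a wrong user password now reaches it before `authenticate_dn` does. Style: drop the `then` after `if`, and `ldap_con` can be assigned once from the conditional expression.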

