Alexander Mamchenkov – Page 45 – Blog of Alexander Mamchenkov

Quick update

These days are very hot and brain just boils :( No willingness to do anything. Lots of people coming to Cyprus for their holidays. Lots of parties and drinking.

Finally got my car back from the garage after I had a small incident (nobody died). Cost me a fortune though.

Waiting for winter to get rest from the sun.

RT3 ActiveDirectory User Attributes Sync

Ok, here is another small script to deal with RT3 and Active Directory. If you apply the apache ldap auth described previously to your RT3 installation, you will have no problem getting people logged in, but you will still have to adjust their names and emails. Doing this manually is not the best choice, so here is a small script, which can be run from the cron (or manually) to update user info in RT3 according to user attributes in Active Directory:

#!/usr/bin/php
< ?php

# Debug flag. Set to non-zero for verbose output
$debug = 0;

# Settings to use while connecting to active directory
$ldap_host = \"10.10.10.1\"; # AD server
$ldap_user = \"someuser@example.com\"; # User in AD with read writes
$ldap_pass = \"someuser_password\"; # Password for the user above
$ldap_base = \"dc=example,dc=com\"; # AD base to search (recursivly)

# Settings to use while connecting to rt3 MySQL DB
$sql_host = \"127.0.0.1\"; # MySQL server
$sql_name = \"rt3\"; # RT3 DB name in MySQL
$sql_user = \"rt3_user\"; # User to connect to above DB
$sql_pass = \"rt3_pass\"; # Password for the user above

# Map of RT3 -> AD attributes
$attr_map = array(
	\'RealName\'		=> \'displayName\',
	\'EmailAddress\'	=> \'mail\'
);

# Connect to AD and authenticate
$ldap = ldap_connect($ldap_host);
if (!$ldap) {
	die (\"Failed to connect to LDAP server: \" . ldap_error() . \"\\n\");
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
if (!ldap_bind($ldap,$ldap_user,$ldap_pass)) {
	die (\"Failed to bind to LDAP server: \" . ldap_error() . \"\\n\");
}

# Connect to MySQL
$sql = mysql_connect($sql_host,$sql_user,$sql_pass);
if (!$sql) {
	die (\"Failed to connect to MySQL server: \" . mysql_error() . \"\\n\");
}
if (!mysql_select_db($sql_name)) {
	die (\"Failed to select MySQL database: \" . mysql_error() . \"\\n\");
}

# Get a list of RT3 users from MySQL
$users = get_rt3_users();

# Update attributes for each RT3 user according to AD attributes
foreach ($users as $user) {
	set_rt3_user_info($user,get_ldap_user_attr($user));
}

# Close the connections to MySQL and AD
mysql_close($sql);
ldap_unbind($ldap);

# Gets a list of RT3 users from MySQL
function get_rt3_users () {
	global $sql;

	# Skips the external users (the ones that look like email address)
	$result = mysql_query(\"SELECT Name FROM Users WHERE Name NOT LIKE \'%@%\'\",$sql);
	$users = array();
	while ($user = mysql_fetch_array($result)) {
		array_push($users,$user[0]);
	}
	return $users;
}

# Gets AD attributes for the given user
function get_ldap_user_attr ($user) {
	global $ldap,$ldap_base,$attr_map,$debug;

	if ($debug) { print \"Searching for user $user\\n\"; }
	$result = ldap_search($ldap,$ldap_base,\"(sAMAccountName=$user)\");
	$entries = array();
	if ($result) {
		$entries = ldap_get_entries($ldap,$result);
	} else {
		die(\"Failed to search LDAP: \" . ldap_error($ldap) . \"\\n\");
	}
	return $entries;
}

# Updates RT3 user in MySQL with given AD attributes
function set_rt3_user_info ($user,$attr) {
	global $sql,$attr_map;

	# Construct an update SQL query arguments
	$query = \"\";
	foreach ($attr_map as $k => $v) {

		# Update field only if it is set and non empty
		if (isset($attr[0][strtolower($v)][0]) and $attr[0][strtolower($v)][0] != \"\") {
			$query .= \",$k=\'\" . mysql_escape_string($attr[0][strtolower($v)][0]) . \"\'\";
		}
	}

	# Run the actual query
	$query = \"UPDATE Users SET \".substr($query,1).\" WHERE Name=\'\".mysql_escape_string($user).\"\';\";
	mysql_query($query);
}

?>

Now each time a new user logs in to RT3 and his username appears in RT3 database, this script will update his/her name and email. You can extend a list of mapped attributes to have more info updated if you want so.

Apache MS Active Directory Auth

I know there are plenty of methods to apache auth through active directory, but recently I found out that some of them didn\’t work for me or didn\’t do well. The more or less successfull one was perl Apache2::AuthenNTLM, but when you have a lot of users, this one blocks apache now and then and causes some real problems.

Like always, found out about apache mod_authnz_external and ended up writing my own authentication script. Here is how to make things work:

First of all download and install mod_authnz_external (google for the package and installation instructions).

Then put the next script somewhere on the apache server (for example /etc/httpd/conf/ad_login.php):

< ?php

// AD server IP address
$ldap_host = \"10.10.10.1\";

// AD Base
$ldap_base = \"dc=example,dc=com\";

// AD domain
$ldap_domain = \"example.com\";

// Connect to AD server
$stderr = fopen(\"php://stderr\",\"w\");
$ldap = @ldap_connect($ldap_host);
if (!$ldap) {
	fwrite($stderr,\"AD Auth: Failed to connect to $ldap_host\\n\");
	fclose($stderr);
	exit(1);
}
@ldap_set_option($ldap, LDAP_OPT_PROTOCOLO_VERSION, 3);
@ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// Try to login with the supplied username and password 
// (using environment to pass the stuff)
if (!@ldap_bind($ldap,$_ENV[\'USER\'] . \'@\' . $ldap_domain,$_ENV[\'PASS\'])) {
	fwrite($stderr,\"AD Auth: Failed to authenticate \" . $_ENV[\'USER\'] . \"\\n\");
	fclose($stderr);

	// if failed - exit with 1
	exit(1);
}

ldap_unbind($ldap);
fclose($stderr);

// exit with 0 on success
exit(0);

?>

Next, add the following into VirtualHost (or similar) definition in apache config:

AddExternalAuth ad \"/usr/bin/php -f /etc/httpd/conf/ad_login.php\"
SetExternalAuthMethod ad environment

# This can go into Location or Directory sections
AuthType basic
AuthName \"My Closed Zone\"
AuthBasicProvider external
AuthExternal \"ad\"
require valid-user

Restart apache and you are done.

How does it work? Simple. Each time apache will need to authenticate a user, it will start a script (ad_login.php) and pass it username and password as environment variables. The script, in turn, will try to connect to AD and authenticate itself as given user. If that fails – login fails, otherwise – login ok. So basically, if a user has writes to connect to AD, (s)he has write to login to apache.

And of course you can extend the php script with some extras, like additional checks on username, caching and so on.

WP upgrade 2.5 to 2.7.1

Finally I got annoyed by the upgrade warning and did the thing. Looks fine (at least for me). Let me know if something went wrong from your side.

More scripts comming

Similar to the latest port, I will be putting more scripts that I use(d) here and there, since recently I found quite a few in my collection and I don\’t want to lose them as well as want other people to use them if they need.