Category: Technology

I know there are plenty of methods to apache auth through active directory, but recently I found out that some of them didn\’t work for me or didn\’t do well. The more or less successfull one was perl Apache2::AuthenNTLM, but when you have a lot of users, this one blocks apache now and then and causes some real problems.

Like always, found out about apache mod_authnz_external and ended up writing my own authentication script. Here is how to make things work:

First of all download and install mod_authnz_external (google for the package and installation instructions).

Then put the next script somewhere on the apache server (for example /etc/httpd/conf/ad_login.php):

< ?php

// AD server IP address
$ldap_host = \"10.10.10.1\";

// AD Base
$ldap_base = \"dc=example,dc=com\";

// AD domain
$ldap_domain = \"example.com\";

// Connect to AD server
$stderr = fopen(\"php://stderr\",\"w\");
$ldap = @ldap_connect($ldap_host);
if (!$ldap) {
	fwrite($stderr,\"AD Auth: Failed to connect to $ldap_host\\n\");
	fclose($stderr);
	exit(1);
}
@ldap_set_option($ldap, LDAP_OPT_PROTOCOLO_VERSION, 3);
@ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// Try to login with the supplied username and password 
// (using environment to pass the stuff)
if (!@ldap_bind($ldap,$_ENV[\'USER\'] . \'@\' . $ldap_domain,$_ENV[\'PASS\'])) {
	fwrite($stderr,\"AD Auth: Failed to authenticate \" . $_ENV[\'USER\'] . \"\\n\");
	fclose($stderr);

	// if failed - exit with 1
	exit(1);
}

ldap_unbind($ldap);
fclose($stderr);

// exit with 0 on success
exit(0);

?>

Next, add the following into VirtualHost (or similar) definition in apache config:

AddExternalAuth ad \"/usr/bin/php -f /etc/httpd/conf/ad_login.php\"
SetExternalAuthMethod ad environment

# This can go into Location or Directory sections
AuthType basic
AuthName \"My Closed Zone\"
AuthBasicProvider external
AuthExternal \"ad\"
require valid-user

Restart apache and you are done.

How does it work? Simple. Each time apache will need to authenticate a user, it will start a script (ad_login.php) and pass it username and password as environment variables. The script, in turn, will try to connect to AD and authenticate itself as given user. If that fails – login fails, otherwise – login ok. So basically, if a user has writes to connect to AD, (s)he has write to login to apache.

And of course you can extend the php script with some extras, like additional checks on username, caching and so on.

Recently I had to do an import of mailboxes hosted in the maildirs into RT3. Looking around on the web didn\’t found ready solutions. Looking some more and getting small portions of code here and there ended up writing my own script.

One thing though, I had to stop using rt-mailgate for the purpose of import since it was overloading Apache and MySQL. Through I still use rt-mailgate for normal mail aliases to pass incoming mail to RT.

The script should be started from inside of the root of the maildir which you want to import. Prior to this, few parameters needed to be adjusted like the RT queue, tickets status and log file (right at the top of the script).

Few notes:
– assuming RT is hosted on the same machine the maildir is located (alternativly copy the maildir to the same server).
– script works with files and RT modules (which work directly with MySQL) and is much lighter and more flexible than the default rt-mailgate.
– I am not a programmer, so don\’t blame me for bad coding, suggestions welcome.
– All the stuff is in perl, tested to be working for me on Fedora 10 with RT3 version 3.8.2
– If you uncomment the DEBUG section of the code, it will do dry run, showing what will be imported and what not, without doing actual imports or writing to any logs.
– If, by some chance, you lost your log of previous import, or want to import only a portion of emails in the current maildir, you can use unix find instead of perl glob in the for statement. (For example, put the next statement as a condition for for loop to find messages that were changed within last day: split /\\n/,`find new cur tmp .*/cur .*/new .*/tmp -mtime -1 -type f`)

Ok, here is the code:

#!/usr/bin/perl -w

use RT;
use Email::MIME;
use Data::Dumper;

# RT Queue to import email to
my $desired_queue = \"my_rt_queue_name_here\";

# Log file to write update (and read old data from)
my $log_file = \"/tmp/rt3_import_log-$desired_queue.txt\";

# Status of the tickets created
my $status = \'resolved\';

# Get connected to RT
RT::LoadConfig();
RT::Init();
RT::ConnectToDatabase();

# Store already imported emails here
my $imported = {};

# If the log file already exists
if (-f $log_file) {

	# Try to read it and get all email ids
	# that were already imported
	open LOG, \"< $log_file\";
	while (my $line = ) {
		if (my $id = get_msgid($line)) {
			$imported->{$id} = 1;
		}
	}
	close LOG;
}


open LOG, \">>$log_file\";
my $total = 0;

# Find all files in current dir (recursivly
for my $file (glob \"cur/* tmp/* new/* .*/cur/* .*/tmp/* .*/new/*\") {

	$total++;
	print \"$file: \";

	# Try to get message ID
	my $msgid = get_msgid($file);
	if ($msgid) {

		# Skip if already imported
		if (defined($imported->{$msgid}) && $imported->{$msgid} == 1) {
			print \"skipping\\n\";
			next;
		}
	} else {

		# Skip of no message ID
		print \"no message id\\n\";
		next;
	}

# DEBUG!!!
#	print \"fetching\\n\";
#	next;
# !DEBUG

	# Try to create a ticket
	my ($id,$error) = create_ticket($desired_queue,$file,$status);


	if ($id) {

		# Log to STDOUT and log file on success
		print \" $id\\n\";
		print LOG \"$file: $id\\n\";
		$imported->{$msgid} = 1;

	} else {

		# Log to STDOUT on failure
		print \"$error\\n\";
	}

	# Sleep for 30 secs each 50 msgs not to overload MySQL
	# (Adjust if needed, this is for heavy production systems)
	if ($total == 50) {
		$total = 0;
		sleep 30;
	}
}

close LOG;

# Parse message ID from file name
sub get_msgid {
	my $msg = shift;

	if ($msg =~ /^.*\\/([0-9A-Z]+)\\.([0-9A-Z]+)\\.[^\\/]+?:.*$/) {

		# Return only the first two portions of msg ID
		# (works file with Exim/Dovecot IDs)
		return \"$1.$2\";
	}

	return 0;
}

# Create a ticket in RT
sub create_ticket {
	my ($queue,$filename,$ticket_status) = @_;

	# Read the content of the msg file
	open FH,\"< $filename\";
	my $message = \"\";
	my $subject = \"\";
	while (my $line = ) {
		$message .= \"$line\";

		# Try to find out the subject 
		if ($line =~ /^Subject: (.*)\\n$/ && $subject eq \"\") {
			$subject = $1;
		}
	}
	close FH;

	# Create MIME entity (RT wants it like this)
	my $entity = new Email::MIME($message);

	# Parse it the way RT wants
	my $parser = RT::EmailParser->new();
	$parser->SmartParseMIMEEntityFromScalar(Message => $entity->as_string);

	# Create the ticket
	my $ticket = new RT::Ticket($RT::SystemUser);
	my ($t_id,$transaction,$error_str) = $ticket->Create(
			Queue => $queue,
			Requestor => $entity->header(\'From\'),
			Subject => $subject,
			MIMEObj => $parser->Entity,
			Status => $ticket_status,
	);

	# Give back ID and message
	return ($t_id,$error_str);
}

There is an annoying problem with RT3 sending emails through exim are shown in outlook as being from apache@your-domain.com, istead of the email assigned to the queue in RT (like support@your-domain.com).

To fix this boolshit:

– add a line trusted_users: apache into exim config (you might need to replace apache with whatever user apache is running under)

– add a line apache@your-domain.com \”${if !eq {$header_From:}{}{$header_sender:$header_From:}fail}\” Fs in the rewrite section of exim config (adjust apache@your-domain.com to whatever fits you)

– restart/reload exim