
Bugzilla doesn't map LDAP-authenticated user to bugzilla email-based user

On a fresh install of Bugzilla 5.0.6 with Apache 2.4.41 on Ubuntu 20 I'd like to map our domain users to our existing Bugzilla accounts. (We're migrating from an earlier version of Bugzilla but on Apache with Windows, so it's almost a new install except for the database migration.)

To do this I've skipped Bugzilla's LDAP settings in favor of using the Apache integration with authnz, which is what we did a long time ago with the original setup. (To be fair, Apache on Windows uses a different module for this, SSPI). We also have this setup working on other servers (eg, a wiki). My LDAP settings look like this:

<Location "/">
AuthName "Bugzilla user login (WHL user/pwd)"
AuthType Basic
AuthBasicProvider ldap
LDAPReferrals Off
# If desired add port 389 or 3268
AuthLDAPUrl ldap://ldapserver/dc=org1,dc=org2?sAMAccountName?sub?(objectClass=*)
AuthLDAPBindDN "CN=name,OU=accounts,DC=org1,DC=org2"
AuthLDAPBindPassword "xxxpwdxxx"
Require valid-user
</Location>

I think it's close to working for a few reasons:

  1. The ldap authentication succeeds but Bugzilla shows an error: "We received an email address ([domain login]) that didn't pass our syntax checking for a legal email address [...]"
  2. Wireshark trace of the HTTP request shows that no X-Remote-User is being sent in the HTTP header
  3. Apache error.log has an entry like this: "auth_ldap authenticate: REMOTE_USER was to be set with attribute 'userPrincipalName', but this attribute was not requested for in the LDAP query for the user. REMOTE_USER will fall back to username or DN as appropriate."

This would point to a problem with the AuthLDAPUrl, but no combinations I've found so far have worked. Looking for any suggestions to fix this up.

Or if this isn't the way to do it and the preferred way is to use Bugzilla's ldap authentication, please let me know.

As I suspected, the solution was close, but since it wasn't horseshoes or hand grenades, here we are. It turns out this string

AuthLDAPUrl ldap://ldapserver/dc=org1,dc=org2?sAMAccountName?sub?(objectClass=*)

needed an additional lookup, which was the rather important userPrincipalName (email), à la

AuthLDAPUrl ldap://ldapserver/dc=org1,dc=org2?sAMAccountName,userPrincipalName?sub?(objectClass=*)

In addition, this line

AuthLDAPRemoteUserAttribute userPrincipalName

instructed Apache to put that email address in the X-Remote-User HTTP header. Et voilà, it all works.
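To make the diagnosis and the fix in this answer checkable before Apache is reloaded, here is an added example. It is my own code, not from the question, the answer, Apache or Bugzilla. It parses the AuthLDAPUrl, applies the mod_authnz_ldap rule that AuthLDAPRemoteUserAttribute is only honoured when that attribute is listed in the URL's attribute list (otherwise REMOTE_USER falls back to the login name, or to the DN when AuthLDAPRemoteUserIsDN is on), and then runs the resulting REMOTE_USER through Bugzilla's default emailregexp, which is what the "didn't pass our syntax checking" error is about. The directory entry, the user jdoe and the two config fragments are constructed; no LDAP search is performed.

```python
"""Lint a mod_authnz_ldap <Location> block for the REMOTE_USER / Bugzilla email problem.

Added example, not code from Apache, Bugzilla or the original post. The LDAP
lookup is simulated with a constructed entry; only the attribute-selection rule
and Bugzilla's email syntax check are reproduced.
"""
import re
from urllib.parse import unquote

# Bugzilla's default "emailregexp" parameter. Admins can change it, so compare
# against the value actually configured on your instance.
BUGZILLA_EMAILREGEXP = re.compile(r"^[\w.+\-=']+@[\w.\-]+\.[\w\-]+$")

# Constructed directory entry for a hypothetical user "jdoe" (keys lower-cased,
# because LDAP attribute names are case-insensitive).
SAMPLE_ENTRY = {
    "dn": "CN=Jane Doe,OU=accounts,DC=org1,DC=org2",
    "samaccountname": "jdoe",
    "userprincipalname": "jdoe@org1.org2",
}

# The question's URL (only sAMAccountName requested) next to the answer's fix.
BROKEN_CONFIG = """\
AuthType Basic
AuthBasicProvider ldap
AuthLDAPUrl ldap://ldapserver/dc=org1,dc=org2?sAMAccountName?sub?(objectClass=*)
AuthLDAPRemoteUserAttribute userPrincipalName
Require valid-user
"""

FIXED_CONFIG = """\
AuthType Basic
AuthBasicProvider ldap
AuthLDAPUrl ldap://ldapserver/dc=org1,dc=org2?sAMAccountName,userPrincipalName?sub?(objectClass=*)
AuthLDAPRemoteUserAttribute userPrincipalName
Require valid-user
"""


def parse_auth_ldap_url(url):
    """Split an AuthLDAPUrl (RFC 2255 form: ldap://host/basedn?attrs?scope?filter).

    Defaults follow the mod_authnz_ldap documentation: attribute uid, scope sub,
    filter (objectclass=*).
    """
    m = re.match(r"^(ldaps?)://([^/]*)/(.*)$", url)
    if not m:
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % url)
    scheme, host, rest = m.groups()
    basedn, attrs, scope, filt = (rest.split("?") + ["", "", "", ""])[:4]
    attributes = [a for a in unquote(attrs).split(",") if a] or ["uid"]
    return {"scheme": scheme, "host": host, "basedn": unquote(basedn),
            "attributes": attributes, "scope": scope or "sub",
            "filter": unquote(filt) or "(objectclass=*)"}


def parse_directives(config_text):
    """Collect 'Directive value' lines from a <Location> body (names are case-insensitive)."""
    directives = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, _, value = line.partition(" ")
        directives[name.lower()] = value.strip().strip('"')
    return directives


def resolve_remote_user(config_text, entry):
    """Return (remote_user, warning) as mod_authnz_ldap would set them for `entry`.

    `warning` is None, or the text of the error.log line the question quotes.
    """
    d = parse_directives(config_text)
    url = parse_auth_ldap_url(d["authldapurl"])
    requested = [a.lower() for a in url["attributes"]]
    login_attr = requested[0]  # only the first listed attribute is used for the lookup
    remote_attr = d.get("authldapremoteuserattribute")
    if remote_attr and remote_attr.lower() in requested:
        return entry[remote_attr.lower()], None
    warning = None
    if remote_attr:
        warning = ("auth_ldap authenticate: REMOTE_USER was to be set with attribute "
                   "'%s', but this attribute was not requested for in the LDAP query "
                   "for the user. REMOTE_USER will fall back to username or DN as "
                   "appropriate." % remote_attr)
    if d.get("authldapremoteuserisdn", "off").lower() == "on":
        return entry["dn"], warning
    return entry[login_attr], warning


def bugzilla_accepts(remote_user, emailregexp=BUGZILLA_EMAILREGEXP):
    """True when Bugzilla's Env login would accept remote_user as an email address."""
    return emailregexp.match(remote_user) is not None


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        user, warning = resolve_remote_user(cfg, SAMPLE_ENTRY)
        print("%s: REMOTE_USER=%r bugzilla_accepts=%s" % (label, user, bugzilla_accepts(user)))
        if warning:
            print("  error.log would show:", warning)
```

Running it prints jdoe (rejected, with the warning) for the broken block and jdoe@org1.org2 (accepted) for the fixed one. On the Bugzilla side this assumes the Env login is in use (user_info_class includes Env) with auth_env_email pointing at the variable Apache sets. Two things worth keeping in mind with this setup: AuthType Basic sends the domain password base64-encoded on every request, so the Location must only be reachable over TLS, and AuthLDAPBindPassword sits in cleartext in the config, so use a read-only bind account and restrict the file's permissions.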
