[Rt-commit] rt branch, 5.0/disable-password-for-auth-token-config, repushed

Jim Brandt jbrandt at bestpractical.com
Mon Dec 21 17:04:05 EST 2020


The branch 5.0/disable-password-for-auth-token-config was deleted and repushed:
       was 8df779384a1814b759639b102fc741aafa28c3a2
       now b148f34f9e3ccc32dba18181ee031497aecd3804

-:  ------- > 1: 8b6872cfe1 Align "Time to display" in footer
1: 9b90fbeac1 ! 2: c466142ae3 Add option to disable password prompt when creating tokens
    @@ -1,10 +1,13 @@
     Author: Aaron Trevena <ast at bestpractical.com>
     
    -    Add config option to disable password for auth tokens
    +    Add option to disable password prompt when creating tokens
         
    -    Added and documented new configuration option to not require a password
    -    when adding a new auth token, this solves problems with requiring a password
    -    in a hybrid RT where both external and local accounts are used.
    +    If RT allows both local RT auth and federated auth, we
    +    can't automatically determine when to supress the password
    +    prompt during token creation. RT can't run a password check
    +    against a federated auth system, so users can be blocked from
    +    creating tokens. Provide an option to allow admins to explicitly
    +    omit the password check to prevent this.
     
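Review bot: Typo in the new commit message body, "when to supress the password prompt" should read "suppress". The subject says "disable password prompt" while the last sentence says "omit the password check"; use one term throughout so it is clear whether the option only hides the form field or also skips the verification.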
     diff --git a/docs/authentication.pod b/docs/authentication.pod
     --- a/docs/authentication.pod
    @@ -13,43 +16,35 @@
      
          SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
      
    -+
    -+If you have a mix of local and external authentication you can disable
    -+requiring a password to create tokens with the following line in
    -+C<RT_SiteConfig.pm>:
    -+
    -+   Set($DisablePasswordForAuthToken, 1);
    -+
    -+
    - You can find more information about tokens in L<RT::Authen::Token>.
    +-You can find more information about tokens in L<RT::Authen::Token>.
    ++Since tokens grant access on behalf of a user, RT prompts for a password
    ++when a user is creating a token. However, if you have a mix of RT and
    ++federated authentication, RT can't authenticate users via the federated
    ++password system. For this case, you can explicitly disable the password
    ++check with the C<$DisablePasswordForAuthToken> configuration option.
      
      =head1 External Authentication
    + 
     
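Review bot: The pointer "You can find more information about tokens in L<RT::Authen::Token>." is now deleted from docs/authentication.pod, and the replacement paragraph links nowhere for token details; keep that sentence after the new paragraph. The paragraph also names C<$DisablePasswordForAuthToken> without the Set(...) line the earlier revision showed, so either restore the one-line example or tell readers the option is documented in RT_Config.pm.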
     diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
     --- a/etc/RT_Config.pm.in
     +++ b/etc/RT_Config.pm.in
     @@
    - 
    - Set($MinimumPasswordLength, 5);
    + are not in LDAP can still be created when they email in.
    + See L<RT::Authen::ExternalAuth> for details.
      
     +=item C<$DisablePasswordForAuthToken>
     +
    -+If you have a mix of local and external authentication you can disable
    -+requiring a password to create tokens with the following line in
    -+C<etc/RT_SiteConfig.pm>. You can find more information about tokens in
    -+L<RT::Authen::Token>.
    ++If you have a mix of RT and federated authentication, RT can't directly
    ++verify a user's password against the federated IdP. You can explicitly
    ++disable the password prompt when creating a token by setting this option
    ++to true (1).
     +
    - =back
    - 
    - =head3 External Authentication and Authorization
    -@@
    - 
      =back
      
     +=cut
     +
     +Set($DisablePasswordForAuthToken, 0);
    -+
      
      =head2 Initialdata Formats
      
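Review bot: The =item text for C<$DisablePasswordForAuthToken> does not state the scope or the cost of turning it on. The commit message says RT can't automatically determine when to suppress the prompt, which suggests the setting applies to every user, including those who do have a local RT password; the entry should say so explicitly. Since authentication.pod now explains that the prompt exists because tokens grant access on behalf of a user, this entry should also note that with the option set to 1 no credential is re-checked when a token is created. The earlier revision's reference to L<RT::Authen::Token> was dropped from this entry as well and is worth keeping.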
2: 5b53164822 = 3: 27e2eeb6a1 Switch to Obfuscate callback for $DatabasePassword/$LDAPPassword configs
3: 8df779384a = 4: b148f34f9e Remove special handling of password like core variables on configuration page


