[rt-users] RT-Users Digest, Vol 70, Issue 29

Tim Cutts tjrc at sanger.ac.uk
Thu Jan 14 18:13:57 EST 2010


On 14 Jan 2010, at 7:06 pm, rt-users-request at lists.bestpractical.com  
wrote:

> Unless you're authenticating against a custom mysql database, there is
> no need to tell RT::Authen::ExternalAuth about RT's internal database
> tables.
>
> It sounds like you want to tell RT::Authen::ExternalAuth to only use
> your LDAP configuration.
>
> RT will fall back to internal auth if RT::Authen::ExternalAuth fails
> to authenticate you against LDAP

Although you want to be careful about that; we got bitten by it.  For  
some reason, several very old accounts in our RT database had a  
default password set in the MySQL database, and people found that  
they could still use that password and get in.  I personally think  
that's a bug in the code, and I've changed it in our installation to  
the following logic, which makes more sense to me:

1)  If the account exists in the external source, then check  
authentication against that source, and let the user in if appropriate.
2)  If the user provides the wrong password to the external account,  
immediately reject the login
3)  If the user does not exist within the external source, only then  
fall back to internal authentication.

Tim


-- 
 The Wellcome Trust Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE. 
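The difference between the fallback Tim was bitten by and his three-step logic, as an added example that is not part of the original thread or of RT's code. It is a Python model rather than RT's Perl, and the directory, the internal password table and the `external_*`/`internal_auth` helpers are constructed stand-ins, not the RT::Authen::ExternalAuth API.

```python
import hmac
from enum import Enum


class Decision(Enum):
    EXTERNAL_OK = "accepted by external source"
    EXTERNAL_REJECT = "rejected: wrong password for an externally known account"
    INTERNAL_OK = "accepted by internal fallback"
    INTERNAL_REJECT = "rejected: unknown user or wrong internal password"


# Constructed sample data (hypothetical): an LDAP-style directory and RT's
# internal Users table. "bob" exists in both and still carries a stale
# internal password, which is exactly the case that bit Tim's installation.
EXTERNAL_DIRECTORY = {"alice": "ldap-secret", "bob": "bob-ldap-pass"}
INTERNAL_PASSWORDS = {"bob": "default-password", "legacy": "old-local"}


def external_user_exists(user: str) -> bool:
    return user in EXTERNAL_DIRECTORY


def external_auth(user: str, password: str) -> bool:
    # Stand-in for an LDAP bind; constant-time compare as a matter of habit.
    expected = EXTERNAL_DIRECTORY.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def internal_auth(user: str, password: str) -> bool:
    expected = INTERNAL_PASSWORDS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def authenticate_fallback_on_any_failure(user: str, password: str) -> Decision:
    """Fall back to internal auth whenever external auth fails (the behaviour described in the thread)."""
    if external_auth(user, password):
        return Decision.EXTERNAL_OK
    if internal_auth(user, password):
        return Decision.INTERNAL_OK  # a stale internal password gets in here
    return Decision.INTERNAL_REJECT


def authenticate_fallback_only_if_absent(user: str, password: str) -> Decision:
    """Tim's three steps: external account wins; wrong external password is final; fall back only if unknown externally."""
    if external_user_exists(user):
        return Decision.EXTERNAL_OK if external_auth(user, password) else Decision.EXTERNAL_REJECT
    if internal_auth(user, password):
        return Decision.INTERNAL_OK
    return Decision.INTERNAL_REJECT
```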


