[rt-users] Authentication against LDAP and Authorization against internal db

Asif Iqbal vadud3 at gmail.com
Sat Jun 16 00:34:49 EDT 2012


>>>>>> On Tue, Jun 12, 2012 at 5:38 AM, Asif Iqbal <vadud3 at gmail.com> wrote:
>>>>>>> I am using external authentication against our corporate AD server
>>>>>>> successfully, using the RT::Authen::ExternalAuth.
>>>>>>>
>>>>>>> But I like the authorization done against internal db for user account.
>>>>>>>
>>>>>>> Just because a user has a valid AD credential is not enough for him/her
>>>>>>> to be able to login to our RT. We like to manage the login by creating
>>>>>>> the user account into internal db using the Web UI.
>>>>>>>
>>>>>>> So we still like the user to use their AD credential and no need to
>>>>>>> remember another password, and at the same time only be able to login
>>>>>>> if the same username is available in internal db.
>>>>>>>
>>>>>>> Is that possible? Any suggestion/tip is appreciated.
>>>>>>
>>>>>> Yes, it is possible, but not like you want it to be.
>>>>>>
>>>>>> As far as I can see users need AD record anyway, just mark them
>>>>>> somehow in AD and use this marking in ExternalAuth filter.
>>>>>>
>>>>> I have no access to AD. It belongs to corporate group and will not be
>>>>> able to manage a group.
>>>>>
>>>>> There is no way to control the Authorization part locally?
>>>>
>>>> Not out of the box. Patch external auth module and add option to avoid
>>>> creation of new users.
>>>>
>>> So I could just comment this section out to avoid user create as one
>>> option? I know, ugly.
>>>
>>> http://paste.ubuntu.com/1039210/
>>>
>> This seems to have worked.
>>
>> http://paste.ubuntu.com/1039233/
>>
> fixed some of the comments to reflect the intention
>
> http://paste.ubuntu.com/1039239/
>


I am getting this error after applying RT::Authen::ExternalAuth, patched to
disable the "user creation part". This is the patch I applied:
http://paste.ubuntu.com/1039239/


[Sat Jun 16 04:03:50 2012] [info]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Comments:
Autocreated on ticket submission, Disabled: , EmailAddress:
service at example.com, Name: service at example.com, Password: , Privileged: ,
RealName: Service Example
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:633)
[Sat Jun 16 04:03:50 2012] [crit]: User creation failed in mailgateway:
Could not set user info (/opt/rt3/bin/../lib/RT/Interface/Email.pm:244)
[Sat Jun 16 04:03:50 2012] [warning]: Couldn't load user '
service at example.com'.giving up
(/opt/rt3/bin/../lib/RT/Interface/Email.pm:806)
[Sat Jun 16 04:03:50 2012] [crit]: User  'service at example.com' could not be
loaded in the mail gateway (/opt/rt3/bin/../lib/RT/Interface/Email.pm:244)
[Sat Jun 16 04:03:51 2012] [error]: RT could not load a valid user, and
RT's configuration does not allow
for the creation of a new user for this email (service at example.com).
You might need to grant 'Everyone' the right 'CreateTicket' for the
queue support. (/opt/rt3/bin/../lib/RT/Interface/Email.pm:244)
[Sat Jun 16 04:03:51 2012] [error]: RT could not load a valid user, and
RT's configuration does not allow
for the creation of a new user for your email.
(/opt/rt3/bin/../lib/RT/Interface/Email.pm:244)
[Sat Jun 16 04:03:51 2012] [error]: Could not record email: Could not load
a valid user (/opt/rt3/share/html/REST/1.0/NoAuth/mail-gateway:75)


While I definitely don't want to create a user account while a user is trying
to login, I am not sure if it is hurting the mailgateway. Will anyone still be
able to create a ticket through email after applying the external auth module
(patched version)?

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
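A small Python model of the situation in this thread, added here as an illustration and not RT's code or the paste's patch; every name below is invented, and the AD directory and local user table are constructed stand-ins. It shows authentication coming from the external directory, authorization coming from the local user table, and the mail gateway as a second caller that hits the same user-creation switch.

```python
# Added illustration (not RT's code): models the two callers of
# RT::Authen::ExternalAuth discussed in the thread. Names are invented.
from dataclasses import dataclass, field

# Constructed stand-in for the corporate AD: username -> password
AD_DIRECTORY = {"alice": "Correct-Horse", "service@example.com": "svc-pass"}


@dataclass
class LocalDB:
    """Stand-in for RT's internal user table (the authorization source)."""
    users: dict = field(default_factory=dict)   # name -> {"privileged": bool}

    def load_user(self, name):
        return self.users.get(name)

    def create_user(self, name, privileged):
        self.users[name] = {"privileged": privileged}
        return self.users[name]


def external_auth(name, password):
    """Authentication only: the AD bind. Says nothing about RT rights."""
    return AD_DIRECTORY.get(name) == password


def canonicalize_and_load(db, name, autocreate):
    """Models CanonicalizeUserInfo followed by the user load. With
    autocreate=False (what the thread's patch does) an unknown name is
    never inserted into the local db."""
    user = db.load_user(name)
    if user is None and autocreate:
        user = db.create_user(name, privileged=False)
    return user


def web_login(db, name, password, autocreate=False):
    """Web UI: AD decides who you are, the local db decides whether you may
    log in. Returns True only when both agree."""
    if not external_auth(name, password):
        return False
    return canonicalize_and_load(db, name, autocreate) is not None


def mail_gateway_sender(db, sender, autocreate):
    """Mail gateway: no password involved. An unknown sender either gets an
    unprivileged record or, as in the logged error, cannot be loaded."""
    user = canonicalize_and_load(db, sender, autocreate)
    return "ok" if user else "Could not load a valid user"
```

In this model, gating autocreation per caller instead of removing it outright is what keeps email ticket creation working for unknown senders, which is the failure the log above shows.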