[rt-users] REMOTE_USER, external auth, and email mismatching

Philip Brown ppb at usc.edu
Wed May 15 00:17:08 EDT 2013


Err.. thanks, but that's not what I'm looking for.
For one thing, even if I got permission to do that (which I won't), we have 40,000 users in LDAP.
I don't actually WANT all of them in the RT database,
particularly since we have a 15,000 user/year churn rate.


________________________________________
From: Jok Thuau [JThuau at spacex.com]
Sent: Tuesday, May 14, 2013 05:36 PM
To: Philip Brown; rt-users at lists.bestpractical.com
Subject: Re: [rt-users] REMOTE_USER, external auth, and email mismatching

I have used the LDAPImport extension to pull all my users out of AD into
RT. I even submitted a patch on the CPAN bug tracker to add a feature to
"automatically grant rights" to some groups based on LDAP queries.

(and you'll probably need to "merge" the users that you have now into
their imported equivalent)

Thanks,
Jok


--
| Joachim Thuau | IT Systems Engineer - Linux / SpaceX |





On 5/14/13 1:41 PM, "Philip Brown" <ppb at usc.edu> wrote:

>On 04/26/13 04:38 PM, Thomas Sibley wrote:
>> On 04/26/2013 02:35 PM, Philip Brown wrote:
>>> hi there,
>>> We are looking at using kerb auth and mod_auth_kerb as our external auth mechanism for RT.
>>>
>>> ... I was hoping there was potentially a way to do any of the following:
>>>
>>> a) automatically drop the @xyz from REMOTE_USER entirely
>>> b) autoconvert the @xyz to @real.domain
>>>
>>> c) (least preferable) have the autocreate routines automatically fill in @real.domain as the email address
>> You can accomplish (b) with these options:
>>
>> http://bestpractical.com/rt/docs/latest/RT_Config.html#CanonicalizeEmailAddressMatch-CanonicalizeEmailAddressReplace
>>
>> You can also do more sophisticated munging by writing your own
>> RT::User::CanonicalizeUserInfo:
>>
>> http://bestpractical.com/rt/docs/latest/RT/User.html#CanonicalizeUserInfo-HASH-of-ARGS
>>
>> Or you can take the easy way of (a) by setting the mod_auth_kerb config
>> option that Jok pointed out earlier.
>>
>
>
>Well, I'm back, now that I've had more time to follow up :)
>
>I have tried out using the KrbLocalUser tweak, and run into problems.
>The email field does not get filled out on autocreate of an account.
>
>I then attempted to do the fallback suggested via
>
>CanonicalizeEmailAddressMatch
>
>after removing the KrbLocalUser from my apache configs.
>However, the replace did not seem to have any effect. I'm still getting
>logged in as
>user at KERB.my.com
>rather than user at my.com
>
>For the record, I'm using a match string of
>'\@.*\.my.com$'
>
>and replace of
>'\@my.com'
>
>It's kinda odd that I can't seem to google any sample RT_Config.pm files
>for this.
>
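Added example, not part of any post in this thread and not RT's own code: a small Perl script that applies a match/replace pair to sample addresses so the strings can be checked before they go into RT_Config.pm. It assumes the pair is applied as a case-insensitive global `s/$match/$replace/`; the `canonicalize` helper, the sample addresses and the "tightened" pair are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the match/replace pair is applied to an address as a
# case-insensitive, global substitution. This models that step only;
# canonicalize() is a hypothetical helper, not an RT function.
sub canonicalize {
    my ($addr, $match, $replace) = @_;
    (my $out = $addr) =~ s/$match/$replace/gi;
    return $out;
}

# Constructed sample addresses. KERB.my.com and my.com are the names
# used in the thread; the other two are negative test cases.
my @samples = (
    'user@KERB.my.com',
    'user@my.com',
    'user@kerb.myXcom',
    'user@other.org',
);

# 'as posted' holds the strings quoted in the thread. 'tightened' is a
# constructed alternative: dots escaped, no backslash in the replacement.
my %rules = (
    'as posted' => [ '\@.*\.my.com$',  '\@my.com' ],
    'tightened' => [ '\@.+\.my\.com$', '@my.com'  ],
);

for my $name (sort keys %rules) {
    my ($match, $replace) = @{ $rules{$name} };
    print "$name: match=$match replace=$replace\n";
    for my $addr (@samples) {
        my $out = canonicalize($addr, $match, $replace);
        # A usable address has exactly one '@' and no backslash or space.
        my $ok = ($out =~ /\A[^\@\\\s]+\@[^\@\\\s]+\z/) ? 'ok' : 'MALFORMED';
        printf "  %-20s -> %-20s %s\n", $addr, $out, $ok;
    }
}
```

In a single-quoted Perl string `\@` keeps its backslash, so a replacement written that way carries a literal backslash into the result, which the script flags as MALFORMED. The unescaped `.` in `my.com` also matches any character, which the `user@kerb.myXcom` sample makes visible.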