[rt-users] Fwd: Login persistence

Rory rclerkin at gmail.com
Fri May 23 12:47:20 EDT 2014


> Should the RT user record still contain the user's (LDAP) email address
> as the Username to log in with?

I'm not quite sure, maybe somebody else can weigh in here.
On my own install I've tried a few different changes in
RT_SiteConfig.pm but wasn't able to log in with an email address (we
normally use the user account name). It may be that the username is saved
in the RT database on the first login.

##################
    # RT fields that may be used to match a login against the LDAP entry
    'attr_match_list' => ['Name', 'EmailAddress'],
    # RT field => LDAP attribute
    'attr_map'        => {
        'Name'           => 'sAMAccountName',
        'EmailAddress'   => 'mail',
        'Organization'   => 'company',
        'RealName'       => 'cn',
        'NickName'       => 'extensionAttribute1',
        'ExternalAuthId' => 'sAMAccountName',
        'Gecos'          => 'sAMAccountName',
        'WorkPhone'      => 'telephoneNumber',
        'Address1'       => 'streetAddress',
        'City'           => 'l',
        'State'          => 'st',
        'Zip'            => 'postalCode',
        'Country'        => 'co',
    },
},
##################

I've tried different combinations of removing 'Name' from the
'attr_match_list' and changing 'ExternalAuthId' to use 'mail' in the
'attr_map'.

Kind regards,
Rory


On 23 May 2014 15:57, Flynn, Peter <pflynn at ucc.ie> wrote:

> On 23/05/14 10:20, Rory wrote:
> > Hi Peter,
> >
> > As you noted your web environment is essentially holding the login token.
> > When you click logout, Apache serves up the "you are logged out" page,
> > processes the authentication configuration and, because of this line:
> > # allow web auth to pass login status to RT
> > Set($WebRemoteUserAuth, 1);
> > RT accepts the authentication from Apache which logs the user back in.
> [...]
> > So in short, your login session on RT is tied to the web browser's
> > session with the web server.
>
> Right.
>
> > To make it work as you would like (clicking logout ends Apache's login
> > session) the website would need to make a change to the web server. This
> > generally is not allowed to happen as it's a potential security flaw.
>
> Indeed.
>
> > If you want the user's login session to be controlled by the RT
> > application then you'll need to configure LDAP authentication within the
> > RT Configuration.
>
> Thank you: I must have misread this. I didn't think RT could do LDAP
> auth itself. I wouldn't have bothered with the Apache route otherwise.
>
> > To be able to do this you need at least these Perl modules (and maybe
> > some others that I'm neglecting too);
> > Net::LDAP
> > RT::Authen::ExternalAuth
>
> Done. CPAN complained about a dependency:
>  >> No tests defined for RT::Authen::ExternalAuth extension
> but I used -f :-)
>
> > You then need to add the plugin to your RT_SiteConfig.pm;
> > Set( @Plugins, qw(RT::Authen::ExternalAuth) );
>
> OK.
>
> > And set the LDAP configuration by following the example SiteConfig file
> > in the plugin etc directory.
>
> I'll need to get some more local LDAP help with that.
>
> > Lastly you'll need to remove the Auth config from your Apache virtual
> > host and change:
> > Set($WebRemoteUserAuth, 1);
> > to
> > Set($WebRemoteUserAuth, 0);
>
> Should the RT user record still contain the user's (LDAP) email address
> as the Username to log in with?
>
> ///Peter
> --
> Peter Flynn | Academic & Collaborative Technologies | University College
> Cork IT Services | ☎ +353 21 490 2609 | ✉ pflynn at ucc.ie | 🌍 www.ucc.ie
> --
> RT Training - Boston, September 9-10
> http://bestpractical.com/training
>
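For readers following the thread, the RT_SiteConfig.pm fragment below ties together the pieces discussed above: the Apache-controlled setting that causes the logout loop, its replacement that hands authentication to RT::Authen::ExternalAuth, and the LDAP service block that the attr_match_list / attr_map lines belong in. This is an added example written for this page; it is not configuration from Rory's or Peter's installation and not the example file shipped with the plugin. The service label 'My_LDAP', the hostname, bind DN, password, base DN and filters are placeholders and assumptions.

```perl
# RT_SiteConfig.pm (added example; hostnames, DNs and credentials are placeholders)

# Before: Apache authenticated the user and passed REMOTE_USER to RT. With
# this set, RT trusts the web server's identity on every request, so the RT
# "Logout" link only drops RT's own session and the next request logs the
# user straight back in, which is the behaviour described in the thread.
# Set($WebRemoteUserAuth, 1);

# After: remove the Auth directives from the Apache virtual host and let RT
# perform authentication itself through the ExternalAuth plugin.
Set($WebRemoteUserAuth, 0);
Set(@Plugins, qw(RT::Authen::ExternalAuth));

# Which external services to try, in order, for authentication and for
# populating or refreshing user records.
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);

# Do not create RT users for logins that LDAP does not know about.
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ldap.example.com',                          # placeholder
        'user'   => 'cn=rt-bind,ou=Service Accounts,dc=example,dc=com',  # placeholder, read-only bind account
        'pass'   => 'CHANGEME',                                  # placeholder
        'base'   => 'ou=People,dc=example,dc=com',               # placeholder

        # Only entries matching this filter may authenticate.
        'filter'   => '(objectClass=user)',
        # Entries matching this filter are denied; this example is the
        # Active Directory "account disabled" bit (assumed AD directory).
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

        # Upgrade the connection with STARTTLS so credentials are not sent in clear.
        'tls'           => 1,
        'net_ldap_args' => [ version => 3 ],

        # RT fields that may be used to find the LDAP entry for a login.
        'attr_match_list' => ['Name', 'EmailAddress'],

        # RT field => LDAP attribute
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
        },
    },
});
```

On the login-with-email question: as far as I know the plugin searches for the entry to authenticate using the LDAP attribute mapped to 'Name', so if users are expected to type their e-mail address at the login form, 'mail' is the attribute that would need to sit under 'Name' (this is an assumption about the plugin's lookup, not something verified against the version used in the thread). Whichever attribute is chosen, the bind account should be read-only and the connection should use TLS, since the password typed into RT is forwarded to the directory on every login.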