<div>b) should be done easily using ExternalAuth. When I say easily, I mean, as soon as you get ExternalAuth working, b is done... but it did take me almost a week to figure out my issues (a spelling mistake in the config file :'()</div>
<div> </div>
<div>a) sounds like you want ExternalAuth with AutoCreate Privileged => 0 set, but you'd also need to tweak the RT system.</div>
<div> </div>
<div>The problem with just doing the above: if someone has already sent an email to your system prior to attempting to login, their email address generates a user in RT. That user has username = email address, as well as the email address filled out too. Then when they go to login, ExternalAuth pulls the user's email address from LDAP and attempts to create the user with that email address; however, that email address already exists on the autocreated user from the email they sent in, so the create user fails.</div>
<div> </div>
<div>Ken Marshall shared something on the listserv of a way to fix this, but I haven't got it working yet (I'm new to Perl, still learning).</div>
<div> </div>
<div> </div>
<div>He edited the spot in RT that runs every time an email address is found. From reading the code, I believe his changes make the CanonicalizeEmailAddress subroutine connect to your LDAP and pull the LDAP info in (as defined in ExternalAuth's config) instead of just creating a user using the email address alone.</div>
<div> </div>
<div>What I mean is, RT out of the box, when an email comes in, the unedited CanonicalizeEmailAddress sub does pretty much nothing but a word substitution (based on a config file setting), but Ken's version actually connects to LDAP and pulls the real name, the username, etc.</div>
<div> </div>
<div>The way Ken explained it to me, it should not only fix old accounts that already exist, but ensure all new accounts work correctly as well.</div>
<div> </div>
<div>Below is the code, also search the listserv for my post about workarounds while waiting for ExternalAuth 0.09.</div>
<div> </div>
<div>Good luck!</div>
<div>Mike</div>
<div>***Ken's code below***</div>
<div> </div>
<pre>
# Override of RT::User::CanonicalizeEmailAddress. In RT 3.x the
# conventional place for a local override is local/lib/RT/User_Local.pm.
package RT::User;

use strict;
use warnings;

use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_PARTIAL_RESULTS);
use Net::LDAP::Util qw(ldap_error_name escape_filter_value);

# $RT::LdapServer, $RT::LdapBase and $RT::LdapMailAttr are set with
# Set($LdapServer, ...) etc. in RT_SiteConfig.pm.
sub CanonicalizeEmailAddress {
    my $self  = shift;
    my $email = shift;

    # Leave some addresses intact (anchored, with the dots escaped).
    if ( $email =~ /^[\w-]+\@mysafe1\.rice\.edu$/ ) {
        return ($email);
    }
    if ( $email =~ /^[\w-]+\@mysafe2\.rice\.edu$/ ) {
        return ($email);
    }

    # Example: the following rule would treat all email coming from a
    # subdomain as coming from the second level domain foo.com
    if ( my $match = RT->Config->Get('CanonicalizeEmailAddressMatch') and
         my $replace = RT->Config->Get('CanonicalizeEmailAddressReplace') )
    {
        $email =~ s/$match/$replace/gi;
    }
    $email .= '@rice.edu' if ( $email =~ /^[\w-]+$/ );

    # Now we should have an email address of the form addr@rice.edu.
    # Use LDAP to map this to the primary vanity email alias.
    my $ldap = Net::LDAP->new($RT::LdapServer);
    unless ($ldap) {
        $RT::Logger->critical("CanonicalizeEmailAddress: Cannot connect to LDAP\n");
        return ($email);
    }

    my $mesg = $ldap->bind();    # anonymous bind
    if ( $mesg->code != LDAP_SUCCESS ) {
        $RT::Logger->critical("CanonicalizeEmailAddress: Unable to bind to $RT::LdapServer: ",
                              ldap_error_name($mesg->code), "\n");
        return ($email);
    }

    # First check whether the email address uniquely identifies the user.
    # The address comes from an inbound mail's From: header, so the sender
    # controls it: escape it (RFC 4515) before it goes into the filter, or
    # a sender can inject wildcards and extra assertions into the search.
    my $filter = '(mailAlternateAddress=' . escape_filter_value($email) . ')';
    $mesg = $ldap->search( base   => $RT::LdapBase,
                           filter => $filter,
                           attrs  => [ $RT::LdapMailAttr ] );
    if ( $mesg->code != LDAP_SUCCESS and $mesg->code != LDAP_PARTIAL_RESULTS ) {
        $RT::Logger->critical("Unable to search in LDAP: ", ldap_error_name($mesg->code), "\n");
        $ldap->unbind();
        return ($email);
    }

    # The search succeeded with exactly one match: use its primary address.
    if ( $mesg->count == 1 ) {
        $email = ( $mesg->first_entry->get_value($RT::LdapMailAttr) )[0];
    }

    $mesg = $ldap->unbind();
    if ( $mesg->code != LDAP_SUCCESS ) {
        $RT::Logger->critical("Could not unbind from LDAP: ", ldap_error_name($mesg->code), "\n");
    }
    undef $ldap;
    undef $mesg;
    return ($email);
}

1;
</pre>
<div>You will also need the <code>use</code> lines somewhere ahead of their use; we have them at the top under "use strict".<br><br></div>
<div class="gmail_quote">On Wed, Aug 4, 2010 at 10:58 PM, Eugene M. Evans <span dir="ltr"><<a href="mailto:EMEvans@heapy.com" target="_blank">EMEvans@heapy.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div>
<div><font size="2" face="Arial"><span>I am trying to accomplish two things:</span></font></div>
<div><font size="2" face="Arial"><span></span></font> </div>
<div><font size="2" face="Arial"><span>First, to integrate RT with Active Directory such that an RT user account will automatically be created in either of the following cases.</span></font></div>
<div><font size="2" face="Arial"><span> a) when a user first submits a ticket request via email, and</span></font></div>
<div><font size="2"><span></span></font><font size="2" face="Arial"><span> b) when a user first logs in via the RT web interface</span></font></div>
<div><font size="2" face="Arial"><span></span></font> </div>
<div><font size="2" face="Arial"><span>Secondly, Single sign-on, such that once an RT account has been created an MS-Windows user will not need to enter their password on subsequent visits to the RT web interface.</span></font></div>
<div><font size="2" face="Arial"><span></span></font> </div>
<div><font size="2" face="Arial"><span>I've started by attempting to implement the Auth::ExternalAuth extension but have been unable to get it working. I cannot log into the RT web interface using any account except the root account that has already been created within RT. Once in RT as root, I am unable to create a new user. I get the error "<em>User could not be created: Could not set user info</em>."</span></font></div>
<div><font size="2" face="Arial"><span></span></font> </div>
<div><font size="2" face="Verdana"><span><font face="Arial">I've tried the solution mentioned in this thread --> </font><a href="http://www.gossamer-threads.com/lists/rt/users/94218" target="_blank">http://www.gossamer-threads.com/lists/rt/users/94218</a><font face="Arial"> to get RT to auto-create users, but to no avail.</font></span></font></div>
<div><font size="2" face="Arial"><span>Note that when I uncomment the statement "Set($WebExternalAuto,1);" and restart apache the RT login screen provides no login box in which to enter a username or a password. </span></font></div>
<div><font size="2" face="Arial"><span></span></font> </div>
<div><font size="2" face="Arial"><span>Any advice would be greatly appreciated.</span></font></div>
<div><font size="2" face="Arial"><span></span></font> </div>
<div><font size="2" face="Arial"><span>Below is my RT configuration.</span></font></div>
<div><font size="2" face="Arial"><span></span></font> </div>
<div><font size="2" face="Courier New"><span></span></font> </div><span>
<pre>
#Begin /opt/rt3/etc/RT_SiteConfig.pm tail
...
# The following two statements support single sign-on,
# but I have commented them out for now since they are
# said to conflict with the ExternalAuth extension.
# See <a href="http://wiki.bestpractical.com/view/ExternalAuth" target="_blank">http://wiki.bestpractical.com/view/ExternalAuth</a>.

# Tell RT to trust the webserver to handle authentication.
# Set($WebExternalAuth, 3);

# If the webserver hands RT a user RT is not
# familiar with, RT should just go ahead and
# create an account.
# Set($WebExternalAuto, 1);

...
# Include the configuration for the ExternalAuth extension.
require "/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm";
Set($AutoCreate,{Privileged => 0});

1;
#End /opt/rt3/etc/RT_SiteConfig.pm
</pre>
<div><font size="2" face="Verdana"><font face="Arial"></font></font> </div>
<div><font size="2" face="Verdana"><font face="Arial"></font></font> </div><font face="Verdana"><font face="Arial">
<div><span><font size="2" face="Courier New"></font></span> </div>
<div><span><font size="2" face="Courier New"></font></span> </div>
<div><span><font size="2" face="Courier New">#Begin /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm in its entirety.</font></span></div>
<div><span><font size="2" face="Courier New"></font></span><br><font size="2" face="Courier New">Set($ExternalAuthPriority, [ 'Heapy_AD_LDAP' ] );<br>Set($ExternalInfoPriority, [ 'Heapy_AD_LDAP' ] );<br>
Set($ExternalServiceUsesSSLorTLS, 0);<br>Set($AutoCreateNonExternalUsers, 0);</font></div>
<div><font size="2" face="Courier New"></font> </div>
<div><font size="2" face="Courier New">Set($ExternalSettings, {<br> '<span>Heapy</span>_AD_LDAP' => {</font></div>
<div><font size="2" face="Courier New"></font> </div>
<div><font size="2" face="Courier New"> 'type' => 'ldap',<br> 'server' => <span>'serverxyz.domain.domainSuffix</span>',<br>
'user' => 'cn=ldap,ou=Services,dc=<span>domain</span>,dc=<span>domainSuffix</span>',<br> 'pass' => '<span>the_ldap_password</span>',<br>
'base' => 'dc=<span>domain</span>,dc=<span>domainSuffix</span>',</font></div>
<div><font size="2" face="Courier New"></font> </div>
<div><font size="2" face="Courier New"> 'filter' => '(&(ObjectCategory=User)(ObjectClass=Person))',<br> 'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',</font></div>
<div><font size="2" face="Courier New"></font> </div>
<div><font size="2" face="Courier New"># 'tls' => 0,<br># 'ssl_version' => 3,</font></div>
<div><font size="2" face="Courier New"></font> </div>
<div><font size="2" face="Courier New"> 'net_ldap_args' => [ version => 3 ],<br> 'group' => 'cn=<span>group</span>,ou=Services,dc=<span>domain</span>,dc=<span>domainSuffix</span>',<br>
'group_attr' => 'member',</font></div>
<div><font size="2" face="Courier New"></font> </div>
<div><font size="2" face="Courier New"> 'attr_match_list' => [ 'Name', 'EmailAddress' ],<br> 'attr_map' => { 'Name' => 'sAMAccountName',<br>
'EmailAddress' => 'mail',<br> 'Organization' => 'physicalDeliveryOfficeName',<br>
'RealName' => 'cn',<br> 'ExternalAuthId' => 'sAMAccountName',<br> 'Gecos' => 'sAMAccountName',<br>
'WorkPhone' => 'telephoneNumber',<br> 'Address1' => 'streetAddress',<br> 'City' => 'l',<br>
'State' => 'st',<br> 'Zip' => 'postalCode',<br> 'Country' => 'co'<br>
}<br> }<br> }<br>);</font></div>
<div><font size="2" face="Courier New"></font> </div>
<div><font size="2"><font face="Courier New">Set(@Plugins, qw(RT::Authen::ExternalAuth));<br>1;</font></font></div>
<div><font size="2"><span><font size="2" face="Courier New">#End /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm</font></span><br></font></div></font></font>
<div><font size="2"><br></font></div>
<div><font size="2" face="Verdana"></font> </div>
<div><font size="2" face="Verdana"><font face="Arial"></font></font> </div>
<div><font size="2" face="Verdana"><font face="Arial"></font> </font></div></span></div><br><br>Discover RT's hidden secrets with RT Essentials from O'Reilly Media.<br>Buy a copy at <a href="http://rtbook.bestpractical.com/" target="_blank">http://rtbook.bestpractical.com</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Mike Johnson<br>Datatel Programmer/Analyst<br>Northern Ontario School of Medicine<br>955 Oliver Road<br>Thunder Bay, ON P7B 5E1<br>Phone: (807) 766-7331<br>Email: <a href="mailto:mike.johnson@nosm.ca" target="_blank">mike.johnson@nosm.ca</a><br>
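<div>As an added example (not RT's code and not Ken's patch): the decision logic of the CanonicalizeEmailAddress sub above, with the LDAP search placed behind a coderef so the script runs offline, showing why the address has to be RFC 4515 escaped before it goes into the filter. The domain and the untouched hosts come from the post; the directory contents, the From: addresses and the fake search are constructed, and the config-driven CanonicalizeEmailAddressMatch/Replace step is left out. In a real override, escape with Net::LDAP::Util's escape_filter_value rather than the local copy here.</div>

```perl
#!/usr/bin/perl
# Added example, not RT code and not Ken's patch: the decision logic of the
# posted CanonicalizeEmailAddress with the LDAP search behind a coderef so it
# runs offline, plus RFC 4515 escaping of the From: address before it goes
# into the filter. Domain names are taken from the post; the directory
# contents and sample addresses are constructed.
use strict;
use warnings;

# Constructed directory: alias (mailAlternateAddress) -> primary mail.
my %alias_to_primary = (
    'jdoe@rice.edu' => 'John.Doe@rice.edu',
    'ab12@rice.edu' => 'Alice.Brown@rice.edu',
);

# RFC 4515 escaping of a filter assertion value. In a real override use
# Net::LDAP::Util's escape_filter_value; this copy only avoids the dependency.
sub escape_filter_value {
    my ($value) = @_;
    $value =~ s/([\\*()\x00])/sprintf('\\%02x', ord($1))/ge;
    return $value;
}

# Stand-in for the directory: evaluates one equality assertion on
# mailAlternateAddress the way a server would, with an unescaped '*' acting
# as a wildcard and \xx sequences read back as literal bytes.
sub fake_ldap_search {
    my ($filter) = @_;
    my ($raw) = $filter =~ /^\(mailAlternateAddress=(.*)\)$/s
        or return ();    # malformed filter: the server would error out
    my $re = join '.*', map {
        my $piece = $_;
        $piece =~ s/\\([0-9A-Fa-f]{2})/chr hex $1/ge;
        quotemeta $piece;
    } split /\*/, $raw, -1;
    my @hits = grep { /^$re$/i } sort keys %alias_to_primary;
    return map { $alias_to_primary{$_} } @hits;
}

# The posted sub's decision logic. $escape is the identity for the original
# behaviour or \&escape_filter_value for the fixed one. The config-driven
# CanonicalizeEmailAddressMatch/Replace step is left out.
sub canonicalize_email {
    my ( $email, $search, $escape ) = @_;
    # Leave the "safe" hosts intact (anchored, dots escaped).
    return $email if $email =~ /^[\w-]+\@mysafe[12]\.rice\.edu$/;
    # A bare local part is assumed to be in the main domain.
    $email .= '@rice.edu' if $email =~ /^[\w-]+$/;
    # Map alias to primary only when exactly one entry matches; anything else
    # (no match, several matches, server error) leaves the address alone.
    my @hits = $search->( '(mailAlternateAddress=' . $escape->($email) . ')' );
    return @hits == 1 ? $hits[0] : $email;
}

my $as_is = sub { $_[0] };    # what the posted sub does with the address

# Constructed From: addresses: a normal sender, an outsider whose From:
# carries a wildcard, and a sender on one of the untouched hosts.
for my $from ( 'jdoe', 'jd*@rice.edu', 'mallory@mysafe1.rice.edu' ) {
    printf "%-25s unescaped: %-22s escaped: %s\n", $from,
        canonicalize_email( $from, \&fake_ldap_search, $as_is ),
        canonicalize_email( $from, \&fake_ldap_search, \&escape_filter_value );
}
```

<div>The second line of output is the point: a From: of jd*@rice.edu, interpolated unescaped into (mailAlternateAddress=...), matches John Doe's alias and is resolved to his primary address, so the incoming mail is attributed to his RT user; once escaped to jd\2a@rice.edu it matches nothing and is left as the sender wrote it.</div>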