# Plugins Information Set( @Plugins, qw(RT::Authen::ExternalAuth) ); # Enabling RT_ExternalAuthentication Module # The order in which the services defined in ExternalSettings # should be used to authenticate users. User is authenticated # if successfully confirmed by any service - no more services # are checked. Set($ExternalAuthPriority, [ 'My_LDAP', 'My_MySQL', 'My_SSO_Cookie' ] ); # The order in which the services defined in ExternalSettings # should be used to get information about users. This includes # RealName, Tel numbers etc, but also whether or not the user # should be considered disabled. # # Once user info is found, no more services are checked. # # You CANNOT use a SSO cookie for authentication. Set($ExternalInfoPriority, [ 'My_LDAP', 'My_MySQL' ] ); # If this is set to true, then the relevant packages will # be loaded to use SSL/TLS connections. At the moment, # this just means "use Net::SSLeay;" Set($ExternalServiceUsesSSLorTLS, 1); # If this is set to 1, then users should be autocreated by RT # as internal users if they fail to authenticate from an # external service. Set($AutoCreateNonExternalUsers, 0); # These are the full settings for each external service as a HashOfHashes # Note that you may have as many external services as you wish. They will # be checked in the order specified in the Priority directives above. # e.g. # Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']); # Set($ExternalSettings, { # AN EXAMPLE DB SERVICE 'My_MySQL' => { ## GENERIC SECTION # The type of service (db/ldap/cookie) 'type' => 'db', # The server hosting the service 'server' => 'localhost', ## SERVICE-SPECIFIC SECTION # The database name 'database' => 'rt4', # The database table 'table' => 'Users', # The user to connect to the database as 'user' => 'xxxx', # The password to use to connect with 'pass' => 'xxxxx', # The port to use to connect with (e.g. 3306) 'port' => '3306', # The name of the Perl DBI driver to use (e.g. mysql) 'dbi_driver' => 'mysql', # The field in the table that holds usernames 'u_field' => 'Name', # The field in the table that holds passwords 'p_field' => 'Password', # The Perl package & subroutine used to encrypt passwords # e.g. if the passwords are stored using the MySQL v3.23 "PASSWORD" # function, then you will need Crypt::MySQL::password, but for the # MySQL4+ password function you will need Crypt::MySQL::password41 # Alternatively, you could use Digest::MD5::md5_hex or any other # encryption subroutine you can load in your perl installation 'p_enc_pkg' => 'Crypt::MySQL', 'p_enc_sub' => 'password', # If your p_enc_sub takes a salt as a second parameter, # uncomment this line to add your salt #'p_salt' => 'SALT', # # The field and values in the table that determines if a user should # be disabled. For example, if the field is 'user_status' and the values # are ['0','1','2','disabled'] then the user will be disabled if their # user_status is set to '0','1','2' or the string 'disabled'. # Otherwise, they will be considered enabled. 'd_field' => 'disabled', 'd_values' => ['0'], ## RT ATTRIBUTE MATCHING SECTION # The list of RT attributes that uniquely identify a user 'attr_match_list' => [ 'Gecos', 'Name' ], # The mapping of RT attributes on to field names 'attr_map' => { 'Name' => 'username', 'EmailAddress' => 'email', 'ExternalAuthId' => 'username', 'Gecos' => 'userID' } }, # AN EXAMPLE LDAP SERVICE 'My_LDAP' => { ## GENERIC SECTION # The type of service (db/ldap/cookie) 'type' => 'ldap', # The server hosting the service 'server' => 'xxxx.xxxx.com', ## SERVICE-SPECIFIC SECTION # If you can bind to your LDAP server anonymously you should # remove the user and pass config lines, otherwise specify them here: # # The username RT should use to connect to the LDAP server 'user' => 'username', # The password RT should use to connect to the LDAP server 'pass' => 'password', # # The LDAP search base 'base' => 'ou=xxx,dc=xxx,dc=xx,dc=com', # # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES! # YOU **MUST** SPECIFY A filter AND A d_filter!! # # The filter to use to match RT-Users 'filter' => '(sAMAccountName=%u)', # A catch-all example filter: '(objectClass=*)' # # The filter that will only match disabled users #'d_filter' => '(&(objectCategory=person)(objectClass=user))', # A catch-none example d_filter: '(objectClass=FooBarBaz)' # # Should we try to use TLS to encrypt connections? 'tls' => 0, # SSL Version to provide to Net::SSLeay *if* using SSL 'ssl_version' => 3, # What other args should I pass to Net::LDAP->new($host,@args)? 'net_ldap_args' => [ version => 3 ], # Does authentication depend on group membership? What group name? #'group' => 'DataCenter User Group', # What is the attribute for the group object that determines membership? #'group_attr' => 'DataCenter User Group', ## RT ATTRIBUTE MATCHING SECTION # The list of RT attributes that uniquely identify a user # This example shows what you *can* specify.. I recommend reducing this # to just the Name and EmailAddress to save encountering problems later. 'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName', 'WorkPhone', 'Address2' ], # The mapping of RT attributes on to LDAP attributes 'attr_map' => { 'Name' => 'sAMAccountName', # 'EmailAddress' => 'mail', # 'Organization' => 'physicalDeliveryOfficeName', # 'RealName' => 'cn', # 'ExternalAuthId' => 'sAMAccountName', 'Gecos' => 'sAMAccountName', # 'WorkPhone' => 'telephoneNumber', # 'Address1' => 'streetAddress', # 'City' => 'l', # 'State' => 'st', # 'Zip' => 'postalCode', # 'Country' => 'co' } }, # An example SSO cookie service 'My_SSO_Cookie' => { # # The type of service (db/ldap/cookie) 'type' => 'cookie', # The name of the cookie to be used 'name' => 'loginCookieValue', # The users table 'u_table' => 'Users', # The username field in the users table 'u_field' => 'Name', # The field in the users table that uniquely identifies a user # and also exists in the cookies table 'u_match_key' => 'ID', # The cookies table 'c_table' => 'login_cookie', # The field that stores cookie values 'c_field' => 'loginCookieValue', # The field in the cookies table that uniquely identifies a user # and also exists in the users table 'c_match_key' => 'loginCookieUserID', # The DB service in this configuration to use to lookup the cookie information 'db_service_name' => 'My_MySQL' } } ); 1;