<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">> Should the RT user record still contain the user's (LDAP) email address</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">> as the Username to log in with?</span><br>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">I'm not quite sure, maybe somebody else can weigh in here.</span></div><div>
<span style="font-family:arial,sans-serif;font-size:13px">On my own install I have I've tried a few different changes in the RT_SiteConfig.pm but wasn't able to log in with an email address (we normally use the user account name). It may be that the username is saved in the RT database on the first login.</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">##################</span></div><div><span style="font-family:arial,sans-serif;font-size:13px"><div>
 'attr_match_list'       =>      ['Name', 'EmailAddress'],</div><div>'attr_map'              =>      {</div><div>                                                                                'Name'          =>      'sAMAccountName',</div>
<div>                                                                                'EmailAddress'  =>      'mail',</div><div>                                                                                'Organization'  =>      'company',</div>
<div>                                                                                'RealName'      =>      'cn',</div><div>                                                                                'NickName'      =>      'extensionAttribute1',</div>
<div>                                                                                'ExternalAuthId'=>      'sAMAccountName',</div><div>                                                                                'Gecos'         =>      'sAMAccountName',</div>
<div>                                                                                'WorkPhone'     =>      'telephoneNumber',</div><div>                                                                                'Address1'      =>      'streetAddress',</div>
<div>                                                                                'City'          =>      'l',</div><div>                                                                                'State'         =>      'st',</div>
<div>                                                                                'Zip'           =>      'postalCode',</div><div>                                                                                'Country'       =>      'co'</div>
<div>                                                                                }</div><div>                                                },</div><div><br></div><div>##################</div><div><br></div><div>I've tried different combinations of removing 'Name' from the 'attr_match_list' and changing 'ExternalAuthId' to use 'mail' in the 'attr_map'.</div>
<div><br></div><div>Kind regards,</div><div>Rory</div></span></div></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr">Rory</div></div>
<br><br><div class="gmail_quote">On 23 May 2014 15:57, Flynn, Peter <span dir="ltr"><<a href="mailto:pflynn@ucc.ie" target="_blank">pflynn@ucc.ie</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="">On 23/05/14 10:20, Rory wrote:<br>
> Hi Peter,<br>
><br>
> As you noted your web environment is essentially holding the login token.<br>
> When you click logout, Apache serves up the "you are logged out" page,<br>
> processes the authentication configuration and, because of this line:,<br>
> # allow web auth to pass login status to RT<br>
> Set($WebRemoteUserAuth, 1);<br>
> RT accepts the authentication from Apache which logs the user back in.<br>
</div>[...]<br>
<div class="">> So in short, your login session on RT is tied to the web browsers<br>
> session with the web server.<br>
<br>
</div>Right.<br>
<div class=""><br>
> To make it work as you would like (clicking logout ends Apaches login<br>
> session) the website would need to make a change to the web server. This<br>
> generally is not allowed to happen as it's a potential security flaw.<br>
<br>
</div>Indeed.<br>
<div class=""><br>
> If you want the users login session to be controlled by the RT<br>
> application then you'll need to configure LDAP authentication within the<br>
> RT Configuration.<br>
<br>
</div>Thank you: I must have misread this. I didn't think RT could do LDAP<br>
auth itself. I wouldn't have bothered with the Apache route otherwise.<br>
<div class=""><br>
> To be able to do this you need at least these Perl modules (and maybe<br>
> some others that I'm neglecting too);<br>
> Net::LDAP<br>
> RT::Authen::ExternalAuth<br>
<br>
</div>Done. CPAN complained about a dependency:<br>
 >> No tests defined for RT::Authen::ExternalAuth extension<br>
but I used -f :-)<br>
<div class=""><br>
> You then need to add the plugin to your RT_SiteConfig.pm;<br>
> Set( @Plugins, qw(RT::Authen::ExternalAuth) );<br>
<br>
</div>OK.<br>
<div class=""><br>
> And set the LDAP configuration by following the example SiteConfig file<br>
> in the plugin etc directory.<br>
<br>
</div>I'll need to get some more local LDAP help with that.<br>
<div class=""><br>
> Lastly you'll need to remove the Auth config from your Apache virtual<br>
> host and change:<br>
> Set($WebRemoteUserAuth, 1);<br>
> to<br>
> Set($WebRemoteUserAuth, 0);<br>
<br>
</div>Should the RT user record still contain the user's (LDAP) email address<br>
as the Username to log in with?<br>
<div class="HOEnZb"><div class="h5"><br>
///Peter<br>
--<br>
Peter Flynn | Academic & Collaborative Technologies | University College<br>
Cork IT Services | ☎ <a href="tel:%2B353%2021%20490%202609" value="+353214902609">+353 21 490 2609</a> | ✉ <a href="mailto:pflynn@ucc.ie">pflynn@ucc.ie</a> | 🌍 <a href="http://www.ucc.ie" target="_blank">www.ucc.ie</a><br>

--<br>
RT Training - Boston, September 9-10<br>
<a href="http://bestpractical.com/training" target="_blank">http://bestpractical.com/training</a></div></div></blockquote></div><br></div>