[Rt-commit] rt branch, 4.4/no-password-on-external-auth, created. rt-4.4.4-137-g820ac209e4
Jim Brandt
jbrandt at bestpractical.com
Fri Aug 28 16:57:06 EDT 2020
The branch, 4.4/no-password-on-external-auth has been created
at 820ac209e4ed7d8534cd5ef6959f8da2c9f253e5 (commit)
- Log -----------------------------------------------------------------
commit 820ac209e4ed7d8534cd5ef6959f8da2c9f253e5
Author: Jim Brandt <jbrandt at bestpractical.com>
Date: Thu Sep 14 14:04:57 2017 -0400
Add ExternalAuth to the exceptions for requiring a password

External authentication can be enabled in RT via WebRemoteUserAuth,
which handles authentication in Apache and passes REMOTE_USER to
RT, or via ExternalAuth, which calls an external system from within RT.
Add the second to the configuration checks to determine if
external authentication is enabled and a password check cannot be
done.

Allow an exception for local-only accounts if we detect that
the user account has a password set.
diff --git a/docs/authentication.pod b/docs/authentication.pod
index 433d8b9207..26093d82ba 100644
--- a/docs/authentication.pod
+++ b/docs/authentication.pod
@@ -46,6 +46,13 @@ OpenLDAP or Active Directory server, as the authoritative repository and keeps
RT up to date accordingly. This can be used in tandem with any of the external
authentication options as it does not provide any authentication itself.
+Note that if you start with L<Internal Authentication> and then switch to
+L<External Authentication>, your original users will still have passwords in
+the RT database. RT ignores these passwords when handling logins, but in some
+cases RT may show a password box that would normally be hidden for external
+authentication because it detects an existing password. To avoid this, you can
+clear passwords in the Users table when you switch to external authentication.
+
=head2 Via your web server, aka C<$WebRemoteUserAuth>, aka C<REMOTE_USER>
This type of external authentication is built-in to RT and bypasses the RT
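Review bot: The added sentence "RT ignores these passwords when handling logins" reads as if a stored password is never usable once external authentication is on, yet the commit message describes local-only accounts that are recognised precisely by having a password set. The paragraph should say which setup that sentence applies to. The advice to "clear passwords in the Users table" needs the matching caveat that accounts meant to stay local-only must keep their passwords. It would also help to name the page where the password box appears instead of "in some cases".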
diff --git a/lib/RT/User.pm b/lib/RT/User.pm
index 5184eb3fa4..8fb36a1598 100644
--- a/lib/RT/User.pm
+++ b/lib/RT/User.pm
@@ -1314,8 +1314,9 @@ sub CurrentUserRequireToSetPassword {
RequireCurrent => 1,
);
- if ( RT->Config->Get('WebRemoteUserAuth')
- && !RT->Config->Get('WebFallbackToRTLogin')
+ if ( (RT->Config->Get('WebRemoteUserAuth')
+ && !RT->Config->Get('WebFallbackToRTLogin'))
+ || ( RT->Config->Get('ExternalAuth') && !$self->CurrentUser->HasPassword )
) {
$res{'CanSet'} = 0;
$res{'Reason'} = $self->loc("External authentication enabled.");
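Review bot: In the new `|| ( RT->Config->Get('ExternalAuth') && !$self->CurrentUser->HasPassword )` clause, a set password is the only signal that an account is local-only, so a user who now authenticates externally but still has a password left over from internal authentication does not get `CanSet` = 0 from this branch. The docs hunk acknowledges the effect, but the condition itself deserves a short comment stating the heuristic and why it is acceptable. The clause also omits the `WebFallbackToRTLogin` test that the `WebRemoteUserAuth` clause applies; if that is intentional, the comment should say so. Style: spacing inside the parentheses differs between `( (RT->Config` and `|| ( RT->Config`.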
-----------------------------------------------------------------------