[Rt-commit] rt branch, 4.4-trunk, updated. rt-4.4.4-195-gc237545f3a

sunnavy sunnavy at bestpractical.com
Thu Dec 31 14:38:08 EST 2020


The branch, 4.4-trunk has been updated
       via  c237545f3acb8160582e115b425ff44737f95957 (commit)
       via  801e13a18327df2ae84c54fb14be1d3dbbddb4d2 (commit)
      from  51dce7dc9b65f6ea4b932ff0c6b351298346d6a8 (commit)

Summary of changes:
 docs/authentication.pod | 7 +++++++
 lib/RT/User.pm          | 6 +++---
 2 files changed, 10 insertions(+), 3 deletions(-)

- Log -----------------------------------------------------------------
commit 801e13a18327df2ae84c54fb14be1d3dbbddb4d2
Author: Jim Brandt <jbrandt at bestpractical.com>
Date:   Thu Sep 14 14:04:57 2017 -0400

    Add ExternalAuth to the exceptions for requiring a password
    
    External authentication can be enabled in RT via WebRemoteUserAuth,
    which handles authentication in Apache and passes REMOTE_USER to
    RT, or via ExternalAuth, which calls an external system from within RT.
    Add the second to the configuration checks to determine if
    external authentication is enabled and a password check cannot be
    done.
    
    Allow an exception for local-only accounts if we detect that
    the user account has a password set.

diff --git a/docs/authentication.pod b/docs/authentication.pod
index 433d8b9207..26093d82ba 100644
--- a/docs/authentication.pod
+++ b/docs/authentication.pod
@@ -46,6 +46,13 @@ OpenLDAP or Active Directory server, as the authoritative repository and keeps
 RT up to date accordingly.  This can be used in tandem with any of the external
 authentication options as it does not provide any authentication itself.
 
+Note that if you start with L<Internal Authentication> and then switch to
+L<External Authentication>, your original users will still have passwords in
+the RT database. RT ignores these passwords when handling logins, but in some
+cases RT may show a password box that would normally be hidden for external
+authentication because it detects an existing password. To avoid this, you can
+clear passwords in the Users table when you switch to external authentication.
+
 =head2 Via your web server, aka C<$WebRemoteUserAuth>, aka C<REMOTE_USER>
 
 This type of external authentication is built-in to RT and bypasses the RT
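Review bot: The added paragraph says the password box appears "in some cases" without naming them, and its claim that "RT ignores these passwords when handling logins" does not fit the commit message, which describes the stored password as marking a local-only account that is allowed an exception. Judging by the lib/RT/User.pm change in this same commit, the case is C<$ExternalAuth> being set while the user row still has a password, so the note could say that directly and state whether such a password is still usable for login. "Clear passwords in the Users table" also leaves the admin to guess the method; naming the supported way to do it, and warning that this also removes the password from any account meant to stay local-only, would make the advice safe to follow.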
diff --git a/lib/RT/User.pm b/lib/RT/User.pm
index 5184eb3fa4..ce57d6fcb9 100644
--- a/lib/RT/User.pm
+++ b/lib/RT/User.pm
@@ -1314,9 +1314,9 @@ sub CurrentUserRequireToSetPassword {
         RequireCurrent => 1,
     );
 
-    if ( RT->Config->Get('WebRemoteUserAuth')
-        && !RT->Config->Get('WebFallbackToRTLogin')
-    ) {
+    if (   ( RT->Config->Get('WebRemoteUserAuth') && !RT->Config->Get('WebFallbackToRTLogin') )
+        || ( RT->Config->Get('ExternalAuth') && !$self->CurrentUser->HasPassword ) )
+    {
         $res{'CanSet'} = 0;
         $res{'Reason'} = $self->loc("External authentication enabled.");
     } elsif ( !$self->CurrentUser->HasPassword ) {
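Review bot: In the new second clause, `RT->Config->Get('ExternalAuth') && !$self->CurrentUser->HasPassword`, HasPassword is used as the signal for "local-only account", but the docs hunk in this same commit admits that users migrated from internal authentication also still have a stored password. Those users will skip this branch and skip the following `elsif ( !$self->CurrentUser->HasPassword )`, so they land in whatever comes after it, which is outside the visible lines, and are presumably asked for a password they no longer use. A short comment above the condition explaining the heuristic and its known false positive would help, and the 'Reason' string could distinguish the two cases. The diffstat lists only docs/authentication.pod and lib/RT/User.pm, so a test for CurrentUserRequireToSetPassword covering ExternalAuth with and without a stored password would be worth adding.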

commit c237545f3acb8160582e115b425ff44737f95957
Merge: 51dce7dc9b 801e13a183
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Fri Jan 1 03:28:32 2021 +0800

    Merge branch '4.4/no-password-on-external-auth' into 4.4-trunk


-----------------------------------------------------------------------

