[Rt-devel] Proposed Contrib: External (LDAP) user info attr
mapping
Jim Meyer
purp at acm.org
Thu Dec 1 15:30:57 EST 2005
Hello!
Other than Jesse's comment, this has been Warnocked so I'm going forward
on the hope that it means no one sees a fatal flaw.
Cheers!
--j
On Tue, 2005-11-29 at 21:35, Jim Meyer wrote:
> Hello!
>
> I apologize in advance for the length of this. I hate long email but I
> value the advice of this list when approaching something as complex as
> I'm describing below ... and if I can't adequately explain it here, I
> feel like I shouldn't do it at all. So you get to read a long email.
> Sorry. =\
>
> I want to implement the mapping of LDAP attr -> RT field mentioned in
> Philip Cole's code comments at
> http://wiki.bestpractical.com/index.cgi?AutoCreateAndCanonicalizeUserInfo and, in order to avoid synchronization issues, I want information which is gotten from LDAP to be immutable in all RT interfaces (web and CLI). I have the additional challenge of five valid FQDNs by which you can reach folks here using some various combos of unix login, first-initial-last-name, and first.last left of the @ ... but there's no one LHS which is universal to all five RHS.
>
> I should mention that I have no control of, and little influence in, how
> this all works, so cleaning it up isn't an option for me. I'm also in a
> hurry (I need to finish this by Friday), so waiting for the coming
> cleanup isn't an option, either.
>
> Fun, eh?
>
> I'm considering doing this like so:
>
> * Add %RT::LdapAttrMap as Philip Cole suggests, with some way of
> indicating user-based custom fields as well. Perhaps:
>
> %RT::LdapAttrMap = ( Name=> 'uid',
> RealName=> 'cn',
> EmailAdress=> 'mail',
> CF::ExternalObjectID=> 'dn'
> ...);
>
>
> * Add $RT::LdapUserInfoEnable and $RT::LdapUserInfoTTL (in minutes)
> to control whether user info is acquired from LDAP and, if so, how
> long it's considered valid before rechecking LDAP.
>
> * Add user-based CFs for:
> * preferred email (Freeform single, set when receiving user email)
> * valid email addrs (Freeform multiple, cached from LDAP)
> * ExternalObjectId (Freeform single, cached from LDAP)
> * last LDAP update (Freeform single, set while getting LDAP info);
> alternately, this could just use the existing "LastUpdate"
> RT::User attr ... though I was thinking that forcing a cache
> refresh could be as easy as blanking this CF and clicking
> "Save Preferences".
>
> * Refactor Philip Cole's RT::User::LookupExternalUserInfo() to accept
> ExternalObjectId or ExternalUserName (for use with the LDAP auth
> params), as well as the current key/value scheme.
>
> * Add a method, RT::User->RefreshFromExternalUserInfo(), which calls
> LookupExternalUserInfo() then uses the mapping defined in
> %RT::LdapAttrMap to set the current objects attrs appropriately.
>
> * Any time user info is loaded RT::User->Load(), check that the cached
> data hasn't outlived its expiration and, if it has, call
> RefreshFromExternalInfo(). Failure of this refresh generates a
> warning (info? crit?) but is not fatal.
>
> So where are the holes I've missed?
>
> Thanks for reading this far!
>
> --j
>
> p.s. if ever you want to be sure to understand what you intend, compose
> your plans in an email to people smarter than yourself and in front of
> whom you'd like not to make a fool of yourself. It's worked for me. =]
>
> p.p.s. A minor digression: if I were implementing directly in RT rather
> than as a contrib, I'd extend the Users table with ExternalObjectId and
> LastExternalUpdate columns, both of which would only be seen on the
> /Admin/Users/Modify page. I'd also add an EmailAddresses table with id,
> ObjectId (users or groups, right?), EmailAddress, and Preferred
> (boolean) columns.
>
> I'd also work to better integrate the external autho/info methods
> (RT::ExternalInfo.pm? $RT::ExternalAuthMethod? Dunno =). It might be fun
> to leverage this to groups, too (manage RT group membership in LDAP;
> give groups a distinct email address and leave off emailing individuals;
> etc.)
>
> If someone cares to comment on this approach, I'd enjoy the benefit of
> their knowledge.
--
Jim Meyer, Geek at Large purp at acm.org
More information about the Rt-devel
mailing list