[rt-users] external user authentication (i.e. LDAP)

Beachey, Kendric Kendric.Beachey at garmin.com
Wed Apr 17 12:39:21 EDT 2002


From: Christian Gilmore [mailto:cgilmore at tivoli.com]
> You want to use LookupExternalUserInfo in combination with WebExternalAuth
> and will need to set up your web server to authenticate users against your
> external LDAP via such modules as Apache::AuthenLDAP.

Thanks for the tips, Christian.

What I've ended up with (so far) is a couple of hacks that do most of what I
want.  I am bouncing them off Jesse to see if I've done anything that's a
really bad idea, because it was only partly similar to what I found in the
contrib area.

Briefly, though:

1) When an unknown user sends mail to RT, hack #1 will attempt to find them
in LDAP, and, if successful, seed the UserInfo hash with various goodies it
finds in LDAP.  This will then be used by the stock RT code to generate the
user account.

2) When a user logs in via the web interface, hack #2 first attempts to
authenticate them against LDAP (in two different ways, for different
offices).  If that fails, the stock code takes over to authenticate them
against RT's built-in user database.  If that fails too, the user sends me
e-mail to complain.  ;-)  If LDAP recognizes the user but RT doesn't, the
user once again sends me e-mail to complain.  Sometime soon we hope to run a
one-off script to populate RT with all our users so this type of complaint
can be minimized.

I am for the time being leaving open the option of authenticating against
RT's database if LDAP fails, because some of our offices are not yet on our
latest and greatest LDAP.  This hitch also prevents me from taking the
WebExternalAuth step, which will probably be the way to go once all the
offices are upgraded.
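
The login order described in item 2 above, as an added example that is not the poster's hack or RT's own code: two external directories are tried in turn, then the local database, with empty credentials refused up front. The hash tables stand in for the LDAP servers and RT's user table, and every name here (`make_check`, `authenticate`, the result strings, the sample users) is hypothetical.

```perl
use strict;
use warnings;

# Constructed sample data: two LDAP directories (one per office style) and
# RT's own user table. undef in %rt_users means "account exists, no local password".
my %ldap_office_a = (alice => 'a-secret');
my %ldap_office_b = (bob => 'b-secret', dave => 'd-secret');
my %rt_users      = (alice => undef, bob => undef, carol => 'c-local');

# Hypothetical backend factory. In a real deployment each check would be an
# LDAP bind against that office's directory instead of a hash lookup.
sub make_check {
    my ($store) = @_;
    return sub {
        my ($user, $pass) = @_;
        my $want = $store->{$user};
        return (defined $want && $pass eq $want) ? 1 : 0;
    };
}

# Try each external directory in order, then fall back to RT's own database.
sub authenticate {
    my ($user, $pass, $externals, $local_check, $known_to_rt) = @_;
    # Refuse empty credentials before any backend sees them: an LDAP simple
    # bind with a DN and an empty password is an unauthenticated bind
    # (RFC 4513, 5.1.2) and some servers answer it with success.
    return 'rejected'
        unless defined $user && length $user && defined $pass && length $pass;

    for my $ext (@$externals) {
        next unless $ext->{check}->($user, $pass);
        # The directory vouches for the user, but RT still needs an account.
        return $known_to_rt->($user) ? "ok:$ext->{name}" : 'no-rt-account';
    }
    return $local_check->($user, $pass) ? 'ok:rt-local' : 'rejected';
}

my @externals = (
    { name => 'ldap-a', check => make_check(\%ldap_office_a) },
    { name => 'ldap-b', check => make_check(\%ldap_office_b) },
);
my $local = make_check(\%rt_users);
my $known = sub { exists $rt_users{ $_[0] } };

for my $try (['alice', 'a-secret'], ['bob', 'b-secret'], ['carol', 'c-local'],
             ['dave', 'd-secret'], ['alice', ''], ['bob', 'wrong']) {
    printf "%-6s %-10s => %s\n", $try->[0], "'$try->[1]'",
        authenticate(@$try, \@externals, $local, $known);
}
```

The `dave` row is the "LDAP recognizes the user but RT doesn't" case from the post; it gets its own result so it can be logged separately from a bad password.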



