[rt-users] LDAP Auth, Part Three

John Gedeon jgedeon at qualcomm.com
Fri Dec 6 15:06:10 EST 2002


I edited the User.pm file and the config.pm file like the example in
http://lists.fsck.com/pipermail/rt-users/2002-May/008527.html
(of course I made changes to make it work for our site).
I then edited the autohandler file in the WebRT/html folder (see below).

I made it see if the user was in the RT DB; if not, it then looked in LDAP,
and if they were there I created a user with no pass, since my LDAP
authentication changes would handle verifying the password.
Let me know if you have questions.
HTH
John
------
%# $Header: /raid/cvsroot/rt/webrt/autohandler,v 1.3 2002/05/03 05:54:02 
jesse Exp $
<& /Elements/Footer, %ARGS &>
<%INIT>
$m->{'rt_base_time'} = time;
#if it's a noauth file, don't ask for auth.
if ($m->base_comp->path =~ '^/+NoAuth/') {
   $m->call_next();
   $m->abort();
}
# If RT is configured for external auth, let's get REMOTE_USER
# We intentionally don't test for REMOTE_USER to meet our policy
elsif ($RT::WebExternalAuth){
   $user = $ENV{'REMOTE_USER'};
   $session{'CurrentUser'} = RT::CurrentUser->new();
   $session{'CurrentUser'}->Load($user);
   unless ($session{'CurrentUser'}->id() ) {
     delete $session{'CurrentUser'};
     $m->comp('/Elements/Login', %ARGS, Error=> 'You are not an authorized 
user');
     $m->abort();
   }
}
# If the user is loging in, let's authenticate
elsif (defined ($user) && defined ($pass)){
   $session{'CurrentUser'} = RT::CurrentUser->new();
   $session{'CurrentUser'}->Load($user);
+ my $Found = 1;
   unless ($session{'CurrentUser'}->id() ) {
     delete $session{'CurrentUser'};
+    #{{{ adding
+    # the user may not be registered. create a new one for him if he is
+    # in ldap.
+    $Found = 0;
+    my %Uinfo = ();
+    if ($RT::LookupSenderInExternalDatabase) {
+     my $email = "$user\@qualcomm.com";
+     my $name = "";
+     ($Found,%Uinfo) = RT::LookupExternalUserInfo($email,$name);
+     if ($Found) {
+       my $NewUser = RT::User->new($RT::SystemUser);
+       my ($Val, $Message) =
+       $NewUser->Create(Name => $Uinfo{'Name'},
+                                   EmailAddress => $Uinfo{'EmailAddress'},
+                                   RealName => $Uinfo{'RealName'},
+                                   Password => undef,
+                                   Privileged => 0,
+                                   Comments => 'Autocreated on ticket login'
+                                   );
+       $user = $Uinfo{'Name'};
+       $email = $Uinfo{'EmailAddress'};
+       unless ($Val) {
+         # Deal with the race condition of two
+         # account creations at once
+         #
+         if ($user) {
+          $NewUser->LoadByName($user);
+         }
+         unless ($NewUser->Id) {
+          $NewUser->LoadByEmail($email);
+         }
+         unless ($NewUser->Id) {
+           my $explanation = "User creation failed in:";
+           $explanation .= "Login: $Message";
+           MailError( To => $RT::OwnerEmail,
+                          Subject => "User could not be created",
+                          Explanation => $explanation,
+                          LogLevel => 'crit'
+                        );
+         } # unless new user id the second one
+         else # user create try auth again.
+         {
+         } # unless new user id the second one
+       } # unless Val
+     } #If found
+   } # If LookupSenderInExternalDatabase
+   #}}}
+   unless ($Found)
+   {
      $m->comp('/Elements/Login', %ARGS, Error=> 'Your username or password 
is incorrect');
       $m->abort();
+    }
   };
+ # added this to load the user since one was just made.
+ if ($Found)
+ {
+   $session{'CurrentUser'} = RT::CurrentUser->new();
+   $session{'CurrentUser'}->Load($user);
+ }
+ else
+ {
+   $m->comp('/Elements/Login', %ARGS, Error=> 'Your username or password 
is incorrect');
+   $m->abort();
+ }
unless ($session{'CurrentUser'}->IsPassword($pass)) {
   delete $session{'CurrentUser'};
   $m->comp('/Elements/Login', Error => 'Your username or password is 
incorrect', %ARGS);
   $m->abort();
}
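Review bot: the new user record is created before the password is ever checked: inside `unless ($session{'CurrentUser'}->id() )` the code calls `$NewUser->Create(...)` as soon as `RT::LookupExternalUserInfo($email,$name)` reports the login present in LDAP, and `IsPassword($pass)` only runs afterwards, so any login attempt that names a valid LDAP account creates an unprivileged RT user whether or not the password is right. Verify the credentials against LDAP first and create the local record only on success. Also, `$Found` is never reset to 0 when `Create` fails and both `LoadByName` and `LoadByEmail` come back empty, so after `MailError` the code falls through to `$session{'CurrentUser'}->Load($user)` for a user that does not exist; set `$Found = 0` in that branch. The `else # user create try auth again.` block is empty, and the outer `else { ... 'Your username or password is incorrect' ... }` after `if ($Found)` is unreachable because the inner `unless ($Found)` already aborts; drop one of them. Finally, `my $email = "$user\@qualcomm.com";` hard-codes the site domain and builds the lookup key straight from the form-supplied `$user`; move the domain into a config variable and validate `$user` against the expected login syntax before handing it to the external lookup.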
.... (more in file I didn't edit)
-----------------
At 11:48 AM 12/6/2002, you wrote:
>That's for the e-mail interface, which we've already got covered.
>
>The trick is that there's no similar routines which get called for WEB 
>autocreated accounts.
>
>D
>
>
>On Friday, December 6, 2002, at 08:40  AM, Ray Thompson wrote:
>
>>I believe the reason RT has its own user database is for historical and 
>>referential purposes.  An external database might allow users to be 
>>deleted and RT wouldn't know who owns/changed tickets.
>>
>>Check out http://lists.fsck.com/pipermail/rt-users/2002-November/010910.html
>>for a way to have RT canonicalize the auto created uid.  Use this only if 
>>your external auth util prevents duplicate uid's.  Also note that the 
>>changes indicated in the mentioned post need to be made more than once in 
>>config.pm.
>>
>>Good Luck,
>>   Ray
>>
>>Derek J. Balling wrote:
>>>OK, so with the assistance of this august crew, I got my LDAP 
>>>authentication working (yayyyy).
>>>Then I went through the Users table and started "repairing" the 
>>>autocreated users, changing "Name" to their LDAP uid so that they could 
>>>actually get to their tickets.
>>>But now, I run into the situation where if the helpdesk staff opens a 
>>>ticket for someone, and they've never communicated with RT via e-mail 
>>>(to have their account autocreated based on the LDAP information), then 
>>>the account is autocreated with their e-mail address in the Name field.
>>>Is there any equivalent to 
>>>"LookupSenderInExternalDatabase"/"LookupExternalUserInfo" that *also* 
>>>gets called when a helpdesk weenie enters an e-mail address in the web 
>>>interface and RT can't find a user for them?
>>>D
>>>_______________________________________________
>>>rt-users mailing list
>>>rt-users at lists.fsck.com
>>>http://lists.fsck.com/mailman/listinfo/rt-users
>>>Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm


--
<>< Proverbs 3:5 "Trust in the Lord with all your heart and lean not on 
your own understanding;"
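As an added illustration of the login flow described in the message above (not code from the post or from RT), here is a Python model with the RT user table and the LDAP directory replaced by in-memory stubs: `login_autocreate_first` follows the posted order, creating the RT record as soon as LDAP knows the login, while `login_verify_first` binds to LDAP first and creates the record only after the password check succeeds. All names, the store class and the sample directory are constructed for this example.

```python
# Constructed sample LDAP directory: login -> (password, mail, real name).
LDAP_DIRECTORY = {"alice": ("s3cret", "alice@example.com", "Alice Example")}

class RtUserStore:
    """Stand-in for RT's Users table, keyed by Name (not RT's real API)."""
    def __init__(self):
        self.users = {}
    def load(self, name):
        return self.users.get(name)
    def create(self, name, email, realname):
        # A second Create for the same Name fails, like the race the post handles.
        if name in self.users:
            return False, "Name in use"
        self.users[name] = {"Name": name, "EmailAddress": email,
                            "RealName": realname, "Password": None}
        return True, "User created"

def ldap_lookup(login):
    """LookupExternalUserInfo stand-in: (found, info); no password involved."""
    entry = LDAP_DIRECTORY.get(login)
    if entry is None:
        return False, {}
    return True, {"Name": login, "EmailAddress": entry[1], "RealName": entry[2]}

def ldap_bind(login, password):
    """IsPassword stand-in: a simple bind against the directory."""
    entry = LDAP_DIRECTORY.get(login)
    return entry is not None and entry[0] == password

def ensure_local_user(store, info):
    # Create the RT record; if Create raced with another login, use the existing row.
    ok, _msg = store.create(info["Name"], info["EmailAddress"], info["RealName"])
    return ok or store.load(info["Name"]) is not None

def login_autocreate_first(store, user, password):
    """Posted order: create on LDAP presence, check the password afterwards.
    Returns (authenticated, rt_user_exists)."""
    if store.load(user) is None:
        found, info = ldap_lookup(user)
        if not found or not ensure_local_user(store, info):
            return False, False
    return ldap_bind(user, password), store.load(user) is not None

def login_verify_first(store, user, password):
    """Hardened order: bind first, create the local record only on success."""
    if not ldap_bind(user, password):
        return False, store.load(user) is not None
    if store.load(user) is None:
        _found, info = ldap_lookup(user)   # bind succeeded, so the entry exists
        if not ensure_local_user(store, info):
            return False, False
    return True, True
```

With the posted order a wrong password still leaves a freshly created RT account behind; with the hardened order nothing is written until the bind succeeds.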