[rt-users] LDAP Auth, Part Three
John Gedeon
jgedeon at qualcomm.com
Fri Dec 6 15:06:10 EST 2002
I edited the User.pm file and the config.pm file like the example in
(of course i made changes to make it work for our site.)
http://lists.fsck.com/pipermail/rt-users/2002-May/008527.html
i then edited the autohandler file in the WebRT/html folder (See below)
I made it see if the user wasnt in the rt db then it looked in ldap if they
were there I created
a user with no pass since my LDAP authentication changes would handle
verifying the password
let me know if you have questions.
HTH
John
------
%# $Header: /raid/cvsroot/rt/webrt/autohandler,v 1.3 2002/05/03 05:54:02
jesse Exp $
<& /Elements/Footer, %ARGS &>
<%INIT>
$m->{'rt_base_time'} = time;
#if it's a noauth file, don't ask for auth.
if ($m->base_comp->path =~ '^/+NoAuth/') {
$m->call_next();
$m->abort();
}
# If RT is configured for external auth, let's get REMOTE_USER
# We intentionally don't test for REMOTE_USER to meet our policy
elsif ($RT::WebExternalAuth){
$user = $ENV{'REMOTE_USER'};
$session{'CurrentUser'} = RT::CurrentUser->new();
$session{'CurrentUser'}->Load($user);
unless ($session{'CurrentUser'}->id() ) {
delete $session{'CurrentUser'};
$m->comp('/Elements/Login', %ARGS, Error=> 'You are not an authorized
user');
$m->abort();
}
}
# If the user is loging in, let's authenticate
elsif (defined ($user) && defined ($pass)){
$session{'CurrentUser'} = RT::CurrentUser->new();
$session{'CurrentUser'}->Load($user);
+ my $Found = 1;
unless ($session{'CurrentUser'}->id() ) {
delete $session{'CurrentUser'};
+ #{{{ adding
+ # the user may not be registered. create a new one for him if he is
+ # in ldap.
+ $Found = 0;
+ my %Uinfo = ();
+ if ($RT::LookupSenderInExternalDatabase) {
+ my $email = "$user\@qualcomm.com";
+ my $name = "";
+ ($Found,%Uinfo) = RT::LookupExternalUserInfo($email,$name);
+ if ($Found) {
+ my $NewUser = RT::User->new($RT::SystemUser);
+ my ($Val, $Message) =
+ $NewUser->Create(Name => $Uinfo{'Name'},
+ EmailAddress => $Uinfo{'EmailAddress'},
+ RealName => $Uinfo{'RealName'},
+ Password => undef,
+ Privileged => 0,
+ Comments => 'Autocreated on ticket login'
+ );
+ $user = $Uinfo{'Name'};
+ $email = $Uinfo{'EmailAddress'};
+ unless ($Val) {
+ # Deal with the race condition of two
+ # account creations at once
+ #
+ if ($user) {
+ $NewUser->LoadByName($user);
+ }
+ unless ($NewUser->Id) {
+ $NewUser->LoadByEmail($email);
+ }
+ unless ($NewUser->Id) {
+ my $explanation = "User creation failed in:";
+ $explanation .= "Login: $Message";
+ MailError( To => $RT::OwnerEmail,
+ Subject => "User could not be created",
+ Explanation => $explanation,
+ LogLevel => 'crit'
+ );
+ } # unless new user id the second one
+ else # user create try auth again.
+ {
+ } # unless new user id the second one
+ } # unless Val
+ } #If found
+ } # If LookupSenderInExternalDatabase
+ #}}}
+ unless ($Found)
+ {
$m->comp('/Elements/Login', %ARGS, Error=> 'Your username or password
is incorrect');
$m->abort();
+ }
};
+ # added this to load the user since one was just made.
+ if ($Found)
+ {
+ $session{'CurrentUser'} = RT::CurrentUser->new();
+ $session{'CurrentUser'}->Load($user);
+ }
+ else
+ {
+ $m->comp('/Elements/Login', %ARGS, Error=> 'Your username or password
is incorrect');
+ $m->abort();
+ }
unless ($session{'CurrentUser'}->IsPassword($pass)) {
delete $session{'CurrentUser'};
$m->comp('/Elements/Login', Error => 'Your username or password is
incorrect', %ARGS);
$m->abort();
}
.... (more in file i didnt edit)
-----------------
At 11:48 AM 12/6/2002, you wrote:
>That's for the e-mail interface, which we've already got covered.
>
>The trick is that there's no similar routines which get called for WEB
>autocreated accounts.
>
>D
>
>
>On Friday, December 6, 2002, at 08:40 AM, Ray Thompson wrote:
>
>>I believe the reason RT has it's own user database is for historical and
>>for referential purposes. An external database might allow users to be
>>deleted and RT wouldn't know who owns/changed tickets.
>>
>>Check out http://lists.fsck.com/pipermail/rt-users/2002-November/010910.html
>>for a way to have RT canonicalize the auto created uid. Use this only if
>>your external auth util prevents duplicate uid's. Also note that the
>>changes indicated in the mentioned post need to be made more than once in
>>config.pm.
>>
>>Good Luck,
>> Ray
>>
>>Derek J. Balling wrote:
>>>OK, so with the assistance of this august crew, I got my LDAP
>>>authentication working (yayyyy).
>>>Then I went through the Users table and started "repairing" the
>>>autocreated users, changing "Name" to their LDAP uid so that they could
>>>actually get to their tickets.
>>>But now, I run into the situation where if the helpdesk staff opens a
>>>ticket for someone, and they've never communicated with RT via e-mail
>>>(to have their account autocreated based on the LDAP information), then
>>>the account is autocreated with their e-mail address in the Name field.
>>>Is there any equivalent to
>>>"LokkupSenderInExternalDatabase"/"LookupExternalUserInfo" that *also*
>>>gets called when a helpdesk weenie enters an e-mail address in the web
>>>interface and RT can't find a user for them?
>>>D
>>>_______________________________________________
>>>rt-users mailing list
>>>rt-users at lists.fsck.com
>>>http://lists.fsck.com/mailman/listinfo/rt-users
>>>Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm
>>
>>
>>
>>_______________________________________________
>>rt-users mailing list
>>rt-users at lists.fsck.com
>>http://lists.fsck.com/mailman/listinfo/rt-users
>>
>>Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm
>
>_______________________________________________
>rt-users mailing list
>rt-users at lists.fsck.com
>http://lists.fsck.com/mailman/listinfo/rt-users
>
>Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm
--
<>< Proverbs 3:5 "Trust in the Lord with all your heart and lean not on
your own understanding;"
More information about the rt-users
mailing list