[rt-users] LDAP External Auth & Autocreating authenticated users
Mike Patterson
mikep at uclink.berkeley.edu
Fri Jul 9 02:57:08 EDT 2004
I finally figured out how to make Apache authenticate against LDAP and
once I got over that hurdle, RT plays very nicely.
Now that I have this in place there are a few more things I'd like to do.
Issue 1)
I would like LDAP authenticated people to have their account
automatically created (e.g. $WebExternalAuto), including email address
info if possible, (if it didn't already exist), and for those same
people to become privileged users.
----------------------------------------------------------------------
- I don't want everyone who sends an email to become a privileged user
though (just ldap authenticated folks).
- Presumably some of them would already have sent an email, so
if I let it "autocreate an account" will there be a problem because
their old username was their email address and presumably their new
username would be their uid?
Is there a good way native in RT or am I better off writing my own
custom cron job scripts that'll check against our ldap server, create
the accounts if they don't exist, strip off @domain.com from the username,
elevate to privileged if not, etc.?
Could I use RT scrip actions to elevate ldap authenticated people
to privileged users?
Any tips or examples of how to do this? I know there used to be a
contributed code dump from LDAP for RT2, anything that works on 3.2?
Issue 2)
RT doesn't seem to let me try mysql authentication when the account
doesn't exist in ldap or my password is wrong. I've tried it with both
undef and 1.
Set($WebFallbackToInternalAuth , undef);
-------------
FYI: I find it useful to see people's install steps, config files so I'm
sharing it here.
My build: FreeBSD 4.8 , Perl 5.8.4 , Apache/1.3.31, mod_perl/1.29,
mod_ssl/2.8.18, OpenSSL/0.9.7d , Mysql 4.0.2, RT 3.2.0 , RTFM 2.0.2 ,
Stats v_0_15
(against our openldap server, for example called "directory.ourdomain.com")
1) I installed the auth_ldap & openldapclient ports (I may have
installed some other things, imported a certificate etc when trying to
get the TLS option to work).
2) Set my httpd.conf to look like this:
Alias /rt3/rt3/NoAuth/images/ /usr/local/rt3/share/html/NoAuth/images
Alias /rt3 /usr/local/rt3/share/html/
PerlRequire /usr/local/rt3/bin/webmux.pl
<Location /rt3>
    SetHandler perl-script
    PerlHandler RT::Mason
    PerlModule Apache::DBI
</Location>
<Directory "/usr/local/rt3/share/html">
    Options FollowSymLinks
    AllowOverride All
    # directives from here to the bottom are for ldap auth
    require valid-user
    # optional TLS encryption to LDAP server
    AuthLDAPStartTLS On
    AuthType Basic
    AuthName "LDAP/email username and password"
    # you may want ou=people in the base DN; the URL must stay on one line
    AuthLDAPURL ldap://directory.ourdomain.com:389/dc=ourdomain,dc=com?uid
</Directory>
3) Set($WebExternalAuth , 1); in my RT_SiteConfig
4) stopped and started apache
----------------
ht://Dig on bestpractical
----------------------
FYI ht://Dig on http://lists.bestpractical.com/search.html appears to
need a reindexing or at least I kept getting null results the last few
times I ran a search.
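For Issue 1 above (reusing an account that incoming mail already created, renaming it to the LDAP uid, and making LDAP-authenticated people privileged), here is an added Perl example built on RT's own RT::User API; it is not code from this post or from RT itself. It assumes the RT 3.2 install path given in the post and takes the uid and mail values as arguments rather than querying LDAP; the function name and the jdoe values are made up for illustration.

```perl
# Added example, not code from the original post or from RT itself.
# Reconcile one LDAP-authenticated person with RT's user table: reuse an
# account that mail already created, rename it to the LDAP uid, fill in the
# e-mail address and make it privileged. Assumes RT 3.2 in /usr/local/rt3
# (path from the post) and that $uid/$email were already read from LDAP.
use strict;
use warnings;
use lib '/usr/local/rt3/lib';
use RT;
RT::LoadConfig();
RT::Init();

# Returns the RT::User for $uid; dies with RT's message if a step fails.
sub ensure_privileged_user {
    my ($uid, $email) = @_;
    my $user = RT::User->new($RT::SystemUser);

    # 1. Already present under the LDAP uid (e.g. made by $WebExternalAuto)?
    $user->Load($uid);
    # 2. Else look for the older record keyed by e-mail address (created when
    #    the person first mailed the queue) and rename it to the uid, so the
    #    web login and the mail-created account become one user.
    if (!$user->Id && $email) {
        $user->LoadByEmail($email);
        if ($user->Id) {
            my ($ok, $msg) = $user->SetName($uid);
            die "rename $email -> $uid: $msg" unless $ok;
        }
    }
    # 3. Nothing found: create a fresh privileged account with the address.
    if (!$user->Id) {
        my ($id, $msg) = $user->Create(
            Name => $uid, EmailAddress => $email, Privileged => 1);
        die "create $uid: $msg" unless $id;
        return $user;
    }
    # Existing account: add a missing address and elevate if still unprivileged.
    if ($email && !$user->EmailAddress) {
        my ($ok, $msg) = $user->SetEmailAddress($email);
        die "set address for $uid: $msg" unless $ok;
    }
    if (!$user->Privileged) {
        my ($ok, $msg) = $user->SetPrivileged(1);
        die "privilege $uid: $msg" unless $ok;
    }
    return $user;
}

# One call per LDAP entry; a cron job would loop over the directory search.
my $u = ensure_privileged_user('jdoe', 'jdoe@ourdomain.com');
print 'RT user ', $u->Name, ' (id ', $u->Id, ") is privileged\n";
```

Only uids that the script receives from the directory are elevated, so people who merely sent mail stay unprivileged until they actually authenticate or appear in the LDAP search.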