[rt-users] Re: LDAP External Auth & Autocreating authenticated users

seph seph at directionless.org
Fri Jul 9 10:06:23 EDT 2004


> I finally figured out how to make Apache authenticate against LDAP and
> once I got over that hurdle, RT plays very nicely.

so your RT is just using ExternAuth, and apache is doing all the LDAP
auth? And everywhere you say "ldap authenticated" you mean web auth?

> I would like LDAP authenticated people to have their account
> automatically created (e.g. $WebExternalAuto), including email
> address info if possible, (if it didn't already exist), and for those
> same people to become privileged users.

Override the WebCanonicalizeInfo function in Interface/Web.pm, I
thought it was doc'ed.

> - I don't want everyone who sends an email to become a privileged user
> though (just ldap authenticated folks).

so, uh, don't set it that way.

> - Presumably some of them would have already sent an email, so
> if I let it "autocreate an account" will there be a problem because
> their old username was their email address and presumably their new
> username would be their uid?

yes, I think it would be a problem. 2 accounts can't have the same email
address. You could make the web auto-create stuff more intelligent, or
have the email autocreate stuff more intelligent.

> Is there a good way native in RT or am I better off writing my own
> custom cron job scripts that'll check against our ldap server, create
> the accounts if they don't exist, strip off @domain.com from username,
> elevate to privileged if not, etc..?

I ended up doing both. I did a bulk load every couple hours that
elevated permissions, and set group membership. (group membership was
the real point of my bulk uploads) And had the web autocreate stuff
act intelligently.

> RT doesn't seem to let me try mysql authentication when the account
> doesn't exist in ldap or my password is wrong.  I've tried it with
> both undef and 1.

I haven't had a problem. You'd need to set WebFallbackToInternalAuth
to 1 (make sure to stop and start apache), make sure they have an RT
password, and make sure apache will let them access it.

seph
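
Added example, not part of the original message and not RT's own code: a sketch of the decision a periodic bulk load has to make so that an LDAP user who already mailed RT does not end up with a second account on the same email address. The helper name `plan_sync`, the record layout, the case-insensitive matching and the sample data are all assumptions constructed for illustration; it only plans actions and calls no RT or LDAP API.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data; a real job would read these from RT and from LDAP.
my @rt_users = (
    { Name => 'alice',             EmailAddress => 'alice@example.com', Privileged => 0 },
    { Name => 'bob@example.com',   EmailAddress => 'bob@example.com',   Privileged => 0 },
    { Name => 'mallory@other.org', EmailAddress => 'mallory@other.org', Privileged => 0 },
);
my @ldap_entries = (
    { uid => 'alice', mail => 'alice@example.com' },
    { uid => 'bob',   mail => 'Bob@Example.com' },
    { uid => 'carol', mail => 'carol@example.com' },
);

# Hypothetical helper: decide, per LDAP entry, what the bulk load should do.
sub plan_sync {
    my ($rt_users, $ldap_entries) = @_;
    my (%by_name, %by_email);
    for my $u (@$rt_users) {
        $by_name{ lc $u->{Name} }          = $u;
        $by_email{ lc $u->{EmailAddress} } = $u;
    }
    my @plan;
    for my $e (@$ldap_entries) {
        my ($uid, $mail) = (lc $e->{uid}, lc $e->{mail});
        if (my $known = $by_name{$uid}) {
            # Account already keyed by uid: only fix privileges if needed.
            push @plan, [ $known->{Privileged} ? 'ok' : 'elevate', $uid ];
        }
        elsif (my $from_mail = $by_email{$mail}) {
            # Email-created account owns this address; creating a second
            # account would collide, so rename it to the uid and elevate.
            push @plan, [ 'rename+elevate', $uid, $from_mail->{Name} ];
        }
        else {
            push @plan, [ 'create privileged', $uid ];
        }
    }
    return \@plan;    # RT users absent from LDAP are left untouched
}

for my $step (@{ plan_sync(\@rt_users, \@ldap_entries) }) {
    my ($action, $uid, $old) = @$step;
    printf "%-18s %s%s\n", $action, $uid, defined $old ? " (was $old)" : '';
}
```

Accounts that exist only because someone sent mail (here `mallory@other.org`) never appear in the plan, so they stay unprivileged.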


