[rt-users] Migrating existing RT to LDAP for Authentication

MikeHamilton at clovisusd.k12.ca.us MikeHamilton at clovisusd.k12.ca.us
Wed Feb 1 13:49:32 EST 2006


We've been using RT for over 2 years (and 34000 tickets) now. At the time, 
we had no LDAP for authentication. Now we do and I would like to know if 
anyone has any advice on migrating the authentication component from the 
RT built-in authentication to an LDAP authentication piece. Specifically:

1) What happens to the existing accounts when someone logs in using LDAP 
after the conversion? This is a complex question in my brain anyway, so 
forgive the longevity here. Presently, our users do not log in to RT at all 
to check ticket status. We would like for them to be able to do this now 
but we don't want them to have yet another password to remember (thus the 
desire to cut over to LDAP for authentication). So when a user submits a 
ticket after a cutover to LDAP, RT already has a non-priv account for the 
user in question (I noticed that email address is an indexed field - no 
duplicates) from before the cutover. When the user logs in to the web 
interface (now via LDAP) to check ticket status, how does RT know that the 
LDAP username that they are logging in with will be associated with the 
email address that was already in RT (that they used to submit the ticket 
after the cutover to LDAP)?

2) What RT user account fields (if any) are auto-populated when someone 
logs in with a valid LDAP account for the first time?

Thanks for the help!

Also, as a feature suggestion:
We have a spam filtering appliance that sends the user an email every day 
starting at a designated time to remind them to check their quarantine. 
There is a link in the message that, when clicked, takes them to the 
appliance web page and logs them in automatically. This is great, because 
most of our users do not want to remember another password (they usually 
log in to the appliance via the link from the email message anyway) and for 
those rare users who do occasionally log in to the appliance directly 
(rather than using the link in the email), it gives them an opportunity to 
change their password if they forget it. Anyway, my suggestion is this:
Have a feature in RT (that is either on or off in the RT_SiteConfig.pm 
file) that allows the user to click a link present in any correspondence 
within a ticket that will take them to the RT webpage, log them in, and 
let them look at the status of the ticket. As an added feature, it might 
be nice to have a rule (once again that could be turned on or off) that 
would NOT allow this type of action for someone with a privileged account. 
In other words, Joe User can click a link in their ticket correspondence 
that will take them to the RT site for the organization, log them in, and 
let them look at the status and history of their ticket. Jane Tech 
however, a privileged user, would not have a link in correspondence for 
tickets that they are the requester for (so that someone cannot just click 
a link and log in to RT as a privileged user). Just a thought.

Mike