[rt-users] Self user creation

Anthony Lincoln ahlincoln at lbl.gov
Tue Mar 21 13:51:15 EST 2006


Rick Russell wrote:
> Ken Crocker wrote:
> 
>>NEVER!!
> 
> 
> Religious invective aside... :-)
> 
> We've set up a web form that sends a specially-crafted e-mail to our RT
> instance, which then auto-replies with a new password for that user. It
> can be used for new or existing users.
> 
> http://is.rice.edu/~rickr/webdocs/RT/passreset.html
> 
> Of course, you can only request a password if you have a Rice e-mail
> address :-)

A couple years ago I hacked RT to allow users to self-create upon login 
as long as they have a valid entry in our enterprise LDAP server and it 
contains a valid orgcode.  I like it because it doesn't require any 
action on my part, but still has a nice built-in set of constraints.  I 
wrote the code for allowing users to self-create via email, but given 
the ease of spoofing, I leave it toggled off:

Set($LDAPExternalAuth,          1); # enable LDAP authentication/lookups
Set($LDAPWebExternalAuto,       1); # create user acct from LDAP at login
Set($LDAPMailExternalAuto,      0); # create user acct from LDAP at email

I included a plethora of other options, including LDAP/S connectivity 
and attribute selection/mapping (below).

Has anyone used the new LDAP overlay stuff?  Does it allow for this 
level of granularity?

Thanks,

Tony

Set($LDAPExternalAuth,          1); # enable LDAP authentication/lookups
Set($LDAPWebExternalAuto,       1); # create user acct from LDAP at login
Set($LDAPMailExternalAuto,      0); # create user acct from LDAP at email

Set($LDAPHost,          'myldaphost.foo.bar');
Set($LDAPSSLHost,       'sslldaphost.foo.bar');
Set($LDAPPort,          '389');
Set($LDAPSSLPort,       '636');
Set($LDAPBase,          'dc=foo,dc=bar');
Set($LDAPSSLAuth,       1); # set to 1 for encrypted connections for auth
Set($LDAPSSLSearch,     0); # set to 1 for encrypted connections for searches
Set($LDAPCert,          '/path/to/ldapcert');

# set these two for non-anonymous lookups
Set($LDAPBind, '');
Set($LDAPPass, '');

# use this to narrow the filter for authentication; any LDAP search filter
# placed here will be concatenated with a (uid=username) filter
# Leaving it 'undef' means default filter of (uid=username) will be used
Set($LDAPSearchFilter,
'(&(status=active)(|(orgcode=ABC*)(lblpan=DEF)))'
);

# define which attrs we want to pull back
@LDAPSearchAttrs = qw(mail cn division uid displayName telephoneNumber);

Set($LDAPMailAttr,      'mail');
Set($LDAPCnameAttr,     'cn');
Set($LDAPOrgAttr,       'division');
Set($LDAPUidAttr,       'uid');
Set($LDAPFullNameAttr,  'displayName');
Set($LDAPPhoneAttr,     'telephoneNumber');
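
The filter concatenation described in the config comments above, as an added example that is not part of the original post and is neither the author's patch nor RT's own code. It assumes the site filter is ANDed with the (uid=username) clause and that the login name is escaped per RFC 4515 first; the helper names and sample login names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for the $LDAPSearchFilter value shown in the config above.
my $site_filter = '(&(status=active)(|(orgcode=ABC*)(lblpan=DEF)))';

# Escape the characters RFC 4515 treats as special inside a filter value
# (backslash, '*', '(', ')', NUL), so a login name is always matched
# literally and cannot add clauses or wildcards of its own.
sub escape_filter_value {
    my ($value) = @_;
    $value =~ s/([\\*()\x00])/sprintf('\\%02x', ord($1))/ge;
    return $value;
}

# AND the per-user clause with the site filter (assumed composition).
# With no site filter, fall back to the plain (uid=username) default.
sub build_auth_filter {
    my ($uid_attr, $username, $filter) = @_;
    my $clause = sprintf('(%s=%s)', $uid_attr, escape_filter_value($username));
    return defined $filter && length $filter ? "(&$clause$filter)" : $clause;
}

# Constructed sample login names, some carrying filter metacharacters.
for my $name ('ahlincoln', '*', 'x)(orgcode=*', 'a\\b') {
    printf "%-14s => %s\n", $name, build_auth_filter('uid', $name, $site_filter);
}

# The 'undef' case from the config comment: only the uid clause is used.
print build_auth_filter('uid', 'ahlincoln', undef), "\n";
```

Without the escaping step, a login name containing parentheses or an asterisk would change the shape of the search and could sidestep the status and orgcode constraints that gate account auto-creation.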




