[rt-users] Self user creation
Anthony Lincoln
ahlincoln at lbl.gov
Tue Mar 21 13:51:15 EST 2006
Rick Russell wrote:
> Ken Crocker wrote:
>
>>NEVER!!
>
>
> Religious invective aside... :-)
>
> We've set up a web form that sends a specially-crafted e-mail to our RT
> instance, which then auto-replies with a new password for that user. It
> can be used for new or existing users.
>
> http://is.rice.edu/~rickr/webdocs/RT/passreset.html
>
> Of course, you can only request a password if you have a Rice e-mail
> address :-)

A couple years ago I hacked RT to allow users to self-create upon login
as long as they have a valid entry in our enterprise LDAP server and it
contains a valid orgcode. I like it because it doesn't require any
action on my part, but still has a nice built-in set of constraints. I
wrote the code for allowing users to self-create via email, but given
the ease of spoofing, I leave it toggled off:

Set($LDAPExternalAuth, 1); # enable LDAP authentication/lookups
Set($LDAPWebExternalAuto, 1); # create user acct from LDAP at login
Set($LDAPMailExternalAuto, 0); # create user acct from LDAP at email

I included a plethora of other options, including LDAP/S connectivity,
attribute selection/mapping (below).

Has anyone used the new LDAP overlay stuff? Does it allow for this
level of granularity?

Thanks,
Tony

Set($LDAPExternalAuth, 1); # enable LDAP authentication/lookups
Set($LDAPWebExternalAuto, 1); # create user acct from LDAP at login
Set($LDAPMailExternalAuto, 0); # create user acct from LDAP at email
Set($LDAPHost, 'myldaphost.foo.bar');
Set($LDAPSSLHost, 'sslldaphost.foo.bar');
Set($LDAPPort, '389');
Set($LDAPSSLPort, '636');
Set($LDAPBase, 'dc=foo,dc=bar');
Set($LDAPSSLAuth, 1); # set to 1 for encrypted connections for auth
Set($LDAPSSLSearch, 0); # set to 1 for encrypted connections for searches
Set($LDAPCert, '/path/to/ldapcert');
# set these two for non-anonymous lookups
Set($LDAPBind, '');
Set($LDAPPass, '');
# use this to narrow the filter for authentication; any LDAP search filter
# placed here will be concatenated with a (uid=username) filter.
# Leaving it 'undef' means the default filter of (uid=username) will be used.
Set($LDAPSearchFilter,
'(&(status=active)(|(orgcode=ABC*)(lblpan=DEF)))'
);
# define which attrs we want to pull back
@LDAPSearchAttrs = qw(mail cn division uid displayName telephoneNumber);
Set($LDAPMailAttr, 'mail');
Set($LDAPCnameAttr, 'cn');
Set($LDAPOrgAttr, 'division');
Set($LDAPUidAttr, 'uid');
Set($LDAPFullNameAttr, 'displayName');
Set($LDAPPhoneAttr, 'telephoneNumber');
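
Added example (not part of the original post and not the author's RT patch): one way to combine a constraint filter like the $LDAPSearchFilter above with the per-login (uid=username) match, escaping the login name per RFC 4515 so it cannot alter the constraint. The function names are hypothetical, and ANDing the two filters is an assumption, since the post only says they are "concatenated".

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape a value for use inside an LDAP search filter (RFC 4515):
# backslash, '*', '(', ')' and control characters become \XX hex escapes.
# (Net::LDAP::Util ships an escape_filter_value with the same purpose;
# this local copy keeps the example free of non-core modules.)
sub escape_filter_value {
    my ($value) = @_;
    $value =~ s/([\x00-\x1f\\*()])/sprintf('\\%02x', ord($1))/ge;
    return $value;
}

# Combine the site's constraint filter with the per-login uid match.
# Assumption: the two are ANDed; the post only says "concatenated".
# An undef constraint falls back to the plain (uid=username) filter.
sub build_auth_filter {
    my ($constraint, $uid_attr, $username) = @_;
    die "empty username\n" unless defined $username && length $username;
    my $uid_filter = sprintf '(%s=%s)', $uid_attr,
        escape_filter_value($username);
    return defined $constraint ? "(&$constraint$uid_filter)" : $uid_filter;
}

# Values taken from the configuration in the post.
my $constraint = '(&(status=active)(|(orgcode=ABC*)(lblpan=DEF)))';
my $uid_attr   = 'uid';

# Constructed login names: one ordinary, two carrying filter metacharacters.
for my $login ('jdoe', 'a*', 'j(doe)') {
    printf "%-8s => %s\n", $login,
        build_auth_filter($constraint, $uid_attr, $login);
}

# With no constraint configured, only the uid match is used.
printf "%-8s => %s\n", 'jdoe', build_auth_filter(undef, $uid_attr, 'jdoe');
```

Because the web auto-create path turns any successful match into a new RT account, an unescaped login name would let the person logging in decide which directory entries match; the escaped form always searches for the literal string that was typed.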