[rt-users] Self user creation

Jim Meyer purp at acm.org
Tue Mar 21 15:05:02 EST 2006


Hello!

On Tue, 2006-03-21 at 10:51 -0800, Anthony Lincoln wrote:
> Rick Russell wrote:
> A couple years ago I hacked RT to allow users to self-create upon login 
> as long as they have a valid entry in our enterprise LDAP server and it 
> contains a valid orgcode.  I like it because it doesn't require any 
> action on my part, but still has a nice built-in set of constraints.  I 
> wrote the code for allowing users to self-create via email, but given 
> the ease of spoofing, I leave it toggled off:
> 
> Set($LDAPExternalAuth,          1); # enable LDAP authentication/lookups
> Set($LDAPWebExternalAuto,       1); # create user acct from LDAP at login
> Set($LDAPMailExternalAuto,      0); # create user acct from LDAP at email
> 
> I included a plethora of other options, including LDAP/S connectivity, 
> attribute selection/mapping (below).
> 
> Has anyone used the new LDAP overlay stuff?  Does it allow for this 
> level of granularity?

Most of that, yes. It allows you to separate auth from info so you can
choose different LDAP servers for each function if you wish (yes, it was
necessary; no, I'm not proud of that) and allows you to config SSL,
base, filter, and user/password per server. No password is considered to
mean the LDAP server doesn't need authentication. 

Rather than provide a static list of attributes, the new overlay uses a
hash ref where you map RT attrs to your LDAP fields. It also does
something similar to your LDAPSearchAttrs. It doesn't currently
autocreate accounts on failed login. You can have a peek at the code and
config twiddles at http://wiki.bestpractical.com/?LDAP (check out the
RT_SiteConfig.pm stuff).

I'm pondering the autocreation thing as an overlay separate from the
LDAP overlay. My approach would be that the front page could provide a
link for "Create New Account" which would require name, email, and
password, then activation by emailing you a link, etc. I would also
include hooks such that if you can successfully auth externally (LDAP,
$REMOTE_USER, etc.) you can skip all of that. All with config twiddles
for inside vs. outside users, etc.

Would there be general interest in this?

Cheers!

--j
-- 
Jim Meyer, Geek at Large                                    purp at acm.org
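Added example (not the RT LDAP overlay's code, and not code from anyone in this thread): a small Perl script showing the two ideas discussed above, a hash ref that maps RT user attributes to LDAP attribute names, and an autocreate gate that only passes when the directory entry carries an orgcode on an allow list. The config hash, its key names, the `orgcode` attribute, the allow list and the sample entries are all assumptions constructed for the example; the real overlay's config keys live in the wiki page Jim links, not here. It also shows the "no password means anonymous bind" rule by deriving bind arguments from the per-server config.

```perl
#!/usr/bin/perl
# Added example, not RT's own code.  Every config key and attribute name
# below is an assumption chosen for illustration.
use strict;
use warnings;

# Hypothetical per-server "info" config in the style of RT_SiteConfig.pm Set() calls.
# An empty user and password mean "the LDAP server needs no authentication".
my %ldap_info_server = (
    host     => 'ldap.example.org',                 # constructed
    ssl      => 1,
    base     => 'ou=people,dc=example,dc=org',      # constructed
    filter   => '(uid=%s)',
    user     => '',                                 # no bind DN ...
    password => '',                                 # ... and no password => anonymous bind
);

# Hash ref mapping RT user attributes to LDAP attribute names (assumed schema).
my $attr_map = {
    Name         => 'uid',
    EmailAddress => 'mail',
    RealName     => 'cn',
    Organization => 'orgcode',
};

# Orgcodes permitted to self-create; constructed for the example.
my %valid_orgcode = map { $_ => 1 } qw(ENG OPS);

# Bind arguments for a Net::LDAP-style bind: empty list == anonymous bind.
sub bind_args {
    my ($srv) = @_;
    return () if !length($srv->{user}) && !length($srv->{password});
    return ($srv->{user}, password => $srv->{password});
}

# Translate one LDAP entry (here a plain hash of attr => [values]) into the
# RT user fields the map asks for.  Returns nothing if a mapped attribute is absent.
sub map_entry {
    my ($entry, $map) = @_;
    my %user;
    for my $rt_attr (sort keys %$map) {
        my $vals = $entry->{ $map->{$rt_attr} };
        return unless $vals && @$vals;
        $user{$rt_attr} = $vals->[0];       # first value wins
    }
    return \%user;
}

# Autocreate gate: succeed only when mapping works and the orgcode is allowed.
# Returns (1, $user_hashref) on success, (0, $reason) otherwise.
sub may_autocreate {
    my ($entry, $map) = @_;
    my $user = map_entry($entry, $map) or return (0, 'missing mapped attribute');
    return (0, "orgcode '$user->{Organization}' not permitted")
        unless $valid_orgcode{ $user->{Organization} };
    return (1, $user);
}

# Constructed sample entries standing in for LDAP search results.
my %entries = (
    alice => { uid => ['alice'], mail => ['alice@example.org'], cn => ['Alice Adams'], orgcode => ['ENG'] },
    bob   => { uid => ['bob'],   mail => ['bob@example.org'],   cn => ['Bob Brown'],   orgcode => ['XXX'] },
    carol => { uid => ['carol'], mail => ['carol@example.org'], cn => ['Carol Cho'] },  # no orgcode at all
);

if (!caller) {
    my @bind = bind_args(\%ldap_info_server);
    printf "bind: %s\n", @bind ? 'authenticated' : 'anonymous';
    for my $login (sort keys %entries) {
        my ($ok, $why) = may_autocreate($entries{$login}, $attr_map);
        printf "%-6s %s\n", $login,
            $ok ? "create as $why->{RealName} <$why->{EmailAddress}>" : "refuse: $why";
    }
}
```

Run it with `perl` and alice is created, bob is refused for an unknown orgcode, and carol is refused because the mapped attribute is missing. The point of keeping the gate separate from the attribute map is that the "who may self-create" policy stays in one small function, which is the same granularity the quoted config toggles were giving per login path.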
