[rt-users] RT3.8.1-Custom Login Requires Code Changes?
edward.bryan at oregonstate.edu
Thu Dec 18 18:08:37 EST 2008
Mike Peachey wrote:
> Edward Bryan wrote:
>> I've been tasked with finding a way to login to our RT system by
>> validating our cookies against a local database and then submitting a
>> valid user name as a login token to RT. The object is to write a
>> single sign on plugin that validates against a secure database for a
>> large number of diverse applications.
>> RT has facilities to query LDAP and DBI databases with ExternalAuth
>> and it also has the ability to read a cookie and validate it against
>> a database of users and user IDs with CookieAuth but it doesn't seem
>> to have a method for allowing me do to my own user validation and
>> then simply submitting a user name as a valid login token. RT retains
>> the power of the query for user validation. (Correct?)
>> I think in order to do this I will need to do some major Mason-ary
>> work and before I propose a project of that size to my customer, I
>> wanted to get confirmation that this is the only way to get RT to
>> follow our local login model.
> TBH CookieAuth is a fantastic example of how to "build your own" and
> although it's not *totally* clear what you're looking for I don't
> think you'd have to veer far from it.
> The whole validation path is quite simple.. you put in an Auth
> callback that runs whatever code you want it to when a user first
> vists and you can call any other methods you want at the same time,
> and all you need to have a logged in user is to put a user in the
> $session variable.
> If you want to do your own changes to validation of an actual
> password, you just gotta override isPassword in the USer object using
> a User_Vendor.pm or User_Local.pm.
> I can advise better if you can clarify a little what your intended
> result is.
> Kind Regards,
> Mike Peachey, IT
> Tel: +44 114 281 2655
> Fax: +44 114 281 2951
> Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
> Comp Reg No: 3191371 - Registered In England
Thanks for the quick reply. I'm sorry I wasn't more clear in my original
We have an single-sign-on application that validates all our users with
their first login to any application we run. Then, as they move from one
app to another, they are transparently validated by the SSO module at
every login. We just added RT and I've been asked to write the SSO
module that will allow already-validated-on-our-system users to step
around the RT login page and go straight to the RT "at a glance" page.
What I thought I understood from ExternalAuth and CookieAuth and the
many posts around implementing them, is that users go to the RT login
page and enter their names and passwords but that RT uses ~Auth
callbacks to query a remote database, either LDAP or another DBI type,
that then validates RT users. I've been asked to spare our users the
trouble of typing in a name and password if possible.
The closest answer I found was an "autologin" post from 2003 in which
the response was that it couldn't be done without sending the password
in clear text as part of the url.
So I think the answer to my question is that I need to modify the source
code around logging. Then again, I'm not the expert here.
Thanks for your help.
More information about the rt-users