[rt-users] ExternalAuth and Active Directory questions

Brian Buchanan brianbuchanan at interfast.ca
Fri Jul 18 15:40:26 EDT 2008


Hi,

I was able to get ExternalAuth working and authentication and
information seem to be being pulled from my Active Directory, but I've
got some questions as to how it actually works, specifically around auto
creating accounts.

1. A user sends an E-mail to RT, what happens exactly?

This is what I've seen; prior to the ExternalAuth, RT would auto-create
an RT user, where the "Username" was their E-mail address, "Email" was
their E-mail address, and "Real Name" was either their E-mail address,
or if the FROM: field contained a real name, that was used.

Now with ExternalAuth, I'm confused, and that's why I'm asking here, but
this is what it looks like is happening.

First the internal DB is checked for an exact match of FROM E-mail
address.  If found the ticket is created and we're done.

If no internal user is found, ExternalAuth will search the LDAP for a
user object with a matching E-mail address.

If a match on E-mail address is found, an RT User account is
automatically created with details from the User's account and the
ticket is created.

If an exact match is not found, the automatic user creation fails, and
the sender gets three messages back, "User could not be created", "User
could not be loaded" and "Could not load a valid user".  (unless I've
accidentally turned off RT's automatic user creation when I moved RT to
a new server a few weeks ago.)

I have a nagging feeling that ExternalAuth is called first, and if it
fails, then the internal DB is checked, basically the reverse of the way
I've laid it out above.

2. A user logs into the website.

Prior to ExternalAuth, a user unknown to the internal database could
not login.  Pretty simple.

After ExternalAuth, the LDAP directory is checked first.  If external
authentication succeeds, then an internal RT user is auto-created with
details pulled from the Active Directory at that time.  The "Username"
becomes the contents of sAMAccountName, "Email" is filled with the
E-mail address and Real Name is the account Full Name.


Is any of the above obviously wrong?

Is ExternalAuth supposed to be blocking the automatic user creation when
the LDAP search fails?  Or should I be looking elsewhere to solve that
problem?

On a received E-mail, what is ExternalAuth searching the LDAP for?
E-mail address? sAMAccountName?  Real/Full Name?

When ExternalAuth auto-creates an account, what is the password set to?
(for example if ExternalAuth ever went away or if the domain controller
was unavailable).

Most of my users already have RT accounts, and I've gone through RT to
correct the Username to match their AD sAMAccountName, but most of the AD
objects are missing a value for their E-mail address; is this going to
mess up ExternalAuth for existing RT accounts, or only new accounts?

Thanks for any help in understanding the process with ExternalAuth.

Brian Buchanan
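The resolution order the post lays out (internal RT user by e-mail, then an LDAP search on the e-mail address, then auto-create, otherwise fail) can be modelled to see where the "could not be created" outcome comes from. The block below is an added example written for this page; it is not RT's or RT::Authen::ExternalAuth's code, and the actual attribute names and lookup order in RT are set by its configuration. The directory contents, the `mail`/`sAMAccountName`/`displayName` attribute choice and the function names are assumptions. It also shows the RFC 4515 escaping a search filter built from a sender-supplied address needs, and the case the last question raises: an AD object with no `mail` value never matches, so auto-creation fails for that sender.

```python
"""Model of the ExternalAuth user-resolution flow as described in the post.

Constructed example: in-memory stand-ins for the RT user table and the
Active Directory; no real LDAP connection is made.
"""


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    A sender controls the From: address, so the characters that have
    filter syntax meaning must be hex-escaped before interpolation.
    """
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_mail_filter(email: str) -> str:
    """Filter that matches a user object on its mail attribute (assumed)."""
    return "(&(objectClass=user)(mail=%s))" % escape_filter_value(email)


# Constructed AD contents: one object with a mail value, one without.
FAKE_AD = [
    {"sAMAccountName": "jdoe", "mail": "jdoe@example.com",
     "displayName": "Jane Doe"},
    {"sAMAccountName": "bsmith", "displayName": "Bob Smith"},  # no mail
]

# Constructed existing RT users.
FAKE_RT_USERS = [
    {"Username": "alee", "Email": "alee@example.com", "RealName": "Ann Lee"},
]


def ldap_search_by_mail(directory, email):
    """Emulate an exact equality match on 'mail' (AD compares it case-insensitively)."""
    for obj in directory:
        if obj.get("mail", "").lower() == email.lower():
            return obj
    return None


def resolve_sender(rt_users, directory, from_email):
    """Return (outcome, user) following the order the post describes.

    outcome is one of 'internal', 'created' or 'failed'.
    """
    # 1. Internal RT database, matched on e-mail address.
    for user in rt_users:
        if user["Email"].lower() == from_email.lower():
            return "internal", user

    # 2. LDAP search for a user object whose mail attribute matches.
    obj = ldap_search_by_mail(directory, from_email)
    if obj is None:
        # No match: auto-creation cannot proceed, which is the
        # "User could not be created" path the post reports.
        return "failed", None

    # 3. Auto-create the RT user from the directory object's attributes.
    new_user = {
        "Username": obj["sAMAccountName"],
        "Email": obj["mail"],
        "RealName": obj.get("displayName", obj["mail"]),
    }
    rt_users.append(new_user)
    return "created", new_user


if __name__ == "__main__":
    users = list(FAKE_RT_USERS)
    for addr in ("alee@example.com", "jdoe@example.com", "bsmith@example.com"):
        print(addr, "->", resolve_sender(users, FAKE_AD, addr)[0])
    print(build_mail_filter("j*doe)(mail=*@example.com"))
```

Running the block prints `internal`, `created` and `failed` for the three constructed addresses; the third fails only because the object lacks a `mail` value, which is the situation the post describes for most existing accounts.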