[rt-users] RT::Authen::ExternalAuth selectable authentication service?

William J. Horka whorka at hmdc.harvard.edu
Wed Nov 12 13:50:25 EST 2008

Hello all,

I was just checking out RT::Authen::ExternalAuth for the first time 
after seeing the recent announcements on this list, and found it to be a 
  useful extension of RT functionality. However, I noticed that it 
always attempts to authenticate a user to the external authentication 
service(s) before falling back to local authentication. I was wondering 
if there was any interest in enhancing it to allow for the selection of 
the authentication service on a per-user basis, perhaps based on some 
user custom field.

In our RT setup, we have a small number of privileged users who can own 
tickets and have accounts in our LDAP directory, but we have a large 
number of people who have access only to tickets they requested in RT, 
and do not have LDAP accounts. I think it would cut down on unnecessary 
traffic to our LDAP server if we could add some functionality to 
RT::Authen::ExternalAuth so that it only looks up privileged users in 
LDAP and does local authentication for everybody else.

Maybe a user custom field could indicate which authentication service to 
use for an account (e.g. LDAP, external DB, local, etc.) rather than the 
global $RT::ExternalAuthPriority applying to all users? However, this 
could be problematic in allowing users to change which service they 
authenticate to.

Would this per-user selectable authentication service functionality be 
useful to anyone else, and does anyone have an alternative suggestion 
for its implementation other than by using a user custom field? Maybe by 
RT group membership (e.g. by creating and populating a "auth_ldap" group 
for users to auth to LDAP, and a "auth_db" group for users to auth to an 
external DB, etc.)?


William Horka
UNIX Systems Administrator
Harvard-MIT Data Center

More information about the rt-users mailing list