[rt-users] RT::Authen::ExternalAuth selectable authentication service?
William J. Horka
whorka at hmdc.harvard.edu
Wed Nov 12 13:50:25 EST 2008
Hello all,

I was just checking out RT::Authen::ExternalAuth for the first time
after seeing the recent announcements on this list, and found it to be a
useful extension of RT functionality. However, I noticed that it
always attempts to authenticate a user to the external authentication
service(s) before falling back to local authentication. I was wondering
if there was any interest in enhancing it to allow for the selection of
the authentication service on a per-user basis, perhaps based on some
user custom field.

In our RT setup, we have a small number of privileged users who can own
tickets and have accounts in our LDAP directory, but we have a large
number of people who have access only to tickets they requested in RT,
and do not have LDAP accounts. I think it would cut down on unnecessary
traffic to our LDAP server if we could add some functionality to
RT::Authen::ExternalAuth so that it only looks up privileged users in
LDAP and does local authentication for everybody else.

Maybe a user custom field could indicate which authentication service to
use for an account (e.g. LDAP, external DB, local, etc.) rather than the
global $RT::ExternalAuthPriority applying to all users? However, this
could be problematic in allowing users to change which service they
authenticate to.

Would this per-user selectable authentication service functionality be
useful to anyone else, and does anyone have an alternative suggestion
for its implementation other than by using a user custom field? Maybe by
RT group membership (e.g. by creating and populating an "auth_ldap" group
for users to auth to LDAP, and an "auth_db" group for users to auth to an
external DB, etc.)?

-Bill
--
William Horka
UNIX Systems Administrator
Harvard-MIT Data Center
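
Added example (not part of the original message, and not RT or RT::Authen::ExternalAuth code): a small Python model of the two selectors proposed above, showing that group-based routing keeps requestors off LDAP and that a user-editable field lets an account move itself to a different backend. The "AuthService" field name, the service labels, the Backend class and all accounts and passwords are constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field

# Group names come from the post; the service labels are assumptions.
GROUP_TO_SERVICE = {"auth_ldap": "ldap", "auth_db": "db"}

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)           # maintained by RT admins
    custom_fields: dict = field(default_factory=dict)  # possibly user-editable

def select_by_custom_field(user):
    # Whoever may edit the (hypothetical) AuthService field picks the backend.
    return user.custom_fields.get("AuthService", "local")

def select_by_group(user):
    services = {GROUP_TO_SERVICE[g] for g in user.groups if g in GROUP_TO_SERVICE}
    if len(services) > 1:  # ambiguous membership: refuse instead of guessing
        raise ValueError(f"{user.name} is in more than one auth group")
    return services.pop() if services else "local"

class Backend:
    """Constructed stand-in for a credential store; counts lookups."""
    def __init__(self, passwords):
        self.passwords, self.lookups = passwords, 0
    def check(self, name, password):
        self.lookups += 1
        stored = self.passwords.get(name)
        return stored is not None and hmac.compare_digest(stored, password)

def authenticate(user, password, backends, select):
    # Only the selected service is queried; there is no fallback chain.
    service = select(user)
    return service, backends[service].check(user.name, password)

def demo():
    backends = {"ldap": Backend({"alice": "ldap-pw"}), "db": Backend({}),
                "local": Backend({"alice": "old-local-pw", "req1": "pw1", "req2": "pw2"})}
    alice = User("alice", {"auth_ldap"}, {"AuthService": "ldap"})
    logins = [(alice, "ldap-pw"), (User("req1"), "pw1"), (User("req2"), "pw2")]
    results = [authenticate(u, p, backends, select_by_group) for u, p in logins]
    ldap_lookups = backends["ldap"].lookups  # only alice reached LDAP
    # If alice can edit her own field, her stale local password is accepted.
    alice.custom_fields["AuthService"] = "local"
    by_field = authenticate(alice, "old-local-pw", backends, select_by_custom_field)
    by_group = authenticate(alice, "old-local-pw", backends, select_by_group)
    return results, ldap_lookups, by_field, by_group
```

With either selector, the attribute that picks the backend has to be writable only by administrators, and a stale local password on an externally authenticated account should be cleared.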