[rt-users] RT::Authen::ExternalAuth selectable authentication service?

Kenneth Marshall ktm at rice.edu
Wed Nov 12 14:04:21 EST 2008

That seems like a lot of work to save a couple of very light-weight
LDAP queries. Plus, if anyone changes status, you will need to manually
reset their fields to get them to authenticate correctly. My two cents.


On Wed, Nov 12, 2008 at 01:50:25PM -0500, William J. Horka wrote:
> Hello all,
> I was just checking out RT::Authen::ExternalAuth for the first time 
> after seeing the recent announcements on this list, and found it to be a 
> useful extension of RT functionality. However, I noticed that it 
> always attempts to authenticate a user to the external authentication 
> service(s) before falling back to local authentication. I was wondering 
> if there was any interest in enhancing it to allow for the selection of 
> the authentication service on a per-user basis, perhaps based on some 
> user custom field.
> In our RT setup, we have a small number of privileged users who can own 
> tickets and have accounts in our LDAP directory, but we have a large 
> number of people who have access only to tickets they requested in RT, 
> and do not have LDAP accounts. I think it would cut down on unnecessary 
> traffic to our LDAP server if we could add some functionality to 
> RT::Authen::ExternalAuth so that it only looks up privileged users in 
> LDAP and does local authentication for everybody else.
> Maybe a user custom field could indicate which authentication service to 
> use for an account (e.g. LDAP, external DB, local, etc.) rather than the 
> global $RT::ExternalAuthPriority applying to all users? However, this 
> could be problematic in allowing users to change which service they 
> authenticate to.
> Would this per-user selectable authentication service functionality be 
> useful to anyone else, and does anyone have an alternative suggestion 
> for its implementation other than by using a user custom field? Maybe by 
> RT group membership (e.g. by creating and populating an "auth_ldap" group 
> for users to auth to LDAP, and an "auth_db" group for users to auth to an 
> external DB, etc.)?
>       -Bill
> -- 
> William Horka
> UNIX Systems Administrator
> Harvard-MIT Data Center
