[rt-users] RT ExternalAuth LDAP and Adding Local users in 3.8.2

Susan McClure smcclure at rice.edu
Tue Jun 2 15:05:23 EDT 2009


I have been reading the postings about RT-Authen-ExternalAuth
but am confused on what appears to be some conflicting setup
information.

I am using:
  RT 3.8.2
  RT-Authen-ExternalAuth 0.08

I would like to use LDAP for authentication and information first,
and that part seems to work OK.
But I also would like to:
  - add LOCAL users to RT internal DB (i.e. test and test-admin type accounts)
  - NOT autocreate a new RT account, if we receive an email from
a user that is unknown in local RT or LDAP.
  - NOT make multiple accounts for a user's multiple email aliases.
(Our ldap contains several email addresses for each user (uid) )


When I try to add a local account through the Web (using Root,
Configuration->Users->Create), I receive the error "Name in Use".
The username I am trying to create does NOT exist, but the email
for that new account DOES.

My error_log shows:
==================================
> [Tue Jun  2 17:45:21 2009] [debug]: User Check Failed :: ( My_LDAP ) root User not found (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:318)
> [Tue Jun  2 17:45:21 2009] [debug]: Autohandler called ExternalAuth. Response: (0, No User)
> (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
> [Tue Jun  2 17:45:21 2009] [info]: Successful login for root from 168.7.56.227 (/usr/site/rt-3.8/PROD/share/html/autohandler:276)
> [Tue Jun  2 17:46:40 2009] [debug]: /ServiceUpdate/Elements/Header calls old style callback, use $m->callback (/usr/site/rt-3.8/PROD/share/html/Elements/Callback:51)
> [Tue Jun  2 17:46:40 2009] [crit]: HasRight called with no valid object (/usr/site/rt-3.8/PROD/bin/../lib/RT/Principal_Overlay.pm:322)
> [Tue Jun  2 17:51:36 2009] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User /opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 20 with: Address1: , Address2: , AuthSystem: , City: , Comments: Admin Authority Level Account for RT, ContactInfoSystem: , Country: , Disabled: 0, EmailAddress: smcclure at rice.edu, EmailEncoding: , ExternalAuthId: , ExternalContactInfoId: , FreeformContactInfo: , Gecos: , HomePhone: , Lang: en, MobilePhone: , Name: smcclure-admin, NickName: Smcclure-Admin,
> Organization: , PagerPhone: , Privileged: 1, RealName: Susan McClure, Signature: , State: ,
> WebEncoding: , WorkPhone: , Zip:  (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)
> [Tue Jun  2 17:51:36 2009] [debug]: Attempting to get user info using this external service: My_LDAP (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
> [Tue Jun  2 17:51:36 2009] [debug]: Attempting to use this canonicalization key: Name (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
> [Tue Jun  2 17:51:36 2009] [debug]: LDAP Search ===  Base: ou=People,dc=rice,dc=edu == Filter: (&(objectclass=*)(uid=smcclure-admin)) == Attrs: Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,physicalDeliveryOfficeName,uid (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
> [Tue Jun  2 17:51:36 2009] [debug]: Attempting to use this canonicalization key: EmailAddress (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
> [Tue Jun  2 17:51:36 2009] [debug]: LDAP Search ===  Base: ou=People,dc=rice,dc=edu == Filter: (&(objectclass=*)(mail=smcclure at rice.edu)) == Attrs: Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,physicalDeliveryOfficeName,uid (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
> [Tue Jun  2 17:51:36 2009] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning
> Address1: 6100 Main Street, Address2: , AuthSystem: , City: , Comments: Admin Authority Level Account for RT, ContactInfoSystem: , Country: , Disabled: 0, EmailAddress: smcclure at rice.edu, EmailEncoding: , ExternalAuthId: smcclure, ExternalContactInfoId: , FreeformContactInfo: , Gecos: , HomePhone: , Lang: en, MobilePhone: , Name: smcclure, NickName: Smcclure-Admin,
> Organization: 222 Mudd Building, PagerPhone: , Privileged: 1, RealName: McClure, Susan, Signature: , State: , WebEncoding: , WorkPhone: 713-348-4852, Zip: 77005 (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
==============

My current RT_SiteConfig.pm for LDAP and External Auth has:
====================================
Set(@Plugins,qw(RT::FM RT::IR RT::Authen::ExternalAuth .......

and for LDAP
#  special options for various plugins
#  Authen::ExternalAuth
Set($ExternalAuthPriority, ['My_LDAP'] );
Set($ExternalInfoPriority,  ['My_LDAP'] );
Set($ExternalServiceUsesSSLorTLS,    1);
Set($ExternalSettings,      {
    'My_LDAP'     =>  {   ## GENERIC SECTION
        'type'    =>  'ldap',
        'server'  =>  'ldap.rice.edu',
        'user'    =>  'cn=requesttracker,ou=Service Accounts,dc=rice,dc=edu',
        ..... etc etc .........
.................
And the LDAP Attributes mappings:
> ## RT ATTRIBUTE MATCHING SECTION
>         # The list of RT attributes that uniquely identify a user
>         # This example shows what you *can* specify.. I recommend reducing this
>         # to just the Name and EmailAddress to save encountering problems later.
>         'attr_match_list'   => [ 'Name',
>                                  'EmailAddress',
>                                  'RealName',
>                                  'WorkPhone',
>                                  'Address2'
>                                ],
>         # The mapping of RT attributes on to LDAP attributes
>         'attr_map'          => { 'Name' => 'uid',
>                                  'EmailAddress' => 'mail',
>                                  'Organization' => 'physicalDeliveryOfficeName',
>                                  'RealName' => 'cn',
>                                  'ExternalAuthId' => 'uid',
>                                  'Gecos' => 'gecos',
>                                  'WorkPhone' => 'telephoneNumber',
>                                  'Address1' => 'postalAddress',
>                                  'City' => 'Houston',
>                                  'State' => 'TX',
>                                  'Zip' => 'postalCode'
>                                }
>     }
> }
> 
> );
===================

Looking at all the postings, I am afraid that if I add:

==> Set($AutoCreateNonExternalUsers,    1);

then I will automatically MAKE a new account for users that send email
or authenticate in some way other than being in our LDAP.

Can someone clarify the different options to help me get the
setup I want please?

Thanks

Susie McClure

smcclure at rice.edu
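To make the "Name in Use" error and the alias question concrete, here is a small model of the attr_match_list lookup that the debug log above shows, added as an example and not the plugin's own code. The directory entry, its second mail alias and the set of existing local users are constructed from values visible in the log and are assumptions.

```python
# Constructed model of the attr_match_list lookup the debug log shows; not
# the plugin's own code. Entries and the local-user set are assumptions
# built from values visible in the log.
ATTR_MATCH_LIST = ["Name", "EmailAddress", "RealName", "WorkPhone", "Address2"]
# RT field -> LDAP attribute, as posted. 'Houston' and 'TX' name no LDAP
# attribute, which is why the log requests "Attrs: Houston,cn,TX,..."
ATTR_MAP = {
    "Name": "uid", "EmailAddress": "mail", "RealName": "cn",
    "ExternalAuthId": "uid", "Organization": "physicalDeliveryOfficeName",
    "WorkPhone": "telephoneNumber", "Address1": "postalAddress",
    "City": "Houston", "State": "TX", "Zip": "postalCode",
}
# Constructed ou=People entry: one uid carrying several mail values.
LDAP_PEOPLE = [{
    "uid": "smcclure", "cn": "McClure, Susan",
    "mail": ["smcclure@rice.edu", "susan.mcclure@rice.edu"],
    "telephoneNumber": "713-348-4852", "postalAddress": "6100 Main Street",
    "postalCode": "77005", "physicalDeliveryOfficeName": "222 Mudd Building",
}]

def ldap_search(attr, value):
    """First entry matching the filter (attr=value), else None."""
    for entry in LDAP_PEOPLE:
        vals = entry.get(attr, [])
        if value in (vals if isinstance(vals, list) else [vals]):
            return entry
    return None

def canonicalize(user_info):
    """Try each attr_match_list key in order; the first directory hit
    rewrites every mapped RT field, including Name, from that entry."""
    for key in ATTR_MATCH_LIST:
        val, ldap_attr = user_info.get(key), ATTR_MAP.get(key)
        if not val or not ldap_attr:
            continue
        entry = ldap_search(ldap_attr, val)
        if entry is None:
            continue
        canon = dict(user_info)
        for rt_field, attr in ATTR_MAP.items():
            v = entry.get(attr)  # None for 'Houston'/'TX'
            if v is not None:
                canon[rt_field] = v[0] if isinstance(v, list) else v
        return canon, key
    return dict(user_info), None

def check_create(user_info, existing_names):
    """Return (ok, canonical Name, key that matched); ok is False when the
    canonical Name already belongs to an RT user, i.e. 'Name in Use'."""
    canon, key = canonicalize(user_info)
    return canon["Name"] not in existing_names, canon["Name"], key
```

Creating smcclure-admin with smcclure@rice.edu misses on the Name key, hits on EmailAddress, and comes back with Name smcclure, which already exists locally; any of that uid's mail aliases resolves to the same Name.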