[rt-users] RT ExternalAuth LDAP and Adding Local users in 3.8.2
Susan McClure
smcclure at rice.edu
Wed Jun 3 17:29:53 EDT 2009
I have been reading the postings about RT-Authen-ExternalAuth
but am confused on what appears to be some conflicting setup
information.
I am using:
RT 3.8.2
RT-Authen-ExternalAuth 0.08
I would like to use LDAP for authentication and information first,
and that part seems to work OK.
But I also would like to:
- add LOCAL users to the RT internal DB (i.e. test and test-admin type
accounts)
- NOT autocreate a new RT account, if we receive an email from
a user that is unknown in local RT or LDAP.
- NOT make multiple accounts for a user's multiple email aliases.
(Our LDAP contains several email addresses for each user (uid).)
When I try to add a local account through the Web (using Root,
Configuration->Users->Create), I receive the error "Name in Use".
The username I am trying to create is NOT in existence, but the email
for that new account IS.
My error_log shows:
==================================
> [Tue Jun 2 17:45:21 2009] [debug]: User Check Failed :: ( My_LDAP ) root User not found (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:318)
> [Tue Jun 2 17:45:21 2009] [debug]: Autohandler called ExternalAuth. Response: (0, No User)
> (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
> [Tue Jun 2 17:45:21 2009] [info]: Successful login for root from 168.7.56.227 (/usr/site/rt-3.8/PROD/share/html/autohandler:276)
> [Tue Jun 2 17:46:40 2009] [debug]: /ServiceUpdate/Elements/Header calls old style callback, use $m->callback (/usr/site/rt-3.8/PROD/share/html/Elements/Callback:51)
> [Tue Jun 2 17:46:40 2009] [crit]: HasRight called with no valid object (/usr/site/rt-3.8/PROD/bin/../lib/RT/Principal_Overlay.pm:322)
> [Tue Jun 2 17:51:36 2009] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User /opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 20 with: Address1: , Address2: , AuthSystem: , City: , Comments: Admin Authority Level Account for RT, ContactInfoSystem: , Country: , Disabled: 0, EmailAddress: smcclure at rice.edu, EmailEncoding: , ExternalAuthId: , ExternalContactInfoId: , FreeformContactInfo: , Gecos: , HomePhone: , Lang: en, MobilePhone: , Name: smcclure-admin, NickName: Smcclure-Admin,
> Organization: , PagerPhone: , Privileged: 1, RealName: Susan McClure, Signature: , State: ,
> WebEncoding: , WorkPhone: , Zip: (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)
> [Tue Jun 2 17:51:36 2009] [debug]: Attempting to get user info using this external service: My_LDAP (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
> [Tue Jun 2 17:51:36 2009] [debug]: Attempting to use this canonicalization key: Name (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
> [Tue Jun 2 17:51:36 2009] [debug]: LDAP Search === Base: ou=People,dc=rice,dc=edu == Filter: (&(objectclass=*)(uid=smcclure-admin)) == Attrs: Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,physicalDeliveryOfficeName,uid (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
> [Tue Jun 2 17:51:36 2009] [debug]: Attempting to use this canonicalization key: EmailAddress (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
> [Tue Jun 2 17:51:36 2009] [debug]: LDAP Search === Base: ou=People,dc=rice,dc=edu == Filter: (&(objectclass=*)(mail=smcclure at rice.edu)) == Attrs: Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,physicalDeliveryOfficeName,uid (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
> [Tue Jun 2 17:51:36 2009] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning
> Address1: 6100 Main Street, Address2: , AuthSystem: , City: , Comments: Admin Authority Level Account for RT, ContactInfoSystem: , Country: , Disabled: 0, EmailAddress: smcclure at rice.edu, EmailEncoding: , ExternalAuthId: smcclure, ExternalContactInfoId: , FreeformContactInfo: , Gecos: , HomePhone: , Lang: en, MobilePhone: , Name: smcclure, NickName: Smcclure-Admin,
> Organization: 222 Mudd Building, PagerPhone: , Privileged: 1, RealName: McClure, Susan, Signature: , State: , WebEncoding: , WorkPhone: 713-348-4852, Zip: 77005 (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
==============
My Current RT_SiteConfig.pm for LDAP and External Auth has
====================================
Set(@Plugins,qw(RT::FM RT::IR RT::Authen::ExternalAuth .......
and for LDAP
# special options for various plugins
# Authen::ExternalAuth
Set($ExternalAuthPriority, ['My_LDAP'] );
Set($ExternalInfoPriority, ['My_LDAP'] );
Set($ExternalServiceUsesSSLorTLS, 1);
Set($ExternalSettings, {
'My_LDAP' => { ## GENERIC SECTION
'type' => 'ldap',
'server' => 'ldap.rice.edu',
'user' => 'cn=requesttracker,ou=Service Accounts,dc=rice,dc=edu',
..... etc etc .........
And the LDAP Attributes mappings:
> ## RT ATTRIBUTE MATCHING SECTION
> # The list of RT attributes that uniquely identify a user
> # This example shows what you *can* specify.. I recommend reducing this
> # to just the Name and EmailAddress to save encountering problems later.
> 'attr_match_list' => [ 'Name',
> 'EmailAddress',
> 'RealName',
> 'WorkPhone',
> 'Address2'
> ],
> # The mapping of RT attributes on to LDAP attributes
> 'attr_map' => { 'Name' => 'uid',
> 'EmailAddress' => 'mail',
> 'Organization' => 'physicalDeliveryOfficeName',
> 'RealName' => 'cn',
> 'ExternalAuthId' => 'uid',
> 'Gecos' => 'gecos',
> 'WorkPhone' => 'telephoneNumber',
> 'Address1' => 'postalAddress',
> 'City' => 'Houston',
> 'State' => 'TX',
> 'Zip' => 'postalCode'
> }
> }
> }
>
> );
===================
Looking at all the postings, I am afraid that if I add:
==> Set($AutoCreateNonExternalUsers, 1);
I will automatically MAKE a new account for users that send email
or authenticate in some way other than being in our LDAP.
Can someone clarify the different options to help me get the
setup I want please?
Thanks
Susie McClure
smcclure at rice.edu
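An added example, not part of the post and not code from RT-Authen-ExternalAuth: a small Python model of what the debug log above shows CanonicalizeUserInfo doing. The log tries each key of 'attr_match_list' in turn (Name first, then EmailAddress), and the first LDAP hit overwrites the submitted attributes, which is how 'Name: smcclure-admin' goes in and 'Name: smcclure' comes out just before "Name in Use". The walk-the-list behaviour is inferred from that log rather than read from the plugin source, so treat it as an assumption; the directory entries, user names and example.edu addresses are constructed sample data.

```python
# Added example: model of how an attr_match_list lookup can fold a new local
# account onto an existing LDAP user. Not the plugin's code; the mechanism is
# inferred from the debug log in the post, and all data below is constructed.
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the LDAP directory. One uid carries two mail
# values, mirroring the "several email addresses per uid" situation.
SAMPLE_DIRECTORY: List[Dict[str, object]] = [
    {"uid": "smcclure",
     "mail": ["smcclure@example.edu", "susan.mcclure@example.edu"],
     "cn": "McClure, Susan"},
    {"uid": "jdoe", "mail": ["jdoe@example.edu"], "cn": "Doe, Jane"},
]

# RT attribute -> LDAP attribute, in the shape of the post's 'attr_map',
# trimmed to the attributes this example needs.
ATTR_MAP: Dict[str, str] = {"Name": "uid", "EmailAddress": "mail",
                            "RealName": "cn", "ExternalAuthId": "uid"}


def ldap_search(directory: List[Dict[str, object]], ldap_attr: str,
                value: str) -> Optional[Dict[str, object]]:
    """Emulate the (&(objectclass=*)(<attr>=<value>)) filter seen in the log.
    A multi-valued attribute such as mail matches if any value equals the term."""
    for entry in directory:
        stored = entry.get(ldap_attr)
        if stored is None:
            continue
        values = stored if isinstance(stored, list) else [stored]
        if value in values:
            return entry
    return None


def canonicalize_user_info(user_info: Dict[str, str], attr_match_list: List[str],
                           attr_map: Dict[str, str],
                           directory: List[Dict[str, object]]
                           ) -> Tuple[Dict[str, str], Optional[str]]:
    """Try each key of attr_match_list in order. The first key that finds an
    LDAP entry wins and the entry's mapped attributes overwrite the submitted
    ones. Returns (merged_info, key_that_matched) or (unchanged_info, None)."""
    for key in attr_match_list:
        value = user_info.get(key)
        ldap_attr = attr_map.get(key)
        if not value or not ldap_attr:
            continue
        entry = ldap_search(directory, ldap_attr, value)
        if entry is None:
            continue
        merged = dict(user_info)
        for rt_attr, l_attr in attr_map.items():
            stored = entry.get(l_attr)
            if stored is not None:
                merged[rt_attr] = stored[0] if isinstance(stored, list) else stored
        return merged, key
    return dict(user_info), None


def create_local_user(submitted: Dict[str, str], attr_match_list: List[str],
                      existing_names: set,
                      directory: List[Dict[str, object]] = SAMPLE_DIRECTORY) -> Dict[str, object]:
    """Model the Configuration -> Users -> Create path: canonicalize first, then
    refuse the record if the resulting Name is already taken ("Name in Use")."""
    info, matched_on = canonicalize_user_info(submitted, attr_match_list, ATTR_MAP, directory)
    taken = info["Name"] in existing_names
    return {"ok": not taken, "error": "Name in Use" if taken else None,
            "name": info["Name"], "matched_on": matched_on}


if __name__ == "__main__":
    existing = {"root", "smcclure"}  # constructed: the LDAP user has logged in once already
    new_admin = {"Name": "smcclure-admin", "EmailAddress": "smcclure@example.edu"}
    # With EmailAddress in attr_match_list the new account is folded onto smcclure.
    print(create_local_user(new_admin, ["Name", "EmailAddress"], existing))
    # With Name alone the LDAP lookup misses and the local account can be created.
    print(create_local_user(new_admin, ["Name"], existing))
    # The trade-off: EmailAddress matching is also what maps a second alias to one uid.
    alias = {"Name": "", "EmailAddress": "susan.mcclure@example.edu"}
    print(canonicalize_user_info(alias, ["Name", "EmailAddress"], ATTR_MAP, SAMPLE_DIRECTORY))
```

The third call is the point worth keeping in view when tuning 'attr_match_list': matching on EmailAddress is what makes the two mail values for one uid resolve to a single RT user, so removing it to let the -admin account through also removes the alias collapsing that the post's third bullet asks for.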