[rt-users] Partially solved - was: WebExternalAuth AND an RT::Authen::ExternalAuth LDAP ExternalInfo provider..?

jan.grant at bristol.ac.uk
Thu Sep 17 10:40:30 EDT 2009


On Tue, 15 Sep 2009, jan.grant at bristol.ac.uk wrote:

> I'm using (aspiring to use) apache's mod_auth_cas to do external 
> authentication, plus RT::Authen::ExternalAuth as an info provider to 
> provide information about the apache-supplied username.
> 
> Is this actually *possible*? RT 3.8.4. Basically, the idea is to use our 
> common CAS SSO setup to provide usernames to RT, and then to rely on LDAP 
> if the user doesn't already exist in order to create the new account.
> 
> Unfortunately, putting RT::Authen::ExternalAuth on the @Plugins appears to 
> disable WebExternalAuth.
> 
> Can this be made to work? And if so, how?

Okay. With help from IRC this appears to be doable, but requires 
additional code (rather than just configuration) to achieve what we're 
after (unless anyone knows better).


We use apache mod_auth_cas; turn on WebExternalAuth and so on:

Set($WebExternalAuth, 1);
Set($WebFallbackToInternalAuth, 1);
Set($WebExternalAuto, 1);
Set($AutoCreate, {Privileged => 1}); # or whatever you need here

I've then got

Set($ExternalAuthPriority, [  ]);
Set($ExternalInfoPriority, [ 'My_LDAP' ]);

to populate some fields (just following the example supplied in the 
plugin).


What's missing:

I'd at least like to be able to use LDAP group membership to supply the 
initial group membership of newly-created users within RT. Without this 
there's little point actually using the LDAP module since I'm going to 
have to prepopulate RT with my users anyway :-(

Having looked a bit further at this, it also seems like the "rt" 
command-line tool hasn't really moved on from 3.6; I hacked some code to 
support a few more operations against types that weren't "ticket" back 
then.

- are there hooks for user creation that I can write minimally-invasive 
code for in order to grab what I need out of LDAP?

- Are there plans to complete support for non-ticket types with the rt 
command-line tool?

- if not, what's the recommended route for scripted creation of queues, 
groups, users, etc?

- what FM should I be Ring for this? :-)


What'd be lovely:

It'd be really, really nice if RT had a completely pluggable system for 
supplying group membership information on the fly. I realise that there 
are some issues with this and the cached group membership that RT does 
under the hood, and in particular the generation of ACL queries would need 
a rethink; but as far as I can see at the moment any hope of doing some 
live integration with an external group manager is going to be a bit of a 
bodge, to say the least. Maybe in RT 4?



-- 
jan grant, ISYS, University of Bristol. http://www.bris.ac.uk/
Tel +44 (0)117 3317661   http://ioctl.org/jan/
Ceci n'est pas une pipe |
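For readers following the thread, here is the complete RT_SiteConfig.pm fragment the arrangement above amounts to, as an added example rather than the poster's own configuration. It combines Apache-side external authentication with RT::Authen::ExternalAuth used purely as an information provider. The service name 'My_LDAP' comes from the post; the LDAP host, bind DN, base, filters and attribute names are assumed placeholders, and the 'd_filter' attribute in particular depends on the directory schema.

```perl
# RT_SiteConfig.pm fragment (added example, not from the original post).
# Apache's mod_auth_cas sets REMOTE_USER; RT trusts that name and, if the
# user does not exist yet, creates the account and fills it from LDAP.
Set(@Plugins, qw(RT::Authen::ExternalAuth));

# Trust the web server's REMOTE_USER and auto-create unknown users.
Set($WebExternalAuth, 1);
Set($WebFallbackToInternalAuth, 1);   # still allow local login if REMOTE_USER is unset
Set($WebExternalAuto, 1);
Set($AutoCreate, { Privileged => 1 }); # assumed: adjust privileges to your needs

# Empty auth priority: passwords are never checked against LDAP here,
# CAS has already done the authentication.
Set($ExternalAuthPriority, []);

# LDAP is consulted only to populate attributes of the user being created.
Set($ExternalInfoPriority, ['My_LDAP']);

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ldap.example.org',                 # assumed hostname
        'user'   => 'cn=rt-readonly,dc=example,dc=org', # assumed read-only bind DN
        'pass'   => 'CHANGE-ME',                        # placeholder; keep out of version control
        'base'   => 'ou=people,dc=example,dc=org',      # assumed search base
        'filter'   => '(objectClass=inetOrgPerson)',    # assumed: who may be imported
        'd_filter' => '(accountLocked=TRUE)',           # assumed: who counts as disabled
        'tls'    => 1,                                  # protect the bind credentials in transit
        'attr_match_list' => ['Name'],                  # match REMOTE_USER against uid
        'attr_map' => {
            'Name'           => 'uid',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'uid',
        },
    },
});
```

Two points worth checking when adopting this: the bind account needs only read access to the people subtree, and 'attr_match_list' must name the attribute that actually carries the value Apache places in REMOTE_USER, otherwise auto-created users get no LDAP data at all. This fragment covers the information-provider half only; it does nothing about initial group membership, which is exactly the gap the post describes.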


