[rt-users] Recommended method for auto creating users with Active Directory and Authen-ExternalAuth
Gary Greene
ggreene at minervanetworks.com
Thu Jan 14 15:17:40 EST 2010
Why bother with that, when you just need to change the attribute you're
using for the account name? Here's a sanitized version of my
RT_SiteConfig.pm:

# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a Perl module, so you can include valid
# Perl code, as well.
#
# The converse is also true, if this file isn't valid Perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
# perl -c /path/to/your/etc/RT_SiteConfig.pm
Set($rtname, 'minervanetworks.com');
Set($Organization, "minervanetworks.com");
Set($Timezone, 'US/Pacific');
Set($WebPath, "/rt3");
Set($WebPort, 443);
Set($WebDomain, 'rt.minervanetworks.com');
Set($WebBaseURL, 'https://' . RT->Config->Get('WebDomain') . ':' . RT->Config->Get('WebPort'));
Set($WebURL, RT->Config->Get('WebBaseURL') . RT->Config->Get('WebPath') . "/");
Set($WebImagesURL, RT->Config->Get('WebPath') . "/NoAuth/images/");
Set($WebImagesURL , $WebPath . "/images/"); # need this for below
Set($LogoURL, "https://rt.minervanetworks.com/Home_Logo.jpg");
Set($LogoLinkURL, 'https://www.minervanetworks.com/');
Set($LogoAltText, "Minerva Networks");
Set($AutoLogoff, 30);
Set($EnableReminders,1);
Set($LogToSyslog, 'info');
Set($LogDir, '/var/log');
Set($LogToFileNamed, "rt.log");
Set($LogToFile, 'info');
Set($NotifyActor, 1);
Set($OwnerEmail , 'XXXXXXXX at minervanetworks.com');
Set(@Plugins, qw(RT::Authen::ExternalAuth RT::FM));
Set($LDAPHost, 'HOSTNAME.DOMAIN.TLD');
Set($LDAPUser, 'cn=BINDUSER,dc=DOMAIN,dc=TLD');
Set($LDAPPassword, 'PASSWORD');
Set($LDAPBase, 'dc=minervanetworks,dc=com');
Set($LDAPFilter, '(&(objectClass=user))');
Set($LDAPMapping, {
    'Name'           => 'sAMAccountName',
    'EmailAddress'   => 'mail',
    'RealName'       => 'cn',
    'ExternalAuthId' => 'sAMAccountName',
    'Gecos'          => 'sAMAccountName',
    'WorkPhone'      => 'telephoneNumber',
    'Address1'       => 'streetAddress',
    'City'           => 'l',
    'State'          => 'st',
    'Zip'            => 'postalCode',
    'Country'        => 'co'
    }
);
Set($LDAPGroupName,'Employees');
Set($LDAPUpdateUsers,1);
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set(
    $ExternalSettings, {
        'My_LDAP' => {
            'type'            => 'ldap',
            'auth'            => 1,
            'info'            => 1,
            'server'          => 'HOSTNAME.DOMAIN.TLD',
            'user'            => 'cn=BINDUSER,dc=DOMAIN,dc=TLD',
            'pass'            => 'PASSWORD',
            'base'            => 'dc=DOMAIN,dc=TLD',
            'filter'          => '(objectClass=*)',
            'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
            'tls'             => 0,
            'net_ldap_args'   => [ version => 3 ],
            'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName' ],
            'attr_map'        => {
                'Name'           => 'sAMAccountName',
                'EmailAddress'   => 'mail',
                'RealName'       => 'cn',
                'ExternalAuthId' => 'sAMAccountName',
                'Gecos'          => 'sAMAccountName',
                'WorkPhone'      => 'telephoneNumber',
                'Address1'       => 'streetAddress',
                'City'           => 'l',
                'State'          => 'st',
                'Zip'            => 'postalCode',
                'Country'        => 'co'
            }
        }
    }
);
1;

On 1/14/10 11:49 AM, "Ken Crocker" <kfcrocker at lbl.gov> wrote:
> LB,
>
> This would be REALLY helpful for me. I've been doing this one user at a
> time whenever I get some free time (which isn't often). I'd love a copy
> of your code. Thanks.
>
> Kenn
> LBNL
>
> On 1/14/2010 10:34 AM, L B wrote:
>> I'm going to think about it, but the problem I see is that email
>> addresses might not be unique (I mean we can have two AD accounts with
>> the same email address).
>>
>> I have already done a script to mass-rename email addresses to AD
>> logins, because we have used AD authentication for a long time and we
>> wanted to make the users use their AD login instead of their email address.
>> This script is not linked to the plugin, but I think it might be
>> useful for some admins. I can upload it on the wiki or maybe it can be
>> part of an "extras" directory in the plugin package. I have to clean up
>> my code and make it generic, but it does the job, I already applied it
>> successfully on many RT instances.
>>
>> Don't you think
>> http://www.zanfur.com/rt3-contrib/AutoCreateFromExternalUserInfo/CurrentUser_Local.pm
>> but using RT-Authen-ExternalAuth variables could do the on-the-fly job
>> ? Maybe with some stuff to check duplicates etc...
>>
>> If you think it doesn't, can you or Mike point me in the right
>> direction to (try to) develop it ?
>>
>> Thanks !
>>
--
Gary L. Greene, Jr.
IT Operations
Minerva Networks, Inc.
Cell: (650) 704-6633
Phone: (408) 240-1239
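
The d_filter value in the configuration above uses Active Directory's bitwise-AND matching rule to pick out accounts whose userAccountControl has the "account disabled" bit (2) set. The following is an added example, not part of the original post or of RT::Authen::ExternalAuth, that evaluates such a filter offline so an admin can check which accounts it would flag; the helper names parse_bit_filter and entry_matches and the sample entries are constructed for illustration, and the bitwise-OR rule (…804) is included as a generalization.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Active Directory extensible-match rules that can appear in an LDAP filter.
my %RULES = (
    # LDAP_MATCHING_RULE_BIT_AND: every bit of the mask must be set
    '1.2.840.113556.1.4.803' => sub { ($_[0] & $_[1]) == $_[1] },
    # LDAP_MATCHING_RULE_BIT_OR: at least one bit of the mask must be set
    '1.2.840.113556.1.4.804' => sub { ($_[0] & $_[1]) != 0 },
);

# Split a single "(attr:OID:=value)" filter into attribute, rule OID and mask.
sub parse_bit_filter {
    my ($filter) = @_;
    my ($attr, $oid, $mask) = $filter =~ /^\((\w+):([\d.]+):=(\d+)\)$/
        or die "not a simple extensible-match filter: $filter\n";
    die "unsupported matching rule: $oid\n" unless $RULES{$oid};
    return ($attr, $oid, $mask);
}

# Return 1 if the entry (hashref of attribute => value) matches the filter.
sub entry_matches {
    my ($entry, $filter) = @_;
    my ($attr, $oid, $mask) = parse_bit_filter($filter);
    my $value = $entry->{$attr};
    return 0 unless defined $value && $value =~ /^\d+$/;
    return $RULES{$oid}->($value + 0, $mask + 0) ? 1 : 0;
}

# The d_filter from the posted RT_SiteConfig.pm.
my $d_filter = '(userAccountControl:1.2.840.113556.1.4.803:=2)';

# Constructed sample entries, not real directory data.
my @entries = (
    { sAMAccountName => 'alice', userAccountControl => 512   },  # normal account
    { sAMAccountName => 'bob',   userAccountControl => 514   },  # normal + disabled
    { sAMAccountName => 'carol', userAccountControl => 66048 },  # normal + password never expires
    { sAMAccountName => 'dave',  userAccountControl => 66050 },  # as carol, but disabled
);

for my $e (@entries) {
    printf "%-6s uac=%-6d %s\n", $e->{sAMAccountName}, $e->{userAccountControl},
        entry_matches($e, $d_filter) ? 'matches d_filter (disabled)' : 'no match (enabled)';
}
```

Only bob and dave match: the rule tests the single bit, so other flags in userAccountControl do not affect the result.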