[rt-users] RT-Users Digest, Vol 70, Issue 29
Tim Cutts
tjrc at sanger.ac.uk
Thu Jan 14 18:13:57 EST 2010
On 14 Jan 2010, at 7:06 pm, rt-users-request at lists.bestpractical.com
wrote:
> Unless you're authenticating against a custom mysql database, there is
> no need to tell RT::Authen::ExternalAuth about RT's internal database
> tables.
>
> It sounds like you want to tell RT::Authen::ExternalAuth to only use
> your LDAP configuration.
>
> RT will fall back to internal auth if RT::Authen::ExternalAuth fails
> to authenticate you against LDAP
Although you want to be careful about that; we got bitten by it. For
some reason, several very old accounts in our RT database had a
default password set in the MySQL database, and people found that
they could still use that password and get in. I personally think
that's a bug in the code, and I've changed it in our installation to
the following logic, which makes more sense to me:
1) If the account exists in the external source, then check
authentication against that source, and let the user in if appropriate.
2) If the user provides the wrong password to the external account,
immediately reject the login.
3) If the user does not exist within the external source, only then
fall back to internal authentication.
Tim
--
The Wellcome Trust Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose registered
office is 215 Euston Road, London, NW1 2BE.
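The two authentication orders discussed above, modelled side by side as an added example (this is not RT code and not RT::Authen::ExternalAuth's implementation; it is a stand-alone Python model written for this digest). The `EXTERNAL` and `INTERNAL` tables, the user names and the passwords are constructed sample data: `bob` stands for one of the old accounts that still carried a default password in the internal table, and the `audit_stale_internal_passwords` helper is an assumed name for the check an administrator could run to find such accounts before they are abused.

```python
"""Model of "fall back on any external failure" versus "fall back only
when the external source does not know the user".

Added example for the rt-users digest; not RT's own code. EXTERNAL
stands for the LDAP directory that RT::Authen::ExternalAuth consults,
INTERNAL for RT's own user table. All data below is constructed.
"""
import hashlib
import hmac


def _h(password: str) -> str:
    """Stand-in password hash (constructed; not RT's scheme)."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed external directory (LDAP stand-in): user -> password hash.
EXTERNAL = {
    "alice": _h("alice-ldap-pw"),
    "bob": _h("bob-ldap-pw"),
}

# Constructed internal RT user table. "bob" is the problem case from the
# report: an old account that still has a default password set in the
# internal database although the user is also present in LDAP.
# "alice" has no usable internal password (None); "legacy" only exists
# internally and is the legitimate fallback case.
INTERNAL = {
    "alice": None,
    "bob": _h("password"),
    "legacy": _h("legacy-pw"),
}


def _check(store: dict, user: str, password: str) -> bool:
    """True only if the store holds a password for user and it matches."""
    stored = store.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _h(password))


def auth_fallback_on_any_failure(user: str, password: str):
    """The order that bit the poster: any external failure falls through
    to the internal table, so a stale internal password still works.
    Returns "external", "internal" or None (rejected)."""
    if _check(EXTERNAL, user, password):
        return "external"
    if _check(INTERNAL, user, password):
        return "internal"
    return None


def auth_fallback_only_if_unknown(user: str, password: str):
    """The poster's corrected order (steps 1 to 3 of the message):
    an account known to the external source is decided there and a wrong
    external password is rejected at once; only unknown users reach the
    internal table."""
    if user in EXTERNAL:                       # step 1
        return "external" if _check(EXTERNAL, user, password) else None  # step 2
    if _check(INTERNAL, user, password):       # step 3
        return "internal"
    return None


def audit_stale_internal_passwords(external: dict, internal: dict) -> list:
    """Hypothetical admin check: users present in the external source that
    still carry a usable internal password, i.e. the accounts the
    fall-through order would let in with an old default password."""
    return sorted(u for u, pw in internal.items() if pw is not None and u in external)


if __name__ == "__main__":
    print("old order, bob + default pw :", auth_fallback_on_any_failure("bob", "password"))
    print("new order, bob + default pw :", auth_fallback_only_if_unknown("bob", "password"))
    print("new order, legacy-only user :", auth_fallback_only_if_unknown("legacy", "legacy-pw"))
    print("stale internal passwords    :", audit_stale_internal_passwords(EXTERNAL, INTERNAL))
```

The audit function is the quick check to run if fallback is kept enabled: any user it lists is exactly the kind of account the message describes, reachable with an internal password that LDAP never sees.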