[rt-users] Recommended method for auto creating users with Active Directory and Authen-ExternalAuth
L B
bertignac at gmail.com
Fri Jan 15 01:08:10 EST 2010
I'll try Ken's tip and let you know the results.
I'll also reply to this this thread with my script (probably end of)
next week once it's cleaned up.
--
LB
On Thu, Jan 14, 2010 at 10:14 PM, Ken Crocker <kfcrocker at lbl.gov> wrote:
> Gary,
>
> Thanks. I'll look that over. We use LDAP as well, so this might make it all
> easier. Thanks.
>
> Kenn
> LBNL
>
> On 1/14/2010 12:17 PM, Gary Greene wrote:
>
> Why bother with that, when you just need to change the attribute you're
> using for the account name. Here's a sanitized version of my
> RT_SiteConfig.pm
>
> # Any configuration directives you include here will override
> # RT's default configuration file, RT_Config.pm
> #
> # To include a directive here, just copy the equivalent statement
> # from RT_Config.pm and change the value. We've included a single
> # sample value below.
> #
> # This file is actually a Perl module, so you can include valid
> # Perl code, as well.
> #
> # The converse is also true, if this file isn't valid Perl, you're
> # going to run into trouble. To check your SiteConfig file, use
> # this command:
> #
> # perl -c /path/to/your/etc/RT_SiteConfig.pm
>
> Set($rtname, 'minervanetworks.com');
> Set($Organization, "minervanetworks.com");
> Set($Timezone, 'US/Pacific');
> Set($WebPath, "/rt3");
> Set($WebPort, 443);
> Set($WebDomain, 'rt.minervanetworks.com');
> Set($WebBaseURL, 'https://' . RT->Config->Get('WebDomain') . ':' .
> RT->Config->Get('WebPort'));
> Set($WebURL, RT->Config->Get('WebBaseURL') . RT->Config->Get('WebPath') .
> "/");
> Set($WebImagesURL, RT->Config->Get('WebPath') . "/NoAuth/images/");
> Set($WebImagesURL , $WebPath . "/images/"); # need this for below
> Set($LogoURL, "https://rt.minervanetworks.com/Home_Logo.jpg");
> Set($LogoLinkURL, 'https://www.minervanetworks.com/');
> Set($LogoAltText, "Minerva Networks");
> Set($AutoLogoff, 30);
> Set($EnableReminders,1);
> Set($LogToSyslog, 'info');
> Set($LogDir, '/var/log');
> Set($LogToFileNamed, "rt.log");
> Set($LogToFile, 'info');
> Set($NotifyActor, 1);
> Set($OwnerEmail , 'XXXXXXXX at minervanetworks.com');
> Set(@Plugins, qw(RT::Authen::ExternalAuth RT::FM));
> Set($LDAPHost, 'HOSTNAME.DOMAIN.TLD');
> Set($LDAPUser, 'cn=BINDUSER,dc=DOMAIN,dc=TLD');
> Set($LDAPPassword, 'PASSWORD');
> Set($LDAPBase, 'dc=minervanetworks,dc=com');
> Set($LDAPFilter, '(&(objectClass=user))');
> Set($LDAPMapping, {
> 'Name' => 'sAMAccountName',
> 'EmailAddress' => 'mail',
> 'RealName' => 'cn',
> 'ExternalAuthId' => 'sAMAccountName',
> 'Gecos' => 'sAMAccountName',
> 'WorkPhone' => 'telephoneNumber',
> 'Address1' => 'streetAddress',
> 'City' => 'l',
> 'State' => 'st',
> 'Zip' => 'postalCode',
> 'Country' => 'co'
> }
> );
> Set($LDAPGroupName,'Employees');
> Set($LDAPUpdateUsers,1);
> Set($ExternalAuthPriority, ['My_LDAP']);
> Set($ExternalInfoPriority, ['My_LDAP']);
> Set($ExternalServiceUsesSSLorTLS, 0);
> Set($AutoCreateNonExternalUsers, 0);
> Set(
> $ExternalSettings, {
> 'My_LDAP' => {
> 'type' => 'ldap',
> 'auth' => 1,
> 'info' => 1,
> 'server' => 'HOSTNAME.DOMAIN.TLD',
> 'user' => 'cn=BINDUSER,dc=DOMAIN,dc=TLD',
> 'pass' => 'PASSWORD',
> 'base' => 'dc=DOMAIN,dc=TLD',
> 'filter' => '(objectClass=*)',
> 'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
> 'tls' => 0,
> 'net_ldap_args' => [ version => 3 ],
> 'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName' ],
> 'attr_map' => {
> 'Name' => 'sAMAccountName',
> 'EmailAddress' => 'mail',
> 'RealName' => 'cn',
> 'ExternalAuthId' => 'sAMAccountName',
> 'Gecos' => 'sAMAccountName',
> 'WorkPhone' => 'telephoneNumber',
> 'Address1' => 'streetAddress',
> 'City' => 'l',
> 'State' => 'st',
> 'Zip' => 'postalCode',
> 'Country' => 'co'
> }
> }
> }
> );
>
> 1;
>
>
>
>
> On 1/14/10 11:49 AM, "Ken Crocker" <kfcrocker at lbl.gov> wrote:
>
>
>
> LB,
>
> This would be REALLY help for me. I've been doing this one user at a
> time whenever I get some frre time (which isn't ofetn). I'd love a copy
> of your code. Thanks.
>
> Kenn
> LBNL
>
> On 1/14/2010 10:34 AM, L B wrote:
>
>
> I'm going to think about it, but the problem I see it that email
> addresses might not be unique (I mean we can have two AD accounts with
> the same email address).
>
> I have already done a script to mass-rename email addresses to AD
> logins, because we use AD authentication for a long time and we wanted
> to make the users use their AD login instead of their email address.
> This script is not linked to the plugin, but I think it might be
> useful for some admins. I can upload it on the wiki or maybe it can be
> part of an "extras" directory in the plugin package. I have to cleanup
> my code and make it generic, but it does the job, I already applied it
> successfully on many RT instances.
>
> Don't you think
> http://www.zanfur.com/rt3-contrib/AutoCreateFromExternalUserInfo/CurrentUser_
> Local.pm
> but using RT-Authen-ExternalAuth variables could do the on-the-fly job
> ? Maybe with some stuff to check duplicates etc...
>
> If you think it doesn't, can you or Mike point me into the good
> direction to (try to) develop it ?
>
> Thanks !
>
>
>
> _______________________________________________
> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>
> Community help: http://wiki.bestpractical.com
> Commercial support: sales at bestpractical.com
>
> 2010 RT Training Sessions!
> San Francisco, CA, USA - Feb 22 & 23
> Dublin, Ireland - Mar 15 & 16
> Boston, MA, USA - April 5 & 6
> Washington DC, USA - Oct 25 & 26
>
> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
> Buy a copy at http://rtbook.bestpractical.com
>
>
>
--
L.B.
More information about the rt-users
mailing list