[rt-users] RT::Authen::ExternalAuth - Update LDAP information

Kenneth Marshall ktm at rice.edu
Fri Jun 25 10:47:13 EDT 2010


On Fri, Jun 25, 2010 at 04:33:14PM +0200, Matthias Rieber wrote:
>  Hi,
>
> I've a few questions about the RT::Authen::ExternalAuth module. I've installed 
> it and I can:
>
> 1. Authenticate using LDAP accounts and
> 2. Email addresses in new tickets will be looked up, and the configured 
> values like RealName, WorkPhone will be put in the appropriate fields.
>
> It seems that both databases are active now. I can use my LDAP password and 
> my former RT password. Is that the expected behaviour or might there be a 
> problem with my configuration? Is there a proper way to erase the internal 
> password?
>
> Is it possible to refresh the information that has been pulled from LDAP? 
> For instance if employees move to another department or get a new phone 
> number?
>
> Regards,
> Matthias
>

Hi Matthias,

The stacking of authentication sources, like a PAM stack, is
normal. You can adjust it to not use the local RT password in
the code for User_*.pm. My main motivation for keeping both is
to allow the ticketing system to still be useable during any
major service outage, including the LDAP infrastructure. As
far as refreshing the information within RT, we currently
include a timestamp for the last LDAP update and have an
external script that checks for and updates the internal information
if there has been a change. The script pulls the list of users, uses
the rt command-line tool to pull the timestamp field and then an LDAP
query to compare it with the entries in the directory. If it is the
same, move to the next user. Otherwise update the appropriate user
information. We run it once a day.

Regards,
Ken
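
The comparison step of the daily sync described above, as an added example that is not part of the original message or Ken's script. The field name LdapUpdated, the attribute mapping, and the use of LDAP's modifyTimestamp are assumptions; the inputs are constructed dictionaries standing in for the rt tool output and the LDAP query results. Accounts that no longer exist in the directory are reported separately instead of being updated.

```python
from datetime import datetime, timezone

# Assumed mapping of RT user fields to LDAP attributes (not from the post).
ATTR_MAP = {"RealName": "cn", "WorkPhone": "telephoneNumber", "Organization": "ou"}
STAMP_FIELD = "LdapUpdated"  # hypothetical RT field holding the last-synced timestamp


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20100625144713Z into aware UTC."""
    if not value.endswith("Z"):
        raise ValueError("expected UTC GeneralizedTime: %r" % value)
    core = value[:-1].split(".")[0]  # drop optional fractional seconds
    return datetime.strptime(core, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def plan_sync(rt_users, ldap_entries):
    """Return (updates, missing): field changes per user, and users absent from LDAP."""
    updates, missing = {}, []
    for name, rt in sorted(rt_users.items()):
        entry = ldap_entries.get(name)
        if entry is None:
            missing.append(name)  # report only; do not guess at a change
            continue
        stamp, stored = entry["modifyTimestamp"], rt.get(STAMP_FIELD)
        if stored and parse_generalized_time(stored) == parse_generalized_time(stamp):
            continue  # same timestamp: move to the next user
        changes = {f: entry.get(a, "") for f, a in ATTR_MAP.items()
                   if rt.get(f, "") != entry.get(a, "")}
        changes[STAMP_FIELD] = stamp  # record the new timestamp with the update
        updates[name] = changes
    return updates, missing


# Constructed sample data standing in for the rt tool output and the LDAP query.
RT_USERS = {
    "alice": {"RealName": "Alice A", "WorkPhone": "555-0100", "Organization": "IT",
              "LdapUpdated": "20100601120000Z"},
    "bob": {"RealName": "Bob B", "WorkPhone": "555-0101", "Organization": "IT",
            "LdapUpdated": "20100601120000Z"},
    "carol": {"RealName": "Carol C", "Organization": "HR"},
    "dave": {"RealName": "Dave D", "LdapUpdated": "20100601120000Z"},
}
LDAP = {
    "alice": {"cn": "Alice A", "telephoneNumber": "555-0100", "ou": "IT",
              "modifyTimestamp": "20100601120000.0Z"},
    "bob": {"cn": "Bob B", "telephoneNumber": "555-0199", "ou": "Finance",
            "modifyTimestamp": "20100624090000Z"},
    "carol": {"cn": "Carol C", "ou": "HR", "modifyTimestamp": "20100610080000Z"},
}
```

Timestamps are compared as parsed values rather than strings, so a directory that returns fractional seconds does not trigger a needless update.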


