[rt-users] Can RT Authen ExternalAuth change account name to match Active Directory?

Mark A Bentley bentlema at tdg.mobilephone.net
Thu Feb 17 14:30:21 EST 2011



I'm using The RT::Authen::ExternalAuth Plugin, and all is working nicely.

The one thing that I'd like is that when a user logs in, in addition to
updating the various account info (Real Name, Address, etc), I would like
the actual RT account username to be updated to match the account name
in Active Directory.

In other words, I'd like the sAMAccountName from AD/LDAP to be applied
to the RT account name just like this plugin does for other info fields.

I'm wondering if this is even possible?

Right now I have this in my config:

[snip]
            'attr_match_list'           => [    'Name',
                                                'EmailAddress',
                                            ],
            # The mapping of RT attributes on to LDAP attributes
            'attr_map'                  =>  {   'Name' => 'sAMAccountName',
                                                'EmailAddress' => 'mail',
                                                'Organization' => 'department',
                                                'RealName' => 'cn',
                                                'ExternalAuthId' => 'sAMAccountName',
                                                'Gecos' => 'sAMAccountName',
                                                'WorkPhone' => 'telephoneNumber',
                                                'MobilePhone' => 'mobile',
                                                'Address1' => 'streetAddress',
                                                'Address2' => 'physicalDeliveryOfficeName',
                                                'City' => 'l',
                                                'State' => 'st',
                                                'Zip' => 'postalCode',
                                                'Country' => 'co',
                                            }
            },
[snip]

One thing I wanted to try was to remove 'Name' from the attr_match_list, but
I'm not sure that will achieve what I want, and I don't have an RT test 
system to test this on.


The issue I'm trying to get around is this:
1) Most of our RT users already have an RT account (auto-generated) from
     previous interaction with RT.
2) They try to log in with their Active Directory credentials.
3) Their E-mail address in AD matches RT, but RT account name does not match, so authentication fails.

To get around this I'm always having to look up the person's AD account name,
then go into RT, and edit their RT account name to match AD. (Kind of time
consuming.)  If they already have an AD account, I'd like RT to just let them
log in and update their RT account name to match AD.

Does any of this make sense?  Any suggestions would be appreciated.

Thanks,

     --Mark


-- 
Mark A Bentley
CTO Lab Systems Support
AT&T Mobility, Redmond, WA
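
Added example, not part of the original post and not code from RT or RT::Authen::ExternalAuth: an offline check that pairs RT accounts with AD entries by e-mail address (the situation in steps 1-3 above) and lists which RT names differ from sAMAccountName, holding back any rename that is ambiguous or would collide with an existing RT name. The records and the plan_renames helper are constructed for illustration, and case-insensitive comparison of addresses and names is an assumption.

```python
from collections import defaultdict

# Constructed sample data (not from the original post): RT users as they might
# be exported from RT, and AD entries with the two attributes the post maps.
RT_USERS = [
    {"Name": "alice@example.com", "EmailAddress": "alice@example.com"},  # auto-generated
    {"Name": "bsmith", "EmailAddress": "Bob.Smith@example.com"},         # already matches
    {"Name": "carol@example.com", "EmailAddress": "carol@example.com"},  # would collide
    {"Name": "cjones", "EmailAddress": "old-carol@example.com"},         # holds target name
    {"Name": "dave@example.com", "EmailAddress": "shared@example.com"},  # ambiguous in AD
]
AD_ENTRIES = [
    {"sAMAccountName": "asmith", "mail": "Alice@example.com"},
    {"sAMAccountName": "bsmith", "mail": "bob.smith@example.com"},
    {"sAMAccountName": "cjones", "mail": "carol@example.com"},
    {"sAMAccountName": "dave1", "mail": "shared@example.com"},
    {"sAMAccountName": "dave2", "mail": "shared@example.com"},
]

def plan_renames(rt_users, ad_entries):
    """Return (renames, skipped) for RT accounts whose EmailAddress matches an
    AD mail value. Assumption: addresses and names compare case-insensitively."""
    by_mail = defaultdict(list)
    for entry in ad_entries:
        by_mail[entry["mail"].lower()].append(entry["sAMAccountName"])
    taken = {u["Name"].lower() for u in rt_users}  # names already in use in RT
    renames, skipped = [], []
    for user in rt_users:
        candidates = by_mail.get(user["EmailAddress"].lower(), [])
        if not candidates:
            skipped.append((user["Name"], "no AD entry with this mail"))
        elif len(candidates) > 1:
            skipped.append((user["Name"], "mail matches several AD accounts"))
        elif candidates[0].lower() == user["Name"].lower():
            continue  # RT name already equals sAMAccountName
        elif candidates[0].lower() in taken:
            skipped.append((user["Name"], "target name already used in RT"))
        else:
            renames.append((user["Name"], candidates[0]))
            taken.add(candidates[0].lower())
    return renames, skipped

if __name__ == "__main__":
    renames, skipped = plan_renames(RT_USERS, AD_ENTRIES)
    for old, new in renames:
        print(f"rename {old} -> {new}")
    for name, reason in skipped:
        print(f"skip   {name}: {reason}")
```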



