[rt-users] Can RT Authen ExternalAuth change account name to match Active Directory?
Kevin Falcone
falcone at bestpractical.com
Thu Feb 17 17:36:29 EST 2011
On Thu, Feb 17, 2011 at 11:30:21AM -0800, Mark A Bentley wrote:
>
>
> I'm using The RT::Authen::ExternalAuth Plugin, and all is working nicely.
>
> The one thing that I'd like is that when a user logs in, in addition to
> updating the various account info (Real Name, Address, etc), I would like
> the actual RT account username to be updated to match the account name
> in Active Directory.
RT-Authen-ExternalAuth currently has no code to handle this.
You might be able to do it with RT-Extension-LDAPImporter, but fixing
RT-Authen-ExternalAuth to handle it has been a longstanding feature
request.
-kevin
> In other words, I'd like the sAMAccountName from AD/LDAP to be applied
> to the RT account name just like this plugin does for other info fields.
>
> I'm wondering if this is even possible?
>
> Right now I have this in my config:
>
> [snip]
>     'attr_match_list' => [ 'Name',
>                            'EmailAddress',
>                          ],
>     # The mapping of RT attributes on to LDAP attributes
>     'attr_map' => { 'Name' => 'sAMAccountName',
>                     'EmailAddress' => 'mail',
>                     'Organization' => 'department',
>                     'RealName' => 'cn',
>                     'ExternalAuthId' => 'sAMAccountName',
>                     'Gecos' => 'sAMAccountName',
>                     'WorkPhone' => 'telephoneNumber',
>                     'MobilePhone' => 'mobile',
>                     'Address1' => 'streetAddress',
>                     'Address2' => 'physicalDeliveryOfficeName',
>                     'City' => 'l',
>                     'State' => 'st',
>                     'Zip' => 'postalCode',
>                     'Country' => 'co',
>                     'MobilePhone' => 'mobile',
>                   }
> },
> [snip]
>
> One thing I wanted to try was to remove 'Name' from the attr_match_list, but
> I'm not sure that will achieve what I want, and I don't have an RT
> test system to test this on.
>
>
> The issue I'm trying to get around is this:
> 1) Most of our RT users already have an RT account (auto-generated) from
> previous interaction with RT.
> 2) They try to log in with their Active Directory credentials.
> 3) Their E-mail address in AD matches RT, but RT account name does not match, so authentication fails.
>
> To get around this I'm always having to look up the person's AD account name,
> then go into RT, and edit their RT account name to match AD. (Kind of time
> consuming.) If they already have an AD account, I'd like RT to just let them
> log in and update their RT account name to match AD.
>
> Does any of this make sense? Any suggestions would be appreciated.
>
> Thanks,
>
> --Mark
>
>
> --
> Mark A Bentley
> CTO Lab Systems Support
> AT&T Mobility, Redmond, WA
>
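
An added example, not part of the original thread and not code from RT or RT-Authen-ExternalAuth: a dry-run planner for the manual fix described above (find the AD account by e-mail address, then rename the RT account to its sAMAccountName). The field names follow the attr_map in the thread; the sample records, the function name `plan_renames` and the case-insensitive comparisons are assumptions. It only reports proposed renames and leaves every ambiguous match for a human to decide.

```python
from collections import defaultdict

# Constructed sample data (not from the thread): RT accounts and directory
# entries reduced to the attributes the thread's attr_map uses.
RT_USERS = [
    {"Name": "alice@example.com", "EmailAddress": "alice@example.com"},
    {"Name": "bsmith", "EmailAddress": "Bob.Smith@example.com"},
    {"Name": "carol@example.com", "EmailAddress": "carol@example.com"},
    {"Name": "dave@example.com", "EmailAddress": "dave@example.com"},
    {"Name": "dlee", "EmailAddress": "dana.lee@example.com"},
]
AD_ENTRIES = [
    {"sAMAccountName": "asmith", "mail": "Alice@example.com"},
    {"sAMAccountName": "bsmith", "mail": "bob.smith@example.com"},
    {"sAMAccountName": "cjones", "mail": "carol@example.com"},
    {"sAMAccountName": "cjones-adm", "mail": "carol@example.com"},
    {"sAMAccountName": "dlee", "mail": "dave@example.com"},
]


def plan_renames(rt_users, ad_entries):
    """Return (renames, skipped): safe RT Name changes and cases left for a human."""
    by_mail = defaultdict(list)
    for entry in ad_entries:
        by_mail[entry["mail"].lower()].append(entry["sAMAccountName"])
    # Assumption: account names are compared case-insensitively.
    taken = {u["Name"].lower() for u in rt_users}
    renames, skipped = [], []
    for user in rt_users:
        current = user["Name"]
        matches = by_mail.get(user["EmailAddress"].lower(), [])
        if not matches:
            skipped.append((current, "no AD entry with this mail"))
        elif len(matches) > 1:
            # One mail on several AD accounts: e-mail alone cannot pick the owner.
            skipped.append((current, "mail shared by several AD accounts"))
        elif matches[0].lower() == current.lower():
            continue  # already matches AD, nothing to do
        elif matches[0].lower() in taken:
            # Renaming would collide with a different existing RT account.
            skipped.append((current, "target name already used in RT"))
        else:
            renames.append((current, matches[0]))
            taken.add(matches[0].lower())
    return renames, skipped


if __name__ == "__main__":
    for item in plan_renames(RT_USERS, AD_ENTRIES):
        print(item)
```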