[rt-users] Questions about ExternalAuth
Kevin Falcone
falcone at bestpractical.com
Sat Nov 26 20:03:46 EST 2011
On Thu, Nov 24, 2011 at 09:14:26AM +0100, Bart wrote:
> * Will the plugin ensure that only LDAP users can login? (I'm assuming yes)
There's a configuration option to control who can log in.
You will always be able to log in as a non-disabled internal RT user
if the user has a password set (such as the root user).
> * What happens if just a random LDAP user logs into RT? Will he/she be marked as privileged,
> or will they simply go to the SelfService portal?
This is configurable by you using $AutoCreate.
Also, you can limit which LDAP users can log in by writing an
appropriate filter.
> * I'm hoping the last + thus that a random LDAP user won't have any rights until I
> define them inside RT)=.
>
> * What happens when a new requestor sends an e-mail, by default RT creates an unprivileged
> user but what I'd want is that RT only creates that user inside its own database (not
> inside the LDAP). Is this how ExternalAuth works or will ExternalAuth try to create that
> user inside the LDAP?
ExternalAuth will never attempt to create a user in your external LDAP
server.
> * When I only use the LDAP for authentication, do I need to configure the RT MySQL database
> as well for information or is the DB configuration only required for extra databases
> outside RT's own database?
Do not attempt to configure RT::Authen::ExternalAuth to authenticate
against RT's internal database. It automatically falls back to
internal auth.
> I wasn't able to get the above answers in the documentation, even though I expect the answers
> to be pretty straightforward. I just want to make sure that I understand the plugin correctly
> before I start testing it, if ExternalAuth does things differently from what I'm hoping then I
> might have to look into WebExternalAuth instead (though I'm leaving that one as a last
> resort).
WebExternalAuth works quite differently, as it relies on your web
server config.
It would be great to see a patch to the documentation now that you
have these answers.
-kevin
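
Added example, not part of the original message or of the plugin's documentation: an RT_SiteConfig.pm fragment showing the two controls mentioned in the reply, $AutoCreate and an LDAP filter, together. The service name Example_LDAP, the host, DNs, password, and both filter strings are placeholders, and the memberOf filter assumes a directory that exposes that attribute.

```perl
# RT_SiteConfig.pm fragment (illustrative; every value below is a placeholder).

# Accounts created on first login start unprivileged, so a newly seen
# LDAP user holds no staff rights until an RT admin grants them.
Set($AutoCreate, { Privileged => 0 });

# Consult the LDAP service for authentication and for user information.
# RT's internal database is not listed: internal auth is the automatic
# fallback and must not be configured as an external service.
Set($ExternalAuthPriority, [ 'Example_LDAP' ]);
Set($ExternalInfoPriority, [ 'Example_LDAP' ]);

Set($ExternalSettings, {
    'Example_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ldap.example.com',
        # Read-only bind account; the plugin never writes to the directory.
        'user'   => 'cn=rt-bind,ou=service,dc=example,dc=com',
        'pass'   => 'CHANGE_ME',
        'base'   => 'ou=people,dc=example,dc=com',
        # Only entries matching this filter can authenticate through LDAP.
        # Here: members of a dedicated group (assumes memberOf is available).
        'filter' => '(&(objectClass=inetOrgPerson)'
                  . '(memberOf=cn=rt-users,ou=groups,dc=example,dc=com))',
        # Entries matching this filter are treated as disabled.
        'd_filter' => '(employeeType=disabled)',
        # Encrypt the connection so bind credentials are not sent in clear.
        'tls' => 1,
        'net_ldap_args'   => [ version => 3 ],
        # RT fields used to match an LDAP entry to an RT user.
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        # RT field => LDAP attribute.
        'attr_map' => {
            'Name'         => 'uid',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
        },
    },
});

1;
```

Internal RT users with a password set (such as root) can still log in regardless of the filter, so those accounts need their own review.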