[rt-users] Trying to sort out the combination of $WebExternalAuth and and RT::Authen::External

Thomas Sibley trs at bestpractical.com
Mon Oct 17 11:51:54 EDT 2011

On 10/14/2011 08:44 PM, John Andersen wrote:
> Hoping someone can point me to where I am going wrong.  I have been
> trolling the wiki, cpan, this list, and Google for the last couple of
> days with no luck so far.  Probably something apparent that I'm
> missing.....
> I am after the following behavior:
>    - A user inside our network and on a machine my company controls
> will be auto-logged in via SSO (mod_auth_kerb)
>    - Upon successful SSO login, even if it's a first time login, the
> user info in canonicalized from our LDAP dir (Active Directory)
>    - If the user cannot use SSO, the login fails gracefully back to the
> form-based login built in to RT.
>    - If the user successfully authenticates via
> RT::Authen::ExternalAuth the user info is again canonicalized even if
> it's a first time login.
>    - If an email is received from a requester, the email is looked up
> in LDAP to canonicalize the user info as well.
>    - If the email address does NOT exist in the LDAP directory, go
> ahead and create an account anyway using the email address as the
> username.

You may just want to run with mod_auth_kerb and 
RT::Extension::LDAPImport running periodically, cutting 
RT::Authen::ExternalAuth completely out of the picture.  This does 
require users can auth with mod_auth_kerb unless you give them local RT 

> The message I get in the RT log (via syslog) when a user logs in with
> SSO seems to indicate that the user variable is not being set and
> passed to the RT::Authen::ExternalAuth extension if I read the error
> right.  The odd thing to me, is that while the error says SSO is
> failing, it most definitely is not.  The user **is** successfully
> logged in.
> ----- error from syslog ---
> Oct 14 16:41:25 rt RT: Attempting to use external auth service: LDAP_DIR1
> Oct 14 16:41:25 rt RT: SSO Failed and no user to test with. Nexting
> Oct 14 16:41:25 rt RT: Autohandler called ExternalAuth. Response: (0, No User)

Just a note: ExternalAuth's SSO support is cookie based, not 
Apache/mod_auth_* based.  It is not trying to do the same SSO as the 
core RT option.


More information about the rt-users mailing list