[rt-users] Trying to sort out the combination of $WebExternalAuth and RT::Authen::External
Thomas Sibley
trs at bestpractical.com
Mon Oct 17 11:51:54 EDT 2011
On 10/14/2011 08:44 PM, John Andersen wrote:
> Hoping someone can point me to where I am going wrong. I have been
> trolling the wiki, cpan, this list, and Google for the last couple of
> days with no luck so far. Probably something apparent that I'm
> missing.....
>
> I am after the following behavior:
> - A user inside our network and on a machine my company controls
> will be auto-logged in via SSO (mod_auth_kerb)
> - Upon successful SSO login, even if it's a first time login, the
> user info is canonicalized from our LDAP dir (Active Directory)
> - If the user cannot use SSO, the login fails gracefully back to the
> form-based login built in to RT.
> - If the user successfully authenticates via
> RT::Authen::ExternalAuth the user info is again canonicalized even if
> it's a first time login.
> - If an email is received from a requester, the email is looked up
> in LDAP to canonicalize the user info as well.
> - If the email address does NOT exist in the LDAP directory, go
> ahead and create an account anyway using the email address as the
> username.

You may just want to run with mod_auth_kerb and
RT::Extension::LDAPImport running periodically, cutting
RT::Authen::ExternalAuth completely out of the picture. This does
require that users can auth with mod_auth_kerb unless you give them local RT
passwords.

> The message I get in the RT log (via syslog) when a user logs in with
> SSO seems to indicate that the user variable is not being set and
> passed to the RT::Authen::ExternalAuth extension if I read the error
> right. The odd thing to me, is that while the error says SSO is
> failing, it most definitely is not. The user **is** successfully
> logged in.
> ----- error from syslog ---
> Oct 14 16:41:25 rt RT: Attempting to use external auth service: LDAP_DIR1
> Oct 14 16:41:25 rt RT: SSO Failed and no user to test with. Nexting
> Oct 14 16:41:25 rt RT: Autohandler called ExternalAuth. Response: (0, No User)

Just a note: ExternalAuth's SSO support is cookie based, not
Apache/mod_auth_* based. It is not trying to do the same SSO as the
core RT option.

Thomas