[rt-users] Trying to sort out the combination of $WebExternalAuth and and RT::Authen::External

Ruslan Zakirov ruz at bestpractical.com
Mon Oct 17 12:19:50 EDT 2011


From my last hacking on ExternalAuth I recall noticing that in some
cases EA only looks up by Name and ignores any other mappings you may
have. I suspect that after SSO the Name in RT doesn't match the mapped
attribute in LDAP and EA fails to find a record to fetch information from.

At the moment I can not find that place in the code, but maybe this is
the root of the problem.

On Mon, Oct 17, 2011 at 7:51 PM, Thomas Sibley <trs at bestpractical.com> wrote:
> On 10/14/2011 08:44 PM, John Andersen wrote:
>> Hoping someone can point me to where I am going wrong.  I have been
>> trolling the wiki, cpan, this list, and Google for the last couple of
>> days with no luck so far.  Probably something apparent that I'm
>> missing.....
>> I am after the following behavior:
>>   - A user inside our network and on a machine my company controls
>> will be auto-logged in via SSO (mod_auth_kerb)
>>   - Upon successful SSO login, even if it's a first time login, the
>> user info is canonicalized from our LDAP dir (Active Directory)
>>   - If the user cannot use SSO, the login fails gracefully back to the
>> form-based login built in to RT.
>>   - If the user successfully authenticates via
>> RT::Authen::ExternalAuth the user info is again canonicalized even if
>> it's a first time login.
>>   - If an email is received from a requester, the email is looked up
>> in LDAP to canonicalize the user info as well.
>>   - If the email address does NOT exist in the LDAP directory, go
>> ahead and create an account anyway using the email address as the
>> username.
> You may just want to run with mod_auth_kerb and RT::Extension::LDAPImport
> running periodically, cutting RT::Authen::ExternalAuth completely out of the
> picture.  This does require that users can auth with mod_auth_kerb unless you
> give them local RT passwords.
>> The message I get in the RT log (via syslog) when a user logs in with
>> SSO seems to indicate that the user variable is not being set and
>> passed to the RT::Authen::ExternalAuth extension if I read the error
>> right.  The odd thing to me, is that while the error says SSO is
>> failing, it most definitely is not.  The user **is** successfully
>> logged in.
>> ----- error from syslog ---
>> Oct 14 16:41:25 rt RT: Attempting to use external auth service: LDAP_DIR1
>> Oct 14 16:41:25 rt RT: SSO Failed and no user to test with. Nexting
>> Oct 14 16:41:25 rt RT: Autohandler called ExternalAuth. Response: (0, No
>> User)
> Just a note: ExternalAuth's SSO support is cookie based, not
> Apache/mod_auth_* based.  It is not trying to do the same SSO as the core RT
> option.
> Thomas
> --------
> RT Training Sessions (http://bestpractical.com/services/training.html)
> *  San Francisco, CA, USA  October 18 & 19, 2011
> *  Washington DC, USA  October 31 & November 1, 2011
> *  Barcelona, Spain  November 28 & 29, 2011

Best regards, Ruslan.
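To make Ruslan's point about Name-based lookups concrete, here is an added RT_SiteConfig.pm fragment (not from anyone in the thread) for the combination John describes: core $WebExternalAuth for the mod_auth_kerb SSO, fallback to the built-in form login, and RT::Authen::ExternalAuth used only to canonicalize user info from Active Directory. The option names follow the extension's documentation as I know it; the server, bind credentials, base DN and the LDAP_DIR1 name are placeholders, and the assumption is that the Kerberos principal passed by Apache equals the AD sAMAccountName, so that a lookup on Name can find the record.

```perl
# Added example configuration, not the thread's own; all values are placeholders.
# Core RT SSO: trust REMOTE_USER set by mod_auth_kerb, but fall back to the form login
# for users who cannot authenticate via Kerberos.
Set($WebExternalAuth, 1);
Set($WebExternalAuto, 1);                # create RT users on first SSO login
Set($WebFallbackToInternalAuth, 1);      # graceful fallback to the login form

# RT::Authen::ExternalAuth: used here as an info source (canonicalization),
# and as a password check for form logins of users not covered by SSO.
Set($ExternalAuthPriority, ['LDAP_DIR1']);
Set($ExternalInfoPriority, ['LDAP_DIR1']);
Set($AutoCreateNonExternalUsers, 1);     # requester e-mails absent from AD still get an account

Set($ExternalSettings, {
    'LDAP_DIR1' => {
        'type'   => 'ldap',
        'server' => 'ad.example.internal',            # placeholder
        'user'   => 'CN=rt-reader,OU=svc,DC=example,DC=internal',  # placeholder bind DN
        'pass'   => 'REPLACE_ME',                     # placeholder; keep the file mode 0640
        'base'   => 'OU=people,DC=example,DC=internal',
        'filter' => '(objectClass=user)',
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',  # disabled accounts
        'tls'    => 1,
        # The lookup that matters for the SSO case: the RT Name (the Kerberos
        # principal from REMOTE_USER, with any @REALM stripped by Apache) must
        # be matched against the AD attribute it maps to, here sAMAccountName.
        # Incoming mail is matched on EmailAddress -> mail.
        'attr_match_list' => ['Name', 'EmailAddress'],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'displayName',
            'Organization' => 'company',
        },
    },
});
```

If the principal Apache passes includes the realm (user@EXAMPLE.INTERNAL) while sAMAccountName does not, the Name lookup Ruslan describes cannot match; check the Name that ends up in the RT Users table against the AD attribute before suspecting the extension.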
