[rt-users] Trying to sort out the combination of $WebExternalAuth and RT::Authen::External
john at yvig.com
Mon Oct 17 16:15:04 EDT 2011

On Mon, Oct 17, 2011 at 8:51 AM, Thomas Sibley <trs at bestpractical.com> wrote:
> On 10/14/2011 08:44 PM, John Andersen wrote:
>> Hoping someone can point me to where I am going wrong. I have been
>> trolling the wiki, cpan, this list, and Google for the last couple of
>> days with no luck so far. Probably something apparent that I'm
>> I am after the following behavior:
>> - A user inside our network and on a machine my company controls
>> will be auto-logged in via SSO (mod_auth_kerb)
>> - Upon successful SSO login, even if it's a first time login, the
>> user info is canonicalized from our LDAP dir (Active Directory)
>> - If the user cannot use SSO, the login fails gracefully back to the
>> form-based login built in to RT.
>> - If the user successfully authenticates via
>> RT::Authen::ExternalAuth the user info is again canonicalized even if
>> it's a first time login.
>> - If an email is received from a requester, the email is looked up
>> in LDAP to canonicalize the user info as well.
>> - If the email address does NOT exist in the LDAP directory, go
>> ahead and create an account anyway using the email address as the
> You may just want to run with mod_auth_kerb and RT::Extension::LDAPImport
> running periodically, cutting RT::Authen::ExternalAuth completely out of the
> picture. This does require users can auth with mod_auth_kerb unless you
> give them local RT passwords.

Not a bad idea. That would actually work in my situation since
getting the users into the database is not time critical. Running
LDAPImport daily would probably work just fine.
I know it's petty but I was kind of hoping for the form-based login
from outside the network....

>> The message I get in the RT log (via syslog) when a user logs in with
>> SSO seems to indicate that the user variable is not being set and
>> passed to the RT::Authen::ExternalAuth extension if I read the error
>> right. The odd thing to me, is that while the error says SSO is
>> failing, it most definitely is not. The user **is** successfully
>> logged in.
>> ----- error from syslog ---
>> Oct 14 16:41:25 rt RT: Attempting to use external auth service: LDAP_DIR1
>> Oct 14 16:41:25 rt RT: SSO Failed and no user to test with. Nexting
>> Oct 14 16:41:25 rt RT: Autohandler called ExternalAuth. Response: (0, No
> Just a note: ExternalAuth's SSO support is cookie based, not
> Apache/mod_auth_* based. It is not trying to do the same SSO as the core RT

I did see that. For some reason, I had the idea that even using
$WebExternalAuth it would kick off CanonicalizeUserInfo() after
logging in, but that doesn't seem to be happening. Or rather, it
*does* seem to be happening but it is running it without the username
key from mod_auth_kerberos. Thanks again for the info. I will
either try your suggestion above or go in another direction.