[rt-users] Trying to sort out the combination of $WebExternalAuth and RT::Authen::ExternalAuth

John Andersen john at yvig.com
Mon Oct 17 16:15:04 EDT 2011

On Mon, Oct 17, 2011 at 8:51 AM, Thomas Sibley <trs at bestpractical.com> wrote:
> On 10/14/2011 08:44 PM, John Andersen wrote:
>> Hoping someone can point me to where I am going wrong.  I have been
>> trolling the wiki, cpan, this list, and Google for the last couple of
>> days with no luck so far.  Probably something apparent that I'm
>> missing.....
>> I am after the following behavior:
>>   - A user inside our network and on a machine my company controls
>> will be auto-logged in via SSO (mod_auth_kerb)
>>   - Upon successful SSO login, even if it's a first time login, the
>> user info is canonicalized from our LDAP dir (Active Directory)
>>   - If the user cannot use SSO, the login fails gracefully back to the
>> form-based login built in to RT.
>>   - If the user successfully authenticates via
>> RT::Authen::ExternalAuth the user info is again canonicalized even if
>> it's a first time login.
>>   - If an email is received from a requester, the email is looked up
>> in LDAP to canonicalize the user info as well.
>>   - If the email address does NOT exist in the LDAP directory, go
>> ahead and create an account anyway using the email address as the
>> username.
> You may just want to run with mod_auth_kerb and RT::Extension::LDAPImport
> running periodically, cutting RT::Authen::ExternalAuth completely out of the
> picture.  This does require users can auth with mod_auth_kerb unless you
> give them local RT passwords.

Not a bad idea.  That would actually work in my situation since
getting the users into the database is not time critical.  Running
LDAPImport daily would probably work just fine.

I know it's petty but I was kind of hoping for the form based login
from outside the network....

>> The message I get in the RT log (via syslog) when a user logs in with
>> SSO seems to indicate that the user variable is not being set and
>> passed to the RT::Authen::ExternalAuth extension if I read the error
>> right.  The odd thing to me, is that while the error says SSO is
>> failing, it most definitely is not.  The user **is** successfully
>> logged in.
>> ----- error from syslog ---
>> Oct 14 16:41:25 rt RT: Attempting to use external auth service: LDAP_DIR1
>> Oct 14 16:41:25 rt RT: SSO Failed and no user to test with. Nexting
>> Oct 14 16:41:25 rt RT: Autohandler called ExternalAuth. Response: (0, No
>> User)
> Just a note: ExternalAuth's SSO support is cookie based, not
> Apache/mod_auth_* based.  It is not trying to do the same SSO as the core RT
> option.
> Thomas

I did see that.  For some reason, I had the idea that even using
$WebExternalAuth it would kick off CanonicalizeUserInfo() after
logging in, but that doesn't seem to be happening. Or rather, it
*does* seem to be happening but it is running it without the username
key from mod_auth_kerberos. Thanks again for the info.  I will
either try your suggestion above or go in another direction.
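For readers following the thread, here is an RT_SiteConfig.pm fragment that spells out the wish list above in RT's own configuration options (core $WebExternalAuth settings plus the RT::Authen::ExternalAuth LDAP source). This is an added illustration written for this archive page, not the poster's configuration or anything from the thread; the service name LDAP_DIR1 is taken from the syslog lines above, while the hostname, base DN and bind account are placeholders. Whether the directory lookup actually fires for a mod_auth_kerb login is exactly the open question in the thread, so the fragment shows the intended setup, not a confirmed fix.

```perl
# RT_SiteConfig.pm fragment (added example; placeholders marked inline).

# Core RT: trust the REMOTE_USER that mod_auth_kerb sets, auto-create an RT
# account for an authenticated principal RT has not seen before, and fall back
# to RT's own login form when the web server did not authenticate the request.
Set($WebExternalAuth, 1);
Set($WebExternalAuto, 1);
Set($WebFallbackToInternalAuth, 1);

# RT::Authen::ExternalAuth: the directory serves both as the password checker
# for the login form and as the source of user details for canonicalization.
Set(@Plugins, qw(RT::Authen::ExternalAuth));
Set($ExternalAuthPriority, ['LDAP_DIR1']);
Set($ExternalInfoPriority, ['LDAP_DIR1']);

# Requesters whose address is not in the directory still get an RT account.
Set($AutoCreateNonExternalUsers, 1);

Set($ExternalSettings, {
    'LDAP_DIR1' => {
        'type'   => 'ldap',
        'server' => 'ldaps://dc.example.internal',                # placeholder
        'user'   => 'CN=rt-bind,OU=Service,DC=example,DC=internal', # placeholder
        'pass'   => 'CHANGE-ME-bind-password',                    # placeholder
        'base'   => 'DC=example,DC=internal',                     # placeholder
        # Only real user objects may log in ...
        'filter' => '(objectClass=user)',
        # ... and disabled AD accounts (userAccountControl bit 2) are refused.
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Match on the login name for SSO/form logins and on the address for
        # requesters created from incoming mail.
        'attr_match_list' => ['Name', 'EmailAddress'],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
        },
    },
});

1;
```

Two points worth checking in a deployment like this: the bind account in 'user'/'pass' only needs read access to the user subtree, and RT_SiteConfig.pm should be readable by the RT web user alone since it carries that credential; and the d_filter line is what keeps a disabled AD account from still logging in through the form-based fallback after SSO stops working for it.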