[rt-users] Authentication against LDAP and Authorization against internal db

Joachim Thuau JThuau at spacex.com
Wed Jun 13 11:30:38 EDT 2012


Coming in late to the party, but wouldn't Apache auth do what you are talking about? Combined with ldapimport, you can import users over LDAP, but not groups. Then you can define your group for authorization as you wish within RT.

At that point you should be able to have both internal and AD groups for authz, and 'ldap' for authn.

Am I missing something?

Jok

On Jun 13, 2012, at 8:14 AM, "Asif Iqbal" <vadud3 at gmail.com> wrote:

On Tue, Jun 12, 2012 at 1:57 PM, Ruslan Zakirov <ruz at bestpractical.com> wrote:
On Tue, Jun 12, 2012 at 6:35 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
> On Tue, Jun 12, 2012 at 5:51 AM, Ruslan Zakirov <ruz at bestpractical.com> wrote:
>>
>> On Tue, Jun 12, 2012 at 5:38 AM, Asif Iqbal <vadud3 at gmail.com> wrote:
>> > I am using external authentication against our corporate AD server
>> > successfully, using the RT::Authen::ExternalAuth.
>> >
>> > But I like the authorization done against internal db for user account.
>> >
>> > Just because a user has a valid AD credential is not enough for him/her to
>> > be able to login to our RT. We like to manage the login by creating the
>> > user account into internal db using the Web UI.
>> >
>> > So we still like the user to use their AD credential and no need to remember
>> > another password, and at the same time only be able to login if the same
>> > username is available in internal db.
>> >
>> > Is that possible? Any suggestion/tip is appreciated.
>>
>> Yes, it is possible, but not like you want it to be.
>>
>> As far as I can see users need AD record anyway, just mark them
>> somehow in AD and use this marking in ExternalAuth filter.
>>
>
> I have no access to AD. It belongs to corporate group and will not be able
> to manage a group.
>
> There is no way to control the Authorization part locally?

Not out of the box. Patch external auth module and add option to avoid
creation of new users.


So I could just comment this section out to avoid user create as one option? I know, ugly.

 http://paste.ubuntu.com/1039210/



>> > --
>> > Asif Iqbal
>> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>> > A: Because it messes up the order in which people normally read text.
>> > Q: Why is top-posting such a bad thing?
>> >
>> >
>>
>>
>>
>> --
>> Best regards, Ruslan.
>
>
>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
>



--
Best regards, Ruslan.



--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
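
The Apache-auth route suggested at the top of this message, sketched as an RT_SiteConfig.pm fragment. This is an added example, not configuration posted by anyone in the thread. It assumes an RT release that uses the WebExternal* option names, and a web server that has already verified the AD password (for example with mod_authnz_ldap) and passes the login name in REMOTE_USER.

```perl
# RT_SiteConfig.pm (added example; assumes the web server in front of RT
# performs the LDAP/AD bind and sets REMOTE_USER on success).

# Authentication: trust the login name the web server hands over in
# REMOTE_USER instead of checking a password inside RT.
Set($WebExternalAuth, 1);

# Weak for the requirement in this thread: with a true value RT creates
# an account for any REMOTE_USER it has not seen before, so every valid
# AD credential becomes a working RT login.
# Set($WebExternalAuto, 1);

# Authorization stays local: never auto-create. A REMOTE_USER with no
# matching row in RT's Users table (created beforehand through the Web UI
# or an import) is refused even though the AD password was correct.
Set($WebExternalAuto, 0);

1;
```

With this split the username in RT has to match the name the web server reports, so decide on one form (bare sAMAccountName versus user at domain) before creating accounts.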




