[rt-users] AD domains with RT::Authen::ExternalAuth

Chris Davies chris at roaima.co.uk
Fri Nov 29 08:37:09 EST 2013


At the moment, using RT::Authen::ExternalAuth for LDAP authentication to 
Active Directory, it's not possible to use DOMAIN\user syntax. This is at 
odds with much of the other (Windows based) infrastructure we use, and 
it confuses our users. Until recently we've been trying to mitigate the 
issue with a message that reminds people to omit the domain part, but 
it's not a clean solution and has been bugging me.

I've finally got around to making some changes to 
RT::Authen::ExternalAuth that allow me to define the Windows domain. 
This isn't a true Forest/Trust model but it's sufficient for us. The 
change is, I believe, backwards compatible with existing installations, 
as the domain can be an optional component.

Examples:
     "DOMAIN\user" - succeeds if DOMAIN is required and matches, and user is authenticated in LDAP
     "user" - succeeds if DOMAIN is optional, and user is authenticated in LDAP
     "OTHERDOMAIN\user" - fails if DOMAIN is required but does not match
     "DOMAIN\otheruser" - fails if DOMAIN matches, but otheruser is not authenticated in LDAP

In order to support this I've added three new configuration elements in 
RT_Site_Config.pm, settable per LDAP configuration section:
     'ad_domain_prefix' => 'DOMAIN',    # is case insensitive
     'ad_domain_required' => 'no',      # { 'yes' | 'no' }
     'ad_domain_separator' => '\\',     # split domain\user with this character


Are the patches something that would be useful to share here? I've tried 
emailing the contact in the RT::Authen::ExternalAuth but heard nothing back.

Chris
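The domain-prefix handling described in the post, as an added illustration rather than the author's actual patch or RT::Authen::ExternalAuth code: the hypothetical split_ad_login() takes the three ad_domain_* settings from one LDAP section, strips a matching (case-insensitive) DOMAIN prefix, rejects a missing prefix only when ad_domain_required is 'yes', and hands the bare user name on to LDAP. It assumes, beyond what the post states, that a non-matching domain is rejected even when the domain is optional, and ldap_authenticates() is a constructed stand-in for the real LDAP bind.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: normalise a login of the form DOMAIN<sep>user
# against one LDAP section's ad_domain_* settings. Returns the bare user
# name to look up in LDAP, or undef plus a reason when the domain check
# rejects the login before LDAP is consulted at all.
sub split_ad_login {
    my ($login, $cfg) = @_;
    my $prefix   = $cfg->{ad_domain_prefix};
    my $required = ($cfg->{ad_domain_required} // 'no') =~ /^yes$/i;
    my $sep      = $cfg->{ad_domain_separator} // '\\';

    # Split only on the first separator so the user part keeps any others.
    my ($domain, $user) = split /\Q$sep\E/, $login, 2;
    if (!defined $user) {
        # No separator present: the whole string is the user name.
        return (undef, 'domain required but missing') if $required;
        return ($login, undef);
    }
    return (undef, 'empty domain or user') if $domain eq '' || $user eq '';
    # Assumption: a wrong domain fails even when the domain is optional.
    # The comparison is case insensitive, as the config comment says.
    return (undef, "domain '$domain' does not match")
        unless defined $prefix && lc $domain eq lc $prefix;
    return ($user, undef);
}

# Constructed stand-in for the LDAP bind: only 'user' authenticates.
sub ldap_authenticates { my ($user) = @_; return $user eq 'user' ? 1 : 0 }

my %cfg = (
    ad_domain_prefix    => 'DOMAIN',
    ad_domain_required  => 'no',
    ad_domain_separator => '\\',
);

# Walk through the four cases from the post plus a mixed-case domain.
for my $login ('DOMAIN\user', 'user', 'OTHERDOMAIN\user',
               'DOMAIN\otheruser', 'domain\user') {
    my ($user, $why) = split_ad_login($login, \%cfg);
    my $ok = defined $user && ldap_authenticates($user);
    printf "%-20s => %s\n", $login,
        $ok ? 'succeeds' : 'fails' . ($why ? " ($why)" : ' (LDAP rejected)');
}
```

Setting ad_domain_required to 'yes' in %cfg makes the bare "user" case fail before any LDAP lookup, which is the behaviour the post describes for the required mode.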
