Re: [rt-users] Autocreated users and ldap auth

[Robert Munsch]

 

Subject: Re: [rt-users] Autocreated users and ldap auth

 

> I’m using Authen::ExternalAuth and it seems to be working.  If a user logs in 
> to RT using Active Directory credentials, they get in and get autocreated.  

> 

> However, if before RT login, they submit a ticket, they cannot log in: rt 
> complains that the email address is already in use (AD lookup finds the email 
> they submitted from) and says it’s in use.  I think I’ve misunderstood: I 
> thought RT would treat identical info as one account, and LDAP lookup would 
> take precedence.  How can I merge them so ldap lookup is always used, whether 
> they submitted a ticket or not..?

> 

> I’m not sure I’m asking this clearly.  Should I be turning off the 
> create-on-ticket-submit functionality to achieve this?

 

I just ran into this myself when setting up our LDAP authentication.  Our 
problem was that the LDAP server did not actually have the email address 
stored, so the username created in RT was the email address.  I had to go in 
and manually change the usernames of all the accounts with email addresses in 
the username field.

 

What’s the value of ‘attr_match_list’ and ‘attr_map’ in your RT_SiteConfig.pm 
file?

 

Haven’t altered them from initial values, since it seemed to work at first…

 

# The list of RT attributes that uniquely identify a user

             'attr_match_list'      => [    'Name',

                                            'EmailAddress',

                                       ],

             # The mapping of RT attributes on to LDAP attributes

              'attr_map'             =>  {   'Name' => 'sAMAccountName',

                                                   'EmailAddress' => 'mail',

                                                   'Organization' => 
'physicalDeliveryOfficeName',

                                                   'RealName' => 'cn',

                                                    'ExternalAuthId' => 
'sAMAccountName',

                                                    'Gecos' => 'sAMAccountName',

                                                    'WorkPhone' => 
'telephoneNumber',

                                                    'Address1' => 
'streetAddress',

                                                    'City' => 'l',

                                                    'State' => 'st',

                                                    'Zip' => 'postalCode',

                                                    'Country' => 'co'

 

Our AD has email values defined.  A ticket submitter gets created with account 
name “n...@address,” which of course also becomes that autocreated users’ email 
address.  The user then tries to log in, is checked on AD, their email address 
is the same, and it tells me “already a user with that email address.”  I want 
to tell it “yes, same person, if credentials match let them in!”

 

Thanks,

 

-----------------------

Rob Munsch

IT Administrator

http://www.PhillyCarShare.org <http://www.PhillyCarShare.org> 

Our wheels.  Your freedom.

215-730-0988 x131


BEGIN:VCARD
VERSION:2.1
N:Munsch;Robert
FN:Robert Munsch
EMAIL;PREF;INTERNET:mun...@phillycarshare.org
REV:20080605T213203Z
END:VCARD

_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com


Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
Buy a copy at http://rtbook.bestpractical.com