((Apologies for top-posting, but it's just easier at the moment for me to use
outlook to send email))
I can answer a few of your questsions:-
1) Users with multiple email addresses on our system become one single user,
the LDAP query finds the one user responsible for the email address, and just
link the submitted ticket to the correct ID.
2) You cannot have multiple RT accounts with the same email address in the
system, we had a lot of cleanup when we migrated to 3.8.2 from a badly botched
install of 3.6, and this was our biggest hassle.
3) I have AutoCreateNonExternalUsers on, but that's mostly because of the
nature of the business my company is in :) However, the system seems to work
fine with that disabled, and it doesn't autocreate any non-LDAP accounts unless
you do so yourself.
On another level, I know you'll hear this from a lot of angles, but it always
deserves to be said... You should try this sort of thing out on a test system
before setting it up in production... Especially when dealing with things like
authentication, you really want to make sure youself that it does what you want
it to do...
--
Cass
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Susan McClure
Sent: Wednesday, June 03, 2009 2:30 PM
To: [email protected]
Cc: Susan McClure
Subject: [rt-users] RT ExternalAuth LDAP and Adding Local users in 3.8.2
I have been reading the postings about RT-Authen-ExternalAuth but am confused
on what appears to be some conflicting setup information.
I am using:
RT 3.8.2
RT-Authen-ExternalAuth 0.08
I would like to use LDAP for authentication and information first, and that
part seems to work OK.
But I also would like to:
- add LOCAL users to RT internal DB (i.e; test and test-admin type
accounts)
- NOT autocreate a new RT account, if we receive an email from a user that is
unknown in local RT or LDAP.
- NOT make multiple accounts for a user's multiple email aliases.
(Our ldap contains several email addresses for each user (uid) )
When I try to add a local account through the Web(using Root,
Configuration->Users->Create). I receive the error "Name in Use"
The username I am trying to create is NOT in existence, but the email for that
new account IS.
My error_log shows:
==================================
[Tue Jun 2 17:45:21 2009] [debug]: User Check Failed :: ( My_LDAP )
root User not found
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth/LDAP.pm:318)
[Tue Jun 2 17:45:21 2009] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Tue Jun 2 17:45:21 2009] [info]: Successful login for root from
168.7.56.227 (/usr/site/rt-3.8/PROD/share/html/autohandler:276)
[Tue Jun 2 17:46:40 2009] [debug]: /ServiceUpdate/Elements/Header
calls old style callback, use $m->callback
(/usr/site/rt-3.8/PROD/share/html/Elements/Callback:51)
[Tue Jun 2 17:46:40 2009] [crit]: HasRight called with no valid
object (/usr/site/rt-3.8/PROD/bin/../lib/RT/Principal_Overlay.pm:322)
[Tue Jun 2 17:51:36 2009] [debug]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User
/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/l
ib/RT/User_Vendor.pm 20 with: Address1: , Address2: , AuthSystem: ,
City: , Comments: Admin Authority Level Account for RT,
ContactInfoSystem: , Country: , Disabled: 0, EmailAddress:
[email protected], EmailEncoding: , ExternalAuthId: ,
ExternalContactInfoId: , FreeformContactInfo: , Gecos: , HomePhone: ,
Lang: en, MobilePhone: , Name: smcclure-admin, NickName:
Smcclure-Admin,
Organization: , PagerPhone: , Privileged: 1, RealName: Susan McClure,
Signature: , State: ,
WebEncoding: , WorkPhone: , Zip:
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:450)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to get user info using
this external service: My_LDAP
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:458)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to use this
canonicalization key: Name
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:472)
[Tue Jun 2 17:51:36 2009] [debug]: LDAP Search === Base:
ou=People,dc=rice,dc=edu == Filter:
(&(objectclass=*)(uid=smcclure-admin)) == Attrs:
Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,
physicalDeliveryOfficeName,uid
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to use this
canonicalization key: EmailAddress
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:472)
[Tue Jun 2 17:51:36 2009] [debug]: LDAP Search === Base:
ou=People,dc=rice,dc=edu == Filter:
(&(objectclass=*)([email protected])) == Attrs:
Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,
physicalDeliveryOfficeName,uid
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Tue Jun 2 17:51:36 2009] [info]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning
Address1: 6100 Main Street, Address2: , AuthSystem: , City: ,
Comments: Admin Authority Level Account for RT, ContactInfoSystem: ,
Country: , Disabled: 0, EmailAddress: [email protected],
EmailEncoding: , ExternalAuthId: smcclure, ExternalContactInfoId: ,
FreeformContactInfo: , Gecos: , HomePhone: , Lang: en, MobilePhone: ,
Name: smcclure, NickName: Smcclure-Admin,
Organization: 222 Mudd Building, PagerPhone: , Privileged: 1,
RealName: McClure, Susan, Signature: , State: , WebEncoding: ,
WorkPhone: 713-348-4852, Zip: 77005
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:536)
==============
My Current RT_SiteConfig.pm for LDAP and External Auth has
====================================
Set(@Plugins,qw(RT::FM RT::IR RT::Authen::ExternalAuth .......
and for LDAP
# special options for various plugins
# Authen::ExternalAuth
Set($ExternalAuthPriority, ['My_LDAP'] ); Set($ExternalInfoPriority,
['My_LDAP'] );
Set($ExternalServiceUsesSSLorTLS, 1);
Set($ExternalSettings, {
'My_LDAP' => { ## GENERIC
SECTION
'type'
=> 'ldap',
'server'
=> 'ldap.rice.edu',
'user'
=> 'cn=requesttracker,ou=Service Accounts,dc=rice,dc=edu',
..... etc etc .........
.................
And the LDAP Attributes mappings:
## RT ATTRIBUTE MATCHING SECTION
# The list of RT attributes that
uniquely identify a user
# This example shows what you
*can* specify.. I recommend reducing this
# to just the Name and
EmailAddress to save encountering problems later.
'attr_match_list' => [
'Name',
'EmailAddress',
'RealName',
'WorkPhone',
'Address2'
],
# The mapping of RT attributes
on to LDAP attributes
'attr_map' => {
'Name' => 'uid',
'EmailAddress' => 'mail',
'Organization' => 'physicalDeliveryOfficeName',
'RealName' => 'cn',
'ExternalAuthId' => 'uid',
'Gecos' => 'gecos',
'WorkPhone' => 'telephoneNumber',
'Address1' => 'postalAddress',
'City' => 'Houston',
'State' => 'TX',
'Zip' => 'postalCode'
}
}
}
);
===================
Looking at all the postings, I am afraid that if I add:
==> Set($AutoCreateNonExternalUsers, 1);
That I will automatically MAKE a new account for users that send email or
authenticate in some way other than being in our LDAP.
Can someone clarify the different options to help me get the setup I want
please?
Thanks
Susie McClure
[email protected]
----------------------------------
Check out the Barracuda Spam & Virus Firewall - offering the fastest
virus & malware protection in the industry: www.barracudanetworks.com/spam
_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: [email protected]
Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
