On 14 Jan 2010, at 7:06 pm, [email protected] wrote:
> Unless you're authenticating against a custom mysql database, there is
> no need to tell RT::Authen::ExternalAuth about RT's internal database
> tables.
>
> It sounds like you want to tell RT::Authen::ExternalAuth to only use
> your LDAP configuration.
>
> RT will fall back to internal auth if RT::Authen::ExternalAuth fails
> to authenticate you against LDAP

Although you want to be careful about that; we got bitten by it. For some reason, several very old accounts in our RT database had a default password set in the MySQL database, and people found that they could still use that password and get in.

I personally think that's a bug in the code, and I've changed it in our installation to the following logic, which makes more sense to me:

1) If the account exists in the external source, then check authentication against that source, and let the user in if appropriate.
2) If the user provides the wrong password to the external account, immediately reject the login.
3) If the user does not exist within the external source, only then fall back to internal authentication.

Tim

--
The Wellcome Trust Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.

_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
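
The two fallback policies discussed in this thread, side by side, as an added example that is not part of the original message and is not RT or RT::Authen::ExternalAuth code. It is a Python model in which the two stores, the account names, the passwords and the function names are all constructed for illustration.

```python
import hmac

# Constructed sample data (plain-text values only to keep the model short).
# "alice" exists in the external source AND still carries an old default
# password in the internal table; "localadmin" exists only internally.
EXTERNAL = {"alice": "ldap-secret"}
INTERNAL = {"alice": "password", "localadmin": "local-secret"}


def _check(store, user, password):
    """Constant-time password comparison; False if the user is absent."""
    expected = store.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def login_fallback_on_any_failure(user, password):
    """Quoted behaviour: any external failure falls through to internal auth."""
    return _check(EXTERNAL, user, password) or _check(INTERNAL, user, password)


def login_external_authoritative(user, password):
    """The three-step logic from the reply."""
    if user in EXTERNAL:
        # Steps 1 and 2: the external source decides. A wrong password is
        # rejected immediately and the internal table is never consulted.
        return _check(EXTERNAL, user, password)
    # Step 3: user unknown to the external source, so use internal auth.
    return _check(INTERNAL, user, password)


def shadowed_accounts():
    """Audit helper: externally managed users that also hold an internal
    password, i.e. the accounts the stale-password problem applies to."""
    return sorted(u for u in INTERNAL if u in EXTERNAL and INTERNAL[u])


if __name__ == "__main__":
    for fn in (login_fallback_on_any_failure, login_external_authoritative):
        print(fn.__name__, "alice/password ->", fn("alice", "password"))
    print("accounts to review:", shadowed_accounts())
```

The audit helper is the check to run first in either policy: any account it lists has an internal credential that the external directory's password rules and lockouts do not cover.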
