On 10/14/2011 08:44 PM, John Andersen wrote:
Hoping someone can point me to where I am going wrong.  I have been
trolling the wiki, cpan, this list, and Google for the last couple of
days with no luck so far.  Probably something apparent that I'm
missing.....

I am after the following behavior:
   - A user inside our network and on a machine my company controls
will be auto-logged in via SSO (mod_auth_kerb)
   - Upon successful SSO login, even if it's a first time login, the
user info is canonicalized from our LDAP dir (Active Directory)
   - If the user cannot use SSO, the login fails gracefully back to the
form-based login built in to RT.
   - If the user successfully authenticates via
RT::Authen::ExternalAuth the user info is again canonicalized even if
it's a first time login.
   - If an email is received from a requester, the email is looked up
in LDAP to canonicalize the user info as well.
   - If the email address does NOT exist in the LDAP directory, go
ahead and create an account anyway using the email address as the
username.

You may just want to run with mod_auth_kerb and RT::Extension::LDAPImport running periodically, cutting RT::Authen::ExternalAuth completely out of the picture. This does require that users can auth with mod_auth_kerb unless you give them local RT passwords.

The message I get in the RT log (via syslog) when a user logs in with
SSO seems to indicate that the user variable is not being set and
passed to the RT::Authen::ExternalAuth extension if I read the error
right.  The odd thing to me, is that while the error says SSO is
failing, it most definitely is not.  The user **is** successfully
logged in.
----- error from syslog ---
Oct 14 16:41:25 rt RT: Attempting to use external auth service: LDAP_DIR1
Oct 14 16:41:25 rt RT: SSO Failed and no user to test with. Nexting
Oct 14 16:41:25 rt RT: Autohandler called ExternalAuth. Response: (0, No User)

Just a note: ExternalAuth's SSO support is cookie based, not Apache/mod_auth_* based. It is not trying to do the same SSO as the core RT option.

Thomas