On Mon, Oct 17, 2011 at 8:51 AM, Thomas Sibley <[email protected]> wrote:
> On 10/14/2011 08:44 PM, John Andersen wrote:
>>
>> Hoping someone can point me to where I am going wrong. I have been
>> trolling the wiki, cpan, this list, and Google for the last couple of
>> days with no luck so far. Probably something apparent that I'm
>> missing.....
>>
>> I am after the following behavior:
>> - A user inside our network and on a machine my company controls
>>   will be auto-logged in via SSO (mod_auth_kerb)
>> - Upon successful SSO login, even if it's a first time login, the
>>   user info is canonicalized from our LDAP dir (Active Directory)
>> - If the user cannot use SSO, the login fails gracefully back to the
>>   form-based login built in to RT.
>> - If the user successfully authenticates via
>>   RT::Authen::ExternalAuth the user info is again canonicalized even if
>>   it's a first time login.
>> - If an email is received from a requester, the email is looked up
>>   in LDAP to canonicalize the user info as well.
>> - If the email address does NOT exist in the LDAP directory, go
>>   ahead and create an account anyway using the email address as the
>>   username.
>
> You may just want to run with mod_auth_kerb and RT::Extension::LDAPImport
> running periodically, cutting RT::Authen::ExternalAuth completely out of the
> picture. This does require users can auth with mod_auth_kerb unless you
> give them local RT passwords.

Not a bad idea. That would actually work in my situation since getting the
users into the database is not time critical. Running LDAPImport daily would
probably work just fine. I know it's petty but I was kind of hoping for the
form-based login from outside the network....

>> The message I get in the RT log (via syslog) when a user logs in with
>> SSO seems to indicate that the user variable is not being set and
>> passed to the RT::Authen::ExternalAuth extension if I read the error
>> right. The odd thing to me, is that while the error says SSO is
>> failing, it most definitely is not. The user **is** successfully
>> logged in.
>>
>> ----- error from syslog ---
>> Oct 14 16:41:25 rt RT: Attempting to use external auth service: LDAP_DIR1
>> Oct 14 16:41:25 rt RT: SSO Failed and no user to test with. Nexting
>> Oct 14 16:41:25 rt RT: Autohandler called ExternalAuth. Response: (0, No
>> User)
>
> Just a note: ExternalAuth's SSO support is cookie based, not
> Apache/mod_auth_* based. It is not trying to do the same SSO as the core RT
> option.
>
> Thomas

I did see that. For some reason, I had the idea that even using
$WebExternalAuth it would kick off CanonicalizeUserInfo() after logging in,
but that doesn't seem to be happening. Or rather, it *does* seem to be
happening but it is running it without the username key from
mod_auth_kerberos.

Thanks again for the info. I will either try your suggestion above or go in
another direction.

Thanks!
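For readers following the thread, here is what Thomas's suggestion looks like as an RT_SiteConfig.pm fragment: core RT trusts the REMOTE_USER that mod_auth_kerb sets, and RT::Extension::LDAPImport fills in user records from Active Directory on a schedule, with RT::Authen::ExternalAuth not loaded at all. This is an added example, not configuration posted by either participant; the host name, bind DN, base DN, plugin path and cron schedule are placeholders, and it assumes Apache is configured with KrbLocalUserMapping On so that REMOTE_USER is the bare logon name rather than user@REALM.

```perl
# RT_SiteConfig.pm fragment (added example; values marked placeholder
# must be replaced with the site's own).

# 1. Trust the REMOTE_USER that Apache's mod_auth_kerb sets after a
#    successful Negotiate (Kerberos) handshake, and let RT create the
#    account on that user's first visit.
Set($WebExternalAuth, 1);
Set($WebExternalAuto, 1);

# 2. Whether to offer RT's own password form to users Apache did not
#    authenticate. With no local RT passwords set there is nothing for
#    the form to verify, so it stays off here; turn it on only if local
#    passwords are deliberately maintained for outside-the-network users.
Set($WebFallbackToInternalAuth, 0);

# 3. RT::Extension::LDAPImport canonicalizes user records from AD on a
#    schedule instead of at login time, so ExternalAuth is not needed.
Set(@Plugins, qw(RT::Extension::LDAPImport));
Set($LDAPHost,     'ad.example.com');                          # placeholder
Set($LDAPUser,     'CN=rt-bind,OU=Service,DC=example,DC=com'); # placeholder: read-only bind account
Set($LDAPPassword, 'CHANGE_ME');                               # placeholder
Set($LDAPBase,     'OU=People,DC=example,DC=com');             # placeholder
Set($LDAPFilter,   '(&(objectClass=user)(mail=*))');          # only real accounts with a mailbox
Set($LDAPMapping, {
    # RT username must equal what mod_auth_kerb puts in REMOTE_USER
    # (the AD logon name, given KrbLocalUserMapping On), or the
    # imported record and the SSO login will not be the same user.
    Name         => 'sAMAccountName',
    EmailAddress => 'mail',
    RealName     => 'cn',
});
Set($LDAPCreatePrivileged, 1);  # imported staff become privileged users
Set($LDAPUpdateUsers, 1);       # refresh existing records, not just create

# 4. Run the import nightly from cron (path and time are placeholders):
#    0 2 * * * /opt/rt4/local/plugins/RT-Extension-LDAPImport/bin/rt-ldapimport --import
# Run it once without --import first: that is a dry run that logs what
# would be created or changed, which is the sanity check to do before the
# first real import against a production directory.

1;
```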
