Coming in late to the party, but wouldn't Apache auth do what you are talking 
about? Combined with ldapimport, you can import users over LDAP, but not 
groups. Then you can define your group for authorization as you wish within RT.

At that point you should be able to have both internal and AD groups for authz, 
and 'ldap' for authn.

Am I missing something?

Jok

On Jun 13, 2012, at 8:14 AM, "Asif Iqbal" <[email protected]> wrote:

On Tue, Jun 12, 2012 at 1:57 PM, Ruslan Zakirov <[email protected]> wrote:
On Tue, Jun 12, 2012 at 6:35 PM, Asif Iqbal <[email protected]> wrote:
> On Tue, Jun 12, 2012 at 5:51 AM, Ruslan Zakirov <[email protected]> wrote:
>>
>> On Tue, Jun 12, 2012 at 5:38 AM, Asif Iqbal <[email protected]> wrote:
>> > I am using external authentication against our corporate AD server
>> > successfully, using the RT::Authen::ExternalAuth.
>> >
>> > But I like the authorization done against internal db for user account.
>> >
>> > Just because a user has a valid AD credential is not enough for him/her to
>> > be able to login to our RT. We like to manage the login by creating the
>> > user account into internal db using the Web UI.
>> >
>> > So we still like the user to use their AD credential and no need to remember
>> > another password, and at the same time only be able to login if the same
>> > username is available in internal db.
>> >
>> > Is that possible? Any suggestion/tip is appreciated.
>>
>> Yes, it is possible, but not like you want it to be.
>>
>> As far as I can see users need AD record anyway, just mark them
>> somehow in AD and use this marking in ExternalAuth filter.
>>
>
> I have no access to AD. It belongs to corporate group and will not be able
> to manage a group.
>
> There is no way to control the Authorization part locally?

Not out of the box. Patch external auth module and add option to avoid
creation of new users.


So I could just comment this section out to avoid user create as one option? I 
know, ugly.

 http://paste.ubuntu.com/1039210/



>> > --
>> > Asif Iqbal
>> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>> > A: Because it messes up the order in which people normally read text.
>> > Q: Why is top-posting such a bad thing?
>> >
>> >
>>
>>
>>
>> --
>> Best regards, Ruslan.
>
>
>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
>



--
Best regards, Ruslan.



--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

