At the moment, using RT::Authen::ExternalAuth for LDAP authentication to Active Directory, it's not possible to use DOMAIN\user syntax. This is at odds with much of the other (Windows based) infrastructure we use, and it confuses our users. Until recently we've been trying to mitigate the issue with a message that reminds people to omit the domain part, but it's not a clean solution and has been bugging me.

I've finally got around to making some changes to RT::Authen::ExternalAuth that allow me to define the Windows domain. This isn't a true Forest/Trust model but it's sufficient for us. The change is, I believe, backwards compatible with existing installations as the domain can be an optional component.

Examples:
    "DOMAIN\user"      - succeeds if DOMAIN is required and matches, and user is authenticated in LDAP
    "user"             - succeeds if DOMAIN is optional, and user is authenticated in LDAP
    "OTHERDOMAIN\user" - fails if DOMAIN is required but does not match
    "DOMAIN\otheruser" - fails if DOMAIN matches, but otheruser is not authenticated in LDAP

In order to support this I've added three new configuration elements in RT_Site_Config.pm, settable per LDAP configuration section:
    'ad_domain_prefix'    => 'DOMAIN',  # is case insensitive
    'ad_domain_required'  => 'no',      # { 'yes' | 'no' }
    'ad_domain_separator' => '\\',      # split domain\user with this character


Are the patches something that would be useful to share here? I've tried emailing the contact in the RT::Authen::ExternalAuth but heard nothing back.

Chris
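The domain-splitting logic the mail describes, written out as an added stand-alone Perl example; this is not Chris's patch and not RT::Authen::ExternalAuth's own code. The three config keys are the ones named in the mail; the sample values, the split_login/check_domain/authenticate helpers and the ldap_authenticates stub (which treats "user" as a valid account and "otheruser" as unknown) are constructed here. One point the mail leaves open is assumed: a supplied domain that does not match the configured prefix is rejected even when the domain is optional, so a typo in the domain part cannot silently fall through to a bare-username bind.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical per-LDAP-section config mirroring the three new
# RT_Site_Config.pm keys from the mail (key names from the post,
# values constructed for this example).
my %ldap_config = (
    'ad_domain_prefix'    => 'DOMAIN',
    'ad_domain_required'  => 'no',
    'ad_domain_separator' => '\\',
);

# Split a login into (domain, username) on the first occurrence of the
# separator. The domain is undef when no separator is present.
sub split_login {
    my ($login, $sep) = @_;
    my $idx = index($login, $sep);
    return (undef, $login) if $idx < 0;
    return (substr($login, 0, $idx), substr($login, $idx + length($sep)));
}

# Validate the domain part against the config. Returns the bare username
# to hand to the LDAP bind, or undef when the login must be rejected.
sub check_domain {
    my ($login, $cfg) = @_;
    my $sep      = $cfg->{ad_domain_separator} // '\\';
    my $required = lc($cfg->{ad_domain_required} // 'no') eq 'yes';
    my ($domain, $user) = split_login($login, $sep);

    if (!defined $domain) {
        # No domain supplied: acceptable only when the domain is optional.
        return $required ? undef : $user;
    }

    # Domain supplied: it must match the configured prefix, compared
    # case-insensitively as the mail's comment says. Assumption: a
    # non-matching domain is rejected even when the domain is optional.
    return lc($domain) eq lc($cfg->{ad_domain_prefix} // '') ? $user : undef;
}

# Stand-in for the real LDAP bind (constructed): "user" is a known
# account, anything else is not.
sub ldap_authenticates {
    my ($user) = @_;
    return $user eq 'user';
}

# Full decision: domain check first, then the (stubbed) LDAP bind.
sub authenticate {
    my ($login, $cfg) = @_;
    my $user = check_domain($login, $cfg);
    return 0 unless defined $user;
    return ldap_authenticates($user) ? 1 : 0;
}

# Walk the four cases from the mail with the domain required and optional.
for my $required ('yes', 'no') {
    my %cfg = (%ldap_config, ad_domain_required => $required);
    for my $login ('DOMAIN\\user', 'user', 'OTHERDOMAIN\\user', 'DOMAIN\\otheruser') {
        printf "required=%-3s %-20s => %s\n", $required, $login,
            authenticate($login, \%cfg) ? 'ok' : 'rejected';
    }
}
```

With required=yes the bare "user" login is rejected; with required=no it succeeds, while "OTHERDOMAIN\user" and "DOMAIN\otheruser" are rejected in both modes, matching the four outcomes listed in the mail. Keeping the domain comparison separate from the bind means a wrong domain never reaches LDAP at all, which also keeps the audit trail unambiguous about why a login failed.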
