AD domains with RT::Authen::ExternalAuth

At the moment using RT::Authen::ExternalAuth for LDAP authentication to
Active Directory it’s not possible to use DOMAIN\user syntax. This is at
odds with much of the other (Windows based) infrastructure we use, and
it confuses our users. Until recently we’ve been trying to mitigate the
issue with a message that reminds people to omit the domain part, but
it’s not a clean solution and has been bugging me.

I’ve finally got around to making some changes to
RT::Authen::ExternalAuth that allow me to define the Windows domain.
This isn’t a true Forest/Trust model but it’s sufficient for us. The
change is, I believe, backwards compatible with existing installations
as the domain can be an optional component.

Examples:
  "DOMAIN\user" - succeeds if DOMAIN is required and matches, and user is authenticated in LDAP
  "user" - succeeds if DOMAIN is optional, and user is authenticated in LDAP
  "OTHERDOMAIN\user" - fails if DOMAIN is required but does not match
  "DOMAIN\otheruser" - fails if DOMAIN matches, but otheruser is not authenticated in LDAP

In order to support this I’ve added three new configuration elements in
RT_Site_Config.pm, settable per LDAP configuration section:
    'ad_domain_prefix'    => 'DOMAIN',  # is case insensitive
    'ad_domain_required'  => 'no',      # { 'yes' | 'no' }
    'ad_domain_separator' => '\\',      # split domain\user with this character

Are the patches something that would be useful to share here? I’ve tried
emailing the contact in the RT::Authen::ExternalAuth but heard nothing back.

Chris
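
The login handling described in the post above, written out as an added Perl example; it is not Chris's patch and not RT::Authen::ExternalAuth code. The function name split_ad_login, the pass-through when no prefix is configured, and the rejection of an empty or doubly-separated user part are assumptions; the three configuration keys are the ones named in the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not from the patch): given a login string and one
# LDAP section's settings, return the bare user name to look up in LDAP,
# or undef when the login must be rejected before LDAP is contacted.
sub split_ad_login {
    my ($login, $cfg) = @_;
    my $prefix   = $cfg->{ad_domain_prefix};
    my $required = lc($cfg->{ad_domain_required} // 'no') eq 'yes';
    my $sep      = $cfg->{ad_domain_separator} // '\\';

    # Assumption: with no prefix configured, behave as before the change.
    return $login unless defined $prefix && length $prefix;

    my $at = index($login, $sep);
    if ($at < 0) {
        # Bare "user": accepted only when the domain part is optional.
        return $required ? undef : $login;
    }

    my $domain = substr($login, 0, $at);
    my $user   = substr($login, $at + length($sep));

    # The prefix is compared case-insensitively; any other domain fails.
    return unless lc($domain) eq lc($prefix);
    # Assumption: an empty user or a second separator is never valid.
    return if $user eq '' || index($user, $sep) >= 0;
    return $user;
}

# Constructed sample configuration and logins.
my %section = (
    ad_domain_prefix    => 'DOMAIN',
    ad_domain_required  => 'no',
    ad_domain_separator => '\\',
);
for my $login ('DOMAIN\\user', 'domain\\user', 'user',
               'OTHERDOMAIN\\user', 'DOMAIN\\') {
    my $user = split_ad_login($login, \%section);
    printf "%-18s => %s\n", $login,
        defined $user ? "look up '$user' in LDAP" : 'reject';
}
```

Only the stripped user name reaches the LDAP lookup, so whether the account exists and the password is correct is still decided there.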


I’ve finally got around to making some changes to
RT::Authen::ExternalAuth that allow me to define the Windows domain.
[snip]
Are the patches something that would be useful to share here? I’ve tried
emailing the contact in the RT::Authen::ExternalAuth but heard nothing back.

Feel free to file a pull request on github[1], and we’ll take a look.

- Alex

[1] GitHub - bestpractical/rt-authen-externalauth

You’ve lost me already.

If you can send a unified diff patch, we’ll start there.

- Alex