Authentication against LDAP and Authorization against internal db

I am using external authentication against our corporate AD server
successfully, using RT::Authen::ExternalAuth.

But I would like the authorization done against the internal db for user accounts.

Just because a user has a valid AD credential is not enough for him/her to
be able to log in to our RT. We would like to manage the login by creating
the user account in the internal db using the Web UI.

So we would still like the user to use their AD credential and not need to
remember another password, and at the same time only be able to log in if
the same username is available in the internal db.

Is that possible? Any suggestion/tip is appreciated.

Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Yes, it is possible, but not the way you want it.

As far as I can see, users need an AD record anyway; just mark them
somehow in AD and use that marking in the ExternalAuth filter.



Best regards, Ruslan.


I have no access to AD. It belongs to the corporate group, and I will not
be able to manage a group.

Is there no way to control the authorization part locally?


Asif Iqbal




Not out of the box. Patch the external auth module and add an option to
avoid creation of new users.




Best regards, Ruslan.





Hi Thomas Sibley,

First of all, thanks a lot for such an excellent module for making LDAP
authentication so simple.

Is it possible to disable the authorization part of
RT::Authen::ExternalAuth?

So, although authentication is successful, I do not want to authorize the
user to log in until there is a local account for her/him. I don't have
access to AD to create a separate group for the RT user group, so I would
like to leave the authorization part up to the admins of our RT.

Ruslan’s answer is correct. (I read rt-users.)

In the future, please don’t email my CPAN address personally for
support. rt-users is the correct place to discuss Best Practical
written and maintained RT extensions.

Thomas


Will do. Thanks for your feedback.

Asif Iqbal


So I could just comment this section out to avoid user creation, as one
option? I know, ugly.

http://paste.ubuntu.com/1039210/


Asif Iqbal



Coming in late to the party, but wouldn't Apache auth do what you are talking about? Combined with ldapimport, you can import users over LDAP, but not groups. Then you can define your group for authorization as you wish within RT.

At that point you should be able to have both internal and AD groups for authz, and LDAP for authn.

Am I missing something?

Jok
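A concrete version of Jok's Apache-auth route, added here as an example and not taken from the thread, from RT or from Best Practical: Apache (2.2 syntax, with mod_ldap and mod_authnz_ldap loaded) performs the AD bind, and RT is told to trust REMOTE_USER but never to autocreate an account for it, so a valid AD password on its own gets nobody in. The hostnames, base DN, bind account, CA file, the /rt mount point and the localhost-only mail gateway are placeholders and assumptions; nothing here touches the ExternalAuth module.

```apache
# Added example, not RT's own configuration. Apache 2.2 + mod_authnz_ldap
# does the AD bind; RT decides who may log in from its own Users table.
# Placeholders: dc.example.com, DC=example,DC=com, the rt-lookup bind
# account, /etc/ssl/certs/corp-ca.pem and the /rt mount point.

# Verify the DC's certificate; an unverified LDAPS bind leaks passwords
# to anyone who can impersonate the DC.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/corp-ca.pem
LDAPVerifyServerCert On

<Location /rt>
    AuthType Basic
    AuthName "RT (use your AD account)"
    AuthBasicProvider ldap
    # Look the user up by sAMAccountName, then bind as that user with the
    # password they typed; this is the authentication step only.
    AuthLDAPURL "ldaps://dc.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    # Read-only lookup account; it needs no rights beyond searching users.
    AuthLDAPBindDN "CN=rt-lookup,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "change-me"
    # Any valid AD credential passes here. Whether that person is allowed
    # into RT is decided by RT from its Users table (autocreate disabled).
    Require valid-user
</Location>

# rt-mailgate posts to this NoAuth URL without browser credentials, so the
# LDAP requirement must not apply to it or inbound email breaks. Restrict
# it to the host that runs rt-mailgate instead.
<Location /rt/REST/1.0/NoAuth>
    Satisfy Any
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
```

On the RT side, in RT_SiteConfig.pm (RT 3.8 names; RT 4.2 and later call them $WebRemoteUserAuth, $WebRemoteUserAutocreate and $WebFallbackToRTLogin), set `Set($WebExternalAuth, 1);`, `Set($WebExternalAuto, 0);` and `Set($WebFallbackToInternalAuth, 0);`. With autocreation off, a REMOTE_USER that has no row in RT's Users table is refused at the login page, which is the "create the account in the Web UI first" gate the original question asks for; the Name of that RT user has to match what AD returns for the attribute named in AuthLDAPURL (sAMAccountName here) character for character. Make sure an RT user with administrative rights has a Name matching an AD account before turning the fallback off, or you lock yourself out of root. Keep the bind account read-only and the config file unreadable to anyone but root, because the bind password sits in it in clear. The NoAuth exclusion is relevant to the mail-gateway failure reported later in this thread: the log there shows the mail gateway calling into ExternalAuth's CanonicalizeUserInfo, whereas in this setup nothing in the mail path goes through Apache's LDAP auth or the patched module, so email-driven user creation stays governed by RT's own queue rights (the 'CreateTicket' for 'Everyone' that the error message mentions).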


This seems to have worked.

http://paste.ubuntu.com/1039233/


Asif Iqbal




Fixed some of the comments to reflect the intention:

http://paste.ubuntu.com/1039239/


Asif Iqbal




What page do I modify to let users know to log in with their AD account
going forward?


Asif Iqbal




Well, I copied Elements/Login to local and made the following change.
Hopefully it won't break anything.

http://paste.ubuntu.com/1039396/


Asif Iqbal




I am getting this error after applying RT::Authen::ExternalAuth, patched to
disable the "user creation part". This is the patch I applied:
http://paste.ubuntu.com/1039239/ .

[Sat Jun 16 04:03:50 2012] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Comments: Autocreated on ticket submission, Disabled: , EmailAddress: service@example.com, Name: service@example.com, Password: , Privileged: , RealName: Service Example (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:633)
[Sat Jun 16 04:03:50 2012] [crit]: User creation failed in mailgateway: Could not set user info (/opt/rt3/bin/…/lib/RT/Interface/Email.pm:244)
[Sat Jun 16 04:03:50 2012] [warning]: Couldn't load user 'service@example.com'.giving up (/opt/rt3/bin/…/lib/RT/Interface/Email.pm:806)
[Sat Jun 16 04:03:50 2012] [crit]: User 'service@example.com' could not be loaded in the mail gateway (/opt/rt3/bin/…/lib/RT/Interface/Email.pm:244)
[Sat Jun 16 04:03:51 2012] [error]: RT could not load a valid user, and RT's configuration does not allow for the creation of a new user for this email (service@example.com). You might need to grant 'Everyone' the right 'CreateTicket' for the queue support. (/opt/rt3/bin/…/lib/RT/Interface/Email.pm:244)
[Sat Jun 16 04:03:51 2012] [error]: RT could not load a valid user, and RT's configuration does not allow for the creation of a new user for your email. (/opt/rt3/bin/…/lib/RT/Interface/Email.pm:244)
[Sat Jun 16 04:03:51 2012] [error]: Could not record email: Could not load a valid user (/opt/rt3/share/html/REST/1.0/NoAuth/mail-gateway:75)

While I definitely don't want to create a user account when a user is
trying to log in, I am not sure whether it is hurting the mail gateway.
Will anyone still be able to create a ticket through email after applying
the external auth module (patched version)?

Asif Iqbal