Authentication Question

Hi,

I’m having a bit of trouble getting my head around how to do something with
RT.

We currently use RT internally as a helpdesk system, with users
authenticating (either by email or with the web interface) from our AD with
LDAP, however we’ve got a new system coming online which will be public
facing, and we want to handle support for this system through RT.

The problem is I currently have the following flag set in my RT_SiteConfig
to prevent non-LDAP users from authenticating:

Set($AutoCreateNonExternalUsers, 0);

In order to stop users being created when (for example) an external user is
cc’d to an email into one of our internal queues.

What I ideally want to do is restrict most of our queues to ‘LDAP users
only’, but be able to have a ‘public queue’ also - is there any way to do
this within the ExternalAuth extension, without manually adding all of my
LDAP users to a group within the RT system???

Thanks,

Mark

Mark Farrington

Broadcast Engineer

Global Traffic Network UK

Please note: Our office address has now changed to:
Global Traffic Network (UK) Ltd, 5th Floor, 5 Golden Square, London, W1F 9BS

Global Traffic Network (UK) is a limited Company registered in England and Wales. Registered number: 5867987 Registered office: 179 Great Portland Street, London, UK.

Global Traffic Network (UK) Commercial is a limited Company registered in England and Wales. Registered number: 2229296 Registered office: 179 Great Portland Street, London, UK.

This email is intended for the addressee only. If you have received this email in error, then please notify the sender immediately and delete the email without copying, storing or disclosing its contents to any other person.

Copyright of this email and its attachment(s) are the property of Global Traffic Network (UK) and/or Global Traffic Network (UK) Commercial, unless otherwise stated.
This email has been scanned by MessageLabs
and is free of all known viruses and spyware.

In order to stop users being created when (for example) an external
user is cc’d to an email into one of our internal queues.

What I ideally want to do is restrict most of our queues to ‘LDAP
users only’, but be able to have a ‘public queue’ also – is there any
way to do this within the ExternalAuth extension, without manually
adding all of my LDAP users to a group within the RT system???

Keep in mind that RT Users are global (i.e., they exist regardless of which queues they can access). I believe you might want to use groups to control access and allow RT to auto-create users in its local database.

Regards.

-lem

Hi!

On Monday, 11 January 2010 13:07:25 Mark Farrington wrote:

What I ideally want to do is restrict most of our queues to ‘LDAP users
only’, but be able to have a ‘public queue’ also - is there any way to
do this within the ExternalAuth extension, without manually adding all
of my LDAP users to a group within the RT system???

At least at my place, users that are created in the database from LDAP have
username=uid, realname=cn, email=mail,
whereas users that are autocreated from email have
username=email, realname=name (where possible), email=email.

If that’s similar at your place, you could maybe do some hack to deny
access for users who have an “@” in their username or so? :) Or have some
database trigger that does some “fancy stuff”, depending on where the users
come from?

Bye
Tobias


Thanks for this Luis,

Is there any way of automatically creating a group containing all LDAP users (so there’s no need to manually add a user to an RT group when they’re created on the LDAP server)?

Mark

Mark Farrington
Broadcast Engineer
Global Traffic Network UK
T : +44 (0) 1865 922102
M: +44 (0) 7919 160160

Staff IT Problems? :: Send your query to the helpdesk http://support

I’m using LDAP AD auth with RT and enabled the following option (set to 1)
to auto-create users:

AutoCreateNonExternalUsers 1

I have a question: if I have a user that exists in LDAP, then why is RT
creating a new auto user for them? How could I fix this?

Thanks,
Satish

On Jan 11, 2010, at 7:07 AM, “Mark Farrington” <mark.farrington@gtn.uk.com> wrote:

AutoCreateNonExternalUsers

I used the ldapimport RT::Extension::LDAPImport and I didn’t set anything specific to a group, but on import it did create a group called imported from ldap (something like that) and imported all of my ldap users into that group.

Ok,

I’ve been giving this some thought, and I think what I need to do is the
following.

- Allow non-LDAP users to be auto-created (this I can do)

- Either add LDAP users automatically to a group (which users that
are autocreated internally are not) or use some condition which is the
case with LDAP users and not with other users (such as no @ in username)

- Restrict queues to certain groups (this I can also do)

So what I need is a way to add users to groups when they are created based
on certain conditions being true.

Does anyone have any idea how to do this? (the domain name in the email
address would do the job)

Cheers,

Mark

Mark Farrington

Broadcast Engineer

Global Traffic Network UK


- Either add LDAP users automatically to a group (which users that are autocreated
internally are not) or use some condition which is the case with LDAP users and not with
other users (such as no @ in username)

The easiest solution for this may be adding the feature to
RT-Authen-ExternalAuth because RT doesn’t have easy "On User Create"
hooks.

It is mostly a matter of stealing code from LDAPImport and adding it
cleanly to ExternalAuth

-kevin

Ok,

I’ve got somewhere with this following falcone’s advice.

If it’s any use to anyone else, I added the following to ExternalAuth.pm (mostly borrowed from the LDAPImport Extension) - it’s creating a group based on the name of the Auth service in RT_SiteConfig and adding the user to it.

It needs some debug added (as there currently is none) - but if it can be of use to anyone feel free to borrow it.

M*

# Added By MRF
# Creates a group named after $service (the ExternalAuth service name from
# RT_SiteConfig) and adds the newly authenticated user to it.

my $rt_group = RT::Group->new($RT::SystemUser);

$rt_group->LoadUserDefinedGroup( $service );
unless ($rt_group->Id) {
    my ($gp_id, $gp_msg) = $rt_group->CreateUserDefinedGroup( Name => $service );
    unless ($gp_id) {
        #$self->_error("Can't create group $service [$gp_msg]")
    }
}

# Group already exists (or does now), so we can add the user to it.
# HasMember/AddMember take a principal (or its id), not the RT::User object,
# so go through PrincipalObj rather than passing CurrentUser directly.

my $principal = $session->{'CurrentUser'}->PrincipalObj;
if ($rt_group->Id && !$rt_group->HasMember($principal)) {
    #$self->_debug($session->{'CurrentUser'}->Name . " not yet a member of " . $rt_group->Name);
    $rt_group->AddMember($principal->Id);
}
Snip

Mark Farrington
Broadcast Engineer
Global Traffic Network UK

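As an added example (not Mark's code and not part of ExternalAuth or LDAPImport), here is the other half of the plan as a one-off RT admin script: it grants the per-service group rights on the internal queues and opens only the public queue to Everyone. The RT lib path, the service name 'My_LDAP' and the queue names 'Helpdesk' and 'Public' are assumptions.

```perl
#!/usr/bin/perl
# Added example: grant queue rights to the group the ExternalAuth hook
# creates, and open only the public queue to Everyone.
# Assumptions: RT is installed in /opt/rt3, the ExternalAuth service is
# named 'My_LDAP', and the queues are called 'Helpdesk' and 'Public'.
use strict;
use warnings;
use lib '/opt/rt3/lib';
use RT;
RT::LoadConfig();
RT::Init();

my $service_group   = 'My_LDAP';
my @internal_queues = ('Helpdesk');
my $public_queue    = 'Public';
my @rights          = qw(SeeQueue CreateTicket ReplyToTicket);

my $ldap_group = RT::Group->new($RT::SystemUser);
$ldap_group->LoadUserDefinedGroup($service_group);
die "Group $service_group does not exist yet (log in once via ExternalAuth)\n"
    unless $ldap_group->Id;

my $everyone = RT::Group->new($RT::SystemUser);
$everyone->LoadSystemInternalGroup('Everyone');

# Grant one right to a principal on a queue, skipping rights already held.
sub grant {
    my ($principal, $queue, $right) = @_;
    return if $principal->HasRight(Right => $right, Object => $queue);
    my ($ok, $msg) = $principal->GrantRight(Right => $right, Object => $queue);
    warn "Could not grant $right on " . $queue->Name . ": $msg\n" unless $ok;
}

for my $name (@internal_queues) {
    my $queue = RT::Queue->new($RT::SystemUser);
    $queue->Load($name) or die "No queue named $name\n";
    grant($ldap_group->PrincipalObj, $queue, $_) for @rights;
    # Internal queues must not be reachable by email-autocreated users,
    # so flag any right Everyone still holds here for manual revocation.
    for my $right (@rights) {
        warn "Everyone still holds $right on $name; revoke it\n"
            if $everyone->PrincipalObj->HasRight(Right => $right, Object => $queue);
    }
}

# The public queue is the one place unprivileged (auto-created) users may post.
my $public = RT::Queue->new($RT::SystemUser);
$public->Load($public_queue) or die "No queue named $public_queue\n";
grant($everyone->PrincipalObj, $public, $_) for qw(CreateTicket ReplyToTicket);
```

Because the group is only populated when someone authenticates through ExternalAuth, users auto-created from inbound email never gain the internal-queue rights.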

Ok,

I’ve got somewhere with this following falcone’s advice.

Jason

If you have time to turn this into a patch and send it along to
bug-RT-Authen-ExternalAuth at rt.cpan.org it’d make it a lot easier
for us to see in context and try to include it in a future release.

-kevin