Auto-created user name that isn't = email?

Can we prevent RT from using an email address as username when auto-creating new users who email our RT instance?
Methods I’ve thought of trying to accomplish this in RT:
A. Drop the domain portion (e.g. “@contoso.com”) from the email when assigning it as the username
B. Try to pull the user’s info via LDAP import based on email
C. Simply leave the username blank

Does anyone know how I could configure RT to accomplish one of these options?

Reasons: If a user emails RT before logging in, it appears that RT automatically creates a user with both the username and email fields matching the From: address.

The problem for us is that this breaks Self Service access, because our users log in via SSO and are redirected to SelfService, but it fails with an error because the SSO username does not include the “@domain” portion of the email that RT assigns as the username.
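One way to get option A (strip the domain before the name is stored) is to hook RT's user auto-creation rather than patch the database afterwards. The example below is added here and is not code from the thread or from RT itself. It assumes that RT::User->Create passes its argument hash through the CanonicalizeUserInfo hook and that RT loads a local/lib/RT/User_Local.pm overlay after the core module; check your RT version's lib/RT/User.pm before relying on either. The domain list is a placeholder. It also adds the check a defender would want: a short name is only assigned when no existing account already owns it, so mail from a look-alike address cannot silently attach itself to another user's account.

```perl
# local/lib/RT/User_Local.pm  (added example; assumes RT's *_Local overlay
# mechanism and the CanonicalizeUserInfo hook on RT::User)
package RT::User;

use strict;
use warnings;
no warnings 'redefine';   # we intentionally replace the core stub

# Only addresses from these domains get the local part as Name. Anything else
# keeps RT's default (Name = full address), so "jdoe@other.example" can never
# collapse into the same account as "jdoe@contoso.com". Placeholder domain.
my %TRUSTED_DOMAINS = map { lc($_) => 1 } qw(contoso.com);

# Called by RT::User->Create with a reference to the creation args (assumed).
# Returning true lets creation proceed with whatever is left in $args.
sub CanonicalizeUserInfo {
    my ($self, $args) = @_;

    my $email = $args->{EmailAddress} // '';
    return 1 unless length $email;

    # Only act on the autocreate case, where Name defaults to the address.
    return 1 unless ($args->{Name} // '') eq $email;

    my ($local, $domain) = $email =~ /^([^@\s]+)@([^@\s]+)$/;
    return 1 unless defined $domain;
    return 1 unless $TRUSTED_DOMAINS{ lc $domain };

    # Refuse to hand an existing account's Name to a new address.
    my $existing = RT::User->new( RT->SystemUser );
    $existing->LoadByCols( Name => $local );
    if ( $existing->Id
        && lc( $existing->EmailAddress // '' ) ne lc $email )
    {
        RT->Logger->warning(
            "Autocreate: not assigning Name '$local' to $email; "
            . "that Name already belongs to user id " . $existing->Id );
        return 1;
    }

    $args->{Name} = $local;
    return 1;
}

1;
```

Because the check happens inside RT, it also covers users created by other paths that go through RT::User->Create, not only the mail gateway. If your SSO usernames are case-insensitive, normalise $local with lc as well so the LoadByCols lookup and the stored Name agree.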

Which SSO service are you using to log in?

Hey,

I expect the usual approach would be to run rt-ldapimport on a regular basis. You can configure which LDAP field is used for the username in RT. The email address in LDAP is imported and used for matching inbound email.

I run rt-ldapimport hourly.

Cheers,
Andrew

I considered that, but it appears that RT checks every name in the ldap user directory against its internal database. Since our rt db only has a few thousand users (of which most are already up to date), and the ldap directory count is several 100,000s, that means we’re checking all those addresses just to find a couple matches. That took about 30 minutes when I ran a test, and I’m concerned that the SysAdmin in charge of LDAP will block my rt server for excessive requests if I made it a regular scheduled process.

If RT was able to only check the rt users created in a certain time range, I’d do it in a second.

Well, that certainly complicates it! :wink:

If you did want to go down the route of sync’ing to LDAP, you may want a custom importer which only searches for users that already exist in RT, or that are within a group in LDAP. But given the idea of sync’ing was to have the users pre-exist in RT, it may not be a good route to follow.

Perhaps you could have something in RT which when new email is received, looks up non-existing users in LDAP and uses the username found there? I’m not sure if RT already has this functionality available or not.

Cheers,
Andrew

What about doing it the opposite way? Map the RT Name field to LDAP mail field for everybody. That way, the autocreated accounts are already correct.

That requires renaming everybody which already has an account, but it’s simple to do with SQL: UPDATE Users SET Name=EmailAddress WHERE EmailAddress != '';

You could then allow signing in by providing either the Name or the EmailAddress (maybe store the account name on RealName for lookups via attr_match_list?).


Right now, our SSO matches against the ‘username’, which does not include the ‘@domain.name’. So making the change you suggest would break SSO authentication since the RT name ‘user@domain.name’ wouldn’t match the SSO ‘user’ designation.

In order to make that work, I’d also need to change the Shibboleth SSO configuration so that it authenticates users using the full email@domain.name. But I don’t know where to change that at present.