I would ideally like the following to work. I think I haven’t seen anything about hooking autocreated users to an LDAP lookup, but…
A user who’s never touched RT sends in a request from their company email. They are autocreated with this email account, and a username matching their sAMAccountName. When they come to RT to log in, the (already working) RT::Authen::ExternalAuth lookup finds their Active Directory info, sees the matching account name and email address, knows it’s the same account, and lets them in if the credentials are correct, as per a normal LDAP-auth’d login.
Right now, if a user logs in to RT without having ever sent in a request, LDAP auth lets them in, creates their account and populates it with their email, and when they send in a request after login it “knows” via the email that they’re an existing user. So it works in that order. But, as with most users, if they send in an email request first, their login fails. They’ve been created as “email@example.com”, then they log in via AD credentials, but both the LDAP login and the autocreated user have the same email address attribute, of course, and it barfs. Login fails with an “already a user with that email.”
What’s the cleanest way to get this to work? Users here have gotten a lot of new stuff to deal with lately, and more systems to log in to. I really want them just to be able to use their AD login info for RT, whether or not they’ve mailed in a request before.