Autocreated users and ldap auth

RT Users
1

I’m using Authen::ExternalAuth and it seems to be working. If a user
logs in to RT using Active Directory credentials, they get in and get
autocreated.

However, if before RT login, they submit a ticket, they cannot log in:
rt complains that the email address is already in use (AD lookup finds
the email they submitted from) and says it’s in use. I think I’ve
misunderstood: I thought RT would treat identical info as one account,
and LDAP lookup would take precedence. How can I merge them so ldap
lookup is always used, whether they submitted a ticket or not…?

I’m not sure I’m asking this clearly. Should I be turning off the
create-on-ticket-submit functionality to achieve this?

Rob Munsch

IT Administrator

http://www.PhillyCarShare.org http://www.PhillyCarShare.org

Our wheels. Your freedom.

215-730-0988 x131

Robert Munsch.vcf (141 Bytes)

2

I’m using Authen::ExternalAuth and it seems to be working. If a user
logs in to RT using Active Directory credentials, they get in and get
autocreated.

However, if before RT login, they submit a ticket, they cannot log in:
rt complains that the email address is already in use (AD lookup finds
the email they submitted from) and says it’s in use. I think I’ve
misunderstood: I thought RT would treat identical info as one account,
and LDAP lookup would take precedence. How can I merge them so ldap
lookup is always used, whether they submitted a ticket or not…?

I’m not sure I’m asking this clearly. Should I be turning off the
create-on-ticket-submit functionality to achieve this?

I just ran into this myself when setting up our LDAP authentication.
Our problem was that the LDAP server did not actually have the email
address stored, so the username created in RT was the email address. I
had to go in and manually change the usernames of all the accounts with
email addresses in the username field.

What’s the value of ‘attr_match_list’ and ‘attr_map’ in your
RT_SiteConfig.pm file?

3

I’m using Authen::ExternalAuth and it seems to be working. If a user logs in to RT using Active Directory credentials, they get in and get autocreated.

However, if before RT login, they submit a ticket, they cannot log in: rt complains that the email address is already in use (AD lookup finds the email they submitted from) and says it’s in use. I think I’ve misunderstood: I thought RT would treat identical info as one account, and LDAP lookup would take precedence. How can I merge them so ldap lookup is always used, whether they submitted a ticket or not…?

I’m not sure I’m asking this clearly. Should I be turning off the create-on-ticket-submit functionality to achieve this?

I just ran into this myself when setting up our LDAP authentication. Our problem was that the LDAP server did not actually have the email address stored, so the username created in RT was the email address. I had to go in and manually change the usernames of all the accounts with email addresses in the username field.

What’s the value of ‘attr_match_list’ and ‘attr_map’ in your RT_SiteConfig.pm file?

Haven’t altered them from initial values, since it seemed to work at first…

The list of RT attributes that uniquely identify a user

         'attr_match_list'      => [    'Name',

                                        'EmailAddress',

                                   ],

         # The mapping of RT attributes on to LDAP attributes

          'attr_map'             =>  {   'Name' => 'sAMAccountName',

                                               'EmailAddress' => 'mail',

                                               'Organization' => 'physicalDeliveryOfficeName',

                                               'RealName' => 'cn',

                                                'ExternalAuthId' => 'sAMAccountName',

                                                'Gecos' => 'sAMAccountName',

                                                'WorkPhone' => 'telephoneNumber',

                                                'Address1' => 'streetAddress',

                                                'City' => 'l',

                                                'State' => 'st',

                                                'Zip' => 'postalCode',

                                                'Country' => 'co'

Our AD has email values defined. A ticket submitter gets created with account name “name@address,” which of course also becomes that autocreated users’ email address. The user then tries to log in, is checked on AD, their email address is the same, and it tells me “already a user with that email address.” I want to tell it “yes, same person, if credentials match let them in!”

Thanks,

Rob Munsch

IT Administrator

http://www.PhillyCarShare.org http://www.PhillyCarShare.org

Our wheels. Your freedom.

215-730-0988 x131

Robert Munsch.vcf (141 Bytes)