External Authentication Patch Set

Folks,

I’ve completed the framework I deemed necessary to allow for external
authentication. I believe that in order to defer to an external
authentication service you want to verify new users against that
authentication service before adding them to the system. This patch set
does that for automatic additions via incoming requests. It does not,
however, protect against an administrator directly adding a user via the
RT admin interfaces (CLI or web). These files were modified as follows:

  • etc/config.pm
    added $WebExternalAuth - require external auth
    added $IncomingUserMatch - attempt external user
    verification
    added $ForceIncomingUserMatch - require external user
    verification

  • WebRT/html/autohandler
    require REMOTE_USER if $WebExternalAuth is defined

  • bin/rt-mailgate
    corrected bug in order of ErrorsTo and CurrentUser
    initialization
    Expanded MailError subroutine to handle any loglevel
    error defaulting to critical
    Added hook in GetCurrentUser subroutine for matching
    incoming request user with external data source
    Added code to handle policy to require incoming user
    match. Makes assertion that a template called
    AutoRejectRequest should exist

These changes are all based upon the 2.0.0 release. Please let me know
what you think. I’ll include in the next day or so an example for external
user matching. This patch set was written per Jesse’s challenge of 6/28/01
in the thread “Re: [rt-users] RT2 and External Auth?” Enjoy!

Regards,
Christian

Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
IBM Software Group

diffs.tar (11.5 KB)

I’ve updated the framework with the following modifications. Attached are
the requisite diffs.

  • bin/rt-mailgate
    Corrected bug that disallowed user creation
    even if the user was found externally

  • WebRT/html/User/Prefs.html

  • WebRT/html/SelfService/Prefs.html

  • WebRT/html/Admin/Users/Modify.html
    Removed password update ability if $WebExternalAuth
    is defined

Regards,
Christian

Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
IBM Software Group

rt-diffs.tar (16 KB)
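
An added illustration of the incoming-mail policy the two posts above describe; it is not code from the patch set or from RT. Only `$IncomingUserMatch`, `$ForceIncomingUserMatch` and the `AutoRejectRequest` template name come from the posts. The sub names, the hash-backed directory, the `source_up` switch and the exact interaction of the two flags are assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not the patch set's code. Every name here except the
# two config flags and the AutoRejectRequest template is hypothetical.
use strict;
use warnings;

# Constructed stand-in for the external data source (e.g. a directory).
my %external_directory = map { $_ => 1 } qw(alice@example.com bob@example.com);

# Hypothetical lookup hook: returns 1/0, dies if the source is unreachable.
sub external_user_exists {
    my ($address, $source_up) = @_;
    die "external source unreachable\n" unless $source_up;
    return exists $external_directory{ lc $address } ? 1 : 0;
}

# Decide what the mail gateway does with a sender RT does not know yet.
# Returns 'create' or 'reject:AutoRejectRequest'.
sub decide_unknown_sender {
    my (%arg) = @_;
    # Assumption: with no matching configured, users are created as before.
    return 'create' unless $arg{IncomingUserMatch};

    my $found = eval { external_user_exists($arg{address}, $arg{source_up}) };
    my $lookup_failed = $@ ? 1 : 0;

    return 'create' if $found;    # verified externally, so creation proceeds
    # Not verified, or not verifiable: a required match fails closed.
    return 'reject:AutoRejectRequest' if $arg{ForceIncomingUserMatch};
    warn "external lookup failed; creating unverified user\n" if $lookup_failed;
    return 'create';
}

# Constructed cases: address, IncomingUserMatch, ForceIncomingUserMatch, source up.
for my $case (
    [ 'alice@example.com',   1, 1, 1 ],
    [ 'mallory@example.net', 1, 0, 1 ],
    [ 'mallory@example.net', 1, 1, 1 ],
    [ 'alice@example.com',   1, 1, 0 ],    # source down while a match is required
) {
    my ($addr, $match, $force, $up) = @$case;
    printf "%-22s match=%d force=%d up=%d -> %s\n", $addr, $match, $force, $up,
        decide_unknown_sender(address => $addr, IncomingUserMatch => $match,
            ForceIncomingUserMatch => $force, source_up => $up);
}
```

The last case shows why the lookup's failure mode matters: with a required match, an unreachable directory has to reject rather than create, otherwise an outage turns verification off.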

Hi Christian,

You posted a message here a few weeks ago, talking about an example
LDAP authentication you will do / have done.
Do you think you will be able to post these diffs here?
I’m very interested in this work because I have to do exactly the same
here…
If I can help out somewhere, just tell me!

Thanks a lot,

Roland

On Thu, 12 Jul 2001, Christian Gilmore wrote:

I’ve updated the framework with the following modifications. Attached are
the requisite diffs.

  • bin/rt-mailgate
    Corrected bug that disallowed user creation
    even if the user was found externally

  • WebRT/html/User/Prefs.html

  • WebRT/html/SelfService/Prefs.html

  • WebRT/html/Admin/Users/Modify.html
    Removed password update ability if $WebExternalAuth
    is defined

Regards,
Christian


Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
IBM Software Group

Roland,

I’ve been thinking of holding off on providing an example until I see how
Jesse integrates the diffs. Speaking of which, Jesse, I’ve a couple more
on this topic to provide. I’ll send them directly to you.

Regards,
Christian