ExternalAuth for requestors but not privileged users?

I think this will work, soliciting opinions before I do something stupid, though:

  • Large group of unprivileged users (i.e. requestors), accessible via LDAP
  • Small group of privileged users (i.e. staff), NOT in that ldap directory

I create the staff in the local RT user database, and set up ExternalAuth to the LDAP directory. Pass-through feature allows staff to log in and use the system, but everything gets searched for in LDAP first. Right?

-Adam Thompson

athompso@athompso.net

(204) 291-7950 - direct

(204) 489-6515 - fax

RT-Authen-ExternalAuth falls back to internal auth if the username /
pass doesn’t match in LDAP

-kevin

I’m sure I saw something about this a little while ago, but I can’t find
it now. Sorry if this is rehashing old material…

Is there any way to have RT-Authen-ExternalAuth try more than one LDAP
server in a defined order? I’m thinking of something like having it query
Active Directory first for staff, then the LDAP server with all our
customer accounts, finally falling back to local DB for root only?

Thanks,

-Adam Thompson
athompso@athompso.net

Yes. You can give it an array of ldap servers to talk to.

Tim

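The ordering asked about in this thread (Active Directory for staff, then the customer LDAP, then RT's internal auth), written as an RT_SiteConfig.pm fragment. This is an added example, not configuration posted by anyone in the thread. The option names are those documented by RT::Authen::ExternalAuth; the service names, hostnames, DNs, filters and credentials are placeholders, and the options should be checked against the installed version.

```perl
# RT_SiteConfig.pm fragment (added example; all values below are placeholders)

# Services are tried in the order listed. Each name is a key in $ExternalSettings.
Set( $ExternalAuthPriority, [ 'Staff_AD', 'Customer_LDAP' ] );
Set( $ExternalInfoPriority, [ 'Staff_AD', 'Customer_LDAP' ] );

# Load SSL/TLS support so the 'tls' settings below can be honoured.
Set( $ExternalServiceUsesSSLorTLS, 1 );

# Do not auto-create RT accounts for names that no directory knows about.
Set( $AutoCreateNonExternalUsers, 0 );

Set( $ExternalSettings, {
    'Staff_AD' => {
        'type'     => 'ldap',
        'server'   => 'ad.example.com',
        'user'     => 'CN=rt-bind,OU=Service,DC=example,DC=com',  # read-only bind account
        'pass'     => 'CHANGE_ME',
        'base'     => 'OU=Staff,DC=example,DC=com',
        'filter'   => '(objectClass=user)',
        # Matches disabled accounts only (AD ACCOUNTDISABLE bit), so they are refused.
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'      => 1,
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
        },
    },
    'Customer_LDAP' => {
        'type'     => 'ldap',
        'server'   => 'ldap.example.com',
        'user'     => 'cn=rt-bind,ou=services,dc=example,dc=com',
        'pass'     => 'CHANGE_ME',
        'base'     => 'ou=customers,dc=example,dc=com',
        'filter'   => '(objectClass=inetOrgPerson)',
        'd_filter' => '(objectClass=FooBarBaz)',  # placeholder that matches no entry
        'tls'      => 1,
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name'         => 'uid',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
        },
    },
} );

# A login that matches neither service falls through to RT's internal
# password check, as noted earlier in the thread.
```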