Hack using mod_auth_kerb and self service web ui

I’m not sure how exactly to phrase this, but I hope I can get my point
across. I don’t have a hack yet, but I’d like to try and set up a
seamless system to do the following:

Using mod_auth_kerb with apache1, I’m currently able to get users to log
in that have never touched RT before. It creates the user, but of course
no email address. I’d like to take their kerberos principal and use it to
formulate a default email address (username@ee.washington.edu). I’d also
like users that are created via web logins to be unprivileged by default
so that they’d automatically get the self service ui: currently they get
the default home page, even though they have no access to anything.

My only other issue is that if users email in a request, and that system
creates an account for them, the kerb account won’t match (and, in fact,
won’t allow concurrent use of a single email address), and the charade is
over. I really would like to avoid any steps for the admin on a
per-account basis to get this to work.

Is this a pipe dream?

Justin Clayton
VLSI Research System Administrator
University of Washington
Electrical Engineering Dept
justincl@u.washington.edu
206/543.2523 EE/CSE 307E

You didn’t say what version of rt you’re using. This should all be
possible in either rt2 or rt3, I have no idea about rt1. The mechanisms
are similar, but slightly different.

> Using mod_auth_kerb with apache1, I’m currently able to get users to log
> in that have never touched RT before. It creates the user, but of course
> no email address. I’d like to take their kerberos principal and use it to
> formulate a default email address (username@ee.washington.edu). I’d also
> like users that are created via web logins to be unprivileged by default
> so that they’d automatically get the self service ui: currently they get
> the default home page, even though they have no access to anything.

This is easy. IIRC you’ll need to modify the autohandler, or whatever
is doing the user creation to specify an email address, and make it
unprivileged.

> My only other issue is that if users email in a request, and that system
> creates an account for them, the kerb account won’t match (and, in fact,
> won’t allow concurrent use of a single email address), and the charade is
> over. I really would like to avoid any steps for the admin on a
> per-account basis to get this to work.

Assuming you can get some sort of lookup system to match the emails
to principals, you can get rt to use it for email address
canonicalization. (Flat files would work, ldap would work, whatever
you can code in perl will work.)

seph
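
The two mappings discussed in this thread, sketched as stand-alone Perl (an added example, not RT code and not written by either poster): a default address derived from the Kerberos principal, and a lookup that folds mailed-in addresses onto that same address so both paths resolve to one account. The realm `EXAMPLE.REALM`, the alias table and both function names are hypothetical; only the `ee.washington.edu` domain comes from the original post.

```perl
#!/usr/bin/perl
# Added illustration; realm, alias data and function names are assumptions.
use strict;
use warnings;

my $TRUSTED_REALM = 'EXAMPLE.REALM';      # placeholder: the thread does not name the realm
my $MAIL_DOMAIN   = 'ee.washington.edu';  # default domain from the original post

# Constructed alias table: address a user mails from -> Kerberos username.
# The reply suggests a flat file or LDAP as the real source for this data.
my %ALIAS_TO_USER = (
    'alice@u.washington.edu'  => 'alice',
    'alice.smith@example.org' => 'alice',
);

# Derive the default address from REMOTE_USER ("user@REALM", or bare "user"
# if the web server strips the realm). Returns nothing for service/instance
# principals (user/admin), foreign realms, or unexpected characters, so an
# unexpected principal never turns into a local mailbox name.
sub email_for_principal {
    my ($principal) = @_;
    return unless defined $principal;
    my ($name, $realm) =
        $principal =~ /\A([a-z][a-z0-9_.-]{0,31})(?:\@([A-Za-z0-9.-]+))?\z/
        or return;
    return if defined $realm && $realm ne $TRUSTED_REALM;
    return "$name\@$MAIL_DOMAIN";
}

# Canonicalize an incoming sender address: known aliases collapse to the
# same address the web login would produce; unknown senders pass through.
sub canonical_email {
    my ($addr) = @_;
    return unless defined $addr;
    $addr =~ s/\A\s+|\s+\z//g;
    $addr = lc $addr;
    my $user = $ALIAS_TO_USER{$addr};
    return defined $user ? "$user\@$MAIL_DOMAIN" : $addr;
}

# Constructed sample inputs.
for my $p ('alice@EXAMPLE.REALM', 'alice', 'alice/admin@EXAMPLE.REALM', 'alice@OTHER.REALM') {
    my $e = email_for_principal($p);
    printf "%-28s -> %s\n", $p, defined $e ? $e : '(rejected)';
}
for my $a ('Alice@U.Washington.edu', 'bob@example.net') {
    printf "%-28s -> %s\n", $a, canonical_email($a);
}
```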