LDAP authentication and existing users

I’ve been working on using LDAP authentication in our RT 3.6.6
installation using ExternAuth and have gotten quite a way on my own, but
have run into a minor speedbump.

People here have gotten used to submitting tickets to RT via email but
now we want to roll out the self-service interface, and authenticate
against our Active Directory server to log in. The problem I have is
that when RT automatically created the users, the RT username was set to
the email address of the requestor.

Now, I’ve discovered that the user cannot access the self-service
interface unless their username is changed from their email address to
their AD login. Has anyone ever seen a script that would take a list of
email addresses and look up the login name?

Also, does anyone know how I can get RT to use the login name instead of
the email address when it auto-creates a user upon getting a ticket from
a new user via email?

Thanks for any pointers tossed out here - I’m a newbie when it comes to
the world of LDAP and Active Directory!

Joe Hartley | Sr. Linux SysAdmin
Retail Solutions, Inc. (formerly VeriSign RDS)
40 Sharpe Drive
Cranston, RI 02920
joe.hartley@retailsolutions.com
+1 401.824.5040 (o) | +1 401.824.5002 (f)

With the default settings in
local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm, new users
will get created with their AD account name. At least, that is the way
it behaved for me. The down side was that external users with the same
account name (from a different domain, for example) could not open
tickets because of conflicting names. Once I changed the
'attr_match_list' to just the EmailAddress, the accounts started getting
created with the email address as the account name.

More than likely, at some point in time, you adjusted the
'attr_match_list' to only include the email address like so:
'attr_match_list' => [ 'EmailAddress' ],

The default is like the following:
'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName',
'WorkPhone', 'Address2' ],

However, your users can log in to RT’s interface using their email address.

We’re building for our users, outside of RT, a self-service interface,
complete with forms & faq’s. The forms simply submit email to RT with
all of the right answers filled out.

As far as adjusting the current accounts… yes, that can be scripted.
You’d have to look at the SQL tables to see what needs to be adjusted,
but it is definitely doable with minimal effort.

-Rich

Joe Hartley wrote:

I feel like I’m heading deeper and deeper down a rathole here…

> With the default settings in
> local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm, new users
> will get created with their AD account name. At least, that is the way
> it behaved for me.

That’ll be brilliant, I’ll have to find someone who hasn’t submitted a
ticket to try it out!

> The down side was that external users with the same
> account name (from a different domain, for example) could not open
> tickets because of conflicting names. Once I changed the
> 'attr_match_list' to just the EmailAddress, the accounts started getting
> created with the email address as the account name.
>
> More than likely, at some point in time, you adjusted the
> 'attr_match_list' to only include the email address like so:
> 'attr_match_list' => [ 'EmailAddress' ],

I’ve only been hacking at this a couple of days now, the only change was
to make "attr_match_list => ['Name', 'EmailAddress']," which is the new
default.

> However, your users can log in to RT’s interface using their email
> address.

This is not working for me, but I may be confused as to how it’s
supposed to work. Example: User John Doe has submitted a ticket in the
past via email. A user was created in RT with the username, email and
real name of John.Doe@example.com. John was unable to log into RT using
his email address. The logs show that the error on LDAP authentication
is “User not found or more than one user found.”

What’s even worse for me is that if John uses his network username to
log in, he’s successful, but RT creates a new user with the ID, so he
doesn’t see his tickets, and I can’t change the username on the user
account that is the requestor of the tickets, because now a user with
that name exists.

This Active Directory stuff is of the devil, I tell ya!

Thanks for the info, I appreciate it.

To close the thread here, I’ve changed all the RT accounts to use the AD
login name as the username within RT. All’s well with the
authentication, users can see their tickets in the self-service
interface.

On the downside, a new ticket created by an email from a user unknown to
the system did not get created with the AD username, but that’s because
the AD server did not have a value entered for the user’s email, a
side-effect of having an email service that does not use our AD for any
authentication.

Thanks for the help!

Joe Hartley | Sr. Linux SysAdmin
Retail Solutions, Inc. (formerly VeriSign RDS)
40 Sharpe Drive
Cranston, RI 02920
joe.hartley@retailsolutions.com
+1 401.824.5040 (o) | +1 401.824.5002 (f)
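The rename Rich says "can be scripted" and Joe reports having done by hand can be done through RT's own Perl API rather than by editing the SQL tables directly, so RT's uniqueness check on Name still applies. The script below is an added example written for this thread; it is not code from either poster or from RT-Authen-ExternalAuth. It assumes an RT 3.6 install under /opt/rt3, a read-only AD bind account, placeholder host and DN values (ad.example.com, DC=example,DC=com) that you must replace, and that the AD 'mail' attribute holds the same address RT stored as the username. Where 'mail' is empty in AD (the situation Joe describes at the end) or matches more than one account, the user is reported and left untouched; the same goes for the case where the AD login already exists as a separate RT user, which is the duplicate Joe ran into and which has to be merged by hand.

```perl
#!/usr/bin/perl
# Added example, not from the thread: rename RT users whose Name is an
# e-mail address to the matching AD sAMAccountName found via LDAP.
# Runs in report-only mode unless --commit is given.
use strict;
use warnings;
use lib '/opt/rt3/lib';          # assumed RT 3.6 install prefix
use RT;
use Net::LDAP;

RT::LoadConfig();
RT::Init();

# --- AD settings: placeholders, adjust for your domain ---
my $ldap_uri = 'ldaps://ad.example.com';   # LDAPS so the bind password is not sent in clear
my $bind_dn  = 'CN=rt-lookup,OU=Service Accounts,DC=example,DC=com';
my $bind_pw  = $ENV{RT_LDAP_PW} || die "set RT_LDAP_PW in the environment\n";
my $base_dn  = 'DC=example,DC=com';
my $dry_run  = !grep { $_ eq '--commit' } @ARGV;

my $ldap = Net::LDAP->new($ldap_uri) or die "LDAP connect failed: $@\n";
my $bind = $ldap->bind($bind_dn, password => $bind_pw);
die "LDAP bind failed: " . $bind->error . "\n" if $bind->code;

# Escape a value before embedding it in a filter (RFC 4515), so an
# unusual address stored in RT cannot change the meaning of the query.
sub ldap_escape {
    my $v = shift;
    $v =~ s/([\\*()\0])/sprintf('\\%02x', ord($1))/ge;
    return $v;
}

# Return the sAMAccountName for an e-mail address, or undef when AD has
# no entry or more than one entry with that 'mail' value.
sub lookup_login {
    my $email = shift;
    my $res = $ldap->search(
        base   => $base_dn,
        scope  => 'sub',
        filter => '(&(objectClass=user)(mail=' . ldap_escape($email) . '))',
        attrs  => ['sAMAccountName'],
    );
    die "LDAP search failed: " . $res->error . "\n" if $res->code;
    my @entries = $res->entries;
    return undef if @entries != 1;
    return scalar $entries[0]->get_value('sAMAccountName');
}

# Every RT user whose username looks like an e-mail address.
my $users = RT::Users->new($RT::SystemUser);
$users->Limit(FIELD => 'Name', OPERATOR => 'LIKE', VALUE => '%@%');

while (my $user = $users->Next) {
    my $old   = $user->Name;
    my $login = lookup_login($user->EmailAddress || $old);

    if (!defined $login) {
        print "SKIP   $old: no unique AD account with that mail address\n";
        next;
    }

    # The AD login may already exist as a separate RT user (created when
    # the person logged in with it); renaming would collide, so report it.
    my $existing = RT::User->new($RT::SystemUser);
    $existing->Load($login);
    if ($existing->Id && $existing->Id != $user->Id) {
        printf "SKIP   %s: '%s' already exists as user id %d, merge by hand\n",
            $old, $login, $existing->Id;
        next;
    }

    if ($dry_run) {
        print "WOULD  rename $old -> $login (re-run with --commit)\n";
        next;
    }
    my ($ok, $msg) = $user->SetName($login);
    print $ok ? "RENAME $old -> $login\n" : "FAIL   $old: $msg\n";
}

$ldap->unbind;
```

Run it once without arguments and read the report; only the lines marked WOULD change anything on a second run with --commit. The EmailAddress column is left as it was, so ticket correspondence still matches the same record, and mail from an address with no 'mail' value in AD keeps creating accounts named after the address, exactly as the last message in the thread describes.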