Login Window (How to not require the @domain.tld after username)

I think I’ve got things working pretty well. I’ve got LDAP login working on my new installation, but it’s requiring the user to log in as johndoe@example.com rather than just johndoe at the RT login window.

My RT_SiteConfig.pm has:

    Set($LDAPFilter, '(&(objectClass=person))');
    Set($LDAPMapping, {Name => 'userPrincipalName',
                       EmailAddress => 'mail',
                       RealName => 'name'});

    Set($ExternalSettings, {
        'My_LDAP' => {
            'type' => 'ldap',
            'filter' => '(objectClass=*)',
            'attr_match_list' => [
                'RealName',
                'EmailAddress',
            ],
            'attr_map' => {
                'Name' => 'userPrincipalName',
                'EmailAddress' => 'mail',
                'RealName' => 'name',
            },
        },
    });

I tried changing out “userPrincipalName” with “name” or “cn” (as the LDAP attribute userPrincipalName does have the whole johndoe@example.com, and other attributes like sAMAccountName, name, or cn are just the johndoe part), but no matter what I’m trying it just stops working with anything other than userPrincipalName in there.

Am I missing something else in the mappings?

If your users already exist in RT and have their whole email as their RT username, then that is what RT will look to log them in as. You can run the rt-ldapimport tool and set the following config:

    Set($LDAPUpdateUsers, 1);

Then I’d expect Set($LDAPMapping, {Name => 'userPrincipalName', to change the Name field for these users to userPrincipalName.

After looking more closely, I found that the RT log was not getting attributes for ‘RealName’ or ‘EmailAddress’ during login:

    [debug]: Attempting to use this canonicalization key: RealName
    [debug]: No value provided for RT user attribute RealName
    [debug]: Attempting to use this canonicalization key: EmailAddress
    [debug]: No value provided for RT user attribute EmailAddress

I then added ‘Name’ to the attr_match_list:

            'attr_match_list' => [
                    'RealName',
                    'EmailAddress',
                    'Name',
            ],

Now I am able to log in with just the first part of LDAP user names, e.g. “johndoe”.

I only had a couple test users in RT so far (they auto-create on first login of an LDAP user) and was able to manually just edit their usernames while logged in as the root RT user (fixing them as well).

All is now well. Thanks
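
The settings discussed in this thread, consolidated into one RT_SiteConfig.pm fragment as an added example (not part of the original posts and not the poster's actual file). It assumes an Active Directory server and maps Name to sAMAccountName, which the thread never confirms as the final choice; connection settings are omitted as they are in the thread.

```perl
# Added example, not the poster's file.
# Assumption: Active Directory, with the short logon name (sAMAccountName)
# used as the RT username. The thread does not say which attribute was
# finally mapped to Name.

# Mapping used by rt-ldapimport. Name points at the same LDAP attribute as
# attr_map below, so imported users and logged-in users get the same username.
Set($LDAPFilter, '(&(objectClass=person))');
Set($LDAPMapping, {
    Name         => 'sAMAccountName',
    EmailAddress => 'mail',
    RealName     => 'name',
});

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'filter' => '(objectClass=*)',
        # RT attributes tried, in order, as lookup keys against LDAP.
        # At the login prompt only the username is supplied, so RealName
        # and EmailAddress have no value (see the debug log above) and
        # Name has to be in this list for the lookup to succeed.
        'attr_match_list' => [
            'RealName',
            'EmailAddress',
            'Name',
        ],
        # RT attribute => LDAP attribute.
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'name',
        },
    },
});
```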