Migrating to LDAP

Hi List,

I’ve got a question I’m hoping someone here can help me with. I have
an existing installation of RT that I’d like to move to another server
and upgrade. As part of this process, I want to switch to
RT::Authen::ExternAuth for authentication. I’m changing people’s
passwords as part of this. I’ve set up a test system, but I’ve
noticed something kind of odd in its behavior. It seems like people
can authenticate with either their old password or their new. That
is, it seems like both the Users table and the LDAP directory are
being consulted. If the user’s password is correct in either one of
them, the user gets in; but the user has to enter the wrong password
according to both before authentication fails. Have I missed
something? What can I do to make sure that only the LDAP directory
gets used?

Thanks,

James

[…]

RT::Authen::ExternAuth for authentication. I’m changing people’s
passwords as part of this. I’ve set up a test system, but I’ve
noticed something kind of odd in its behavior. It seems like people
can authenticate with either their old password or their new. That
is, it seems like both the Users table and the LDAP directory are
being consulted. If the user’s password is correct in either one of
them, the user gets in; but the user has to enter the wrong password
according to both before authentication fails. Have I missed
something? What can I do to make sure that only the LDAP directory
gets used?

This is (as far as I understand) done by intent. E.g. your “root” user
for RT is likely not in LDAP, so you need to have a local password for
it, otherwise you cannot log into the web interface.

Simply drop all (user) passwords from the user table, and only LDAP will
work (well, until a user manually sets a password in RT again).

Best regards,

Ruediger Riediger

Dr. Ruediger Riediger, CISSP
ITSO-M / SunCERT
Sun Microsystems GmbH
Komturstr. 18a
D-12099 Berlin
mailto:Ruediger.Riediger@Sun.com
TZ=ME(S)T [GMT+1/+2]
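The behaviour James describes and the fix Ruediger suggests can be modelled in a few lines. The following is an added example, not code from RT or from either poster: a constructed stand-in for RT's Users table in SQLite (RT's real schema does have a Users table with Name and Password columns, but the password hash format used here is a simplified PBKDF2, not RT's own), a constructed stand-in for the LDAP bind, an authenticate() that tries the external check and then falls through to the local one, and the cleanup step that nulls local passwords for every account except a list of keepers such as root. The users_with_local_password() helper is the audit a practitioner would run afterwards to confirm nothing but the intended local accounts can still bypass LDAP.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 10000  # constructed parameter for the toy hash, not RT's


def hash_password(pw, salt=None):
    """Salted PBKDF2 hash, stored as 'salthex$dkhex'. Toy format, not RT's."""
    salt = salt or os.urandom(8)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def make_users_db(accounts):
    """Constructed stand-in for RT's Users table (only the columns we need).

    accounts: iterable of (Name, plaintext password or None).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, Name TEXT UNIQUE, Password TEXT)"
    )
    for name, pw in accounts:
        stored = hash_password(pw) if pw else None
        conn.execute("INSERT INTO Users (Name, Password) VALUES (?, ?)", (name, stored))
    conn.commit()
    return conn


def check_local_password(conn, name, pw):
    """Local (Users table) check. A user with no stored hash can never pass."""
    row = conn.execute("SELECT Password FROM Users WHERE Name = ?", (name,)).fetchone()
    if row is None or not row[0]:
        return False
    salt_hex, dk_hex = row[0].split("$")
    expected = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(expected.hex(), dk_hex)


# Constructed stand-in for the LDAP directory: user -> the *new* password.
LDAP_DIRECTORY = {"alice": "new-pw-alice", "bob": "new-pw-bob"}


def check_ldap_password(name, pw):
    """Stand-in for an LDAP bind with the user's credentials."""
    return LDAP_DIRECTORY.get(name) == pw


def authenticate(conn, name, pw):
    """Model of the fall-through James observed: external first, then local.

    Login succeeds if *either* source accepts the password, so a user keeps
    working with the old local password until that hash is removed.
    """
    return check_ldap_password(name, pw) or check_local_password(conn, name, pw)


def clear_local_passwords(conn, keep=("root", "RT_System", "Nobody")):
    """Ruediger's fix: drop the local password of every user except the keepers.

    The keepers default to RT's built-in accounts; root stays local because,
    as the reply notes, it is usually not in LDAP. Returns rows changed.
    """
    placeholders = ",".join("?" * len(keep))
    cur = conn.execute(
        f"UPDATE Users SET Password = NULL WHERE Name NOT IN ({placeholders})", keep
    )
    conn.commit()
    return cur.rowcount


def users_with_local_password(conn):
    """Audit query: who can still log in without the directory being consulted?"""
    rows = conn.execute(
        "SELECT Name FROM Users WHERE Password IS NOT NULL AND Password <> '' ORDER BY Name"
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    # Constructed sample accounts with their *old* local passwords.
    db = make_users_db([("root", "local-root-pw"), ("alice", "old-pw-alice"), ("bob", "old-pw-bob")])
    print("before:", users_with_local_password(db))
    print("alice old pw:", authenticate(db, "alice", "old-pw-alice"))
    print("cleared:", clear_local_passwords(db))
    print("after:", users_with_local_password(db))
    print("alice old pw:", authenticate(db, "alice", "old-pw-alice"))
    print("alice LDAP pw:", authenticate(db, "alice", "new-pw-alice"))
```

Against a real RT database the cleanup is the corresponding UPDATE on the Users table; take a database backup first and confirm, for the RT version in use, which stored value RT's own password check treats as "no password" (NULL is what this model assumes). Run the audit query again after any migration step, since, as Ruediger points out, a user who sets a password through the RT interface re-enables the local fallback for that account.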

[…]

RT::Authen::ExternAuth for authentication. I’m changing people’s
passwords as part of this. I’ve set up a test system, but I’ve
noticed something kind of odd in its behavior. It seems like people
can authenticate with either their old password or their new. That
is, it seems like both the Users table and the LDAP directory are
being consulted. If the user’s password is correct in either one of
them, the user gets in; but the user has to enter the wrong password
according to both before authentication fails. Have I missed
something? What can I do to make sure that only the LDAP directory
gets used?

This is (as far as I understand) done by intent. E.g. your “root” user
for RT is likely not in LDAP, so you need to have a local password for
it, otherwise you cannot log into the web interface.

Simply drop all (user) passwords from the user table, and only LDAP will
work (well, until a user manually sets a password in RT again).

Thanks for the info, Ruediger. To make sure my understanding is
clear, that’s “wipe out the user passwords from the Users table” and
not “delete all entries from the Users table”, right?

Thanks again,

James