Questions about ExternalAuth

Hi,

I have a few questions about the ExternalAuth plugin, I’m thinking of
implementing it but I’d like to know a few things before I start:

  • Will the plugin ensure that only LDAP users can log in? (I’m assuming
    yes)
  • What happens if just a random LDAP user logs into RT? Will he/she be
    marked as privileged, or will they simply go to the SelfService portal?
    • (I’m hoping the last + thus that a random LDAP user won’t have any
      rights until I define them inside RT).
  • What happens when a new requestor sends an e-mail, by default RT
    creates an unprivileged user but what I’d want is that RT only creates that
    user inside its own database (not inside the LDAP). Is this how
    ExternalAuth works or will ExternalAuth try to create that user inside the
    LDAP?
  • When I only use the LDAP for authentication, do I need to configure the
    RT MySQL database as well for information or is the DB configuration only
    required for extra databases outside RT’s own database?

I wasn’t able to get the above answers in the documentation, even though I
expect the answers to be pretty straightforward. I just want to make sure
that I understand the plugin correctly before I start testing it, if
ExternalAuth does things differently from what I’m hoping then I might have
to look into WebExternalAuth instead (though I’m leaving that one as a last
resort).

Thanks in advance for replying :)

– Bart

> * Will the plugin ensure that only LDAP users can log in? (I'm assuming yes)

There’s a configuration option to control who can log in.
You will always be able to log in as a non-disabled internal RT user
if the user has a password set (such as the root user).

> * What happens if just a random LDAP user logs into RT? Will he/she be marked as privileged,
>   or will they simply go to the SelfService portal?

This is configurable by you using $AutoCreate.
Also, you can limit which LDAP users can log in by writing an
appropriate filter.

>      * (I'm hoping the last + thus that a random LDAP user won't have any rights until I
>        define them inside RT).

> * What happens when a new requestor sends an e-mail, by default RT creates an unprivileged
>   user but what I'd want is that RT only creates that user inside its own database (not
>   inside the LDAP). Is this how ExternalAuth works or will ExternalAuth try to create that
>   user inside the LDAP?

ExternalAuth will never attempt to create a user in your external LDAP
server.

> * When I only use the LDAP for authentication, do I need to configure the RT MySQL database
>   as well for information or is the DB configuration only required for extra databases
>   outside RT's own database?

Do not attempt to configure RT::Authen::ExternalAuth to authenticate
against RT’s internal database. It automatically falls back to
internal auth.

> I wasn’t able to get the above answers in the documentation, even though I expect the answers
> to be pretty straightforward. I just want to make sure that I understand the plugin correctly
> before I start testing it, if ExternalAuth does things differently from what I’m hoping then I
> might have to look into WebExternalAuth instead (though I’m leaving that one as a last
> resort).

WebExternalAuth works quite differently, as it relies on your web
server config.

It would be great to see a patch to the documentation now that you
have these answers.

-kevin
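
The settings discussed in this reply, put together as an added example (not part of the original thread and not the project's own sample): an `RT_SiteConfig.pm` fragment that limits LDAP logins with a filter and auto-creates those users as unprivileged. The service name `Example_LDAP`, the hostname, DNs, filters and credentials are constructed placeholders, and the `memberOf` filter assumes a directory that exposes that attribute.

```perl
# RT_SiteConfig.pm: added illustration. Every hostname, DN, filter and
# credential below is a constructed placeholder.
Set( @Plugins, qw(RT::Authen::ExternalAuth) );

# Only the LDAP service is listed. RT's internal database is not configured
# as an external service; internal password auth is the automatic fallback.
Set( $ExternalAuthPriority, ['Example_LDAP'] );
Set( $ExternalInfoPriority, ['Example_LDAP'] );

# Users auto-created on first login start unprivileged (SelfService only)
# until rights are granted inside RT.
Set( $AutoCreate, { Privileged => 0 } );

Set( $ExternalSettings, {
    'Example_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ldap.example.com',
        # Bind account used for lookups; ExternalAuth never creates
        # directory entries, so read-only access is enough.
        'user'   => 'cn=rt-bind,ou=service,dc=example,dc=com',
        'pass'   => 'CHANGE_ME',
        'base'   => 'ou=people,dc=example,dc=com',
        # Only entries matching this filter can authenticate through LDAP.
        'filter' => '(&(objectClass=inetOrgPerson)'
                  . '(memberOf=cn=rt-users,ou=groups,dc=example,dc=com))',
        # Entries matching this filter are treated as disabled.
        'd_filter' => '(employeeType=disabled)',
        # Use StartTLS so the bind and user passwords are not sent in clear.
        'tls'           => 1,
        'net_ldap_args' => [ version => 3 ],
        # RT fields used to match an LDAP entry to an RT user, and the
        # LDAP attributes that populate each RT field.
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map'        => {
            'Name'         => 'uid',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
        },
    },
} );

1;
```

Internal RT accounts that are enabled and have a password set, such as root, can still log in alongside this configuration, so those passwords need the same care as the directory's.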

Thanks for the answers :)

I’ll give it a go in our testing environment and see if I can make
something out of it.

As for documentation, there are a lot of things that I’ve documented for
myself. I just need to find some time to submit them to the wiki.

– Bart

On 27 November 2011 at 02:03, Kevin Falcone <falcone@bestpractical.com> wrote the following:
> On Thu, Nov 24, 2011 at 09:14:26AM +0100, Bart wrote:


