Recommended method for autocreating users with Active Directory and Authen-ExternalAuth

Hi,

My question is in the subject. I see many things (most of them
outdated) in the wiki, but none looks like the one I want.

My problem is simple and IMO should be part of the
RT-Authen-ExternalAuth plugin. This plugin is nice to authenticate
users against an AD, but my AD is huge and I want users to be created
(unprivileged) on the fly, when added as watchers for example. The
problem is that currently their login is the email address and I want
the AD login instead.

I think it’s easy to do, I can develop it, but I’m sure something
already exists for this. How do you do this? Is it planned to be (or
is it already?!) included in RT-Authen-ExternalAuth?

Thanks,

PS: I think it’s more or less this:
http://www.zanfur.com/rt3-contrib/AutoCreateFromExternalUserInfo/CurrentUser_Local.pm,
but using RT-Authen-ExternalAuth variables.
L.B.

The problem is that RT-Authen-ExternalAuth isn’t tweaking the Name
when canonicalizing user info (it still looks you up by the email
address) and it’s a bit of work to fix that. I believe Mike has said
that it is the next thing he would like to do with the module, but he
doesn’t know when he will have time.

If you do come up with a patch, please send it along so it can be
considered for inclusion

-kevin

I’m going to think about it, but the problem I see is that email
addresses might not be unique (I mean we can have two AD accounts with
the same email address).

I have already done a script to mass-rename email addresses to AD
logins, because we have used AD authentication for a long time and we
wanted to make the users use their AD login instead of their email
address. This script is not linked to the plugin, but I think it might
be useful for some admins. I can upload it to the wiki or maybe it can
be part of an “extras” directory in the plugin package. I have to clean
up my code and make it generic, but it does the job; I have already
applied it successfully on many RT instances.

Don’t you think
http://www.zanfur.com/rt3-contrib/AutoCreateFromExternalUserInfo/CurrentUser_Local.pm
but using RT-Authen-ExternalAuth variables could do the on-the-fly job?
Maybe with some stuff to check duplicates etc.

If you think it doesn’t, can you or Mike point me in the right
direction to (try to) develop it?

Thanks !
L.B.

LB,

This would REALLY help me. I’ve been doing this one user at a
time whenever I get some free time (which isn’t often). I’d love a copy
of your code. Thanks.

Kenn
LBNL

Why bother with that, when you just need to change the attribute you’re
using for the account name. Here’s a sanitized version of my
RT_SiteConfig.pm

# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a Perl module, so you can include valid
# Perl code, as well.
#
# The converse is also true, if this file isn't valid Perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
# perl -c /path/to/your/etc/RT_SiteConfig.pm

Set($rtname, 'minervanetworks.com');
Set($Organization, "minervanetworks.com");
Set($Timezone, 'US/Pacific');
Set($WebPath, "/rt3");
Set($WebPort, 443);
Set($WebDomain, 'rt.minervanetworks.com');
Set($WebBaseURL, 'https://' . RT->Config->Get('WebDomain') . ':' .
    RT->Config->Get('WebPort'));
Set($WebURL, RT->Config->Get('WebBaseURL') . RT->Config->Get('WebPath') .
    "/");
Set($WebImagesURL, RT->Config->Get('WebPath') . "/NoAuth/images/");
Set($WebImagesURL , $WebPath . "/images/"); # need this for below (overrides the line above)
Set($LogoURL, "https://rt.minervanetworks.com/Home_Logo.jpg");
Set($LogoLinkURL, 'https://www.minervanetworks.com/');
Set($LogoAltText, "Minerva Networks");
Set($AutoLogoff, 30);
Set($EnableReminders,1);
Set($LogToSyslog, 'info');
Set($LogDir, '/var/log');
Set($LogToFileNamed, "rt.log");
Set($LogToFile, 'info');
Set($NotifyActor, 1);
Set($OwnerEmail , 'XXXXXXXX@minervanetworks.com');
Set(@Plugins, qw(RT::Authen::ExternalAuth RT::FM));

# The $LDAP* settings below are read by the older LDAP user overlay, not by
# RT::Authen::ExternalAuth, which reads $ExternalSettings further down.
Set($LDAPHost, 'HOSTNAME.DOMAIN.TLD');
Set($LDAPUser, 'cn=BINDUSER,dc=DOMAIN,dc=TLD');
Set($LDAPPassword, 'PASSWORD');
Set($LDAPBase, 'dc=minervanetworks,dc=com');
Set($LDAPFilter, '(&(objectClass=user))');
Set($LDAPMapping, {
    'Name' => 'sAMAccountName',
    'EmailAddress' => 'mail',
    'RealName' => 'cn',
    'ExternalAuthId' => 'sAMAccountName',
    'Gecos' => 'sAMAccountName',
    'WorkPhone' => 'telephoneNumber',
    'Address1' => 'streetAddress',
    'City' => 'l',
    'State' => 'st',
    'Zip' => 'postalCode',
    'Country' => 'co'
    }
);
Set($LDAPGroupName,'Employees');
Set($LDAPUpdateUsers,1);

# RT::Authen::ExternalAuth settings
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set(
    $ExternalSettings, {
        'My_LDAP' => {
            'type' => 'ldap',
            'auth' => 1,
            'info' => 1,
            'server' => 'HOSTNAME.DOMAIN.TLD',
            'user' => 'cn=BINDUSER,dc=DOMAIN,dc=TLD',
            'pass' => 'PASSWORD',
            'base' => 'dc=DOMAIN,dc=TLD',
            # (objectClass=*) matches every object under base, not only user accounts
            'filter' => '(objectClass=*)',
            # AD bitwise match: entries whose userAccountControl has ACCOUNTDISABLE (0x2)
            # set are treated as disabled users
            'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
            # no TLS: the bind password and the users' credentials cross the network in clear
            'tls' => 0,
            'net_ldap_args' => [ version => 3 ],
            # order in which RT fields are tried when looking a user up in AD
            'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName' ],
            # RT field => AD attribute; Name is taken from sAMAccountName, not mail
            'attr_map' => {
                'Name' => 'sAMAccountName',
                'EmailAddress' => 'mail',
                'RealName' => 'cn',
                'ExternalAuthId' => 'sAMAccountName',
                'Gecos' => 'sAMAccountName',
                'WorkPhone' => 'telephoneNumber',
                'Address1' => 'streetAddress',
                'City' => 'l',
                'State' => 'st',
                'Zip' => 'postalCode',
                'Country' => 'co'
            }
        }
    }
);
1;

http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

2010 RT Training Sessions!
San Francisco, CA, USA - Feb 22 & 23
Dublin, Ireland - Mar 15 & 16
Boston, MA, USA - April 5 & 6
Washington DC, USA - Oct 25 & 26

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

Gary L. Greene, Jr.
IT Operations
Minerva Networks, Inc.
Cell: (650) 704-6633
Phone: (408) 240-1239

I’m going to think about it, but the problem I see is that email
addresses might not be unique (I mean we can have two AD accounts with
the same email address).

Yep, this is one of the complications. You’d have to canonicalize it
back to the user currently in RT based on username

Don’t you think
http://www.zanfur.com/rt3-contrib/AutoCreateFromExternalUserInfo/CurrentUser_Local.pm
but using RT-Authen-ExternalAuth variables could do the on-the-fly job?
Maybe with some stuff to check duplicates etc.

I’ve not read this code enough to know how it would integrate with
RT-Authen-ExternalAuth, and I’m not likely to have time to go digging
through it anytime this month unfortunately :(

-kevin

Why bother with that, when you just need to change the attribute you’re
using for the account name. Here’s a sanitized version of my
RT_SiteConfig.pm

If this works for email creation of AD users, fantastic.
I’ve heard many reports of it not working

-kevin

Gary,

Thanks. I’ll look that over. We use LDAP as well, so this might make it
all easier. Thanks.

Kenn
LBNL

I’ll try Ken’s tip and let you know the results.

I’ll also reply to this thread with my script (probably end of)
next week once it’s cleaned up.
L.B.

I tried what Ken said, and it didn’t work on my login because of this
code in the RT-External-Authen plugin:

ExternalAuth/LDAP.pm : line 230
[...]
    } else {
        # If there's only one match, we're good; more than one and
        # we don't know which is the right one so we skip it.
        if ($ldap_msg->count == 1) {
            my $entry = $ldap_msg->first_entry();
[...]

I had two sAMAccountName returned because my AD account with my email
address has one normal sAMAccountName, and another admin one (in the
same AD entry).

To make it work, I modified the LDAP filter:

    Set($EmailCompletionLdapFilter,
        "(&(objectclass=organizationalPerson)(!(sAMAccountName=admin*)))");

This filter will match my sAMAccountName but not the one starting with
"admin" (replace this filter in your config). (Be careful of regular
users having a login matching this string.)

Once I had one and only one sAMAccountName, I disabled my current
account (changed all the values inside), I sent an email to my RT in
debug mode and here my new account got created with the AD login.

If a developer of this plugin reads this, I think it would be nice to
add a $RT::Logger->info at this step in the code…
L.B.

Here is a script to convert old email address account names to LDAP/AD
account names.

http://wiki.bestpractical.com/view/rt_logins_email2ldap

L.B.
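The lookup rule L.B. ran into (LDAP.pm accepts a single match only, so a duplicated mail attribute makes the user silently fall through) and the email-to-AD-login rename script are two sides of the same uniqueness check. The script below is an added example for this thread; it is not code from RT, RT::Authen::ExternalAuth or L.B.'s wiki script. It dry-runs the rename against a constructed in-memory snapshot of AD (the entries and RT users are invented, the attr_match_list and attr_map are Gary's), replicates the "exactly one match or skip" rule, lets you try the admin* exclusion from L.B.'s filter, and refuses renames whose target Name already exists in RT. The exclude_prefix parameter and every function name are this example's own, not the plugin's.

```python
"""Dry-run planner for moving RT user Names from e-mail addresses to AD logins.

Added example for this thread; not code from RT, RT::Authen::ExternalAuth or
L.B.'s wiki script.  Works on a constructed in-memory snapshot of AD instead
of a live LDAP connection, so it runs offline.
"""

# RT-side match order and attribute mapping, as in Gary's $ExternalSettings.
ATTR_MATCH_LIST = ["Name", "EmailAddress", "RealName"]
ATTR_MAP = {"Name": "sAMAccountName", "EmailAddress": "mail", "RealName": "cn"}

# Constructed AD snapshot (illustrative, not real accounts).  jdoe has a
# second, admin login sharing the same mail attribute, as in L.B.'s case.
AD_ENTRIES = [
    {"sAMAccountName": "jdoe",       "mail": "jdoe@example.com",      "cn": "Jane Doe"},
    {"sAMAccountName": "admin-jdoe", "mail": "jdoe@example.com",      "cn": "Jane Doe (admin)"},
    {"sAMAccountName": "bsmith",     "mail": "bsmith@example.com",    "cn": "Bob Smith"},
    {"sAMAccountName": "cjones",     "mail": "cjones@example.com",    "cn": "Carol Jones"},
    {"sAMAccountName": "adminsley",  "mail": "adminsley@example.com", "cn": "Ann Adminsley"},
    {"sAMAccountName": "svc-rt",     "mail": None,                    "cn": "RT service account"},
]

# Constructed RT users: most autocreated from mail (Name == e-mail), one who
# already logged in through the plugin (Name == AD login).
RT_USERS = [
    {"Name": "jdoe@example.com",      "EmailAddress": "jdoe@example.com"},
    {"Name": "bsmith@example.com",    "EmailAddress": "bsmith@example.com"},
    {"Name": "cjones",                "EmailAddress": "cjones@example.com"},
    {"Name": "cjones@example.com",    "EmailAddress": "cjones@example.com"},
    {"Name": "adminsley@example.com", "EmailAddress": "adminsley@example.com"},
    {"Name": "nobody@example.com",    "EmailAddress": "nobody@example.com"},
]


def passes_filter(entry, exclude_prefix):
    """Stand-in for the (!(sAMAccountName=admin*)) clause of L.B.'s filter.
    LDAP compares sAMAccountName case-insensitively, so this does too."""
    if exclude_prefix is None:
        return True
    return not entry["sAMAccountName"].lower().startswith(exclude_prefix.lower())


def lookup_unique(entries, attr, value, exclude_prefix=None):
    """Apply the rule from LDAP.pm: exactly one match is usable, zero or
    several means the lookup is skipped.  Returns (entry, None) on a unique
    hit and (None, reason) otherwise, so the caller can log why."""
    if not value:
        return None, "no value to search on"
    hits = [e for e in entries
            if e.get(attr) is not None
            and e[attr].lower() == value.lower()
            and passes_filter(e, exclude_prefix)]
    if len(hits) == 1:
        return hits[0], None
    if not hits:
        return None, "no match"
    names = ", ".join(sorted(h["sAMAccountName"] for h in hits))
    return None, "ambiguous: %d entries match %s=%s (%s)" % (len(hits), attr, value, names)


def canonicalize(rt_user, entries, exclude_prefix=None):
    """Try the attr_match_list fields in order, searching AD by the mapped
    attribute.  A user autocreated from mail has Name == e-mail, so the
    sAMAccountName probe misses and the mail probe decides; that is where a
    duplicated address makes the whole lookup fail."""
    reasons = []
    for field in ATTR_MATCH_LIST:
        value = rt_user.get(field)
        if not value:
            continue
        entry, reason = lookup_unique(entries, ATTR_MAP[field], value, exclude_prefix)
        if entry is not None:
            return entry, None
        reasons.append("%s: %s" % (ATTR_MAP[field], reason))
    return None, "; ".join(reasons)


def plan_renames(rt_users, entries, exclude_prefix=None):
    """Return (old_name, new_name_or_None, decision) per RT user.  Nothing is
    renamed when the AD match is not unique or when the target Name already
    belongs to another RT user (RT Names must be unique)."""
    taken = {u["Name"].lower() for u in rt_users}
    plan = []
    for u in rt_users:
        entry, reason = canonicalize(u, entries, exclude_prefix)
        if entry is None:
            plan.append((u["Name"], None, "skip: " + reason))
            continue
        new = entry["sAMAccountName"]
        if new.lower() == u["Name"].lower():
            plan.append((u["Name"], new, "already AD login"))
        elif new.lower() in taken:
            plan.append((u["Name"], None, "skip: RT user %r already exists" % new))
        else:
            plan.append((u["Name"], new, "rename"))
    return plan


if __name__ == "__main__":
    for label, prefix in (("no admin exclusion", None), ("excluding admin*", "admin")):
        print("== %s ==" % label)
        for old, new, why in plan_renames(RT_USERS, AD_ENTRIES, prefix):
            print("%-26s -> %-10s %s" % (old, new or "-", why))
```

Run without arguments it prints both plans. Without the exclusion, jdoe@example.com is skipped because two AD entries carry that mail attribute, exactly the count == 1 fall-through above. With the admin* exclusion jdoe@example.com becomes renameable, but adminsley@example.com stops matching at all, which is the caveat L.B. gives about regular users whose login happens to start with the excluded string. The cjones pair shows the other trap a mass rename must handle: the autocreated e-mail account resolves to an AD login that is already an RT Name, so the two RT users have to be merged rather than renamed.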

If a developer of this plugin reads this, I think it would be nice to
add a $RT::Logger->info at this step in the code…

If you can provide a patch, I’d be happy to look at applying it

-kevin