REMOTE_USER, external auth, and email mismatching

hi there,
We are looking at using kerb auth and mod_auth_kerb as our external auth mechanism for RT.

Trouble is… our kerb domain is not the same as people’s email address domain.

We have mumble-thousand users. Hand-populating things is not an option.

So, I was hoping there was potentially a way to do any of the following:

a) automatically drop the @xyz from REMOTE_USER entirely
b) autoconvert the @xyz to @real.domain

c) (least preferable) have the autocreate routines automatically fill in @real.domain as the email address

Philip,

We are in the same boat.

Your kerb config can drop the realm part by using the option in your kerb
auth section of the apache config with “KrbLocalUserMapping” set to ON.

In combination with that, we have ldap-import (to pull all the users from
AD), as well as the proper mapping (sAMAccountName ↔ username) when we
import users.

We’ve had instances where someone has managed to send email in from
another system with a different email address, and we just merge those new
accounts in with the ldap imported accounts on a regular basis (doesn’t
happen often).

Thanks,
Jok

| Joachim Thuau | IT Systems Engineer - Linux / SpaceX |

You can accomplish (b) with these options:
http://bestpractical.com/rt/docs/latest/RT_Config.html#CanonicalizeEmailAddressMatch-CanonicalizeEmailAddressReplace

You can also do more sophisticated munging by writing your own
RT::User::CanonicalizeUserInfo:
http://bestpractical.com/rt/docs/latest/RT/User.html#CanonicalizeUserInfo-HASH-of-ARGS

Or you can take the easy way of (a) by setting the mod_auth_kerb config
option that Jok pointed out earlier.
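Added example, not code from the thread or from Best Practical: what option (b) looks like in etc/RT_SiteConfig.pm, next to the REMOTE_USER settings it normally sits beside. The realm KERB.MY.COM and mail domain my.com are placeholders for the poster's real names; the option names are those of RT 4.2 and later (RT 4.0 spelled the first three $WebExternalAuth, $WebExternalAuto and $WebFallbackToInternalAuth).

```perl
# etc/RT_SiteConfig.pm (added example; placeholders: realm KERB.MY.COM,
# mail domain my.com). Option names are RT 4.2+; RT 4.0 spelled the first
# three $WebExternalAuth, $WebExternalAuto, $WebFallbackToInternalAuth.

# Trust REMOTE_USER from Apache and create unknown users on first login.
# No fallback to RT's own login form: the only way in is through the
# Kerberos-protected location, so every path to RT (alternate vhosts,
# ports, direct access to the backend) must go through that Apache config.
Set($WebRemoteUserAuth,       1);
Set($WebRemoteUserAutocreate, 1);
Set($WebFallbackToRTLogin,    0);

# Option (b) from the original post. RT applies Match to each address as a
# case-insensitive regular expression substitution with Replace as the
# replacement text, so anchor it and escape the dots: a loose pattern such
# as '@.*.my.com$' also collapses bob@mail.my.com into bob@my.com, which is
# an address collision, not a realm rewrite.
# Only EmailAddress values pass through this, never the account Name.
Set($CanonicalizeEmailAddressMatch,   '@kerb\.my\.com$');
Set($CanonicalizeEmailAddressReplace, '@my.com');

1;
```

To check it took effect, restart the web server, log in once, and open the new account under Admin > Users: the Name is whatever Apache put in REMOTE_USER, and only the email address should end in @my.com.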

(arg, outlook.com…)

From: rt-users-bounces@lists.bestpractical.com [rt-users-bounces@lists.bestpractical.com] on behalf of Thomas Sibley [trs@bestpractical.com]
Sent: Friday, April 26, 2013 04:38 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] REMOTE_USER, external auth, and email mismatching

> So, I was hoping there was potentially a way to do any of the following:
>
> a) automatically drop the @xyz from REMOTE_USER entirely
> b) autoconvert the @xyz to @real.domain
>
> You can accomplish (b) with these options:
> http://bestpractical.com/rt/docs/latest/RT_Config.html#CanonicalizeEmailAddressMatch-CanonicalizeEmailAddressReplace

Thanks for the tip.
I followed the link, but it didn't explicitly give an answer to the following question.
For posterity and the list archive's sake: does it also work for external auth?
In other words, when it auto-creates an account, will it rewrite the account name? Or will it just get triggered on actual email that comes in?

It is used during account creation, as well as many other places that
handle email addresses. It doesn’t affect the account Name, just the
account’s Email Address.

If you want to change the name, use one of the two other options I offered.

Well, I’m back, now that I’ve had more time to follow up :slight_smile:

I have tried out using the KrbLocalUser tweak, and run into problems.
The email field does not get filled out on autocreate of an account.

I then attempted to do the fallback suggested via

CanonicalizeEmailAddressMatch

after removing the KrbLocalUser from my apache configs.
However, the replace did not seem to have any effect. I'm still getting
logged in as
user@KERB.my.com
rather than user@my.com

For the record, I'm using a match string of
'@.*.my.com$'

and a replace of
@my.com

It's kinda odd that I can't seem to google any sample RT_Config.pm files
for this.

I have used the LDAPImport extension to pull all my users out of AD into
RT. I even submitted a patch on the cpan bug tracker to add a feature to
"automatically grant rights" to some groups based on LDAP queries.

(and you’ll probably need to “merge” the users that you have now into
their imported equivalent)

Thanks,
Jok

| Joachim Thuau | IT Systems Engineer - Linux / SpaceX |


RT Training in Seattle, June 19-20: http://bestpractical.com/training

Err… thanks, but that's not what I'm looking for.
For one thing, even if I got permission to do that (which I won't), we have 40,000 users in ldap.
I don't actually WANT all of them in the rt database,
particularly since we have a 15,000 user/year churn rate.

From: Jok Thuau [JThuau@spacex.com]
Sent: Tuesday, May 14, 2013 05:36 PM
To: Philip Brown; rt-users@lists.bestpractical.com
Subject: Re: [rt-users] REMOTE_USER, external auth, and email mismatching

I’m never quite sure why people do that (import then-stale
data from LDAP/AD which is the dynamic source of truth for the
information on the network). There must be some use case that
I am just not aware of, but I definitely don’t get it.

> it's kinda odd that I cant seem to google any sample
> RT_Config.pm files for this

Well, here’s where I asked the community to share what works:

http://lists.bestpractical.com/pipermail/rt-users/2012-February/075085.html

And here’s 1 (of 2) contributions I got and submitted, still sitting
in a github pull request that has not been merged after 1+ years:

That was the “water testing” and end of my contributions to RT,
as a failed experiment. I didn’t bother submitting the 2nd
config contribution I got based on the above.

Here’s someone else’s code contribution from 1+ years ago to
allow secure LDAP:

crickets

Contributing elsewhere.

Well, lets try a simpler, hopefully easier to tackle subject line :slight_smile:

Let's say I have autocreate turned on. And accounts get created just fine
when someone authenticates via web. … However, the autocreated
account name will be just the username, no @my.com.

What’s the best way to get the email field set, with @my.com added, when
the account is autocreated?

It would be an interesting scrip, but I believe you would be able to
update the user from a “on create” scrip, and update that one user’s email
from ldap. That being said, that’s not something that is canned, I don’t
think. (please someone correct me if I’m wrong)

Thanks,
Jok
| Joachim Thuau | IT Systems Engineer - Linux / SpaceX |

> I then attempted to do the fallback suggested via
>
> CanonicalizeEmailAddressMatch
>
> after removing the KrbLocalUser from my apache configs.
> however, the replace did not seem to have any effect. I'm still getting
> logged in as
> user@KERB.my.com
> rather than user@my.com
>
> for the record, I'm using a match string of
> '@.*.my.com$'
>
> and replace of
> @my.com

You may be mistaking the user name for the email address. Without a
separate Name, RT often assigns the email address as the name. This may
happen before canonicalization in some cases. Can you verify the email
addresses aren’t being canonicalized? If not, there may be an
interaction with existing users, but I wouldn’t expect that necessarily.

If the email address is canonicalized, but the name is still the
uncanonicalized form, I’d suggest looking at this piece from my original
mail:

You can also do more sophisticated munging by writing your own
RT::User::CanonicalizeUserInfo:

http://bestpractical.com/rt/docs/latest/RT/User.html#CanonicalizeUserInfo-HASH-of-ARGS

> Well, here's where I asked the community to share what works:
>
> [rt-users] Call for ExternalAuth configurations!
>
> And here's 1 (of 2) contributions I got and submitted, still sitting
> in a github pull request that has not been merged after 1+ years:
>
> contrib directory + 1 example from community so far by jblaine · Pull Request #2 · bestpractical/rt-authen-externalauth · GitHub
> https://github.com/bestpractical/rt-authen-externalauth/pull/2
>
> That was the "water testing" and end of my contributions to RT,
> as a failed experiment. I didn't bother submitting the 2nd
> config contribution I got based on the above.

I just responded to your PR. Thanks for pointing it out again. We
manage a lot of repos and only use github for publishing public mirrors
and receiving PRs. Sometimes this means PRs slip through the cracks if
no one prods us. That is to say: if anyone thinks they’re owed a
response on a PR or patch or any other contribution, please do pipe up
to get our attention again.

I’m sorry your contributing experience was lousy.

> Here's someone else's code contribution from 1+ years ago to
> allow secure LDAP:
>
> Add LDAPS capability to RT::Authen::ExternalAuth by gdickinson · Pull Request #1 · bestpractical/rt-authen-externalauth · GitHub
> https://github.com/bestpractical/rt-authen-externalauth/pull/1

That is an unnecessary change, and should have been closed long ago.
I’ve now done so. The simple solution is specifying a server of
“ldaps://example.com” instead of just “example.com”.
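An added example (mine, not the thread's and not the extension's documentation) of what that reply describes: an RT::Authen::ExternalAuth LDAP source reached over LDAPS purely by URL, plus the one setting worth adding to it. Hostname, bind DN, base DN, CA file path and the source name My_AD are placeholders. When Kerberos handles authentication through REMOTE_USER, the extension is only consulted as an information source (the $ExternalInfoPriority list) to fill attributes of accounts RT creates, via attr_map.

```perl
# etc/RT_SiteConfig.pm -- added example of an RT::Authen::ExternalAuth
# source over LDAPS. Names, DNs and paths are placeholders.
Set($ExternalAuthPriority, ['My_AD']);   # drop if Kerberos does the login
Set($ExternalInfoPriority, ['My_AD']);   # used to fill attributes (attr_map)
Set($ExternalSettings, {
    'My_AD' => {
        'type'   => 'ldap',
        # An ldaps:// URL is all Net::LDAP needs for TLS-on-connect, which
        # is why a separate "LDAPS" option was unnecessary.
        'server' => 'ldaps://ad.my.com',
        # 'tls' => 1 would instead issue StartTLS on a plain ldap:// port.
        'tls'    => 0,
        # Net::LDAP does NOT verify the server certificate unless told to
        # (its verify option defaults to 'none'); without these, TLS gives
        # confidentiality but no protection against an impersonating server.
        'net_ldap_args' => [
            version => 3,
            verify  => 'require',
            cafile  => '/etc/pki/tls/certs/my-ca.pem',
        ],
        'user'   => 'CN=rt-bind,OU=Service Accounts,DC=my,DC=com',
        'pass'   => 'CHANGEME',   # read-only bind account, nothing more
        'base'   => 'OU=People,DC=my,DC=com',
        'filter' => '(objectClass=user)',
        # Map AD's ACCOUNTDISABLE bit to "disabled" in RT.
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Which RT fields identify a user in the directory, and which
        # directory attributes populate RT's fields on create/update.
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'displayName',
        },
    },
});

1;
```

A quick check that verification is really on: point cafile at the wrong CA bundle, restart, and the LDAP lookups must fail in the RT log; if they still succeed, the certificate is not being checked.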

> It would be an interesting scrip, but I believe you would be able to
> update the user from a "on create" scrip, and update that one user's email
> from ldap.

Other than I want this to be "from account name", not "from ldap", this
sounds fine. :]

But… isn't an "on create" scrip related to ticket creation, not
user creation?

As mentioned earlier by my colleague, you can use
http://bestpractical.com/rt/docs/latest/RT/User.html#CanonicalizeUserInfo-HASH-of-ARGS
to massage the user data during creation. It used to be quite common
to glue together a few snippets of CanonicalizeUserInfo along with
WebCanonicalizeInfo in order to set up user information after creation
during login. These days I almost never use those hooks because
people just pull from AD.

> but… isn't an "on create" scrip related to ticket creation, not
> user creation?

It is.

-kevin

> As mentioned earlier by my colleague, you can use
> http://bestpractical.com/rt/docs/latest/RT/User.html#CanonicalizeUserInfo-HASH-of-ARGS
> to massage the user data during creation.

Thanks for the reference. However… that particular link seems to
merely "reference" that the capability exists somehow. I can't fathom
how to use it.
Could you point me to any examples of how to actually use it, please?
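Since the thread ends without one, here is an added example (mine, not Kevin's and not Best Practical's code) of a CanonicalizeUserInfo overlay that answers the simpler question: with KrbLocalUserMapping On, REMOTE_USER arrives as a bare username, RT autocreates the account with that Name and no address, and this fills EmailAddress in from the Name. It also covers the other configuration, a full user@KERB.MY.COM principal in REMOTE_USER, by stripping that one realm and nothing else. Assumptions: an RT 4.x install that loads local/lib/RT/User_Local.pm as an overlay after RT::User, RT::User->Create passing its argument hash through CanonicalizeUserInfo before the row is inserted (as the linked documentation states), and the placeholder realm KERB.MY.COM and mail domain my.com.

```perl
# local/lib/RT/User_Local.pm -- added example, not from the thread.
# RT loads *_Local.pm overlays after the class itself, so this replaces
# RT::User::CanonicalizeUserInfo, which RT::User->Create calls with its
# argument hash (modified in place) before inserting the user.
package RT::User;

use strict;
use warnings;

my $KERB_REALM  = 'KERB.MY.COM';   # placeholder Kerberos realm
my $MAIL_DOMAIN = 'my.com';        # placeholder mail domain

# Whatever was defined before us: stock RT, or RT::Authen::ExternalAuth's
# version, which fills attributes from LDAP. Capture it at runtime and
# install ours afterwards, so we chain to it instead of silently
# disabling it (a plain "sub" here would replace it outright).
my $Previous = __PACKAGE__->can('CanonicalizeUserInfo');

{
    no warnings 'redefine';
    *CanonicalizeUserInfo = sub {
        my $self    = shift;
        my $args    = shift;      # hashref of Create() arguments
        my $changed = 0;

        my $name = $args->{'Name'};
        return 0 unless defined $name && length $name;

        # 1. Drop the realm from the Name, but only OUR realm. Stripping any
        #    "@suffix" (which is what KrbLocalUserMapping does in Apache)
        #    lets bob@OTHER.REALM collide with bob@KERB.MY.COM should Apache
        #    ever be configured to trust a second realm.
        if ( $name =~ s/\@\Q$KERB_REALM\E\z//i ) {
            $args->{'Name'} = $name;
            $changed = 1;
        }

        # 2. Let the previous implementation see the cleaned-up Name
        #    (ExternalAuth, if installed, can now match sAMAccountName).
        $changed = 1 if $Previous && $Previous->( $self, $args );

        # 3. Still no address? Derive it from the Name, but only for plain
        #    principal-style names, so accounts created from inbound mail
        #    (whose Name is already an address) are left alone. Note this
        #    also applies to accounts an admin creates by hand without an
        #    address; narrow the pattern if that is unwanted.
        if ( ( !defined $args->{'EmailAddress'} || $args->{'EmailAddress'} eq '' )
             && $name =~ /\A[a-z0-9][a-z0-9._-]*\z/i )
        {
            $args->{'EmailAddress'} = lc($name) . '@' . $MAIL_DOMAIN;
            $changed = 1;
        }

        return $changed;
    };
}

1;
```

After restarting the server, check it once by hand: log in as a user RT has never seen, then look the account up under Admin > Users. Name should be the bare username, EmailAddress user@my.com, and a second login by the same person must land on that account rather than create another. If REMOTE_USER carries the full principal and the realm is stripped here, also keep the CanonicalizeEmailAddressMatch/Replace pair mapping @kerb.my.com to @my.com: after autocreate RT looks the user up again by the original REMOTE_USER string, and a string containing @ is looked up as a canonicalized email address, which is what makes the renamed account findable. That lookup detail is worth verifying against the RT version you run before relying on it.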