Role based authentication from ldap

Hi

I am just looking into the possibility of Group based authenitication
for RT via an LDAP directory. From what I have read in the LDAP
information on the wiki and in the email lists (see the thread with
subject: [Rt-devel] Proposed Contrib: External (LDAP) user info attr
mapping ) it appears that this is not possible at the moment.

I believe you can authenticate a user against an LDAP directory and
they are then created as an unprivileged user. Adding them to
privileged groups or roles in RT has to be done through the RT
interface. I just wanted to check and confirm that this was the case
or whether I might have missed something.

The reason I am interested is that we are using Plone to build our
intranet and have a group/role structure within that which is exported
to an LDAP directory. We can then use this for authentication against
a Jive Jabber server, Email server and was wondering just how much of
that functionality we could use with RT. I have looked at Plone
Collector NG which is an Issue Management product for Plone that
utilises the workflow and groups from Plone but compared to RT it is
lacking in features and documention so am very interested to see just
how RT can work with LDAP.

Just interested in any comments.

cheers
John

John Habermann
The Wilderness Society
www.wilderness.org.au

Hello!

I am just looking into the possibility of Group based authenitication
for RT via an LDAP directory. From what I have read in the LDAP
information on the wiki and in the email lists (see the thread with
subject: [Rt-devel] Proposed Contrib: External (LDAP) user info attr
mapping ) it appears that this is not possible at the moment.

I’ve just released phase one of the work described in the email thread
you mentioned above; see http://wiki.bestpractical.com/index.cgi?LDAP
for more info about that. I don’t know if it helps you, though; see
below for further comments.

I believe you can authenticate a user against an LDAP directory and
they are then created as an unprivileged user. Adding them to
privileged groups or roles in RT has to be done through the RT
interface. I just wanted to check and confirm that this was the case
or whether I might have missed something.

You are correct as far as I know.

The reason I am interested is that we are using Plone to build our
intranet and have a group/role structure within that which is exported
to an LDAP directory.

I’m unfamiliar with Plone, but I think I get what you’re asking, which
is, “Can RT take its list of group members from LDAP?” and the answer
is, “No, not by default.” It’s something that could be coded (I’ve been
considering how we could use our UNIX groups which are stored in LDAP
similarly), but I don’t believe there’s an existing implementation of
this.

It’d be pretty straightforward to write something which bootstraps a
group from your Plone info, but keeping them in sync would be a
challenge, I think.

Good luck!

–j
Jim Meyer, Geek at Large purp@acm.org