RT::Authen::ExternalAuth AutoCreate Privileged Users

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,

I’ve done some initial investigation but this doesn’t seem to be so
simple for me to do.

Please can someone assist?

I’m using RT::Authen::ExternalAuth and have the following working:
External auth with LDAP and auto-create privileged users if they are
in the ‘rt’ group in LDAP.

How can unprivileged users be auto created if they are in LDAP but not
in the ‘rt’ group when they send a mail ticket request so they can login
through self service access?

PS What should the ExternalInfoPriority be set to if there are no LDAP
lookups for creating new users via RT?

Thanks.

Set( $rtname, '...');
Set($Organization , '...');
Set($Timezone , 'Africa/Johannesburg');
Set(@Plugins,(qw(Extension::QuickDelete RT::FM RT::Authen::ExternalAuth)));
Set($RTAddressRegexp , '^(-)?@..$');
Set($LogToSyslog , 'debug');
Set($LogToScreen, 'debug');
Set($DatabaseType , 'mysql');
Set($DatabaseHost , '');
Set($DatabaseRTHost , '');
Set($DatabasePort , '');
Set($DatabaseUser , '');
Set($DatabasePassword , '****');
Set($DatabaseName , '');
Set($DatabaseRequireSSL , undef);
Set($OwnerEmail , 'root');
Set($MaxAttachmentSize , 10000000);
Set($CanonicalizeOnCreate, 0);
Set($AutoCreate, {Privileged => 1});
require "/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm";

Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
    'My_LDAP' => {
        'type' => 'ldap',
        'server' => '',
        'user' => '',
        'pass' => '',
        'base' => 'dc=*,dc=,dc=,dc=',
        'filter' => '(objectClass=*)',
        'd_filter' => '(objectClass=FooBarBaz)',
        'tls' => 0,
        'ssl_version' => 3,
        'net_ldap_args' => [version => 3],
        'group' => 'cn=rt,ou=groups,dc=,dc=,dc=,dc=',
        'group_attr' => 'member',
        'attr_match_list' => ['Name', 'EmailAddress'],
        'attr_map' => {'Name' => 'uid', 'RealName' => 'cn',
            'ExternalAuthId' => 'uid', 'Gecos' => 'cn', 'EmailAddress' => 'mail'}
    }
});
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJMhM+hAAoJEBMzHChmstlqrfsH/3UFar4PQFUBjN3o7pc4iBce
8oOGftGf75+0/CZkVVt3ogOo+JCFWlfpSb21Kh4YKYMUZ2NXRQVWQO6O25iO8u0x
8aL/rkzei98mKCNlkWP6O/lVIiXeTzAHMJgHJpbC207mEcqRFCKToJ61nOnmtU8I
PBZntO+SRK5V/i+WPFk75/ZmAayJ30wZxVZmThjKPPpINSMkP/y5naUAH1aFwuk0
LMg5CcxloOxq0pEFA6PfQGjetk8NEeF6T01ypS8R8+ArQBrBBJYUJkhuPrRjge3o
Dyl9Eb0wE/HwubZBVixSvLoTMFj4tPo+mYHth+cexMyRZf7br6ieWMSSOwYFNzA=
=dkSU
-----END PGP SIGNATURE-----

To read FirstRand Bank’s Disclaimer for this email click on the following address or copy into your Internet browser:
https://www.fnb.co.za/disclaimer.html

If you are unable to access the Disclaimer, send a blank e-mail to
firstrandbankdisclaimer@fnb.co.za and we will send you a copy of the Disclaimer.

I’m just going off memory of what I have read, but can’t you have more
than one LDAP to look up against and have the AutoCreate in the LDAP
portion of the config?

Maybe have one for RT=>Privileged and one for non-RT=>normal autocreate?

-Mark

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Robert
Gabriel
Sent: Monday, September 06, 2010 6:25 AM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] RT::Authen::ExternalAuth AutoCreate [Un]Privileged
Users


RT Training in Washington DC, USA on Oct 25 & 26 2010
Last one this year – Learn how to get the most out of RT!

CONFIDENTIALITY NOTICE: The information contained in this email message, including any attachments, may be
privileged, confidential and otherwise protected from disclosure. If the reader of this message is not the
intended recipient, you are hereby notified that any use, dissemination, distribution or copying of this
message, including any attachments, is strictly prohibited. If you have received this email message in
error, please notify the sender by reply email and delete/destroy the email message, including attachments,
and any copies thereof. Although we have taken precautions to minimize the risk of transmitting viruses via
email and attachments thereto, we do not guarantee that either is virus-free, and we accept no liability for
any damages sustained as a result of any such viruses.

Gabriel,

Try removing the group ‘rt’. Then use “filter” to accept a broader range of
LDAP users (we use division codes). Then you can use the autocreate
“Privileged” setting. That way anyone who passes the LDAP test will be
autocreated as “Privileged” users. That’s my best guess.

Kenn
LBNL

On Mon, Sep 6, 2010 at 4:25 AM, Robert Gabriel rgabriel@fnb.co.za wrote:


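The configuration below is an added example, not code from the thread or from the plugin's own documentation; it shows what Mark's two-entry idea and Kenn's "drop the group" idea come to on this plugin. Two points a practitioner should check before following either reply. First, $AutoCreate is a single global hash (the RT 4.4 core port of the plugin renames it $UserAutocreateDefaultsOnLogin but keeps it global), so a second $ExternalSettings entry changes which directory users may log in, not which Privileged flag they are created with. Second, with the ‘rt’ group removed and {Privileged => 1} kept, a directory user who logs in before ever e-mailing RT is created privileged, while one who e-mails first is created unprivileged by the mail gateway and keeps that status on later logins, so privilege would depend on the order of first contact. The fragment therefore creates every login unprivileged, which gives non-‘rt’ users the SelfService access the question asks for, and leaves promoting ‘rt’ members as an explicit step in RT's user administration. The host name, bind account, DNs, and the departmentNumber and pwdAccountLockedTime attributes are illustrative assumptions, not values from the thread.

```perl
# RT_SiteConfig.pm fragment for RT::Authen::ExternalAuth on RT 3.8.
# Added example; hosts, DNs and the two LDAP attributes named below are
# assumptions for illustration, not values from the thread.

Set(@Plugins, qw(Extension::QuickDelete RT::FM RT::Authen::ExternalAuth));

# Setting from the thread, kept here only for contrast.  Without a 'group'
# restriction it makes every directory user who logs in before e-mailing RT
# a Privileged user, while users who e-mail first stay unprivileged.
# Set($AutoCreate, { Privileged => 1 });

# Hardened default: every auto-created login is unprivileged (SelfService).
# This hash is global to the plugin and cannot vary per $ExternalSettings
# entry, so members of cn=rt are promoted explicitly in RT afterwards.
Set($AutoCreate, { Privileged => 0 });

# Never create a login for someone the directory does not know.
Set($AutoCreateNonExternalUsers, 0);

# Must be 1 when any entry below uses 'tls' or 'ssl'.
Set($ExternalServiceUsesSSLorTLS, 1);

Set($ExternalAuthPriority, [ 'My_LDAP' ]);

# Keep the directory in the info list: the mail gateway then canonicalises
# a sender's address to the matching 'uid', so the account created from the
# first e-mail is the one the user later logs in to, not a duplicate.
Set($ExternalInfoPriority, [ 'My_LDAP' ]);

Set($ExternalSettings, {
    'My_LDAP' => {
        type   => 'ldap',
        server => 'ldap.example.org',                          # assumption
        user   => 'cn=rt-bind,ou=services,dc=example,dc=org',  # assumption
        pass   => '********',
        base   => 'ou=people,dc=example,dc=org',               # assumption

        # Who may log in at all.  With no 'group' key, anyone matching
        # 'filter' who can bind gets a SelfService login; narrow the
        # population here (Kenn's division codes) instead of via cn=rt.
        filter => '(&(objectClass=inetOrgPerson)(departmentNumber=*))',  # assumption

        # Disqualifying filter: matching entries are refused even with a valid
        # password.  Assumes the OpenLDAP ppolicy overlay; the thread's
        # '(objectClass=FooBarBaz)' is the documented "match nothing" default.
        d_filter => '(pwdAccountLockedTime=*)',

        # 'tls' => 0 (as in the thread) sends every bind password in clear
        # text.  STARTTLS must be offered by the server.  The thread's
        # 'ssl_version' => 3 selects SSLv3 for Net::SSLeay; it is left unset
        # here so the library negotiates a current TLS version.
        tls           => 1,
        net_ldap_args => [ version => 3 ],

        # Match existing RT users on login name or e-mail address.
        attr_match_list => [ 'Name', 'EmailAddress' ],
        attr_map => {
            Name           => 'uid',
            ExternalAuthId => 'uid',
            RealName       => 'cn',
            Gecos          => 'cn',
            EmailAddress   => 'mail',
        },
    },
});
```

Verify the behaviour on a test directory account before rollout: log in as a user who is not in cn=rt, confirm in RT's user administration pages that the record is unprivileged with Name set to the uid and EmailAddress to the directory mail value, then send a ticket from a second, previously unseen directory address and confirm that sender is created once, not twice. If you do keep two entries as Mark suggests, remember that a mistyped password is tried against both, which doubles the failed-bind count seen by any directory lockout policy.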