RT::Authen::ExternalAuth::LDAP - using email address as username

Hi,

I’d understood that it would be possible to authenticate users against LDAP, using their email address (LDAP ‘mail’ attribute) as the username. This is useful for us as we have some external people who need access to the RT instance, but most people are in Active Directory.

Here’s the relevant part of RT_SiteConfig.pm

        'attr_match_list' => [
            'EmailAddress',
            'Name',
        ],
        'attr_map' => {
            'Name' => 'userPrincipalName',
            'EmailAddress' => 'mail',
            'RealName' => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos' => 'sAMAccountName',
            'WorkPhone' => 'telephoneNumber',
            'City' => 'l',
            'State' => 'st',
            'Zip' => 'postalCode',
            'Country' => 'co'
        },

This doesn’t work as I’d hoped. I’ve turned the debug level up in RT, and it looks like the filter for UPN is being added, despite the config above. See this log (some details anon’ed)

Jun 7 10:45:33 rt1 RT: [14354] UserExists params:#012username: carolsmith@nosuchdomain.org , service: My_LDAP (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)
Jun 7 10:45:33 rt1 RT: [14354] LDAP Search === Base: ou=Staff,#012ou=NSLC People,dc=anotherdomain,dc=ac,dc=uk == Filter: (&(&(objectCategory=person)(objectClass=user))(userPrincipalName=carolsmith@nosuchdomain.org)) == Attrs: l,co,sAMAccountName,telephoneNumber,userPrincipalName,postalCode,cn,sAMAccountName,mail,st (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
Jun 7 10:45:33 rt1 RT: [14354] User Check Failed :: ( My_LDAP ) carolsmith@nosuchdomain.org User not found (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:483)
Jun 7 10:45:33 rt1 RT: [14354] Autohandler called ExternalAuth. Response: (0, No User) (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
Jun 7 10:45:33 rt1 RT: [14354] FAILED LOGIN for carolsmith@nosuchdomain.org from 10.10.4.213

Our problem is that for 95% of users UPN is the same as email address. The 5% where it differs are important external partners. I can’t change the UPN to match at the moment. I suppose I can ask them to use UPN as their login, but need to know that a more elegant solution isn’t possible first.

Hi Ian,

I think you need the following:

    'attr_map' => {
        'Name' => 'mail',
        'EmailAddress' => 'mail',
        'RealName' => 'cn',
        'ExternalAuthId' => 'sAMAccountName',
        'Gecos' => 'sAMAccountName',
        'WorkPhone' => 'telephoneNumber',
        'City' => 'l',
        'State' => 'st',
        'Zip' => 'postalCode',
        'Country' => 'co'
    },

Best Regards

Martin
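To make the behaviour behind Ian's log and Martin's suggested fix concrete, here is an added Python model of how an ExternalAuth-style LDAP login lookup turns the service config into a search filter. It is not code from RT::Authen::ExternalAuth, nor from either poster. It assumes, as the logged filter `(&(&(objectCategory=person)(objectClass=user))(userPrincipalName=...))` suggests, that the login lookup searches only the attribute that `Name` is mapped to in `attr_map`, and that `attr_match_list` does not widen that search. The directory entries, domain names and account names below are constructed for the example.

```python
# Added illustration for this thread: a model of the login lookup, not code
# from RT::Authen::ExternalAuth. Assumption: the lookup filters on the single
# attribute that 'Name' maps to in attr_map; attr_match_list is not consulted.

BASE_FILTER = "(&(objectCategory=person)(objectClass=user))"

# The original mapping (Name -> userPrincipalName) and the suggested fix (Name -> mail).
UPN_CONFIG = {"filter": BASE_FILTER,
              "attr_map": {"Name": "userPrincipalName", "EmailAddress": "mail"}}
MAIL_CONFIG = {"filter": BASE_FILTER,
               "attr_map": {"Name": "mail", "EmailAddress": "mail"}}

# Constructed directory entries (not real accounts): a staff member whose UPN
# equals their mail address, and an external partner whose UPN does not.
DIRECTORY = [
    {"sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@example.test",
     "mail": "jdoe@example.test"},
    {"sAMAccountName": "csmith",
     "userPrincipalName": "csmith@ad.example.test",
     "mail": "carolsmith@partner.example.test"},
]

# RFC 4515 escaping for a value placed inside an LDAP filter. Without it, a
# login name containing '*', '(', ')' or '\' would change the filter's meaning.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(config: dict, username: str) -> str:
    """AND the service's base filter with a match on the attr_map 'Name' attribute."""
    name_attr = config["attr_map"]["Name"]
    return f"(&{config['filter']}({name_attr}={escape_filter_value(username)}))"


def lookup(directory: list, config: dict, username: str):
    """UserExists-style check against an in-memory directory.

    Returns the sAMAccountName when exactly one entry's 'Name' attribute matches
    (LDAP mail/UPN comparisons are case-insensitive), otherwise None.
    """
    name_attr = config["attr_map"]["Name"]
    hits = [e for e in directory if e.get(name_attr, "").lower() == username.lower()]
    return hits[0]["sAMAccountName"] if len(hits) == 1 else None


if __name__ == "__main__":
    for label, cfg in (("Name => userPrincipalName", UPN_CONFIG), ("Name => mail", MAIL_CONFIG)):
        for user in ("jdoe@example.test", "carolsmith@partner.example.test"):
            print(f"{label:26} {user:32} -> {lookup(DIRECTORY, cfg, user)}")
            print(f"    {build_login_filter(cfg, user)}")
```

Run as a script, the staff user is found under both mappings, while the partner is only found once `Name` maps to `mail`, which is the 95%/5% split Ian describes. The escaping step is the part worth keeping in any real implementation: the login name is attacker-chosen input that lands inside the filter string, so filter metacharacters must be neutralised before the search is sent.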