RT::Authen::ExternalAuth selectable authentication service?

Hello all,

I was just checking out RT::Authen::ExternalAuth for the first time
after seeing the recent announcements on this list, and found it to be a
useful extension of RT functionality. However, I noticed that it
always attempts to authenticate a user to the external authentication
service(s) before falling back to local authentication. I was wondering
if there was any interest in enhancing it to allow for the selection of
the authentication service on a per-user basis, perhaps based on some
user custom field.

In our RT setup, we have a small number of privileged users who can own
tickets and have accounts in our LDAP directory, but we have a large
number of people who have access only to tickets they requested in RT,
and do not have LDAP accounts. I think it would cut down on unnecessary
traffic to our LDAP server if we could add some functionality to
RT::Authen::ExternalAuth so that it only looks up privileged users in
LDAP and does local authentication for everybody else.

Maybe a user custom field could indicate which authentication service to
use for an account (e.g. LDAP, external DB, local, etc.) rather than the
global $RT::ExternalAuthPriority applying to all users? However, this
could be problematic in allowing users to change which service they
authenticate to.

Would this per-user selectable authentication service functionality be
useful to anyone else, and does anyone have an alternative suggestion
for its implementation other than by using a user custom field? Maybe by
RT group membership (e.g. by creating and populating a “auth_ldap” group
for users to auth to LDAP, and a “auth_db” group for users to auth to an
external DB, etc.)?

  -Bill

William Horka
UNIX Systems Administrator
Harvard-MIT Data Center

That seems like a lot of work to save a couple of very light-weight
LDAP queries. Plus, if anyone changes status, you will need to manually
reset their fields to get them to authenticate correctly. My two cents.

Cheers,
KenOn Wed, Nov 12, 2008 at 01:50:25PM -0500, William J. Horka wrote:

Hello all,

I was just checking out RT::Authen::ExternalAuth for the first time
after seeing the recent announcements on this list, and found it to be a
useful extension of RT functionality. However, I noticed that it
always attempts to authenticate a user to the external authentication
service(s) before falling back to local authentication. I was wondering
if there was any interest in enhancing it to allow for the selection of
the authentication service on a per-user basis, perhaps based on some
user custom field.

In our RT setup, we have a small number of privileged users who can own
tickets and have accounts in our LDAP directory, but we have a large
number of people who have access only to tickets they requested in RT,
and do not have LDAP accounts. I think it would cut down on unnecessary
traffic to our LDAP server if we could add some functionality to
RT::Authen::ExternalAuth so that it only looks up privileged users in
LDAP and does local authentication for everybody else.

Maybe a user custom field could indicate which authentication service to
use for an account (e.g. LDAP, external DB, local, etc.) rather than the
global $RT::ExternalAuthPriority applying to all users? However, this
could be problematic in allowing users to change which service they
authenticate to.

Would this per-user selectable authentication service functionality be
useful to anyone else, and does anyone have an alternative suggestion
for its implementation other than by using a user custom field? Maybe by
RT group membership (e.g. by creating and populating a “auth_ldap” group
for users to auth to LDAP, and a “auth_db” group for users to auth to an
external DB, etc.)?

  -Bill


William Horka
UNIX Systems Administrator
Harvard-MIT Data Center


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

Kenneth Marshall wrote:

That seems like a lot of work to save a couple of very light-weight
LDAP queries. Plus, if anyone changes status, you will need to manually
reset their fields to get them to authenticate correctly. My two cents.

To be honest I have to agree. It would require a lot of work and would
save only a small amount of resources and could render RT an
administrative nightmare. Also, the extra lookups required inside RT
would likely reduce the LDAP load at the expense of increasing the load
on the RT server.

Having said that, you are more than welcome to investigate coding it
yourself, I just simply wouldn’t find the time - as it is I’ve yet to
get the chance to confirm the DB authentication in 0.07_01 so as to
release it as stable.

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com