I have been reading the postings about RT-Authen-ExternalAuth but am confused by what appears to be some conflicting setup information.
I am using:
RT 3.8.2
RT-Authen-ExternalAuth 0.08
I would like to use LDAP for authentication and information first,
and that part seems to work OK.
But I also would like to:
- add LOCAL users to the RT internal DB (i.e. test and test-admin type accounts)
- NOT autocreate a new RT account if we receive an email from a user that is unknown in local RT or LDAP
- NOT make multiple accounts for a user's multiple email aliases (our LDAP contains several email addresses for each user (uid))
When I try to add a local account through the Web (using Root, Configuration->Users->Create), I receive the error "Name in Use".
The username I am trying to create does NOT exist, but the email address for that new account DOES.
My error_log shows:
[Tue Jun 2 17:45:21 2009] [debug]: User Check Failed :: ( My_LDAP ) root User not found (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:318)
[Tue Jun 2 17:45:21 2009] [debug]: Autohandler called ExternalAuth. Response: (0, No User)
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Tue Jun 2 17:45:21 2009] [info]: Successful login for root from 168.7.56.227 (/usr/site/rt-3.8/PROD/share/html/autohandler:276)
[Tue Jun 2 17:46:40 2009] [debug]: /ServiceUpdate/Elements/Header calls old style callback, use $m->callback (/usr/site/rt-3.8/PROD/share/html/Elements/Callback:51)
[Tue Jun 2 17:46:40 2009] [crit]: HasRight called with no valid object (/usr/site/rt-3.8/PROD/bin/…/lib/RT/Principal_Overlay.pm:322)
[Tue Jun 2 17:51:36 2009] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User /opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 20 with: Address1: , Address2: , AuthSystem: , City: , Comments: Admin Authority Level Account for RT, ContactInfoSystem: , Country: , Disabled: 0, EmailAddress: smcclure@rice.edu, EmailEncoding: , ExternalAuthId: , ExternalContactInfoId: , FreeformContactInfo: , Gecos: , HomePhone: , Lang: en, MobilePhone: , Name: smcclure-admin, NickName: Smcclure-Admin,
Organization: , PagerPhone: , Privileged: 1, RealName: Susan McClure, Signature: , State: ,
WebEncoding: , WorkPhone: , Zip: (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to get user info using this external service: My_LDAP (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to use this canonicalization key: Name (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Tue Jun 2 17:51:36 2009] [debug]: LDAP Search === Base: ou=People,dc=rice,dc=edu == Filter: (&(objectclass=)(uid=smcclure-admin)) == Attrs: Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,physicalDeliveryOfficeName,uid (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to use this canonicalization key: EmailAddress (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Tue Jun 2 17:51:36 2009] [debug]: LDAP Search === Base: ou=People,dc=rice,dc=edu == Filter: (&(objectclass=)(mail=smcclure@rice.edu)) == Attrs: Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,physicalDeliveryOfficeName,uid (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Tue Jun 2 17:51:36 2009] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning
Address1: 6100 Main Street, Address2: , AuthSystem: , City: , Comments: Admin Authority Level Account for RT, ContactInfoSystem: , Country: , Disabled: 0, EmailAddress: smcclure@rice.edu, EmailEncoding: , ExternalAuthId: smcclure, ExternalContactInfoId: , FreeformContactInfo: , Gecos: , HomePhone: , Lang: en, MobilePhone: , Name: smcclure, NickName: Smcclure-Admin,
Organization: 222 Mudd Building, PagerPhone: , Privileged: 1, RealName: McClure, Susan, Signature: , State: , WebEncoding: , WorkPhone: 713-348-4852, Zip: 77005 (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
My current RT_SiteConfig.pm for LDAP and External Auth has:

    Set(@Plugins, qw(RT::FM RT::IR RT::Authen::ExternalAuth …

and for LDAP:

    # special options for various plugins
    # Authen::ExternalAuth
    Set($ExternalAuthPriority, ['My_LDAP']);
    Set($ExternalInfoPriority, ['My_LDAP']);
    Set($ExternalServiceUsesSSLorTLS, 1);
    Set($ExternalSettings, {
        'My_LDAP' => {  ## GENERIC SECTION
            'type'   => 'ldap',
            'server' => 'ldap.rice.edu',
            'user'   => 'cn=requesttracker,ou=Service Accounts,dc=rice,dc=edu',
            … etc etc …
            …

And the LDAP attribute mappings:

            ## RT ATTRIBUTE MATCHING SECTION
            # The list of RT attributes that uniquely identify a user
            # This example shows what you *can* specify.. I recommend reducing this
            # to just the Name and EmailAddress to save encountering problems later.
            'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName', 'WorkPhone', 'Address2' ],
            # The mapping of RT attributes on to LDAP attributes
            'attr_map' => {
                'Name'           => 'uid',
                'EmailAddress'   => 'mail',
                'Organization'   => 'physicalDeliveryOfficeName',
                'RealName'       => 'cn',
                'ExternalAuthId' => 'uid',
                'Gecos'          => 'gecos',
                'WorkPhone'      => 'telephoneNumber',
                'Address1'       => 'postalAddress',
                'City'           => 'Houston',
                'State'          => 'TX',
                'Zip'            => 'postalCode'
            }
        }
    });
Looking at all the postings, I am afraid that if I add:
==> Set($AutoCreateNonExternalUsers, 1);
I will automatically MAKE a new account for users that send email or authenticate in some way other than being in our LDAP.
Can someone clarify the different options to help me get the
setup I want please?
Thanks
Susie McClure
smcclure@rice.edu
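The debug log in the post above shows the sequence the plugin walks for the "Name in Use" case: CanonicalizeUserInfo is called with Name smcclure-admin, the Name key (uid) lookup finds nothing, the EmailAddress key (mail) lookup matches, and the returned record carries Name smcclure, the uid of the existing account. The same log lines also show the attribute list sent to the server ("Attrs: Houston,cn,TX,...") including the literal values that appear on the right-hand side of attr_map, where the config's own comment says LDAP attribute names belong. The following is an added, offline model of that canonicalization path written for this thread; it is not code from RT or from the RT-Authen-ExternalAuth plugin, and the directory entries, example.edu addresses, schema set and existing RT account names are all constructed. It shows why one person's several mail aliases resolve to one uid, why a new Name collides once the email lookup wins, and a small lint that flags attr_map entries that are not attribute names.

```python
"""Offline model of the RT-Authen-ExternalAuth canonicalization path.

Added example for this thread: not code from RT or the plugin. Every
directory entry, address, schema name and RT account below is constructed.
"""
from __future__ import annotations

from typing import Optional

# Constructed LDAP entries: one uid carries several mail aliases, as the post describes.
LDAP_ENTRIES = [
    {"uid": ["jdoe"], "cn": ["Doe, Jane"], "gecos": ["Jane Doe"],
     "mail": ["jdoe@example.edu", "jane.doe@example.edu", "jane@alumni.example.edu"],
     "telephoneNumber": ["555-0100"], "postalCode": ["00000"]},
    {"uid": ["rroe"], "cn": ["Roe, Rick"], "gecos": ["Rick Roe"],
     "mail": ["rroe@example.edu"], "telephoneNumber": ["555-0101"], "postalCode": ["00000"]},
]

# Attribute names the constructed schema knows; anything else is not an attribute.
SCHEMA_ATTRS = {"uid", "cn", "mail", "gecos", "postalAddress", "postalCode",
                "telephoneNumber", "physicalDeliveryOfficeName", "l", "st"}

# Same shape as the posted config: lookup order, then RT attribute -> LDAP attribute.
ATTR_MATCH_LIST = ["Name", "EmailAddress"]
ATTR_MAP = {
    "Name": "uid", "EmailAddress": "mail", "RealName": "cn", "ExternalAuthId": "uid",
    "Gecos": "gecos", "WorkPhone": "telephoneNumber", "Zip": "postalCode",
    "City": "Houston", "State": "TX",   # literal values where attribute names belong
}

# RT accounts that already exist locally (constructed).
EXISTING_RT_NAMES = {"root", "jdoe"}


def ldap_search(attr: str, value: str, entries=LDAP_ENTRIES) -> list:
    """Emulate an equality search (attr=value); LDAP matching is case-insensitive."""
    want = value.lower()
    return [e for e in entries if want in (v.lower() for v in e.get(attr, []))]


def canonicalize(user_info: dict, attr_match_list=ATTR_MATCH_LIST,
                 attr_map=ATTR_MAP, entries=LDAP_ENTRIES) -> Optional[dict]:
    """Try each key in attr_match_list in order; on the first unique hit, rebuild the
    RT fields from the directory entry, so Name becomes the LDAP uid."""
    for rt_attr in attr_match_list:
        value = user_info.get(rt_attr)
        if not value:
            continue
        hits = ldap_search(attr_map[rt_attr], value, entries)
        if len(hits) > 1:
            raise ValueError(f"ambiguous external match on {rt_attr}={value}")
        if len(hits) == 1:
            entry = hits[0]
            canon = dict(user_info)
            canon.update({rt: entry[ldap][0] for rt, ldap in attr_map.items() if ldap in entry})
            return canon
    return None


def create_user_check(user_info: dict, existing=EXISTING_RT_NAMES) -> str:
    """Model the create path: canonicalize first, then refuse a Name already taken.
    A requested Name that the email lookup rewrites to an existing uid collides."""
    canon = canonicalize(user_info) or user_info
    if canon["Name"] in existing:
        return f"Name in Use ({canon['Name']})"
    return f"ok ({canon['Name']})"


def lint_attr_map(attr_map=ATTR_MAP, schema=SCHEMA_ATTRS) -> list:
    """RT attributes whose mapped value is not a known LDAP attribute name."""
    return sorted(rt for rt, ldap in attr_map.items() if ldap not in schema)


def requested_attrs(attr_map=ATTR_MAP) -> list:
    """The attribute list a search built from attr_map asks the server for."""
    return sorted(set(attr_map.values()))


if __name__ == "__main__":
    print(canonicalize({"EmailAddress": "jane.doe@example.edu"})["Name"])
    print(create_user_check({"Name": "jdoe-admin", "EmailAddress": "jdoe@example.edu"}))
    print(lint_attr_map(), requested_attrs())
```

Run as-is: any of Jane's three aliases canonicalizes to Name jdoe, so a mail from an alias does not produce a second account; creating "jdoe-admin" with Jane's address is rewritten to jdoe by the EmailAddress lookup and reports Name in Use; and the lint lists City and State because their mapped values are not attribute names in the schema. Whether a local account whose Name and address are absent from LDAP is created or refused is governed by the plugin's own auto-create settings, which this model does not reproduce.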