Unless you’re authenticating against a custom MySQL database, there is
no need to tell RT::Authen::ExternalAuth about RT’s internal database
tables. It sounds like you want to tell RT::Authen::ExternalAuth to only use
your LDAP configuration.

RT will fall back to internal auth if RT::Authen::ExternalAuth fails
to authenticate you against LDAP.

Although you want to be careful about that; we got bitten by it. For
some reason, several very old accounts in our RT database had a
default password set in the MySQL database, and people found that
they could still use that password and get in. I personally think
that’s a bug in the code, and I’ve changed it in our installation to
the following logic, which makes more sense to me:
- If the account exists in the external source, then check
  authentication against that source, and let the user in if appropriate.
- If the user provides the wrong password to the external account,
  immediately reject the login.
- If the user does not exist within the external source, only then
  fall back to internal authentication.
Tim
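
The two fallback policies discussed in this thread, modelled side by side as an added example (not RT or RT::Authen::ExternalAuth code, and not Tim's patch). The user tables, plaintext passwords and function names are constructed for illustration; the last function is an audit for the stale-password condition described above.

```python
import hmac
from typing import Optional

# Constructed sample data (plaintext only to keep the model short).
EXTERNAL = {"alice": "ldap-secret"}        # stand-in for the LDAP directory
INTERNAL = {"alice": "changeme",           # old default password left in the internal DB
            "localadmin": "local-secret",  # internal-only account
            "bob": None}                   # no internal password set


def _match(stored: Optional[str], supplied: str) -> bool:
    """Constant-time comparison; an unset password never matches."""
    return stored is not None and hmac.compare_digest(stored.encode(), supplied.encode())


def check_external(user: str, password: str) -> Optional[bool]:
    """None means the user is unknown to the external source, else pass/fail."""
    if user not in EXTERNAL:
        return None
    return _match(EXTERNAL[user], password)


def check_internal(user: str, password: str) -> bool:
    return _match(INTERNAL.get(user), password)


def fallback_on_any_failure(user: str, password: str) -> bool:
    """Behaviour described in the thread: any external failure falls through."""
    return bool(check_external(user, password)) or check_internal(user, password)


def fallback_only_if_absent(user: str, password: str) -> bool:
    """The three rules above: a known external user is decided externally only."""
    verdict = check_external(user, password)
    if verdict is not None:
        return verdict
    return check_internal(user, password)


def stale_internal_passwords() -> list:
    """Audit: external accounts that still carry an internal password."""
    return sorted(u for u in EXTERNAL if INTERNAL.get(u) is not None)
```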