RT-Users Digest, Vol 70, Issue 29

Unless you’re authenticating against a custom MySQL database, there is
no need to tell RT::Authen::ExternalAuth about RT’s internal database.

It sounds like you want to tell RT::Authen::ExternalAuth to only use
your LDAP configuration.

RT will fall back to internal auth if RT::Authen::ExternalAuth fails
to authenticate you against LDAP.

Although you want to be careful about that; we got bitten by it. For
some reason, several very old accounts in our RT database had a
default password set in the MySQL database, and people found that
they could still use that password and get in. I personally think
that’s a bug in the code, and I’ve changed it in our installation to
the following logic, which makes more sense to me:

  1. If the account exists in the external source, then check
    authentication against that source, and let the user in if appropriate.
  2. If the user provides the wrong password to the external account,
    immediately reject the login.
  3. If the user does not exist within the external source, only then
    fall back to internal authentication.


The Wellcome Trust Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose registered
office is 215 Euston Road, London, NW1 2BE.
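
The two fallback behaviours discussed in this thread, modelled side by side as an added example. It is not part of either message and is not RT::Authen::ExternalAuth code. The account names, passwords, the two in-memory stores and all function names are constructed for illustration; `shadowed_internal_accounts` is an added audit helper that lists accounts which exist externally but still have an internal password set.

```python
import hashlib
import hmac

def _kdf(user: str, password: str) -> bytes:
    # Demo-only KDF parameters; the salt is the constructed user name.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 10_000)

# Constructed sample data, not real accounts or credentials.
EXTERNAL = {"alice": _kdf("alice", "ldap-secret")}         # stands in for LDAP
INTERNAL = {
    "alice": _kdf("alice", "changeme"),                    # stale default password
    "localadmin": _kdf("localadmin", "local-secret"),      # internal-only account
}

def _check(store, user, password):
    """None if the store has no such user, otherwise True/False for the password."""
    stored = store.get(user)
    if stored is None:
        return None
    return hmac.compare_digest(stored, _kdf(user, password))

def fallback_on_any_failure(user, password):
    """Any external failure, including a wrong password, falls back to internal auth."""
    if _check(EXTERNAL, user, password):
        return "external"
    if _check(INTERNAL, user, password):
        return "internal"
    return None

def fallback_only_if_absent(user, password):
    """The three-step logic from the second message."""
    ext = _check(EXTERNAL, user, password)
    if ext is True:
        return "external"   # step 1: external account, correct password
    if ext is False:
        return None         # step 2: external account, wrong password: reject
    # step 3: user unknown to the external source, so try internal auth
    return "internal" if _check(INTERNAL, user, password) else None

def shadowed_internal_accounts():
    """Accounts present externally that still carry an internal password."""
    return sorted(set(EXTERNAL) & set(INTERNAL))

if __name__ == "__main__":
    for fn in (fallback_on_any_failure, fallback_only_if_absent):
        print(fn.__name__, "alice/changeme ->", fn("alice", "changeme"))
    print("internal passwords to clear:", shadowed_internal_accounts())
```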