RT3.8.1-Custom Login Requires Code Changes?

I’ve been tasked with finding a way to log in to our RT system by
validating our cookies against a local database and then submitting a
valid user name as a login token to RT. The object is to write a single
sign on plugin that validates against a secure database for a large
number of diverse applications.

RT has facilities to query LDAP and DBI databases with ExternalAuth and
it also has the ability to read a cookie and validate it against a
database of users and user IDs with CookieAuth but it doesn’t seem to
have a method for allowing me to do my own user validation and then
simply submitting a user name as a valid login token. RT retains the
power of the query for user validation. (Correct?)

I think in order to do this I will need to do some major Mason-ary work
and before I propose a project of that size to my customer, I wanted to
get confirmation that this is the only way to get RT to follow our local
login model.

Thanks in advance,

Edward Bryan
Oregon State University

TBH CookieAuth is a fantastic example of how to “build your own” and
although it’s not totally clear what you’re looking for I don’t think
you’d have to veer far from it.

The whole validation path is quite simple… you put in an Auth callback
that runs whatever code you want it to when a user first visits and you
can call any other methods you want at the same time, and all you need
to have a logged in user is to put a user in the $session variable.

If you want to do your own changes to validation of an actual password,
you just gotta override isPassword in the User object using a
User_Vendor.pm or User_Local.pm.

I can advise better if you can clarify a little what your intended
result is.

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
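
The callback approach described in the reply above, shown as an added example that is not part of the original thread and not CookieAuth's own code: a Mason `Auth` callback that checks an opaque SSO cookie against the local database server-side and only then places an RT user in the session. The callback directory name `LocalSSO`, the cookie name `SSO_TOKEN`, the DSN, the credentials and the `sso_sessions` table are all assumptions.

```perl
%# Hypothetical file: local/html/Callbacks/LocalSSO/autohandler/Auth
<%init>
use CGI::Cookie ();
use DBI ();

# Nothing to do if RT already has a logged-in user for this session.
return if $session{'CurrentUser'} && $session{'CurrentUser'}->Id;

# Assumed cookie name. The value is an opaque random token, never a username,
# so the browser cannot simply assert an identity.
my %cookies = CGI::Cookie->fetch;
my $cookie  = $cookies{'SSO_TOKEN'} or return;
my $token   = $cookie->value;
return unless defined $token && $token =~ /\A[A-Za-z0-9]{32,128}\z/;

# Assumed DSN, read-only account, table and column names for the SSO database.
my $dbh = DBI->connect(
    'dbi:Pg:dbname=sso;host=db.example.internal', 'rt_sso_ro', $ENV{SSO_DB_PASS},
    { RaiseError => 0, PrintError => 0 },
) or do { $RT::Logger->error("SSO DB unavailable: $DBI::errstr"); return };

# Bound placeholder keeps the cookie value out of the SQL text;
# expiry is enforced by the database, not by the client.
my ($username) = $dbh->selectrow_array(
    'SELECT username FROM sso_sessions WHERE token = ? AND expires_at > now()',
    undef, $token,
);
$dbh->disconnect;
return unless defined $username;    # unknown or expired: RT shows its login page

# Only an account that already exists in RT is placed in the session.
my $user = RT::CurrentUser->new;
$user->Load($username);
unless ( $user->Id ) {
    $RT::Logger->warning("SSO token valid but no RT account for '$username'");
    return;
}
$session{'CurrentUser'} = $user;
$RT::Logger->info("SSO login for '$username'");
</%init>
```

Every failure path returns without touching the session, so a missing, malformed or expired token falls back to RT's normal login form rather than granting access.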

Thanks for the quick reply. I’m sorry I wasn’t more clear in my original
post.

We have a single-sign-on application that validates all our users with
their first login to any application we run. Then, as they move from one
app to another, they are transparently validated by the SSO module at
every login. We just added RT and I’ve been asked to write the SSO
module that will allow already-validated-on-our-system users to step
around the RT login page and go straight to the RT “at a glance” page.

What I thought I understood from ExternalAuth and CookieAuth and the
many posts around implementing them, is that users go to the RT login
page and enter their names and passwords but that RT uses ~Auth
callbacks to query a remote database, either LDAP or another DBI type,
that then validates RT users. I’ve been asked to spare our users the
trouble of typing in a name and password if possible.

The closest answer I found was an “autologin” post from 2003 in which
the response was that it couldn’t be done without sending the password
in clear text as part of the url.

So I think the answer to my question is that I need to modify the source
code around logging. Then again, I’m not the expert here.

Thanks for your help.