Set User Password

Kurt_Engle · January 12, 2011, 9:16pm

I am wanting to use the Internal RT user database as well as an External LDAP database for user authentication. I have the LDAP side of things working properly. I also have the ability to create users using the RT WebUI. However, there is no option for setting a password for the newly created user. I am unable to login as the newly created users with a ‘blank’ password or a password of ‘password’.

Why is there no option in the WebUI when creating a user to enter a password in my setup? I was under the impression that RT would fall back to internal auth if a user was not found in the External LDAP database. My log files do not indicate any such action.

From RT_Siteconfig.pm:
Set($DatabaseType, ‘mysql’);
Set($DatabaseHost, ‘localhost’);
Set($DatabaseRTHost, ‘localhost’);
Set($DatabaseUser, ‘’);
…
Set($ExternalAuthPriority, [‘My_LDAP’]);
Set($ExternalInfoPriority, [‘My_LDAP’]);
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreate, 1);
Set($AutoCreateNonExternalUsers, 1);
…

Kurt Engle

John_Alberts · January 12, 2011, 10:58pm

I am wanting to use the Internal RT user database as well as an
External LDAP database for user authentication.

The only way I’ve found to do this is to temporarily disable LDAP auth,
add the users I want and set their password, and then re-enable LDAP
auth. One side effect, if the user you added does exist in LDAP, the
user can use either the LDAP password or the password you gave them to
login.

Not sure if there is a better way to do this, but I couldn’t find any
‘official’ way to layer authentication and I only need to add a couple
special users for automation purposes, so what I did worked for me.

John Alberts
Hosted Services
Exlibris USA
john.alberts@exlibrisgroup.com

Kevin_Falcone · January 12, 2011, 11:11pm

I am wanting to use the Internal RT user database as well as an
External LDAP database for user authentication.

The only way I’ve found to do this is to temporarily disable LDAP auth,
add the users I want and set their password, and then re-enable LDAP
auth. One side effect, if the user you added does exist in LDAP, the
user can use either the LDAP password or the password you gave them to
login.

Not sure if there is a better way to do this, but I couldn’t find any
‘official’ way to layer authentication and I only need to add a couple
special users for automation purposes, so what I did worked for me.

RT-Authen-ExternalAuth hides the password boxes using css if the
current user doesn’t have a password, since it can’t ask you to type
in your password before changing the user’s password. Does it work if
you’re logged in as the root user?

-kevin

Kurt_Engle · January 13, 2011, 5:18pm

Yes, the password change box does appear when I login as ‘root’. I am able to set passwords for local users as the ‘root’ user.

Interesting though, when I login to RT as myself via LDAP with ‘SuperUser’ rights, I do not see the password boxes for any users other than myself. So, I went ahead and entered a password for my account and made it that same as my LDAP retrieved password. Now, I can see password boxes for all of my users and can make changes to their passwords. Which is what I want.

But, can someone explain the logic of the credentials checking process that is followed here? Is RT using my LDAP retrieved password or is it using an internal password in this process? If I change my password internal to RT and make it different than my LDAP retrieved password they both work and appear to be the same user. So it seems that a user’s account, if it is external, can have and external and internal password.

Kurt EngleFrom: “Kevin Falcone” falcone@bestpractical.com
To: rt-users@lists.bestpractical.com
Sent: Wednesday, January 12, 2011 3:11:45 PM
Subject: Re: [rt-users] Set User Password

I am wanting to use the Internal RT user database as well as an
External LDAP database for user authentication.

The only way I’ve found to do this is to temporarily disable LDAP auth,
add the users I want and set their password, and then re-enable LDAP
auth. One side effect, if the user you added does exist in LDAP, the
user can use either the LDAP password or the password you gave them to
login.

Not sure if there is a better way to do this, but I couldn’t find any
‘official’ way to layer authentication and I only need to add a couple
special users for automation purposes, so what I did worked for me.

RT-Authen-ExternalAuth hides the password boxes using css if the
current user doesn’t have a password, since it can’t ask you to type
in your password before changing the user’s password. Does it work if
you’re logged in as the root user?

-kevin

Kevin_Falcone · January 13, 2011, 5:49pm

But, can someone explain the logic of the credentials checking process that is followed here?
Is RT using my LDAP retrieved password or is it using an internal password in this process? If

Internal

I change my password internal to RT and make it different than my LDAP retrieved password they
both work and appear to be the same user.

RT will let you log in with your LDAP or your internal password since
RT-Authen-ExternalAuth falls back

So it seems that a user’s account, if it is
external, can have and external and internal password.

Correct.

The reason RT-Authen-ExternalAuth actually hides password boxes is so
that users who can change their preferences don’t try to change their
password internally since they won’t be changing their LDAP password
and might be surprised when they went to log into something else that
uses LDAP and it was different from what they changed in RT

-kevin