RT::Authen::ExternalAuth selectable authentication service?

by William J. Horka

Hello all,

I was just checking out RT::Authen::ExternalAuth for the first time
after seeing the recent announcements on this list, and found it to be a
useful extension of RT functionality. However, I noticed that it
always attempts to authenticate a user to the external authentication
service(s) before falling back to local authentication. I was wondering
if there was any interest in enhancing it to allow for the selection of
the authentication service on a per-user basis, perhaps based on some
user custom field.

In our RT setup, we have a small number of privileged users who can own
tickets and have accounts in our LDAP directory, but we have a large
number of people who have access only to tickets they requested in RT,
and do not have LDAP accounts. I think it would cut down on unnecessary
traffic to our LDAP server if we could add some functionality to
RT::Authen::ExternalAuth so that it only looks up privileged users in
LDAP and does local authentication for everybody else.

Maybe a user custom field could indicate which authentication service to
use for an account (e.g. LDAP, external DB, local, etc.) rather than the
global $RT::ExternalAuthPriority applying to all users? However, this
could be problematic in allowing users to change which service they
authenticate to.

Would this per-user selectable authentication service functionality be
useful to anyone else, and does anyone have an alternative suggestion
for its implementation other than by using a user custom field? Maybe by
RT group membership (e.g. by creating and populating an "auth_ldap" group
for users to auth to LDAP, and an "auth_db" group for users to auth to an
external DB, etc.)?

      -Bill

--
William Horka
UNIX Systems Administrator
Harvard-MIT Data Center
_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@...


Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
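
A sketch of the group-based variant proposed above, as an added example (not code from RT, RT::Authen::ExternalAuth or any poster in this thread): the service list for a login is derived from admin-managed group membership rather than a user-editable field, and accounts in no auth group go straight to local authentication. The service names, sample accounts, stub backends and the choice to give group members no local fallback are assumptions.

```perl
use strict;
use warnings;

# Hypothetical model, not RT or RT::Authen::ExternalAuth code.
# Global order, playing the role of $RT::ExternalAuthPriority (names constructed).
my @PRIORITY = ('ldap', 'db');
# Admin-managed group => service, using the group names suggested in the post.
my %GROUP_SERVICE = (auth_ldap => 'ldap', auth_db => 'db');

# Constructed sample accounts: login => list of group names.
my %GROUPS_OF = (
    alice => ['auth_ldap'],   # privileged, has an LDAP account
    bob   => [],              # requestor only, no LDAP account
);

# Return the ordered list of services to try for one login. The only input
# is group membership, never a field the user can edit themselves.
sub services_for {
    my ($login) = @_;
    my %wanted;
    for my $g (@{ $GROUPS_OF{$login} // [] }) {
        $wanted{ $GROUP_SERVICE{$g} } = 1 if exists $GROUP_SERVICE{$g};
    }
    # Keep the global priority order so the result is deterministic.
    my @external = grep { $wanted{$_} } @PRIORITY;
    # In no auth_* group (or unknown login): local only, no external lookup.
    return @external ? @external : ('local');
}

# Stub backends with constructed credentials; %queries counts lookups per service.
my %queries;
my %BACKEND = (
    ldap  => sub { $_[0] eq 'alice' && $_[1] eq 'ldap-pw' },
    db    => sub { 0 },
    local => sub { $_[0] eq 'bob' && $_[1] eq 'local-pw' },
);

sub authenticate {
    my ($login, $pass) = @_;
    for my $svc (services_for($login)) {
        $queries{$svc}++;
        return $svc if $BACKEND{$svc}->($login, $pass);
    }
    return;   # no selected service accepted the credentials
}

for my $try (['alice', 'ldap-pw'], ['bob', 'local-pw'], ['alice', 'local-pw']) {
    my $svc = authenticate(@$try);
    printf "%-6s %-9s => %s\n", @$try, $svc // 'DENIED';
}
print "lookups: ", join(', ', map { "$_=$queries{$_}" } sort keys %queries), "\n";
```
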

Re: RT::Authen::ExternalAuth selectable authentication service?

by Kenneth Marshall-3

That seems like a lot of work to save a couple of very light-weight
LDAP queries. Plus, if anyone changes status, you will need to manually
reset their fields to get them to authenticate correctly. My two cents.

Cheers,
Ken

On Wed, Nov 12, 2008 at 01:50:25PM -0500, William J. Horka wrote:

> Hello all,
>
> I was just checking out RT::Authen::ExternalAuth for the first time
> after seeing the recent announcements on this list, and found it to be a
> useful extension of RT functionality. However, I noticed that it
> always attempts to authenticate a user to the external authentication
> service(s) before falling back to local authentication. I was wondering
> if there was any interest in enhancing it to allow for the selection of
> the authentication service on a per-user basis, perhaps based on some
> user custom field.
>
> In our RT setup, we have a small number of privileged users who can own
> tickets and have accounts in our LDAP directory, but we have a large
> number of people who have access only to tickets they requested in RT,
> and do not have LDAP accounts. I think it would cut down on unnecessary
> traffic to our LDAP server if we could add some functionality to
> RT::Authen::ExternalAuth so that it only looks up privileged users in
> LDAP and does local authentication for everybody else.
>
> Maybe a user custom field could indicate which authentication service to
> use for an account (e.g. LDAP, external DB, local, etc.) rather than the
> global $RT::ExternalAuthPriority applying to all users? However, this
> could be problematic in allowing users to change which service they
> authenticate to.
>
> Would this per-user selectable authentication service functionality be
> useful to anyone else, and does anyone have an alternative suggestion
> for its implementation other than by using a user custom field? Maybe by
> RT group membership (e.g. by creating and populating an "auth_ldap" group
> for users to auth to LDAP, and an "auth_db" group for users to auth to an
> external DB, etc.)?
>
>       -Bill
>
> --
> William Horka
> UNIX Systems Administrator
> Harvard-MIT Data Center

Re: RT::Authen::ExternalAuth selectable authentication service?

by Mike Peachey

Kenneth Marshall wrote:
> That seems like a lot of work to save a couple of very light-weight
> LDAP queries. Plus, if anyone changes status, you will need to manually
> reset their fields to get them to authenticate correctly. My two cents.

To be honest I have to agree. It would require a lot of work and would
save only a small amount of resources and could render RT an
administrative nightmare. Also, the extra lookups required inside RT
would likely reduce the LDAP load at the expense of increasing the load
on the RT server.

Having said that, you are more than welcome to investigate coding it
yourself, I just simply wouldn't find the time - as it is I've yet to
get the chance to confirm the DB authentication in 0.07_01 so as to
release it as stable.

--
Kind Regards,

__________________________________________________

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__________________________________________________