[rt-users] Validating RT users via Active Directory

Jean-Eric Cuendet jec at rptec.ch
Fri Aug 8 07:19:49 EDT 2003


> Seems to me that, so far, all I've seen is people using LDAP to lookup
> user info essentially via the mailgate to populate new users as they
> submit requests. This is cool, we've been doing something like that 
> here for over a year with an external directory.

We are authenticating users with LDAP (OpenLDAP 2.0.x). LDAP forwards the
password request to our NT4 (Samba 2.2) domain controller.
This is done as follows:
- SSL-protected RT. Done in Apache 1.3, nothing related to
RT/Authentication. This lets us pass the password in clear in the SSL tunnel.
- We use the Apache auth_net_ldap module for authentication. Apache asks LDAP
for user/password matching and, if successful, forwards the variable
USER=<user> to RT.
- RT is set to external authentication so it uses the USER=<user>
variable to get the user connecting.

This is very simple and works really well. We don't use the RT password,
only the NT4 password (forwarded from LDAP).

Hope this helps. Ask if you need help on setting that up.
AD is the same as LDAP+Kerberos and quite the same as OpenLDAP+NT4
domain. So integrating AD in RT should not be a problem.
Bye.
-jec

> 
> However, what I really want to do is to get users to have a single
> login name and password everywhere and so I want to authenticate access
> to RT via AD, and not via the password in RT.
> 
> I've not found anything on Linux which does this directly. Thus my
> request is for any info on anything that does.
> 
> The opportunity is that I've found a way to do it. It's rather convoluted
> as it involves a piece of ASP sitting on an SSL protected IIS server that
> acts as a web service to do the authentication for me as I don't want
> passwords flying over the wire in clear text. I simply call that from
> .../rt3/lib/RT/User_Local.pm and voila! AD authenticated users. I'd be
> more than happy to post that code here, in all its crudeness, if anyone is
> interested - unless there's a better way!
> 
> (FWIW - I've also got this working on RT2 also).
> 
> BTW - our RT3 is running on RH9. Having followed Harald's lead, it works
> perfectly.
> RH9, local built perl 5.8.0, local built apache 1.3.28 with mod_perl 1.28.
> 
> Regards,
> Gary
> 
-- 
Jean-Eric Cuendet
Riskpro Technologies SA
Av du 14 avril 1b, 1020 Renens Switzerland
Principal: +41 21 637 0110  Fax: +41 21 637 01 11
Direct: +41 21 637 0123
E-mail: jean-eric.cuendet at rptec.ch
http://www.rptec.ch
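
The three steps described in the message above, sketched as configuration. This is an added example, not configuration posted by the author or shipped with RT: host names and the DN are constructed, the LDAP check is assumed to be done by the mod_perl handler Apache::AuthNetLDAP, and the variable RT reads is assumed to be the CGI REMOTE_USER.

```apache
# Added example. rt.example.com, ldap.example.com and the DN are constructed values.
# Assumes Listen 80 / Listen 443 and the existing RT handler setup are already in place.

# Plain HTTP: RT is never served here, so the browser is never asked
# for a Basic-auth password outside the SSL tunnel.
<VirtualHost _default_:80>
    ServerName rt.example.com
    Redirect permanent / https://rt.example.com/
</VirtualHost>

# HTTPS (mod_ssl): the only place a password is requested.
<VirtualHost _default_:443>
    ServerName rt.example.com
    SSLEngine on
    # Certificate directives and the RT handler configuration stay as installed.

    <Location />
        # Refuse the request if it ever reaches this location without SSL.
        SSLRequireSSL

        AuthType Basic
        AuthName "RT"

        # Assumption: Apache::AuthNetLDAP performs the user/password check.
        # The SSL tunnel ends at Apache; the connection from Apache to the
        # LDAP server is a separate hop and has to be protected on its own.
        PerlAuthenHandler Apache::AuthNetLDAP
        PerlSetVar LDAPServer ldap.example.com
        PerlSetVar LDAPPort   389
        PerlSetVar BaseDN     "ou=people,dc=example,dc=com"
        PerlSetVar UIDAttr    uid

        # On success Apache sets REMOTE_USER, which RT then trusts.
        Require valid-user
    </Location>
</VirtualHost>

# RT side, in RT_SiteConfig.pm (Perl), shown here as comments:
#   Set($WebExternalAuth, 1);             # take the user name from the web server
#   Set($WebFallbackToInternalAuth, 0);   # no login with RT's own password
```

Because RT accepts whatever user name the web server hands it, every route to RT has to pass through this authenticated location.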