[rt-users] LDAP solution that works
Tomas A. P. Olaj
tomas.olaj at usit.uio.no
Tue Aug 10 08:16:14 EDT 2004
For our Scandinavian readers I have compiled a short install-note here for
our RT system:
<http://folk.uio.no/tomaso/jobb/rt-spec.html>
I have also got LDAP to work with Apache 2 (as distributed with RHES30, which
does not have the experimental mod_auth_ldap module compiled in) and OpenLDAP,
using the following module configuration (from ssl.conf):
# MOD_AUTH_LDAP by Muhammad A Muquit for Apache 2.x, version 2.12.
# http://muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html
#
AuthAuthoritative On
AuthName "Request Tracker (RT) Saksbehandlingsystemet ved UiO"
AuthType Basic
AuthOnBind On
# Sub_DN ou=CIS,ou=People
LDAP_Persistent Off
# Bind_Tries 5
LDAP_Debug On
# Our server uses TLS with a certificate: protocol version 3 is required for StartTLS.
LDAP_Protocol_Version 3
LDAP_Deref ALWAYS
# Our server uses TLS with a certificate, so StartTLS is negotiated on port 389.
LDAP_StartTLS On
# LDAP_CertDbDir path - only available through Netscape's SDK and SSL configuration
LDAP_Server some-ldap-server.sub.domain
# LDAP_Server some-ldap-test-server.sub.domain - test LDAP server for UiO
LDAP_Port 389
# LDAP_Connect_Timeout 3 - connect timeout in seconds - only available using iPlanet SDK
# LDAP_Port 636 - if SSL is on, must specify the LDAP SSL port, usually 636
Base_DN "ou=Users,dc=sub,dc=domain"
# Base_DN "ou=People,dc=sub,dc=domain"
# Base_DN "o=Fox Chase Cancer Center,c=US"
# Bind_DN "uid=admin,o=Fox Chase Cancer Center,c=US"
# Bind_Pass "secret"
UID_Attr uid
# UID_Attr_Alt "mail"
# Group_Attr uniqueMember
SupportNestedGroups On
require valid-user
# require user muquit foo bar "john doe"
# require roomnumber "123 Center Building"
# require filter "(&(telephonenumber=1234)(roomnumber=123))"
# require group cn=rt-saksbehandler,ou=netgroups,dc=sub,dc=domain
# require group cn=rcs,ou=Groups
Our solution is as follows for authentication and authorisation:
1) LDAP for authentication. New users will be created automatically by RT
with their username. Of course, new users sending e-mail to RT will be
created with their e-mail address as the username. That's not wanted, and we
are wondering how others deal with that.
2) In addition, we will not do an LDAP dump (export/import) of user info
other than the password into the RT database (in our case a PostgreSQL
database), since we have potentially 10,000s of requestors. Instead we want
to build the user info internally in RT on the fly when we have incoming
requests. So, we need to create some form of a script that searches through
the RT database for usernames equal to an e-mail address, or something that
triggers that script when we have incoming requests, to update the RT
database with the correct user info. As said before, an incoming request
creates a user with the e-mail address as the username. We have our own
service called "electronic post office" which gives info about a user. So we
don't need a dump from an LDAP server or another user administration system.
--
________________________________________________________________________
Tomas A. P. Olaj, email: tomas.olaj at usit.uio.no, web: folk.uio.no/tomaso
University of Oslo / USIT (Center for Information Technology Services)
System- and Application Management / Applications Management Group