[rt-users] RT password fields and logout when using LDAPauth

Tomas A. P. Olaj tomas.olaj at usit.uio.no
Fri Aug 20 04:40:03 EDT 2004


Hi,

After successfully setting up Apache to LDAP-authenticate for RT, we have
found that this solution may not work for our purpose. We still want to
use LDAP to centralize passwords at our university for our internal
users (students and employees). However, I notice that it could be a
security problem that the user cannot use the logout link in RT to
terminate the session. In Internet Explorer, you have to empty the cache.

This option disappears when letting Apache do the authentication through LDAP.
The requestors should use a common terminal to check their requests.

The above solution will work for internal LDAP-registered users. But
typically a university also has external people (guest students,
customers, etc.) who are not registered in the internal university
LDAP server and do not have a university e-mail address. When they send
requests, their e-mail address will normally be used as their username by
RT. They need to get a randomized password sent back by RT (as with other
ticket systems), and they need to log on. LDAP authentication of internal
users prevents that.

External users also need to change their password, which they are not
allowed to do when LDAP auth is enabled (that's also understandable, since
LDAP users' passwords are stored centrally). Furthermore, mail from external
users won't be accepted by RT, since rt-mailgate sends it to Apache for
authentication.

I guess a solution would be to use RT's main login page and hack the
internal RT source code that handles authentication of users in the
database so that it also accepts LDAP users from a trusted directory
server. Someone said earlier that RT does not support LDAP, but is there
anyone out there who has hacked the code for this purpose? If not, we are
thinking about doing that. Letting Apache do the authentication is
actually not always desirable.

We have potentially over 50,000 users (internal and external). We have to
set up multiple instances, as described on the Wiki. Is there a way to
move a request from one instance to another externally, in the same way
you move a request from one queue to another queue in the same instance
(i.e. not by forwarding e-mails)? I've heard that it was possible. I
don't know.

:)

regards,
Tomas

-- 
________________________________________________________________________
Tomas A. P. Olaj, email: tomas.olaj at usit.uio.no, web: folk.uio.no/tomaso
 University of Oslo / USIT (Center for Information Technology Services)
   System- and Application Management / Applications Management Group
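The dual-source login check Tomas proposes above (RT's own login page, with the database password check extended so that users from a trusted directory are also accepted), sketched as an added example. This is not code from the original post and not RT's source; it uses the CPAN module Net::LDAP, and the directory URI, base DN, uid attribute and the local password table are placeholders chosen for illustration. Wiring it into RT's login code is not shown.

```perl
#!/usr/bin/perl
# Added example (not RT code): accept directory users via an LDAP bind and
# external requestors via a local password table, from one login form.
# Assumptions: ldap_uri, base_dn and uid_attr are placeholders, the directory
# allows anonymous search, and %local stands in for the ticket system's table.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Digest::SHA qw(sha256_hex);

my %cfg = (
    ldap_uri => 'ldaps://ldap.example.edu',     # assumption: LDAPS, not plain ldap://
    base_dn  => 'ou=people,dc=example,dc=edu',  # assumption
    uid_attr => 'uid',                          # assumption
);

# Constructed local store for external requestors:
# user => [salt, sha256_hex(salt . password)]
my %local = (
    'guest@example.org' => [ 'x9Qz', sha256_hex('x9Qz' . 'mailed-random-password') ],
);

# Returns 1 if $user/$pass is accepted, 0 otherwise.
sub authenticate {
    my ($user, $pass) = @_;
    # Never send an empty password to the directory: a bind with a DN and an
    # empty password is treated as a successful anonymous bind by many servers.
    return 0 if !defined $user || !defined $pass || $pass eq '';

    my ($status, $dn) = directory_dn_for($user);
    if ($status eq 'found') {
        # Internal user: the directory decides. No fallback to the local table,
        # so a stale local password cannot shadow the central one.
        return ldap_bind_as($dn, $pass);
    }
    if ($status eq 'absent') {
        # External requestor with no directory entry: check the local password.
        return local_check($user, $pass);
    }
    return 0;   # directory unreachable or ambiguous match: fail closed
}

# Resolve a username to a DN: ('found', $dn), ('absent') or ('error').
sub directory_dn_for {
    my ($user) = @_;
    my $ldap = Net::LDAP->new($cfg{ldap_uri}) or return ('error');
    my $mesg = $ldap->bind;                     # anonymous search bind
    return ('error') if $mesg->code;

    # Escape the username so it cannot alter the filter structure.
    my $filter = sprintf '(%s=%s)', $cfg{uid_attr}, escape_filter_value($user);
    $mesg = $ldap->search(base => $cfg{base_dn}, scope => 'sub',
                          filter => $filter, attrs => ['1.1']);
    $ldap->unbind;
    return ('error') if $mesg->code;

    my @entries = $mesg->entries;
    return ('absent') if @entries == 0;
    return ('error')  if @entries > 1;
    return ('found', $entries[0]->dn);
}

# Verify the password by binding as the user; the server does the comparison.
sub ldap_bind_as {
    my ($dn, $pass) = @_;
    my $ldap = Net::LDAP->new($cfg{ldap_uri}) or return 0;
    my $mesg = $ldap->bind($dn, password => $pass);
    $ldap->unbind;
    return $mesg->code == 0 ? 1 : 0;
}

sub local_check {
    my ($user, $pass) = @_;
    my $rec = $local{$user} or return 0;
    return constant_time_eq(sha256_hex($rec->[0] . $pass), $rec->[1]);
}

# Compare two hex digests without leaking where they first differ.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Usage: perl auth.pl <username> <password>
if (!caller) {
    my ($u, $p) = @ARGV;
    print authenticate($u, $p) ? "accepted\n" : "rejected\n";
}
```

The points a practitioner would check in such a hook: the directory password is verified by binding as the user rather than by reading a password attribute; an empty password is rejected before it reaches the server, because a DN plus empty password is an anonymous bind on many LDAP servers; the username is escaped before it is placed in the search filter; a user who exists in the directory never falls back to the local table; and an unreachable directory fails closed rather than open.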


