[rt-users] LDAP authentication best practices

Thomas Smith theitsmith at gmail.com
Tue Oct 4 16:22:24 EDT 2011


Thanks again Ruslan!

I've got this mostly working but I'm missing something and I'm just
not seeing what that is...

Apache auth via LDAP (mod_auth_ldap) is working correctly--the user
gets into RT, but no options are available except "Tickets" (along
with Open, Create, etc, within the Tickets menu). And the new user can
see that they're logged in, "Logged in as user". However, their user
account is not being created within the RT database and there are no
available options for their account (no drop-down for "Logged in as
user") under their login.

I'm seeing these errors when each new user connects to RT.

[Tue Oct  4 20:04:22 2011] [debug]: Attempting to use external auth
service: My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Oct  4 20:04:22 2011] [debug]: SSO Failed and no user to test
with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Tue Oct  4 20:04:22 2011] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)

If the user already exists, however, login works fine and the user is
able to function as expected in RT.

What am I missing here? I've looked at (and for) the various "auto
create" options but haven't gotten very far with this. WebExternalAuth
and WebExternalAuto are both set to 1.


On Mon, Oct 3, 2011 at 3:19 PM, Ruslan Zakirov <ruz at bestpractical.com> wrote:
> Hi,
>
>
> On Tue, Oct 4, 2011 at 12:14 AM, Thomas Smith <theitsmith at gmail.com> wrote:
>> Thanks Ruslan!
>>
>> Yes, I am looking for SSO. I also left out RT (4.0.2) and Apache
>
> If you need SSO then you should teach your apache to do that. You do
> SSO in apache, then use the WebExternalAuth option so RT picks up the
> user name from apache. In combination you can use either the LDAPImport
> or ExternalAuth extensions to fetch additional info from LDAP and keep
> it up to date in RT.
>
>
>> (2.0.63) versions. This server is currently running on COS 4.8 but
>> will soon be upgraded to 6. I also performed the RT upgrade from 3.8.8
>> last night (not sure if that matters for this question though).
>>
>> On Mon, Oct 3, 2011 at 3:03 PM, Ruslan Zakirov <ruz at bestpractical.com> wrote:
>>> Hi,
>>>
>>> On Mon, Oct 3, 2011 at 11:28 PM, Thomas Smith <theitsmith at gmail.com> wrote:
>>>> Hi,
>>>>
>>>> I'm looking at using LDAP authentication to auth against a Win2k8 R2 AD
>>>> server. I've seen a few different ways to do this on the website and
>>>> through Google-ing but none are consistent and none cover all that I'd
>>>> like to accomplish with this.
>>>>
>>>> What I'd like to do is this:
>>>>
>>>>    * Authenticate users against AD who login through the web
>>>> interface. As part of this authentication (for non-existent RT users),
>>>> create the user's account using their AD username as their RT Username
>>>> and their AD primary SMTP address as their RT Email.
>>>>    * When non-existing users submit a ticket via email, have RT check
>>>> that email against AD and if it finds a user associated with that
>>>> email, create a new account using the user's AD username as RT's
>>>> Username and the user's AD email address as RT's Email.
>>>>    * Reject all other requests (and auto creations) for users who
>>>> don't already exist in AD or the local RT user database.
>>>>
>>>> Is it possible to do all of these things?
>>>
>>>
>>> See http://requesttracker.wikia.com/wiki/LDAP
>>>
>>> You didn't say if you need SSO or not.
>>>
>>> To check and add users when they send emails and don't exist in the
>>> system, you need RT::Authen::ExternalAuth. If you need SSO and LDAP is
>>> quite static then you can use apache for SSO and LDAPImport [1] to
>>> periodically import and/or update users.
>>>
>>> [1] http://cpansearch.perl.org/src/FALCONE/RT-Extension-LDAPImport-0.31/README
>>>
>>>>
>>>> --
>>>> Thomas Smith
>>>> Cell: 602-882-2917
>>>>
>>>
>>> --
>>> Best regards, Ruslan.



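As an added illustration of the combination Ruslan describes (Apache does the LDAP login, RT takes the user name from REMOTE_USER via WebExternalAuth, and RT::Authen::ExternalAuth fills in the account from AD), here is an RT_SiteConfig.pm fragment; it is not from the thread or from Best Practical, and the server name, base DN and bind account are placeholders to be replaced with your own.

```perl
# RT_SiteConfig.pm fragment (added example; hostnames/DNs are placeholders)
Set(@Plugins, qw(RT::Authen::ExternalAuth));

# Apache has already authenticated the user; trust REMOTE_USER and
# let RT create the account on first visit. Keep the internal fallback
# off so only AD-backed logins are accepted.
Set($WebExternalAuth, 1);
Set($WebExternalAuto, 1);
Set($WebFallbackToInternalAuth, 0);

# Use AD both for authentication (email-driven logins) and as the
# source of user details for auto-created accounts.
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);
Set($ExternalServiceUsesSSLorTLS, 1);

# Do not auto-create users that cannot be found in AD (third bullet
# in the original question).
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'dc1.example.com',                 # placeholder
        'user'   => 'CN=rt-bind,OU=Service,DC=example,DC=com', # placeholder
        'pass'   => 'REPLACE-WITH-BIND-PASSWORD',      # read-only account
        'base'   => 'OU=People,DC=example,DC=com',     # placeholder
        'tls'    => 1,
        'net_ldap_args' => [ version => 3 ],
        # Only real, non-computer user objects may log in.
        'filter'   => '(&(objectClass=user)(objectCategory=person))',
        # Standard AD bit-match for "account disabled": such users are
        # treated as disabled in RT rather than silently accepted.
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Match on the RT Username (from REMOTE_USER) or on the email
        # address (incoming mail), as the original question asks for.
        'attr_match_list' => ['Name', 'EmailAddress'],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
        },
    },
});
```

The bind account only needs read access to the user OU; give it nothing more, since its password sits in this file.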