[rt-users] LDAP authentication best practices

Thomas Smith theitsmith at gmail.com
Tue Oct 4 23:54:51 EDT 2011


On Tue, Oct 4, 2011 at 8:42 PM, Thomas Smith <theitsmith at gmail.com> wrote:
> Thanks Kevin! That setting worked!
>
> On Tue, Oct 4, 2011 at 1:37 PM, Kevin Falcone <falcone at bestpractical.com> wrote:
>> On Tue, Oct 04, 2011 at 01:22:24PM -0700, Thomas Smith wrote:
>>> Thanks again Ruslan!
>>>
>>> I've got this mostly working but I'm missing something and I'm just
>>> not seeing what that is...
>>>
>>> Apache auth via LDAP (mod_auth_ldap) is working correctly--the user
>>> gets into RT, but no options are available except "Tickets" (along
>>> with Open, Create, etc, within the Tickets menu). And the new user can
>>> see that they're logged in, "Logged in as user". However, their user
>>> account is not being created within the RT database and there are no
>>> available options for their account (no drop-down for "Logged in as
>>> user") under their login.
>>
>> Sounds like users are being created Unprivileged.
>> Use $AutoCreate in RT_SiteConfig.pm if you wish them to be created
>> Privileged.  You can search for and make users Privileged from the
>> user admin pages.  They will not be listed in the list of current
>> users if they are Unprivileged (but will have records in the Users
>> table).
>
> Discovered another issue... This one isn't strictly RT-related, I don't think.
>
> The email gateway is no longer working. When I configured Apache auth,
> I had to do it at the /opt/rt4 level--otherwise, RT would display the
> login page without the option to log in and SSO wouldn't work. Now the
> mail gateway is unable to insert new tickets into the database as the
> area it's trying to access is password protected. Are there any
> best-practices for lifting the security off of this one directory
> (NoAuth only, right?) while maintaining SSO on the remainder of the
> system? Every time I exclude this directory from authentication, SSO
> breaks.

Sorry, here are the errors I'm seeing in the maillog regarding rt-mailgate.

Oct  4 20:53:14 hostname postfix/local[12080]: 82FEA7BDE5:
to=<helpdesk at hostname.domain.tld>,
orig_to=<helpdesk at hostname.domain.tld>, relay=local, delay=18072,
status=deferred (temporary failure. Command output: An Error Occurred
=================  401 Authorization Required )
Oct  4 20:53:14 hostname postfix/local[12079]: 0DDC943BD1:
to=<helpdesk at hostname.domain.tld>,
orig_to=<helpdesk at hostname.domain.tld>, relay=local, delay=19194,
status=deferred (temporary failure. Command output: An Error Occurred
=================  401 Authorization Required )
