[rt-users] AD External Authentication

Thomas Sibley trs at bestpractical.com
Wed May 15 19:21:08 EDT 2013


Pretty straightforward, with one caveat.

On 05/14/2013 12:12 PM, MacKillip, Scott wrote:
> If the user has an account in RT (set up by an RT administrator) they
> should still have the same functionality, just authentication is
> coming from AD and not the internal RT database.
> 
> If the user does not have an account in AD they should be denied
> access.
> 
> If the user does not have an account in RT, they should be directed
> to the self-service pages.

You can't access the self service pages without at least an unprivileged
RT account.  With $AutoCreateNonExternalUsers set to 0, users who can
auth with AD but don't have an RT account will have one automatically
created.  Users without an AD account will be denied all access.

> If the user does have an account in RT, they should not notice any 
> difference after installing the AD Authentication module.
> 
> Given the above requirements, will the following steps accomplish
> this?
> 
> 1. Install RT::Authen::ExternalAuth
> 2. Configure same to use LDAP
> 3. Set $WebExternalAuth to 0 in RT_SiteConfig.pm

$WebExternalAuth already defaults to off, and while unfortunately named,
does not refer to RT::Authen::ExternalAuth.  It would be better named
$WebRemoteUser, as it will be in RT 4.2, since it uses the REMOTE_USER
that your webserver is expected to set when enabled.

Short version: step 3 is unnecessary.

> 4. Set $AutoCreateNonExternalUsers to 0 (I don’t want to create
> any account in RT unless I do it myself)

Note that this means RT also won't accept email from addresses which
aren't in your configured AD.  This is because all addresses must have
an RT account of some sort, usually autocreated as unprivileged (without
a password, so unable to login).
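As an added illustration (not part of this thread or of the RT::Authen::ExternalAuth documentation), an RT_SiteConfig.pm excerpt for an RT 4.0 install that follows the steps agreed on above: the AD-backed LDAP service, $AutoCreateNonExternalUsers at 0, and $WebExternalAuth left alone. The hostname, bind DN, search base and credential are placeholders to replace with your own.

```perl
# RT_SiteConfig.pm excerpt (added example; host, bind DN, base and
# password below are placeholders, not values from the thread).

# RT 4.0 loads ExternalAuth as a plugin; in 4.2+ it ships with core.
Set(@Plugins, qw(RT::Authen::ExternalAuth));

# Use the AD service both for authentication and for user-info lookups.
Set($ExternalAuthPriority, ['AD_LDAP']);
Set($ExternalInfoPriority, ['AD_LDAP']);

# Step 4: never autocreate RT users who are NOT found in AD. Users who do
# authenticate against AD still get an unprivileged RT account created on
# first login; this setting is also why mail from non-AD addresses is refused.
Set($AutoCreateNonExternalUsers, 0);

# Step 3 is intentionally omitted: $WebExternalAuth only governs REMOTE_USER
# handling (renamed $WebRemoteUser in 4.2) and already defaults to 0.

Set($ExternalSettings, {
    'AD_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ad.example.internal',                           # placeholder
        'user'   => 'CN=rt-bind,OU=Service,DC=example,DC=internal',  # placeholder bind DN
        'pass'   => 'CHANGE_ME',   # placeholder; use a read-only, low-privilege account
        'base'   => 'DC=example,DC=internal',                        # placeholder base
        # Only person/user objects may log in ...
        'filter'   => '(&(objectClass=user)(objectCategory=person))',
        # ... and accounts flagged disabled in userAccountControl are refused.
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'    => 1,
        'net_ldap_args' => [ version => 3 ],
        # Match the RT login against sAMAccountName, falling back to mail.
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
        },
    },
});
```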
