<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Courier New, monospace" size="2">
<div>Hi,</div>
<div> </div>
<div>I have a working instance of RT 3.8.7 running under Apache 2.2.3 on RHEL 5.4. The instance has been set up to authenticate users against Active Directory via RT::Authen::ExternalAuth & LDAP. The LDAP authentication works fine (i.e. users log in with their AD credentials, and new users get created in RT when ticket requests come in via e-mail).</div>
<div> </div>
<div>Now I need to implement Single Sign-On, so that users at MSWin workstations can simply browse to the RT interface without having to type in their username/password again. To do this I’ve followed the instructions outlined at <a href="http://blank.org/memory/output/rt-ad-sso.html"><font color="#0000FF"><u>http://blank.org/memory/output/rt-ad-sso.html</u></font></a> and at <a href="http://wiki.bestpractical.com/view/NtlmAuthentication"><font color="#0000FF"><u>http://wiki.bestpractical.com/view/NtlmAuthentication</u></font></a>. I’ve also searched around the RT mailing list archives but couldn’t find anything that described the problem I’m having.</div>
<div><font face="Times New Roman, serif" size="3"> </font></div>
<div>The problem is that RT still presents the login screen when you go to its URL for the first time.</div>
<div><font face="Times New Roman, serif" size="3"> </font></div>
<div>My main questions are:</div>
<div><font face="Times New Roman, serif" size="3"> </font></div>
<ul style="margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt; ">
<li>Can NTLM & RT::Authen::ExternalAuth co-exist?</li><li>Is there a way to get debugging output from mod_ntlm?</li><li>Are there any additional pointers or advice regarding single sign-on with RT?</li></ul>
<div><font face="Times New Roman, serif" size="3"> </font></div>
<div>Besides this, any input on the issue would be highly appreciated.</div>
<div> </div>
<div>P.S. Here is what has been done so far, in a nutshell:</div>
<div><font face="Times New Roman, serif" size="3"> </font></div>
<ul style="margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt; ">
<li>Compiled and installed mod_ntlm</li><li>Installed User_Local.pm and MailFrom_Local.pm from <a href="http://www2.usit.uio.no/it/rt/modifications/"><font color="#0000FF"><u>http://www2.usit.uio.no/it/rt/modifications/</u></font></a></li><li>Installed Web_Local.pm from <a href="http://blank.org/memory/work/Web_Local.pm"><font color="#0000FF"><u>http://blank.org/memory/work/Web_Local.pm</u></font></a></li><li>Included this snippet in RT_SiteConfig.pm:</li></ul>
<div><font face="Times New Roman, serif" size="3"> </font></div>
<div style="padding-left: 36pt; "><pre>Set($WebExternalAuth, '1');
Set($WebFallbackToInternalAuth, '1');
Set($WebExternalGecos, undef);
Set($WebExternalAuto, '1');

Set($LDAPExternalAuth, '1'); # Enable LDAP auth
Set($LdapServer, 'mycompanys.ldap.server.com');
Set($LdapCAFile, undef);
Set($LdapUser, '&lt;LDAP user&gt;');
Set($LdapPass, '&lt;LDAP password&gt;');
Set($LdapAuthStartTLS, '0'); # Need to use TLS or ldaps to check passwords
Set($LdapAuthBase, 'dc=my,dc=company,dc=com');
Set($LdapAuthUidAttr, 'sAMAccountName');
Set($LdapAuthFilter, '(objectClass=user)');
Set($LdapMailBase, 'dc=my,dc=companymail,dc=com');
Set($LdapMailFilter, '(objectClass=user)');
Set($LdapMailScope, 'sub');
Set($LdapMailSearchAttr, 'mail');
%RT::LdapMailResultMap = (
    'sAMAccountName' => 'Name',
    'mail'           => 'EmailAddress',
    'cn'             => 'RealName',
);
</pre></div>
<div><font face="Times New Roman, serif" size="3"> </font></div>
<ul style="margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt; ">
<li>Included this in RT’s virtual server section of httpd.conf:</li></ul>
<div style="padding-left: 36pt; "><pre>PerlModule Apache2::compat
PerlModule Apache::DBI

PerlRequire /opt/rt3/bin/webmux.pl

&lt;Directory /opt/rt3/share/html&gt;
    Order allow,deny
    Allow from all

    SetHandler perl-script
    PerlResponseHandler RT::Mason

    AuthName "Request Tracker"
    AuthType NTLM
    NTLMAuth on
    NTLMAuthoritative on
    NTLMDomain MYCOMPANYS_AD_DOMAIN
    NTLMServer my_companys_dc1
    NTLMBackup my_companys_dc2
&lt;/Directory&gt;
</pre></div>
<ul style="margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt; ">
<li>Restarted Apache</li><li>Added our RT URL to IE’s “trusted sites” list</li></ul>
<div><font face="Times New Roman, serif" size="3"> </font></div>
<div><font face="Times New Roman, serif" size="3"> </font></div>
<div>Again, thanks in advance,</div>
<div>Sergey</div>
<div><font face="Times New Roman, serif" size="3"> </font></div>
<a name="_MailAutoSig"></a>
<div style="margin-top: 5pt; margin-bottom: 5pt; "><font face="Verdana, sans-serif" size="1">Sergey Gladkovich | UNIX Systems Engineer | (w) 201-743 -4293 | (m) 646-291-7123</font></div>
<div style="margin-top: 5pt; margin-bottom: 5pt; "><font face="Verdana, sans-serif" size="1">Arch Insurance Group Inc.<br>
300 - Plaza Three - 3rd Floor<br>
Jersey City NJ 07311<br>
Tel: 201-743-4000, Fax: 201-743-4005</font></div>
<div><font face="Times New Roman, serif" size="3"> </font></div>
<div><font face="Times New Roman, serif" size="3"><br>
</font></div>
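<div>Added diagnostic, not from the original message nor from RT or mod_ntlm: it makes the browser's first, credential-less request to the RT URL and tells whether Apache answered with the 401 NTLM challenge that mod_ntlm must send before REMOTE_USER can ever be set, or whether RT served its own login form, which in Apache 2.2 is what happens when the authentication phase never runs for that location (for example because the Directory block carries no Require directive). The RT URL is a placeholder, and the login-form field names are an assumption about RT 3.8's markup.</div>

```python
# Added example: probe the RT vhost exactly as a browser's first request does
# (no Authorization header) and classify what came back. RT_URL is a
# placeholder; the classifier is pure so it can be checked offline.
import http.client
from urllib.parse import urlsplit

RT_URL = "http://rt.example.invalid/"  # placeholder, not a real host


def classify_first_response(status, headers, body=b""):
    """Classify an unauthenticated first response from the RT vhost.

    headers is a list of (name, value) pairs as http.client returns them.
    Returns:
      'ntlm-challenge'  401 offering the NTLM scheme: mod_ntlm is engaged
      'other-challenge' 401 with a different scheme (e.g. Basic)
      'rt-login-form'   200 carrying RT's own form, i.e. Apache never
                        authenticated and REMOTE_USER stayed unset
      'unexpected'      anything else (redirect, 403, 500, ...)
    """
    schemes = {v.split()[0].upper() for k, v in headers
               if k.lower() == "www-authenticate" and v.strip()}
    if status == 401:
        return "ntlm-challenge" if "NTLM" in schemes else "other-challenge"
    # RT 3.8's login form uses input fields named "user" and "pass"
    # (assumption about the markup; adjust if the form is customised).
    if status == 200 and b'name="user"' in body and b'name="pass"' in body:
        return "rt-login-form"
    return "unexpected"


def probe(url, timeout=10):
    """Send one GET without credentials and return (status, verdict)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/",
                     headers={"User-Agent": "rt-sso-probe"})
        resp = conn.getresponse()
        headers, body = resp.getheaders(), resp.read()
    finally:
        conn.close()
    return resp.status, classify_first_response(resp.status, headers, body)


if __name__ == "__main__":
    status, verdict = probe(RT_URL)
    print(f"HTTP {status}: {verdict}")
```

A verdict of rt-login-form means the Apache layer is not challenging at all, so nothing in RT_SiteConfig.pm can help until the 401 appears; ntlm-challenge with a login form on the second request points instead at the REMOTE_USER to RT user mapping.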
</font>
</body>
</html>