[rt-users] LDAP + Kerberos + RT

justin m. clayton justincl at u.washington.edu
Fri Nov 22 19:09:01 EST 2002


Thanks for those posts. They were semi-helpful, but I'm still confused.

Is this non-trivial? It seems that manageability of RT accounts is one of
these things that everyone would just want.

WebExternalAuth doesn't seem to fix the user management problem, but if I
were just using Kerberos + RT accounts and not LDAP, that would be better
than now, I suppose.

I also saw the fix to strip everything right of the @ in the requestor's
email, but I'm not sure that's such a good idea.

Comments?

Justin Clayton
VLSI Research System Administrator
University of Washington
Electrical Engineering Dept
justincl at u.washington.edu
206/543.2523  EE/CSE 307E

On Wed, 20 Nov 2002, Ray Thompson wrote:

> I just happened to ask about this a couple of days ago :-)
> Seph and Harald have a couple of options.  I've tried the first one from the replies listed below without success but that could just be me.  I've e-mailed the author off list for additional help.  I'll post any findings.
>
> My original post:
> http://lists.fsck.com/pipermail/rt-users/2002-November/010897.html
>
>
> Replies and related posts:
> http://lists.fsck.com/pipermail/rt-users/2002-November/010910.html
> http://lists.fsck.com/pipermail/rt-users/2002-November/010901.html
> http://lists.fsck.com/pipermail/rt-devel/2002-May/002349.html
>
> --Ray
>
> -----Original Message-----
> From: rt-users-admin at lists.fsck.com [mailto:rt-users-admin at lists.fsck.com] On Behalf Of justin m. clayton
> Sent: Wednesday, November 20, 2002 6:49 PM
> To: RT Users Mailing List
> Subject: [rt-users] LDAP + Kerberos + RT
>
>
> I'm using RT 2.0.11 and would like to take advantage of the Requestor web interface, but have no desire to maintain a separate user/passwd list from our otherwise single sign-on system (using openldap+kerberos). I think I can handle setting up mod-auth-kerb on Apache to do the authentication bit (though any pointers would be helpful), but there's this other nagging
> problem: anytime a user in RT is autocreated due to ticket submission, the email address gets used as the username. This obviously doesn't match the Kerberos principal namespace, but is fixable by an admin going in and changing the username to match. However, I'd like a cleaner solution. I assume that the as-yet undocumented (in RT/FM, anyway) pluggable user metadata features don't fix this, right? Any ideas? Any way to bypass the RT db completely and just use LDAP as the user db, with Kerberos as the auth system?
>
> Thanks,
>
> Justin Clayton
> VLSI Research System Administrator
> University of Washington
> Electrical Engineering Dept
> justincl at u.washington.edu
> 206/543.2523  EE/CSE 307E
>
>
> _______________________________________________
> rt-users mailing list
> rt-users at lists.fsck.com http://lists.fsck.com/mailman/listinfo/rt-users
>
> Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm
>
>
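
The concern raised above about stripping everything right of the @, as an added example that is not part of the original thread and is not RT code: it compares that approach with a mapping that shortens an address to a principal name only when the domain is the site's own and a directory entry confirms the owner. The domains, directory contents and function names are constructed assumptions; the dict stands in for an LDAP search on the mail attribute.

```python
import re

# Constructed assumptions: the site's own mail domain(s), the shape of a
# single-component principal name, and a dict standing in for an LDAP
# lookup of mail -> uid.
TRUSTED_DOMAINS = {"example.edu"}
PRINCIPAL_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")
DIRECTORY = {
    "alice@example.edu": "alice",
    "a.liddell@example.edu": "alice",   # mail alias of the same account
}


def naive_username(email):
    """Strip everything right of the '@', whatever the domain is."""
    return email.strip().lower().split("@", 1)[0]


def mapped_username(email, directory=DIRECTORY, trusted=TRUSTED_DOMAINS):
    """Return the principal name for a confirmed local address.

    Any address outside the trusted domains, or not present in the
    directory, keeps its full address as the username, so it can never
    collide with a local principal.
    """
    addr = email.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or domain not in trusted:
        return addr
    uid = directory.get(addr)
    if uid is None or not PRINCIPAL_RE.match(uid):
        return addr
    return uid


def compare(addresses):
    """Return (address, naive result, mapped result) for each address."""
    return [(a, naive_username(a), mapped_username(a)) for a in addresses]


if __name__ == "__main__":
    sample = ["alice@example.edu", "alice@elsewhere.example",
              "A.Liddell@Example.EDU", "bob@example.edu"]
    for row in compare(sample):
        print("%-26s naive=%-10s mapped=%s" % row)
```

With the naive rule, an outside address whose local part matches a local principal ends up on the same RT account; the mapped rule keeps that requestor as a separate user.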



