[rt-users] LDAP + Kerberos + RT

seph seph at commerceflow.com
Fri Nov 22 23:33:59 EST 2002


> > Thanks for those posts. They were semi-helpful, but I'm still confused.
> > 
> > Is this non-trivial? It seems that manageability of RT accounts is one of
> > these things that everyone would just want.
> > 
> > WebExternalAuth doesn't seem to fix the user management problem, but if I
> > were just using Kerberos + RT accounts and not LDAP, that would be better
> > than now, I suppose.
> > 
> > I also saw the fix to strip everything right of the @ in the requestor's
> > email, but I'm not sure that's such a good idea.
> > 
> > Comments?
> 
> 
> I agree with Justin, but unfortunately I'm not in a position to offer any
> resources (time or money) to address this issue.  For now, I'm just
> offering e-mail access to the RT system for most of my users, while only 2
> of us actually access the web interface with usernames & passwords.

I'm confused about what you two are confused about.

RT will easily get its authentication from Apache (by default, it
takes whatever's in $REMOTE_USER, the normal CGI username variable) and
accepts it. By default, RT requires all web users to exist (it doesn't
autocreate).

There are patches that will autocreate externally authenticated web
users. There are also patches that will take web auth from somewhere
other than $REMOTE_USER. There's even stuff in contrib that will
recurse over LDAP, and create RT users from it.

That should be more than enough pieces to do whatever it is you're
trying to do. As I've said, what I've done is set my Apache up to
authenticate users, and set my RT up to autocreate users using the
information Apache presents to RT. You could just as easily autocreate
all authenticated users with data from LDAP.

seph

PS: This is all for the current stable RT 2.0.x line. The new beta RT
3.x stuff will be slightly different.
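
Added example, not part of the original message and not code from RT or from any of the patches mentioned: a stand-alone Perl illustration of the decision flow described above, where the web server supplies REMOTE_USER and an unknown user is autocreated only from directory data. The realm name, the %DIRECTORY hash (a stand-in for an LDAP lookup), the sample users and all function names are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical values: the realm and directory contents are constructed.
my $TRUSTED_REALM = 'EXAMPLE.COM';
my %DIRECTORY = (    # stand-in for an LDAP search keyed on login name
    alice => { mail => 'alice@example.com', name => 'Alice Example' },
);

# Map the web server's REMOTE_USER to a local login name, or undef.
sub login_from_remote_user {
    my ($remote_user) = @_;
    return undef unless defined $remote_user && length $remote_user;
    my ($user, $realm) = split /@/, $remote_user, 2;
    # A Kerberos principal may arrive as user@REALM. Accept only our own
    # realm instead of discarding whatever follows the @.
    return undef if defined $realm && $realm ne $TRUSTED_REALM;
    # Restrict the login to a conservative character set and length.
    return undef unless $user =~ /\A[a-z][a-z0-9._-]{0,31}\z/;
    return $user;
}

# Decide what to do with an externally authenticated request.
# $existing is a hashref of accounts that already exist in the tracker.
sub resolve_account {
    my ($remote_user, $existing) = @_;
    my $login = login_from_remote_user($remote_user)
        or return { action => 'deny', reason => 'untrusted or malformed REMOTE_USER' };
    return { action => 'login', login => $login } if $existing->{$login};
    # Autocreate only when the directory knows the user, and take the
    # e-mail address and name from the directory, never from the request.
    my $entry = $DIRECTORY{$login}
        or return { action => 'deny', reason => 'not in directory' };
    return { action => 'create', login => $login, %$entry };
}

# Constructed sample inputs.
my %accounts = (bob => 1);
for my $ru ('bob', 'alice@EXAMPLE.COM', 'alice@OTHER.REALM', 'carol', '') {
    my $r = resolve_account($ru, \%accounts);
    printf "%-20s -> %s\n", "'$ru'",
        join(', ', map { "$_=$r->{$_}" } sort keys %$r);
}
```

Of the sample inputs, only bob logs in and only alice@EXAMPLE.COM is created; the other three are denied.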


