[rt-users] Active Directory authentication (and LDAP stuff)
Sean Perry
sean.perry at intransa.com
Mon Dec 8 14:13:54 EST 2003
Erik Spigle wrote:
> I have been searching through the list archives and trying to find more
> details on how exactly to make RT3 authenticate against our AD on our
> Windows 2000 domain. I have found some good information, such as here:
> http://lists.fsck.com/pipermail/rt-users/2003-July/015262.html and here:
> http://lists.fsck.com/pipermail/rt-users/2003-June/014988.html but
> I'm still not sure where to begin.
> I will start with saying that I have no experience whatsoever w/LDAP
> (which I assume I need to use) and integrating apache with LDAP / AD.
> I see some information on the lists about some apache settings to
> authenticate externally, as well as the RT_SiteConfig option to make
> sure authentication is external, but a lot of the information is
> gibberish to me. Stuff like this makes no sense:
>
> <Directory />
> AuthType Basic
> AuthName "Request Tracker"
> # sAMAccountName is the first.last style user name
> AuthLDAPURL "ldap://my.ldap/dc=mydomain,dc=com?sAMAccountName"
> # need this account and setting because Active Directory
> # does not allow anonymous binding by default
> AuthLDAPBindDN "dummy.user at mydomain.com"
> AuthLDAPBindPassword "asdfg"
> AuthLDAPAuthoritative off
> require valid-user
> </Directory>
>
Go to apache's website, look at auth_ldap's documentation. The options
are explained there. I can explain why a few of them are there though.
The BindDN and Password are there because for LDAP to search the AD it
must first bind to the AD. This is because AD by default does not allow
anonymous viewing/searching. So I created an account called 'ad.access'
in keeping with our blah.blah naming scheme with a password of 'asdfg'.
So what happens is LDAP binds as ad.access, looks for whatever the user
said their name was, if that works it then tries to re-bind with the new
user name and password. If this binding works the user is
authenticated, otherwise they fail.
The LDAP URL is pretty easy to recreate. Replace dc=mydomain,dc=com
with whatever your site's domain is. So if you log into EXAMPLE.COM you
use dc=example,dc=com. The part after the question mark is the field
you search on. In AD the user's account name is stored in sAMAccountName.
Hope that helps.
Oh yeah, my comment about autohandler. So once the user is
authenticated by apache the information is passed on to RT. RT wants
users to exist in the database. So what happens is autohandler runs a
function to acquire the user's info from LDAP (AD) and uses it to
generate a user in the DB. 3.0.7 added support for this natively, we
were hacking it into autohandler before.
> and some of the other stuff I found in that first link mentioned here.
> Is there some good RT3 / Active Directory HOWTO out there? Am I going
> to have to first thoroughly learn how LDAP works? I'm trying to avoid
> having to manually enter in about 75+ users into RT3. We are going to
> use the SelfService part of RT3 for users to fill out requests, and it
> would be VERY handy if we could just keep authentication in sync w/our AD.
>
I found very little about AD and apache online. Most of it is in the
thread you found my post in.
> Any help pointing me where to even begin would be MUCH appreciated. I am
> kind of on a time critical schedule with this and may have to just roll
> w/internal RT3 authentication anyway as I know that works and this
> thing is going to have to roll out soon this week. I'll continue trying
> to make sense of some examples and information I see in the list archives.
>
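The bind-with-service-account, search on sAMAccountName, re-bind-as-user flow Sean describes, written out as an added example (editor's addition, not from either mail) in the syntax of Apache 2.4's mod_authnz_ldap, which replaced auth_ldap. The domain controller name, service account DN, group name and CA file path are assumed placeholders; `AuthLDAPAuthoritative` no longer exists in 2.4, where the same fall-through is controlled by which providers are listed in `AuthBasicProvider`.

```apache
# Assumed names: dc1.example.com, the ad.access service account's DN,
# the "RT Users" group and the CA file path are all placeholders.
# Trust the CA that issued the domain controller's certificate so the
# service-account password and user passwords are not sent in clear text.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ad-ca.pem

<Location "/rt">
    AuthType Basic
    AuthName "Request Tracker"
    # Only one provider listed: a failed AD lookup is a failed login,
    # there is no fall-through to another authentication module.
    AuthBasicProvider ldap

    # URL layout: host / base DN ? attribute ? scope ? filter
    # Search the whole domain subtree for the account whose sAMAccountName
    # equals the name typed into the browser, matching user objects only.
    AuthLDAPURL "ldaps://dc1.example.com/dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"

    # AD refuses anonymous searches, so Apache first binds with a
    # read-only service account, then re-binds as the user it found to
    # verify the supplied password.
    AuthLDAPBindDN "CN=ad.access,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"

    # Limit RT to members of one AD group rather than every domain account;
    # use "Require valid-user" instead if any authenticated account may log in.
    Require ldap-group CN=RT Users,OU=Groups,DC=example,DC=com
</Location>
```

The name that passed the re-bind reaches RT as REMOTE_USER, which is what the autohandler (or, from 3.0.7, the built-in external-auth support) uses to look up or create the RT user.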