[rt-users] Active Directory authentication (and LDAP stuff)

Sean Perry sean.perry at intransa.com
Mon Dec 8 14:13:54 EST 2003


Erik Spigle wrote:

> I have been searching through the list archives and trying to find more details on how exactly to make RT3 authenticate
> against our AD on our Windows 2000 domain.  I have found some good information, such as here:
> http://lists.fsck.com/pipermail/rt-users/2003-July/015262.html and here:
> http://lists.fsck.com/pipermail/rt-users/2003-June/014988.html but I'm still not sure where to begin.
> I will start with saying that I have no experience whatsoever w/LDAP (which I assume I need to use) and
> integrating apache with LDAP / AD.  I see some information on the lists about some apache settings to
> authenticate externally, as well as the RT_SiteConfig option to make sure authentication is external, but
> a lot of the information is gibberish to me.  Stuff like this makes no sense:
> 
> <Directory />
> 	AuthType Basic
> 	AuthName "Request Tracker"
> 	# sAMAccountName is the first.last style user name
> 	AuthLDAPURL "ldap://my.ldap/dc=mydomain,dc=com?sAMAccountName"
> 	# need this account and setting because Active Directory
> 	# does not allow anonymous binding by default
> 	AuthLDAPBindDN "dummy.user@mydomain.com"
> 	AuthLDAPBindPassword "asdfg"
> 	AuthLDAPAuthoritative off
> 	require valid-user
> </Directory>
> 

Go to apache's website, look at auth_ldap's documentation.  The options 
are explained there.  I can explain why a few of them are there though.

The BindDN and Password are there because for LDAP to search the AD it 
must first bind to the AD.  This is because AD by default does not allow 
anonymous viewing/searching.  So I created an account called 'ad.access' 
in keeping with our blah.blah naming scheme with a password of 'asdfg'.
So what happens is LDAP binds as ad.access, looks for whatever the user 
said their name was, if that works it then tries to re-bind with the new 
user name and password.  If this binding works the user is 
authenticated, otherwise they fail.

The LDAP URL is pretty easy to recreate.  Replace dc=mydomain,dc=com 
with whatever your site's domain is.  So if you log into EXAMPLE.COM you 
use dc=example,dc=com.  The part after the question mark is the field 
you search on.  In AD the user's account name is stored in sAMAccountName.

Hope that helps.

Oh yeah, my comment about autohandler.  So once the user is 
authenticated by apache the information is passed on to RT.  RT wants 
users to exist in the database.  So what happens is autohandler runs a 
function to acquire the user's info from LDAP (AD) and uses it to 
generate a user in the DB.  3.0.7 added support for this natively, we 
were hacking it into autohandler before.

> and some of the other stuff I found in that first link mentioned here.  Is there some good RT3 / Active
> Directory HOWTO out there?  Am I going to have to first thoroughly learn how LDAP works?  I'm trying to
> avoid having to manually enter in about 75+ users into RT3.  We are going to use the SelfService part
> of RT3 for users to fill out requests, and it would be VERY handy if we could just keep authentication
> in sync w/our AD.
> 

I found very little about AD and apache online.  Most of it is in the 
thread you found my post in.

> Any help pointing me where to even begin would be MUCH appreciated.  I am kind of on a time critical
> schedule with this and may have to just roll w/internal RT3 authentication anyway as I know that works
> and this thing is going to have to roll out soon this week.  I'll continue trying to make sense of some
> examples and information I see in the list archives.
> 
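The bind, search and re-bind sequence Sean describes (service account binds, looks up sAMAccountName, then re-binds as the user), plus the domain-to-base-DN rule for AuthLDAPURL, as an added example that is not part of this thread or of auth_ldap/RT. FakeActiveDirectory, SAMPLE_AD and the account names in it are constructed stand-ins so it runs offline; it is not an LDAP client.

```python
"""Added model of the bind, search, re-bind sequence the reply describes.
FakeActiveDirectory is a constructed stand-in so this runs offline; it is
not a real LDAP client and not part of auth_ldap or RT."""

def domain_to_base_dn(domain: str) -> str:
    """EXAMPLE.COM -> dc=example,dc=com (the part before '?' in AuthLDAPURL)."""
    labels = [p for p in domain.lower().split(".") if p]
    return ",".join(f"dc={p}" for p in labels)

def build_auth_ldap_url(host: str, domain: str, attr: str = "sAMAccountName") -> str:
    """AuthLDAPURL value: scheme://host/base-dn?attribute-to-search-on."""
    return f"ldap://{host}/{domain_to_base_dn(domain)}?{attr}"

class FakeActiveDirectory:
    """Models two AD behaviours that matter here: anonymous search is refused,
    and a simple bind with an empty password is treated as anonymous (it does not fail)."""

    def __init__(self, users):
        self.users = users  # {dn: {"sAMAccountName": ..., "password": ...}}

    def bind(self, dn, password):
        if password == "":
            return "anonymous"  # AD default: unauthenticated bind, proves nothing
        u = self.users.get(dn)
        return "authenticated" if u and u["password"] == password else None

    def search(self, bound_as, attr, value):
        if bound_as != "authenticated":
            return []  # anonymous viewing/searching is not allowed
        return [dn for dn, u in self.users.items() if u.get(attr) == value]

# Constructed sample directory: the service account plus one ordinary user.
SAMPLE_AD = FakeActiveDirectory({
    "cn=ad.access,dc=example,dc=com": {"sAMAccountName": "ad.access", "password": "asdfg"},
    "cn=jane.doe,dc=example,dc=com": {"sAMAccountName": "jane.doe", "password": "s3cret"},
})

def authenticate(ad, bind_dn, bind_pw, username, password, attr="sAMAccountName"):
    """Return the user's DN on success, else None. Mirrors auth_ldap's sequence."""
    if not password:
        return None  # an empty password must never reach the re-bind step
    if ad.bind(bind_dn, bind_pw) != "authenticated":
        return None  # the service account has to bind before it can search
    hits = ad.search("authenticated", attr, username)
    if len(hits) != 1:
        return None  # unknown user, or ambiguous match
    return hits[0] if ad.bind(hits[0], password) == "authenticated" else None
```

The empty-password check is the part worth copying into any hand-rolled version of this flow: without it, a blank password turns the second bind into an anonymous bind that "succeeds".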