[rt-users] LDAP auth: should I still create the users in RT even if I use WebExternalAuth?

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Jan 6 09:08:06 EST 2003


On Tue, Dec 24, 2002 at 02:10:47PM +0100,
 Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote 
 a message of 15 lines which said:

> current setup (I will document it one day).

Here it is. You can include it in contrib, on the Web site, wherever.


How I have convinced Request Tracker to use my LDAP directory
Stephane Bortzmeyer
bortzmeyer at eureg.org
2003-01-06
*************************************************************

Warning: this is a documentation of *my* setup. There are many ways to
enable LDAP for Request Tracker (RT).

Background: EUREG <URL:http://www.eureg.org/> uses an LDAP directory
for every user account. All the machines authenticate users against
it. So, if you log in via SSH, authenticate on a private Web page with
Apache, or use RT, you have only one account and one password.

To enable LDAP access from RT, you have to do the following:

1) configure Apache to authenticate against LDAP:

LoadModule auth_ldap_module /usr/lib/apache/1.3/auth_ldap.so

# SSL only, we do not have "weak" and "strong" passwords, every
# password is important! So, we redirect everything on the secure server.
<VirtualHost 192.134.7.250:80>
ServerName rt.eureg.org
SSLDisable
RewriteEngine on
RewriteRule ^/(.*)$ https://rt.eureg.org/$1 [R,L]
</VirtualHost>
# The secure server
<VirtualHost 192.134.7.250:443>
DocumentRoot /local/rt2/WebRT/html
ServerName rt.eureg.org
SSLEnable
# A few RT-specific lines omitted
<Location />
AuthType Basic
AuthName EUREG
AuthLDAPURL ldap://ldap.eureg.org/ou=People,dc=eureg,dc=eu?uid
require valid-user
</Location>
</VirtualHost>

2) Now, we can tell RT to trust Apache:

# If $WebExternalAuth is defined, RT will defer to the environment's
# REMOTE_USER variable.
$WebExternalAuth = 1;

This way, RT will no longer ask for a password.

3) The above is not sufficient: RT has no real LDAP support; it needs
to find locally, in its own database, the info about a user (whether
he can log in, for instance). We therefore use the rtimportldap script
<URL:http://www.fsck.com/pub/rt/contrib/2.0/> to synchronize RT's
database with LDAP.

Every day, /etc/cron.daily/rtimportldap is run by root. It contains
(be sure to set its mode to 700, there is an LDAP password! Choose a DN
which has only read access):

#!/bin/sh

PATH=${PATH}:/local/sbin:/local/bin
rtimportldap.pl --server ldap.eureg.org \
        --binddn 'cn=backup,dc=eureg,dc=eu' --bindpw verysecret \
        --basedn 'dc=eureg,dc=eu' --groupadd EUreg \
        --filter '(objectClass=posixAccount)' | grep -v 'Updating user'

4) For us, this is all. There is still the issue of
$LookupSenderInExternalDatabase (for the email interface, if you use
it), but I've not configured it yet.
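Added example, not part of Stephane's post: a variant of the step 3 cron job above that keeps the LDAP bind password out of the script itself, in a separate file, and refuses to run unless that file is a regular file owned by the invoking user with no group or other permission bits. The rtimportldap.pl options are the ones from the post; the password file location /etc/rt/ldap-bind.pw and the `rtimportldap` job name are assumptions.

```shell
#!/bin/sh
# Added example (not the original post's script): /etc/cron.daily/rtimportldap
# with the bind password read from a root-only file instead of being
# written into the script. Assumed: the file /etc/rt/ldap-bind.pw (mode 600,
# owned by root) holds the password on its first line.

PATH=${PATH}:/local/sbin:/local/bin
PWFILE=${PWFILE:-/etc/rt/ldap-bind.pw}   # assumed location of the secret

# secret_file_ok FILE: returns 0 only if FILE is a regular file, owned by
# the user running this job (root under cron) and with no group/other
# permission bits at all (mode 600 or 400). Uses POSIX "ls -ldn" output,
# so it needs no GNU stat.
secret_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    # field 1 is the mode string (e.g. -rw-------), field 3 the owner uid
    set -- $(ls -ldn "$f")
    mode=$1
    owner=$3
    [ "$owner" = "$(id -u)" ] || return 1
    # characters 5..10 of the mode string are the group and other bits
    [ "$(printf '%s' "$mode" | cut -c5-10)" = "------" ] || return 1
    return 0
}

# read_secret FILE: prints the first line of FILE (the bind password) and
# nothing else, so it can be captured with $(...).
read_secret() {
    IFS= read -r line < "$1" || return 1
    printf '%s\n' "$line"
}

run_sync() {
    if ! secret_file_ok "$PWFILE"; then
        echo "rtimportldap: refusing to run: $PWFILE must be a mode 600 file owned by uid $(id -u)" >&2
        return 1
    fi
    bindpw=$(read_secret "$PWFILE") || return 1
    # rtimportldap.pl only takes the password as --bindpw, so it is still
    # visible in the process list while the import runs; the file protects
    # the copy at rest, and the read-only bind DN limits what it can do.
    rtimportldap.pl --server ldap.eureg.org \
        --binddn 'cn=backup,dc=eureg,dc=eu' --bindpw "$bindpw" \
        --basedn 'dc=eureg,dc=eu' --groupadd EUreg \
        --filter '(objectClass=posixAccount)' | grep -v 'Updating user'
}

# Start the import only when installed under the cron job's name, so the
# functions above can also be sourced and checked on their own.
if [ "${0##*/}" = rtimportldap ]; then
    run_sync
fi
```

Install it as /etc/cron.daily/rtimportldap (mode 700 as in the post) and create the password file with `umask 077` so it never exists with wider permissions; the job then fails closed if someone later loosens the file's mode or ownership.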
