[rt-users] HOWTO: Authenticate RT users against Active Directory

Andrew Best abest at rentokilinitial.com.au
Fri Nov 28 00:49:09 EST 2003


Incoming quick and nasty docs on how to make RT authenticate users against
MS Active Directory.

How to set up RT to authenticate against AD.
Running on RH 7.3.

Assuming you have RT and Apache up and running okay.

Installed the auth_ldap-1.6.0-4.i386.rpm package (`rpm -ivh auth_ldap-1.6.0-4.i386.rpm`).

Uncommented the following lines in httpd.conf (usually
/etc/httpd/conf/httpd.conf):

 LoadModule auth_ldap_module   modules/mod_auth_ldap.so
 AddModule auth_ldap.c

Added the following lines to my httpd.conf in the section I wanted to
protect:

Options Indexes FollowSymLinks
AllowOverride None
order allow,deny
allow from all
AuthName "MIS Test AD Lab"
AuthType Basic
# The URL must be one argument; %20 encodes the space in "Head Office".
AuthLDAPUrl "ldap://win2ktest.mistest.internal:389/ou=Head%20Office,dc=mistest,dc=internal?sAMAccountName?sub?(objectClass=*)"
# AD won't let anonymous users query the directory, so we connect to AD
# using the account specified here (Apache does not allow comments after a
# directive on the same line, so the comment goes on its own lines).
AuthLDAPBindDN "cn=svc_apache,cn=Users,dc=mistest,dc=internal"
AuthLDAPBindPassword "YOUR_PASSWORD_GOES_HERE"
require valid-user
#require user muquit foo bar "john doe"
#require roomnumber "123 Center Building"
#require filter "(&(telephonenumber=1234)(roomnumber=123))"
#require group cn=rcs,ou=Groups

Where:
"win2ktest.mistest.internal" is the DNS name of my DC.
"389" is the standard LDAP port.
"ou=Head Office" is the OU containing the users I want to authenticate. (Note:
I haven't yet worked out how to make it authenticate against users in
multiple OUs.)

The directives in my httpd.conf for my RT test setup looked like the
following:

<VirtualHost XXX.XXX.XXX.XXX>
    ServerName rt.mistest.internal
    DocumentRoot /home/helpdesk/rt3/share/html
    AddDefaultCharset UTF-8
    PerlModule Apache::DBI
    PerlRequire /home/helpdesk/rt3/bin/webmux.pl
    <Location />
        SetHandler perl-script
        PerlHandler RT::Mason
        Options Indexes FollowSymLinks
        AllowOverride None
        order allow,deny
        allow from all
        AuthName "MIS Test AD Lab"
        AuthType Basic
        AuthLDAPUrl "ldap://win2ktest.mistest.internal:389/ou=Head%20Office,dc=mistest,dc=internal?sAMAccountName?sub?(objectClass=*)"
        AuthLDAPBindDN "cn=svc_apache,cn=Users,dc=mistest,dc=internal"
        AuthLDAPBindPassword "YOUR_PASSWORD_GOES_HERE"
        require valid-user
        #require user muquit foo bar "john doe"
        #require roomnumber "123 Center Building"
        #require filter "(&(telephonenumber=1234)(roomnumber=123))"
        #require group cn=rcs,ou=Groups
    </Location>
</VirtualHost>

Modified my RT_SiteConfig.pm and added the following entries:

# External Auth Directives.
# If $WebExternalAuth is defined, RT will defer to the environment's
# REMOTE_USER variable.
$WebExternalAuth=1;

# If $WebFallbackToInternalAuth is undefined, the user is allowed a chance
# of fallback to the login screen, even if REMOTE_USER failed.
$WebFallbackToInternalAuth=undef;

# $WebExternalGecos means to match the 'gecos' field as the user identity;
# useful with mod_auth_pwcheck and IIS Integrated Windows logon.
$WebExternalGecos=undef;

# $WebExternalAuto will create users under the same name as REMOTE_USER
# upon login, if it's missing in the Users table.
$WebExternalAuto=1;

Ran `apachectl configtest`; it should report that the configuration is OK.
Restarted Apache (`service httpd stop; service httpd start`).
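As an added example (not part of the original post, and not code from auth_ldap, Apache or RT), the Python script below parses an AuthLDAPUrl the way the RFC 2255 LDAP URL form lays it out (host, port, search base, attribute, scope, filter), fills in the defaults mod_auth_ldap applies when a part is omitted, builds the search filter the module ends up using for a given login name (with the RFC 4515 escaping any consumer of a user-supplied value must apply before placing it in a filter), and checks whether a user's DN is reachable from the configured base and scope. That last check also answers the multiple-OU question above: raising the base to dc=mistest,dc=internal with scope sub reaches users in every OU. The host name, the Head Office OU and the service account DN are the ones from the post; the Branch OU, the user entries and the login names are constructed sample values.

```python
"""Parse a mod_auth_ldap AuthLDAPUrl (RFC 2255 LDAP URL form) and show what
the module will search for.  Added example for this HOWTO; not code from
auth_ldap, Apache or RT.  User DNs and the Branch OU are constructed."""
from urllib.parse import unquote

# The URL from the post; %20 encodes the space in "Head Office".
HEAD_OFFICE_URL = ("ldap://win2ktest.mistest.internal:389/"
                   "ou=Head%20Office,dc=mistest,dc=internal"
                   "?sAMAccountName?sub?(objectClass=*)")
# Same URL with the search base raised to the domain root, so that scope
# "sub" reaches users in every OU (constructed variant, not from the post).
DOMAIN_URL = ("ldap://win2ktest.mistest.internal:389/"
              "dc=mistest,dc=internal?sAMAccountName?sub?(objectClass=*)")


def parse_ldap_url(url):
    """Split scheme://host:port/base?attribute?scope?filter into a dict,
    applying the defaults mod_auth_ldap uses when a trailing part is omitted."""
    scheme, _, rest = url.partition("://")
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    parts = tail.split("?")
    parts += [""] * (4 - len(parts))           # pad missing trailing fields
    base, attribute, scope, filt = parts[:4]
    if scope not in ("", "base", "one", "sub"):
        raise ValueError("bad scope: %r" % scope)
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "base": unquote(base),                  # %20 -> space in the DN
        "attribute": attribute or "uid",        # mod_auth_ldap default
        "scope": scope or "sub",                # mod_auth_ldap default
        "filter": unquote(filt) or "(objectClass=*)",
    }


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter, so a
    login such as 'a*)(cn=*' cannot change the structure of the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(parsed, login):
    """The filter used to locate the entry for a login name:
    the configured filter ANDed with (<attribute>=<login>)."""
    return "(&%s(%s=%s))" % (parsed["filter"], parsed["attribute"],
                             escape_filter_value(login))


def dn_components(dn):
    """Normalise a DN into lower-cased RDN strings (escaped commas are not
    handled; enough for the sample DNs used here)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def base_covers(parsed, entry_dn):
    """True if a search from the URL's base with its scope reaches entry_dn."""
    base = dn_components(parsed["base"])
    entry = dn_components(entry_dn)
    if entry == base:
        return parsed["scope"] == "base"
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    if parsed["scope"] == "one":
        return depth == 1
    return parsed["scope"] == "sub"


if __name__ == "__main__":
    for url in (HEAD_OFFICE_URL, DOMAIN_URL):
        p = parse_ldap_url(url)
        print(p["base"], p["scope"], user_search_filter(p, "jsmith"))
        for dn in ("cn=John Smith,ou=Head Office,dc=mistest,dc=internal",
                   "cn=Jane Doe,ou=Branch,dc=mistest,dc=internal"):
            print("  %-55s reachable: %s" % (dn, base_covers(p, dn)))
```

Run it as a script to see which of the two sample users each URL can find. The parser also accepts ldaps:// (defaulting to port 636), which is the form to use when the bind credentials and user lookups should not cross the network in clear as they do over ldap:// on 389.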
