[rt-users] RT-LDAP Authentication Redux

Stephen Fung stephen at hknet.com
Thu Feb 3 02:16:57 EST 2005


I have tested LDAP auth with 3.2.2 and am now testing it with 3.4.0. Hope 
that I can answer your questions.

Francisco Javier Martínez Martinez wrote:

> Cheers.
> 
> The previous mails, due to the answers, begin to be a mess; by the way, I 
> am going to Redux the request:
> 
> - I had installed RT 3.2.2 in a Fedora 3 box, with Apache 2 and MySQL
> - I had an external LDAP server, which stores, among other fields, the 
> mail addresses - passwords.
> - I want that the RT checks user/passwords against the LDAP server 
> directly, not delegating in the Apache.
> - The mail address is UID in the LDAP :-).
> - I had put the following lines in my RT_SiteConfig, there is no need to 
> use passwords for binding to  our internal LDAP :
> 
>     Set($WebExternalAuth , undef); 
>     $LDAPExternalAuth = 1;          # will enable LDAP-Auth 
>     $LdapServer="ldap.mydomain.com";     # LDAP server for authentication 
>     $LdapUser="";                   # user name for binding 
>     $LdapPass="";                   # password for binding 
>     $LdapBase="ou=Inte,dc=mydomain,dc=com";      # search base 
>     $LdapUidAttr="uid";             # attribute for RT user name 
>     $LdapFilter="(objectclass=*)";  # additional filter 
> 
> - I had created (copy of Ruediger Riediger's one) a file for LDAP 
> Overlay called User_Local.pm as I had found in various requests, following 
> the recommendations of 
> http://wiki.bestpractical.com/index.cgi?CleanlyCustomizeRT I had put 
> this file in both routes RTroot/local/lib/RT/ and RTroot/lib/RT.
> 
> - I had installed the CPAN modules Net::LDAP and Net::SSLeay. But we do 
> not need TLS communications at least for the moment.
> 
> After all, RT seems to authenticate users against its own DB; there is 
> no activity or communication between the RT server and the LDAP server.
If you are using the module from 
http://www.justatheory.com/computers/programming/perl/rt/User_Local.pm.ldap, 
users will be authenticated against RT's DB if the password matched.

If you are using the module from 
http://download.bestpractical.com/pub/rt/contrib/3.0/LDAP1.0_RT3.tar.gz, 
users will be authenticated against LDAP ONLY if their passwords are 
never set in RT's DB (i.e. password = '*NO-PASSWORD*').

> 
> My mainly requests are:
> 
> Is LDAP activated with the lines put above? If yes, in which part of 
> RT_SiteConfig should it live?
> What should be the value of Set($WebExternalAuth (I wonder that It 
> should be undef) ?
You should leave it as undef.

> Where should User_Local.pm live and with what attributes?
I just put it inside <path_to_rt3>/lib/RT and it works.

> What about /usr/local/rt3/local/html/autohandler, Should It be modified?
I never use it.

> Is TLS communications mandatory for this authentication?
No.

> 
> Thanks in advance and mainly to Steve and Ruediger Riediger for their 
> kind and quick answers.
> 
> Best regards.



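Added example (not part of the original thread, and not code from either User_Local.pm module): a standalone Perl check of the search-then-bind flow, using the server, base, uid attribute and filter from the quoted RT_SiteConfig lines, to confirm outside RT that the LDAP server is reachable and accepts a given login. The function name ldap_check, the PASS environment variable and the optional tls argument are assumptions made for the example.

```perl
# Added example: search-then-bind check run outside RT (names are assumptions).
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Values copied from the RT_SiteConfig lines quoted in the post.
my %cfg = (
    server  => 'ldap.mydomain.com',
    base    => 'ou=Inte,dc=mydomain,dc=com',
    uidattr => 'uid',
    filter  => '(objectclass=*)',
);

# Returns (1, $dn) on success, (0, $reason) otherwise.
sub ldap_check {
    my ($user, $pass, $use_tls) = @_;
    # A bind with a DN and an empty password is an "unauthenticated bind";
    # many servers answer it with success, so refuse it before asking.
    return (0, 'empty user or password') unless length($user // '') && length($pass // '');

    my $ldap = Net::LDAP->new($cfg{server}, timeout => 10)
        or return (0, "connect failed: $@");

    # Without TLS the password crosses the network in clear text.
    if ($use_tls) {
        my $tls = $ldap->start_tls(verify => 'require');
        return (0, 'start_tls: ' . $tls->error) if $tls->code;
    }
    my $mesg = $ldap->bind;    # anonymous bind, as $LdapUser/$LdapPass are empty
    return (0, 'anonymous bind: ' . $mesg->error) if $mesg->code;

    # Escape the login so characters such as * ( ) cannot alter the filter.
    my $filter = sprintf '(&(%s=%s)%s)',
        $cfg{uidattr}, escape_filter_value($user), $cfg{filter};
    $mesg = $ldap->search(base => $cfg{base}, filter => $filter, attrs => ['1.1']);
    return (0, 'search: ' . $mesg->error) if $mesg->code;
    return (0, 'expected exactly 1 entry, got ' . $mesg->count) unless $mesg->count == 1;
    my $dn = $mesg->entry(0)->dn;
    $mesg = $ldap->bind($dn, password => $pass);   # the real password check
    $ldap->unbind;
    return $mesg->code ? (0, 'bind as user: ' . $mesg->error) : (1, $dn);
}

my ($user, $use_tls) = @ARGV;
die "usage: PASS=... $0 login [tls]\n" unless defined $user;
my ($ok, $info) = ldap_check($user, $ENV{PASS}, $use_tls);
print $ok ? "OK: $info\n" : "FAILED: $info\n";
exit($ok ? 0 : 1);
```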