[rt-users] NTLM-based Single Sign-On doesn't work - RT continues to present login screen

Gladkovich, Sergey SGladkovich at archinsurance.com
Wed Apr 14 19:47:15 EDT 2010


Hi,

I have a working instance of RT 3.8.7 running under Apache 2.2.3 on RHEL 5.4.  The instance has been set up to authenticate users against Active Directory via RT::Authen::ExternalAuth & LDAP.  The LDAP authentication works fine (i.e. users log in with their AD credentials, and new users get created in RT when ticket requests come in via e-mail.)

Now I need to implement Single Sign-On, so that the users at MSWin workstation could simply browse to the RT interface without having to type in their username/password again.  To do this I've followed the instructions outlined at http://blank.org/memory/output/rt-ad-sso.html and at http://wiki.bestpractical.com/view/NtlmAuthentication.  I've also searched around the RT mailing list archives but couldn't find anything that described the problem I'm having.

The problem is that RT still presents the login screen when you go to its URL for the first time.

My main questions are:

*       Can NTLM & RT::Authen::ExternalAuth co-exist?
*       Is there a way to get debugging output from mod_ntlm?
*       Are there any additional pointers or advice regarding single sign-on with RT?

Besides this, any input on the issue would be highly appreciated.

P.S.  Here what has been done so far, in a nutshell:

*       Compiled and installed mod_ntlm
*       Installed User_Local.pm and MailFrom_Local.pm from http://www2.usit.uio.no/it/rt/modifications/
*       Installed Web_Local.pm from http://blank.org/memory/work/Web_Local.pm
*       Included this snippet in RT_SiteConfig.pm:

Set($WebExternalAuth   , '1');
Set($WebFallbackToInternalAuth, '1');
Set($WebExternalGecos  , undef);
Set($WebExternalAuto   , '1');

Set($LDAPExternalAuth  , '1'); # Enable LDAP auth
Set($LdapServer        , 'mycompanys.ldap.server.com');
Set($LdapCAFile        , undef);
Set($LdapUser          , '<LDAP user>');
Set($LdapPass          , '<LDAP password>');
Set($LdapAuthStartTLS  , '0'); # Need to use TLS or ldaps to check passwords
Set($LdapAuthBase      , 'dc=my,dc=company,dc=com');
Set($LdapAuthUidAttr   , 'sAMAccountName');
Set($LdapAuthFilter    , '(objectClass=user)');
Set($LdapMailBase      , 'dc=my,dc=companymail,dc=com');
Set($LdapMailFilter    , '(objectClass=user)');
Set($LdapMailScope     , 'sub');
Set($LdapMailSearchAttr, 'mail');
%RT::LdapMailResultMap = (
                          'sAMAccountName'        => 'Name',
                          'mail'                  => 'EmailAddress',
                          'cn'                    => 'RealName',
                          );

*       Included this in httpd.conf RT's virtual server section:

   PerlModule Apache2::compat
   PerlModule Apache::DBI

   PerlRequire /opt/rt3/bin/webmux.pl

   <Directory /opt/rt3/share/html>
       Order allow,deny
       Allow from all

       SetHandler perl-script
       PerlResponseHandler RT::Mason

       AuthName "Request Tracker"
       AuthType NTLM
       NTLMAuth on
       NTLMAuthoritative on
       NTLMDomain MYCOMPANYS_AD_DOMAIN
       NTLMServer my_companys_dc1
       NTLMBackup my_companys_dc2
   </Directory>

*       Restarted Apache
*       Added our RT URL to IE's "trusted sites" list


Again, thanks in advance,
Sergey


Sergey Gladkovich | UNIX Systems Engineer | (w) 201-743 -4293 | (m) 646-291-7123
Arch Insurance Group Inc.
300 - Plaza Three - 3rd Floor
Jersey City NJ 07311
Tel: 201-743-4000, Fax: 201-743-4005



  ________________________________
The information contained in this e-mail message may be privileged and confidential information and is intended only for the use of the individual and/or entity identified in the alias address of this message. If the reader of this message is not the intended recipient, or an employee or agent responsible to deliver it to the intended recipient, you are hereby requested not to distribute or copy this communication. If you have received this communication in error, please notify us immediately by telephone or return e-mail and delete the original message from your system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20100414/b49b9296/attachment.htm>


More information about the rt-users mailing list