[rt-users] RT 3.8 Active Directory integration and single sign-on
Eugene M. Evans
EMEvans at heapy.com
Wed Aug 4 22:58:07 EDT 2010
I am trying to accomplish two things:

First, to integrate RT with Active Directory such that an RT user
account will automatically be created in either of the following cases.
  a) when a user first submits a ticket request via email, and
  b) when a user first logs in via the RT web interface

Secondly, single sign-on, such that once an RT account has been created
an MS-Windows user will not need to enter their password on subsequent
visits to the RT web interface.

I've started by attempting to implement the Auth::ExternalAuth extension
but have been unable to get it working. I cannot log into the RT web
interface using any account except the root account that has already
been created within RT. Once in RT as root, I am unable to create a new
user. I get the error "User could not be created: Could not set user
info."

I've tried the solution mentioned in this thread -->
http://www.gossamer-threads.com/lists/rt/users/94218 to get RT to
auto-create users, but to no avail.

Note that when I uncomment the statement "Set($WebExternalAuto,1);" and
restart Apache the RT login screen provides no login box in which to
enter a username or a password.

Any advice would be greatly appreciated.

Below is my RT configuration.

#Begin /opt/rt3/etc/RT_SiteConfig.pm tail
...
# The following two statements support single sign-on,
# but I have commented them out for now since they are
# said to conflict with the ExternalAuth extension.
# See http://wiki.bestpractical.com/view/ExternalAuth .
# Tell RT to trust the webserver to handle authentication.
# Set($WebExternalAuth, 3);
# If the webserver hands RT a user RT is not
# familiar with, RT should just go ahead and
# create an account.
# Set($WebExternalAuto, 1);
...
# Include the configuration for the ExternalAuth extension.
require "/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm";
Set($AutoCreate,{Privileged => 0});
1;
#End /opt/rt3/etc/RT_SiteConfig.pm
#Begin /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm in its entirety.
Set($ExternalAuthPriority, [ 'Heapy_AD_LDAP' ] );
Set($ExternalInfoPriority, [ 'Heapy_AD_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
    'Heapy_AD_LDAP' => {
        'type'            => 'ldap',
        'server'          => 'serverxyz.domain.domainSuffix',
        'user'            => 'cn=ldap,ou=Services,dc=domain,dc=domainSuffix',
        'pass'            => 'the_ldap_password',
        'base'            => 'dc=domain,dc=domainSuffix',
        'filter'          => '(&(ObjectCategory=User)(ObjectClass=Person))',
        'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # 'tls'           => 0,
        # 'ssl_version'   => 3,
        'net_ldap_args'   => [ version => 3 ],
        'group'           => 'cn=group,ou=Services,dc=domain,dc=domainSuffix',
        'group_attr'      => 'member',
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map'        => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co'
        }
    }
}
);
Set(@Plugins, qw(RT::Authen::ExternalAuth));
1;
#End /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm