[rt-users] RT 3.8 Active Directory integration and single sign-on

Eugene M. Evans EMEvans at heapy.com
Wed Aug 4 22:58:07 EDT 2010

I am trying to accomplish two things:
First, to integrate RT with Active Directory such that an RT user
account will automatically be created in either of the following cases.
   a) when a user first submits a ticket request via email, and
   b) when a user first logs in via the RT web interface
Second, single sign-on, such that once an RT account has been created
an MS-Windows user will not need to enter their password on subsequent
visits to the RT web interface.

I've started by attempting to implement the Auth::ExternalAuth extension
but have been unable to get it working. I cannot log into the RT web
interface using any account except the root account that has already
been created within RT. Once in RT as root, I am unable to create a new
user. I get the error "User could not be created:  Could not set user

I've tried the solution mentioned in this thread -->
http://www.gossamer-threads.com/lists/rt/users/94218 to get RT to
auto-create users, but to no avail.

Note that when I uncomment the statement "Set($WebExternalAuto,1);" and
restart Apache, the RT login screen provides no login box in which to
enter a username or a password.

Any advice would be greatly appreciated.

Below is my RT configuration.

#Begin /opt/rt3/etc/RT_SiteConfig.pm tail
# The following two statements support single sign-on.
# but I have commented them out for now since they are 
# said to conflict with the ExternalAuth extension.
# See http://wiki.bestpractical.com/view/ExternalAuth

# Tell RT to trust the webserver to handle authentication.
# Set($WebExternalAuth, 3);

# If the webserver hands RT a user RT is not
# familiar with, RT should just go ahead and
# create an account.
# Set($WebExternalAuto, 1);
# Include the configuration for the ExternalAuth extension.
Set($AutoCreate,{Privileged => 0});
#End /opt/rt3/etc/RT_SiteConfig.pm
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm in
its entirety.

Set($ExternalAuthPriority,           [ 'Heapy_AD_LDAP' ] );
Set($ExternalInfoPriority,           [ 'Heapy_AD_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS,    0);
Set($AutoCreateNonExternalUsers,     0);
Set($ExternalSettings,      {
                     'Heapy_AD_LDAP'               =>  {
                     'type'                  =>  'ldap',
                     'server'                =>
                     'user'                  =>
                     'pass'                  =>  'the_ldap_password',
                     'base'                  =>
                     'filter'                =>
                     'd_filter'              =>
#                     'tls'                   =>  0,
#                    'ssl_version'           =>  3,
                     'net_ldap_args'         => [    version =>  3
                     'group'                 =>
                     'group_attr'            =>  'member',
                     'attr_match_list'       => [   'Name', 'EmailAddress'   ],
                     'attr_map'              => {   'Name' =>
                                                    'EmailAddress' =>
                                                    'Organization' =>
                                                    'RealName' => 'cn',
                                                    'ExternalAuthId' =>
                                                    'Gecos' =>
                                                    'WorkPhone' =>
                                                    'Address1' =>
                                                    'City' => 'l',
                                                    'State' => 'st',
                                                    'Zip' =>
                                                    'Country' => 'co'
Set(@Plugins, qw(RT::Authen::ExternalAuth));
#End /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
