[rt-users] Comprehension Question about LDAP and SSO

Michael Brown mbrown at fensystems.co.uk
Wed Feb 23 11:04:37 EST 2011


On Wednesday 23 Feb 2011 15:38:44 john s. wrote:
> I have a comprehensive question about SSO in relation to LDAP.
> 
> Is it possible with LDAP to get access to an SSO client with a computer in
> a network (e.g. RT) by starting the computer with a network Windows logon?
> 
> Or do I have to do this with NTLM?

You can use Kerberos to do this.  From memory, you need to make sure that DNS 
is working perfectly (including reverse lookups), and you will need to ensure 
that the browser is prepared to use Kerberos to authenticate against your RT 
server.  For IE, this means designating the RT server as part of the 
"Intranet" zone; for Firefox you can use about:config and add the RT server to 
network.negotiate-auth.trusted-uris.

On the server side, you want something like this in .htaccess:

AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms <insert your Kerberos realm here>
Krb5KeyTab /etc/httpd/conf/keytab
Require valid-user

and you'll need to populate the keytab file with the appropriate keys.

That will get you as far as having Windows transparently authenticate to the 
web server, which will expose the user name to RT via the REMOTE_USER 
environment variable.  You should then be able to add

Set($WebExternalAuth, 1);
Set($WebExternalAuto, 1);

to your RT_SiteConfig.pm file to instruct RT to trust this authentication.

Hope that helps.

Michael

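As an added illustration (not from the original post and not RT's own code), here is a small Python function showing how an application behind Apache should consume REMOTE_USER once the Kerberos step above is in place: it trusts the variable only when the server's auth module set it, checks the principal's realm against a trusted list, and never reads a client-supplied Remote-User header, which CGI exposes as HTTP_REMOTE_USER rather than REMOTE_USER. The realm name, the accepted AUTH_TYPE values and the principal syntax are assumptions for the example.

```python
"""Map the web server's REMOTE_USER to an application login name.

Constructed example.  Assumes Apache performs Kerberos/Negotiate auth
(mod_auth_kerb, as in the .htaccess above) and exports the principal as
'user@REALM' in REMOTE_USER of the CGI/FastCGI environment.
"""
import re

# Realms whose principals may log in (placeholder value, not a real site).
TRUSTED_REALMS = {"EXAMPLE.COM"}

# Accept plain user principals only: 'name@REALM'.  Service principals such
# as HTTP/host@REALM and names with unexpected characters are rejected.
_PRINCIPAL_RE = re.compile(r"^([a-z0-9][a-z0-9._-]{0,63})@([A-Z0-9.-]+)$")

# AUTH_TYPE values the web server's Kerberos module is assumed to set;
# verify against your own server before relying on them.
_KERBEROS_AUTH_TYPES = {"kerberos", "negotiate"}


def rt_login_from_environ(environ):
    """Return the login name for an authenticated request, or None.

    `environ` is the CGI-style environment the web server hands to the
    application.  Only the server's auth module sets REMOTE_USER; a
    forged 'Remote-User:' request header arrives as HTTP_REMOTE_USER and
    is deliberately ignored here.
    """
    # Require that Kerberos authentication actually ran for this request.
    if environ.get("AUTH_TYPE", "").lower() not in _KERBEROS_AUTH_TYPES:
        return None

    match = _PRINCIPAL_RE.match(environ.get("REMOTE_USER", ""))
    if not match:
        return None

    user, realm = match.groups()
    # Refuse principals from realms we have no trust relationship with.
    if realm not in TRUSTED_REALMS:
        return None
    return user
```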