[rt-users] Comprehension Question about LDAP and SSO

Thomas Smith theitsmith at gmail.com
Wed Feb 23 12:25:03 EST 2011


On Wed, Feb 23, 2011 at 9:04 AM, Michael Brown <mbrown at fensystems.co.uk> wrote:

> On Wednesday 23 Feb 2011 15:38:44 john s. wrote:
> > I have a Comprehensive Question about SSO in Relation to LDAP
> >
> > Is it possible with LDAP to get Access on an sso client with a Computer in
> > a Network (e.g. RT) by starting the Computer with a network windows logon
> > ..........?
> >
> > Or do I have to do this with ntlm?
>
> You can use Kerberos to do this.  From memory, you need to make sure that DNS
> is working perfectly (including reverse lookups), and you will need to ensure
> that the browser is prepared to use Kerberos to authenticate against your RT
> server.  For IE, this means designating the RT server as part of the
> "Intranet" zone; for Firefox you can use about:config and add the RT server to
> network.negotiate-auth.trusted-uris.
>
> On the server side, you want something like this in .htaccess:
>
> AuthType Kerberos
> AuthName "Kerberos Login"
> KrbMethodNegotiate On
> KrbMethodK5Passwd Off
> KrbAuthRealms <insert your Kerberos realm here>
> Krb5KeyTab /etc/httpd/conf/keytab
> Require valid-user
>

You may also need to set AllowOverride in your Apache config to allow some
of these directives to be placed in .htaccess--some configurations have this
set to "none" by default.

    * http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride
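
Added example, not part of the original thread: the quoted reply asks for DNS that works in both directions for the RT server. This Python check confirms that every address a host name resolves to has a reverse record pointing back to the same name; the host names, addresses and stub resolvers below are constructed sample data.

```python
import socket


def check_forward_reverse(hostname, forward=None, reverse=None):
    """Return a list of problems for hostname; an empty list means consistent.

    forward(name) -> list of IP strings; reverse(ip) -> canonical name.
    Both default to the system resolver; pass stubs to run offline.
    """
    forward = forward or (lambda n: socket.gethostbyname_ex(n)[2])
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    want = hostname.rstrip(".").lower()
    try:
        addrs = forward(hostname)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return [f"forward lookup of {hostname} failed: {exc}"]
    if not addrs:
        return [f"forward lookup of {hostname} returned no addresses"]
    problems = []
    for ip in addrs:
        try:
            ptr = reverse(ip).rstrip(".").lower()
        except OSError as exc:  # socket.herror is a subclass of OSError
            problems.append(f"no reverse record for {ip}: {exc}")
            continue
        if ptr != want:
            problems.append(f"{ip} reverses to {ptr}, expected {want}")
    return problems


# Constructed sample zone data (not from the original thread).
SAMPLE_A = {"rt.example.com": ["192.0.2.10"], "rt2.example.com": ["192.0.2.11"]}
SAMPLE_PTR = {"192.0.2.10": "rt.example.com.", "192.0.2.11": "web07.example.com"}


def sample_forward(name):
    return SAMPLE_A.get(name, [])


def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise OSError("host not found")
    return SAMPLE_PTR[ip]


if __name__ == "__main__":
    for host in SAMPLE_A:
        issues = check_forward_reverse(host, sample_forward, sample_reverse)
        print(host, "OK" if not issues else issues)
```

Called with only a host name, the function uses the system resolver, so it can be run from a client workstation against the name users type into the browser.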