[rt-users] LDAP authentication best practices

Ruslan Zakirov ruz at bestpractical.com
Mon Oct 3 18:03:01 EDT 2011


On Mon, Oct 3, 2011 at 11:28 PM, Thomas Smith <theitsmith at gmail.com> wrote:
> Hi,
> I'm looking at using LDAP authentication to auth against a Win2k8 R2 AD
> server. I've seen a few different ways to do this on the website and
> through Google-ing but none are consistent and none cover all that I'd
> like to accomplish with this.
> What I'd like to do is this:
>    * Authenticate users against AD who log in through the web
> interface. As part of this authentication (for non-existent RT users),
> create the user's account using their AD username as their RT Username
> and their AD primary SMTP address as their RT Email.
>    * When non-existing users submit a ticket via email, have RT check
> that email against AD and if it finds a user associated with that
> email, create a new account using the user's AD username as RT's
> Username and the user's AD email address as RT's Email.
>    * Reject all other requests (and auto creations) for users who
> don't already exist in AD or the local RT user database.
> Is it possible to do all of these things?

See http://requesttracker.wikia.com/wiki/LDAP

You didn't say if you need SSO or not.

To check and add users when they send emails and don't exist in the
system, you need RT::Authen::ExternalAuth. If you need SSO and LDAP is
quite static then you can use Apache for SSO and LDAPImport [1] to
periodically import and/or update users.

[1] http://cpansearch.perl.org/src/FALCONE/RT-Extension-LDAPImport-0.31/README

> --
> Thomas Smith
> Cell: 602-882-2917

Best regards, Ruslan.
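
An added sketch (not part of the original message, and not Best Practical's own configuration) of an RT_SiteConfig.pm fragment for RT::Authen::ExternalAuth covering the web-login and email lookups asked about above. The service name My_AD, the host, DNs, bind account and the choice of AD attributes are assumptions to adapt.

```perl
# RT_SiteConfig.pm fragment (added example; all names and values below are placeholders)
Set(@Plugins, qw(RT::Authen::ExternalAuth));

# Which configured services may authenticate users / supply user details.
Set($ExternalAuthPriority, ['My_AD']);
Set($ExternalInfoPriority, ['My_AD']);

# Load the SSL/TLS support so the bind password and user passwords
# are not sent to the directory in clear text.
Set($ExternalServiceUsesSSLorTLS, 1);

# Do not fall back to creating a plain internal RT account when the
# external lookup fails; existing local RT users still work.
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'My_AD' => {
        'type'   => 'ldap',
        'server' => 'ad.example.com',                         # placeholder host
        # Dedicated read-only bind account; keep this file readable
        # only by the account RT runs as.
        'user'   => 'CN=rt-bind,OU=Service,DC=example,DC=com', # placeholder DN
        'pass'   => 'CHANGE_ME',                               # placeholder
        'base'   => 'OU=Staff,DC=example,DC=com',              # placeholder DN
        'filter' => '(objectClass=user)',
        # Entries matching d_filter are treated as disabled
        # (AD bitwise match on the ACCOUNTDISABLE flag).
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'    => 1,
        'net_ldap_args' => [ version => 3 ],                   # LDAP protocol v3
        # RT fields that may be used to find the directory entry:
        # Name for web logins, EmailAddress for incoming mail.
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        # RT field => AD attribute (assumed: 'mail' holds the primary SMTP address).
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
        },
    },
});
```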
