[rt-users] LDAP authentication best practices

Ruslan Zakirov ruz at bestpractical.com
Mon Oct 3 18:19:35 EDT 2011


Hi,


On Tue, Oct 4, 2011 at 12:14 AM, Thomas Smith <theitsmith at gmail.com> wrote:
> Thanks Ruslan!
>
> Yes, I am looking for SSO. I also left out RT (4.0.2) and Apache

If you need SSO then you should teach your apache to do that. You do
SSO in apache, then use the WebExternalAuth option so RT picks up the
user name from apache. In combination you can use either the LDAPImport
or ExternalAuth extension to fetch additional info from LDAP and keep it
up to date in RT.


> (2.0.63) versions. This server is currently running on COS 4.8 but
> will soon be upgraded to 6. I also performed the RT upgrade from 3.8.8
> last night (not sure if that matters for this question though).
>
> On Mon, Oct 3, 2011 at 3:03 PM, Ruslan Zakirov <ruz at bestpractical.com> wrote:
>> Hi,
>>
>> On Mon, Oct 3, 2011 at 11:28 PM, Thomas Smith <theitsmith at gmail.com> wrote:
>>> Hi,
>>>
>>> I'm looking at using LDAP authentication to auth against a Win2k8 R2 AD
>>> server. I've seen a few different ways to do this on the website and
>>> through Google-ing but none are consistent and none cover all that I'd
>>> like to accomplish with this.
>>>
>>> What I'd like to do is this:
>>>
>>>    * Authenticate users against AD who login through the web
>>> interface. As part of this authentication (for non-existent RT users),
>>> create the user's account using their AD username as their RT Username
>>> and their AD primary SMTP address as their RT Email.
>>>    * When non-existing users submit a ticket via email, have RT check
>>> that email against AD and if it finds a user associated with that
>>> email, create a new account using the user's AD username as RT's
>>> Username and the user's AD email address as RT's Email.
>>>    * Reject all other requests (and auto creations) for users who
>>> don't already exist in AD or the local RT user database.
>>>
>>> Is it possible to do all of these things?
>>
>>
>> See http://requesttracker.wikia.com/wiki/LDAP
>>
>> You didn't say if you need SSO or not.
>>
>> To check and add users when they send emails and don't exist in the
>> system, you need RT::Authen::ExternalAuth. If you need SSO and LDAP is
>> quite static then you can use apache for SSO and LDAPImport [1] to
>> periodically import and/or update users.
>>
>> [1] http://cpansearch.perl.org/src/FALCONE/RT-Extension-LDAPImport-0.31/README
>>
>>
>>
>>
>>
>>>
>>> --
>>> Thomas Smith
>>> Cell: 602-882-2917
>>> --------
>>> RT Training Sessions (http://bestpractical.com/services/training.html)
>>> *  San Francisco, CA, USA  October 18 & 19, 2011
>>> *  Washington DC, USA  October 31 & November 1, 2011
>>> *  Melbourne VIC, Australia  November 28 & 29, 2011
>>> *  Barcelona, Spain  November 28 & 29, 2011
>>>
>>
>>
>>
>> --
>> Best regards, Ruslan.
>>
>
>
>
> --
> Thomas Smith
> Cell: 602-882-2917
>



-- 
Best regards, Ruslan.
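One way to lay out the RT side of the setup Ruslan describes (Apache does the SSO, RT trusts REMOTE_USER via WebExternalAuth, and RT::Authen::ExternalAuth does the LDAP lookups for both web logins and inbound mail senders). This is an added RT_SiteConfig.pm example written for this page; it is not from the thread, from the extension's README, or from Best Practical's documentation. The host name, bind DN, base DN, password and the 'AD' service name are placeholders, and the assumption that WebExternalAuto and ExternalAuth cooperate on first login should be checked against the README of the extension version you install.

```perl
# RT_SiteConfig.pm fragment (added example, not from the thread or from RT's docs).
# Assumes Apache already authenticates every request that reaches RT (e.g.
# mod_auth_kerb against the Win2k8 R2 domain) and exposes the bare account
# name, without the @REALM suffix, in REMOTE_USER.

# 1. Web SSO: trust the user name Apache puts in REMOTE_USER.
Set($WebExternalAuth, 1);
# Create the RT account the first time an authenticated but unknown user arrives.
Set($WebExternalAuto, 1);
# No fallback to RT's own login form: if Apache did not authenticate the
# request it is refused rather than offered a password prompt.
Set($WebFallbackToInternalAuth, 0);

# 2. and 3. Users created from email, and rejection of everyone else:
# RT::Authen::ExternalAuth (RT 4.0 loads extensions through @Plugins).
Set(@Plugins, qw(RT::Authen::ExternalAuth));
Set($ExternalAuthPriority, ['AD']);   # 'AD' is a placeholder service name
Set($ExternalInfoPriority, ['AD']);
# Senders who are neither in RT nor in AD are not auto-created.
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'AD' => {
        type   => 'ldap',
        server => 'dc1.corp.example',                                  # placeholder DC
        user   => 'CN=rt-ldap,OU=Service Accounts,DC=corp,DC=example', # read-only bind account
        pass   => 'change-me',          # keep RT_SiteConfig.pm readable only by the RT user
        base   => 'DC=corp,DC=example',                                # placeholder base DN
        # Only enabled user objects may log in or be created. The OID is AD's
        # LDAP_MATCHING_RULE_BIT_AND; bit 2 of userAccountControl is ACCOUNTDISABLE.
        filter   => '(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
        # Accounts disabled in AD are treated as disabled in RT.
        d_filter => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        tls      => 1,                  # StartTLS, so the bind password never goes in clear
        net_ldap_args => [ version => 3 ],
        # RT fields that may be used to look a user up in AD: Name covers the
        # web login (REMOTE_USER), EmailAddress covers the From: of inbound mail.
        attr_match_list => [ 'Name', 'EmailAddress' ],
        # RT user field => AD attribute. sAMAccountName becomes the RT Username,
        # 'mail' (the primary SMTP address) becomes the RT Email.
        attr_map => {
            Name           => 'sAMAccountName',
            EmailAddress   => 'mail',
            RealName       => 'displayName',
            ExternalAuthId => 'sAMAccountName',
            Gecos          => 'sAMAccountName',
        },
    },
});
```

Two checks worth making once this is in place. First, WebExternalAuth trusts REMOTE_USER unconditionally, so the RT backend (FastCGI port, mod_perl handler) must not be reachable by any path that bypasses the Apache auth section; otherwise a client can pick its own user name. Second, with mod_auth_kerb REMOTE_USER is "user@REALM" unless KrbLocalUserMapping is on, and that value would never match sAMAccountName in attr_match_list, so the mapping has to be stripped on the Apache side for the Name lookup above to work.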
