[rt-users] LDAP authentication best practices

Kevin Falcone falcone at bestpractical.com
Tue Oct 4 16:37:40 EDT 2011


On Tue, Oct 04, 2011 at 01:22:24PM -0700, Thomas Smith wrote:
> Thanks again Ruslan!
> 
> I've got this mostly working but I'm missing something and I'm just
> not seeing what that is...
> 
> Apache auth via LDAP (mod_auth_ldap) is working correctly--the user
> gets into RT, but no options are available except "Tickets" (along
> with Open, Create, etc, within the Tickets menu). And the new user can
> see that they're logged in, "Logged in as user". However, their user
> account is not being created within the RT database and there are no
> available options for their account (no drop-down for "Logged in as
> user") under their login.

Sounds like users are being created Unprivileged.
Use $AutoCreate in RT_SiteConfig.pm if you wish them to be created
Privileged.  You can search for and make users Privileged from the
user admin pages.  They will not be listed in the list of current
users if they are Unprivileged (but will have records in the Users
table).

-kevin

> I'm seeing these errors when each new user connects to RT.
> 
> [Tue Oct  4 20:04:22 2011] [debug]: Attempting to use external auth
> service: My_LDAP
> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Tue Oct  4 20:04:22 2011] [debug]: SSO Failed and no user to test
> with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
> [Tue Oct  4 20:04:22 2011] [debug]: Autohandler called ExternalAuth.
> Response: (0, No User)
> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
> 
> If the user already exists, however, login works fine and the user is
> able to function as expected in RT.
> 
> What am I missing here? I've looked at (and for) the various "auto
> create" options but haven't gotten very far with this. WebExternalAuth
> and WebExternalAuto are both set to 1.
> 
> 
> On Mon, Oct 3, 2011 at 3:19 PM, Ruslan Zakirov <ruz at bestpractical.com> wrote:
> > Hi,
> >
> >
> > On Tue, Oct 4, 2011 at 12:14 AM, Thomas Smith <theitsmith at gmail.com> wrote:
> >> Thanks Ruslan!
> >>
> >> Yes, I am looking for SSO. I also left out RT (4.0.2) and Apache
> >
> > If you need SSO then you should teach your apache to do that. You do
> > SSO in apache, then use the WebExternalAuth option so RT picks up the
> > user name from apache. In combination you can use either the LDAPImport
> > or ExternalAuth extensions to fetch additional info from LDAP and keep
> > it up to date in RT.
> >
> >
> >> (2.0.63) versions. This server is currently running on COS 4.8 but
> >> will soon be upgraded to 6. I also performed the RT upgrade from 3.8.8
> >> last night (not sure if that matters for this question though).
> >>
> >> On Mon, Oct 3, 2011 at 3:03 PM, Ruslan Zakirov <ruz at bestpractical.com> wrote:
> >>> Hi,
> >>>
> >>> On Mon, Oct 3, 2011 at 11:28 PM, Thomas Smith <theitsmith at gmail.com> wrote:
> >>>> Hi,
> >>>>
> >>>> I'm looking at using LDAP authentication to auth against a Win2k8 R2 AD
> >>>> server. I've seen a few different ways to do this on the website and
> >>>> through Google-ing but none are consistent and none cover all that I'd
> >>>> like to accomplish with this.
> >>>>
> >>>> What I'd like to do is this:
> >>>>
> >>>>    * Authenticate users against AD who login through the web
> >>>> interface. As part of this authentication (for non-existent RT users),
> >>>> create the user's account using their AD username as their RT Username
> >>>> and their AD primary SMTP address as their RT Email.
> >>>>    * When non-existing users submit a ticket via email, have RT check
> >>>> that email against AD and if it finds a user associated with that
> >>>> email, create a new account using the user's AD username as RT's
> >>>> Username and the user's AD email address as RT's Email.
> >>>>    * Reject all other requests (and auto creations) for users who
> >>>> don't already exist in AD or the local RT user database.
> >>>>
> >>>> Is it possible to do all of these things?
> >>>
> >>>
> >>> See http://requesttracker.wikia.com/wiki/LDAP
> >>>
> >>> You didn't say if you need SSO or not.
> >>>
> >>> To check and add users when they send emails and don't exist in the
> >>> system, you need RT::Authen::ExternalAuth. If you need SSO and LDAP is
> >>> quite static then you can use apache for SSO and LDAPImport [1] to
> >>> periodically import and/or update users.
> >>>
> >>> [1] http://cpansearch.perl.org/src/FALCONE/RT-Extension-LDAPImport-0.31/README
> >>>
> >>>>
> >>>> --
> >>>> Thomas Smith
> >>>> Cell: 602-882-2917
> >>>> --------
> >>>> RT Training Sessions (http://bestpractical.com/services/training.html)
> >>>> *  San Francisco, CA, USA  October 18 & 19, 2011
> >>>> *  Washington DC, USA  October 31 & November 1, 2011
> >>>> *  Melbourne VIC, Australia  November 28 & 29, 2011
> >>>> *  Barcelona, Spain  November 28 & 29, 2011
> >>>>
> >>>
> >>>
> >>>
> >>> --
> >>> Best regards, Ruslan.
> >>>
> >>
> >>
> >>
> >> --
> >> Thomas Smith
> >> Cell: 602-882-2917
> >>
> >
> >
> >
> > --
> > Best regards, Ruslan.
> >
> 
> 
> 
> -- 
> Thomas Smith
> Cell: 602-882-2917
> --------
> RT Training Sessions (http://bestpractical.com/services/training.html)
> *  San Francisco, CA, USA  October 18 & 19, 2011
> *  Washington DC, USA  October 31 & November 1, 2011
> *  Barcelona, Spain  November 28 & 29, 2011
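A worked RT_SiteConfig.pm fragment that puts together Kevin's $AutoCreate advice (users created through WebExternalAuto come in Unprivileged unless told otherwise) and Ruslan's suggestion of letting Apache do the SSO while RT::Authen::ExternalAuth fills in user details from AD and checks email senders against it. This is an added example, not configuration posted in the thread or shipped with RT or the extension; the service name My_LDAP is taken from the log above, while the host name, bind DN, password, search base and filters are assumed placeholders that must be replaced for a real directory.

```perl
# RT_SiteConfig.pm fragment (added example; assumptions are marked).

# 1. Apache (mod_auth_ldap / mod_authnz_ldap) has already authenticated the
#    user, so RT trusts REMOTE_USER and creates unknown users on first login.
Set($WebExternalAuth, 1);
Set($WebExternalAuto, 1);

# Attributes applied to users created by WebExternalAuto. Without
# Privileged => 1 the new user is Unprivileged and only sees the
# self-service "Tickets" interface, with no user-admin listing.
Set($AutoCreate, { Privileged => 1 });

# 2. RT::Authen::ExternalAuth fetches Name/EmailAddress from AD and lets RT
#    look a ticket sender up in AD before an account is created for them.
Set(@Plugins, qw(RT::Authen::ExternalAuth));
Set($ExternalAuthPriority, ['My_LDAP']);   # service name as in the log above
Set($ExternalInfoPriority, ['My_LDAP']);

# Do NOT create RT users for senders that are not found in AD
# (the "reject all other auto creations" requirement).
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'My_LDAP' => {
        type   => 'ldap',
        server => 'ad.example.com',                            # assumption: your DC
        user   => 'CN=rt-bind,OU=Service,DC=example,DC=com',   # assumption: read-only bind account
        pass   => 'bind-password',   # keep RT_SiteConfig.pm readable only by the RT user
        base   => 'DC=example,DC=com',                         # assumption: search base
        # Only enabled person accounts are allowed to log in or be matched.
        filter   => '(&(objectClass=user)(objectCategory=person)'
                  . '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
        # Accounts matching this are treated as disabled in RT.
        d_filter => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        tls      => 1,   # STARTTLS so the bind password is not sent in clear
        net_ldap_args => [ version => 3 ],
        # Match an RT user to AD by login name (web SSO) or by email (mail gateway).
        attr_match_list => [ 'Name', 'EmailAddress' ],
        attr_map => {
            Name           => 'sAMAccountName',
            EmailAddress   => 'mail',
            RealName       => 'cn',
            ExternalAuthId => 'sAMAccountName',
            Gecos          => 'sAMAccountName',
        },
    },
});
```

With WebExternalAuth set, the extension's own login-form authentication is not what admits the user; Apache is. The ExternalSettings block still matters because it is what maps sAMAccountName and mail onto RT's Name and EmailAddress and what the mail gateway consults before deciding whether a sender may be auto-created. The bind account only needs read access to the user objects, and the bitwise userAccountControl filter (AD matching rule 1.2.840.113556.1.4.803, bit 2 = disabled) keeps disabled AD accounts from being matched or created.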