[rt-users] Problems with external auth and double prompting for authentication

Jim Brandt jbrandt at bestpractical.com
Wed May 11 08:58:29 EDT 2016


Browser authentication is typically triggered by an Apache 
configuration, so if your goal is to have just RT authentication, you 
might compare your Apache configuration with the example in the docs:

https://docs.bestpractical.com/rt/4.4.0/web_deployment.html

On 5/11/16 3:50 AM, Bart Bunting wrote:
>
>
> Hi everyone,
>
> I have been trying to get external authentication with ldapauth and
> ldapimport working on a brand new rt 4.4 from the latest pull of
> 4.4-trunk.
>
> I have the ldap authentication and rt-ldapimport working correctly
> against our ldap server.
>
> The one issue I can not appear to resolve is that I am prompted first
> by the browsers authentication prompt and then by the RT login screen.
> So you need to enter your authentication credentials twice.
>
> I am hoping to just have the RT login screen, no browser authentication
> prompt.
>
> I'm sure it's something simple but I'm pulling my hair out :).
>
> If someone could take a look at my config and tell me where the error is
> I'd be eternally grateful:
>
> Here is the section of my rt config.
>
> The first few options are commented out as they are part of previous
> attempts to make it work as expected.
>
> #* Authentication
> # configure external authentication
>
> #Set($WebRemoteUserAuth, 1);
> # check authentication on each request rather than just once
> #Set($WebRemoteUserContinuous, 1);
>
> # fall back to rt login if external auth fails.
> #Set($WebFallbackToRTLogin, 1);
>
> Set ($ExternalAuth, 1);
> Set( $ExternalAuthPriority, ['URSYS_LDAP'] );
> Set( $ExternalInfoPriority, ['URSYS_LDAP'] );
>
> # Make users created from LDAP Privileged
> Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
>
> # Users should still be autocreated by RT as internal users if they
> # fail to exist in an external service; this is so requestors (who
> # are not in LDAP) can still be created when they email in.
> Set($AutoCreateNonExternalUsers, 1);
>
> # LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
> # further details and examples
> Set($ExternalSettings, {
>     'URSYS_LDAP'       =>  {
> 	'type'             =>  'ldap',
> 	    'server'           =>  'ldap.xxxxx,
> 	    'base'             =>  'cn=users,cn=accounts,dc=xxxxxx',
> 	    'user' => 'uid=system,cn=sysaccounts,xxxxx',
> 	    'pass' => 'xxxxxx',
> 	    'filter' => '(&(memberOf=cn=helpdesk-*))',
> 	    'attr_match_list'  => [
> 		'Name',
> 	    ],
> 	    'attr_map' => {
> 		'Name' => 'uid',
> 		'EmailAddress' => 'mail',
> 	    },
> 	},
>     } );
>
> # * rt-ldapimport configuration
> # enable plugin
> Plugin( qw(RT::LDAPImport));
>
> Set($LDAPBase,'cn=users,cn=accounts,xxxxx');
> Set($LDAPHost,'ldap.xxxxx');
> Set($LDAPUser,'uid=system,cn=sysaccounts,xxxxxx');
> Set($LDAPPassword,'xxxxxxxx');
> Set($LDAPFilter, '(&(memberOf=cn=helpdesk-*))');
> Set($LDAPMapping, {Name         => 'uid', # required
> 		   EmailAddress => 'mail',
> 		   RealName     => 'cn',
> 		   WorkPhone    => 'telephoneNumber',
> 		   Organization => 'departmentName'});
> # create users as privileged
>   Set($LDAPCreatePrivileged, 1);
>
> # sync Groups from LDAP into RT
> Set($LDAPGroupBase, 'cn=accounts,xxxxx');
> Set($LDAPGroupFilter, '(&(objectClass=groupofnames)(cn=helpdesk-*))');
> Set($LDAPGroupMapping, {Name               => 'cn',
> 			Description               => 'description',
> 			Member_Attr        => 'member',
> 			Member_Attr_Value  => 'dn',
> });
>
> As above all the ldap stuff appears to work apart from the double
> request for authentication.
>
>
>
> Kind regards
> Bart
>



More information about the rt-users mailing list