Active Directory authentication

Hello RT-users list. I’ve got a request from my manager to integrate
RT’s authentication mechanism (which I believe is handled within the RT
database) with our Active Directory server. Is this at all
possible/advisable? Has anyone heard of a user accomplishing such a
thing before? Thanks for your help!

Joe,

I’m doing lookups and authentication against a windows 2003 AD server
using Jim Meyer’s LDAP overlay:
http://wiki.bestpractical.com/index.cgi?LDAP

-Matt

From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Joe
Hammerman
Sent: Wednesday, May 03, 2006 1:00 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] Active Directory authentication

Hello RT-users list. I’ve got a request from my manager to integrate
RT’s authentication mechanism (which I believe is handled within the RT
database) with our Active Directory server. Is this at all
possible/advisable? Has anyone heard of a user accomplishing such a
thing before? Thanks for your help!

Really two options, both of which are handled by configuring external
authentication on RT: Mod_auth_ldap, which I couldn’t get to work (your
mileage may vary), and the Apache2::AuthenMSAD Perl module, which was much
simpler to install and configure.

Ted Serreyn Phone: 262-432-0260 Fax: 262-432-0232
Serreyn Network Services, LLC http://www.serreyn.com/

I have been able to get authentication via AD working but need to work
around an issue.

In AD…

sAMAccountName = ABC456

mail=jdoe@company.com

As you can see, the user’s email address is not always
@company.com.

This is a problem now that I want to use rt-mailgate and want to stay
away from users having two accounts in RT… one based on their
sAMAccountName and another based on their e-mail address (which would be
the case if folks create tickets via email and we continue to use
sAMAccountName for the RT username and I grant ‘Everyone’ the right
‘CreateTicket’ and allow for the auto-creation of new users).

If I want to use people’s email address for their RT username…

  1.  How do I authenticate them against AD with their email address
      and AD password instead of sAMAccountName and password? Is this
      something that would need to be configured/allowed in AD?

  2.  Or, could I have users authenticate against AD with their
      sAMAccountName but somehow have their username in RT be their email
      address?

Thanks in advance.
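
Added example, not part of the original thread and not code from RT or the LDAP overlay: one way to cover both options asked about above is to search the directory for whatever the user typed (sAMAccountName or e-mail address), bind as the single DN that comes back, and use the `mail` attribute as the RT username. The helper names and the in-memory directory are constructed for illustration; the typed value is escaped per RFC 4515 before it is placed in the search filter.

```python
# Added example: helper names and directory entries below are constructed.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_login_filter(login):
    """Filter that matches one user by sAMAccountName or by mail."""
    v = escape_filter_value(login)
    return f"(&(objectClass=user)(|(sAMAccountName={v})(mail={v})))"

def resolve_login(login, search):
    """Map what the user typed to (bind_dn, rt_username), or None.

    `search` is any callable that takes a filter string and returns a list
    of (dn, attrs) pairs, e.g. a thin wrapper around a real LDAP search.
    """
    entries = search(build_login_filter(login))
    if len(entries) != 1:          # unknown or ambiguous login: refuse
        return None
    dn, attrs = entries[0]
    mail = attrs.get("mail")
    if not mail:                   # no address to use as the RT username
        return None
    return dn, mail                # caller binds as dn with the password

# Constructed directory standing in for AD (not real accounts).
DIRECTORY = [
    ("CN=John Doe,OU=Staff,DC=example,DC=com",
     {"sAMAccountName": "ABC456", "mail": "jdoe@company.com"}),
    ("CN=Ann Roe,OU=Staff,DC=example,DC=com",
     {"sAMAccountName": "ABC789", "mail": "ann.roe@partner.example"}),
]

def fake_search(ldap_filter):
    """Equality-only stand-in for an LDAP search (case-insensitive, like AD)."""
    f = ldap_filter.lower()
    hits = []
    for dn, attrs in DIRECTORY:
        clauses = (f"({k}={escape_filter_value(v)})".lower() for k, v in attrs.items())
        if any(c in f for c in clauses):
            hits.append((dn, attrs))
    return hits

if __name__ == "__main__":
    for typed in ("ABC456", "jdoe@company.com", "*"):
        print(typed, "->", resolve_login(typed, fake_search))
```

Either login form resolves to the same directory entry and therefore the same RT username, so a ticket created by e-mail and a web login end up on one account.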