Active Directory/LDAP Auth

I have a freshly installed rt3.

I am trying to authenticate to Active Directory to log into the system.

I have set up apache and I can log in using my Active Directory details
and it then shows the login screen for RT.

How can I have RT log me in with these details and create the user if
it does not exist?

I have changed the following in my RT_SiteConfig.pm to allow this -:

Set($WebExternalAuth , 1);
Set($WebExternalAuto , 1);

But I still end up at the RT login screen.

Have searched and searched on google, can anyone give me a hint?

Regards


But I still end up at the RT login screen.

Have searched and searched on google, can anyone give me a hint?

did you restart apache? (that’s stop and start)

seph

Steven Coutts wrote:

Have searched and searched on google, can anyone give me a hint?

I had the same problem. Besides restarting apache from the ground up
(i.e.: stop, then start; not restart), close all your browser windows
and restart it fresh.

Let me know if it works.

Cheers
–bronto

Marco Marongiu - Int. IT Services
Email: mmarongiu@tiscali.com
Phone: +39 070 460 1684
Fax: +39 070 460 9684

I’ve been trying to get this setup on my RT install and haven’t had any
luck. What LDAP module are you guys using and with that version of Apache??

Also, if anyone who has this working could post the relevant sections of
your httpd.conf file that would be awesome!!!

Thanks

Stevo

----- Original Message -----
From: “Marco Marongiu” bronto@tiscali.com
To: “Steven Coutts” scoutts@bcs.org.uk
Cc: rt-users@lists.bestpractical.com
Sent: Tuesday, May 11, 2004 6:18 AM
Subject: Re: [rt-users] Active Directory/LDAP Auth

Steven Coutts wrote:

Have searched and searched on google, can anyone give me a hint?

I had the same problem. Besides restarting apache from the ground up
(i.e.: stop, then start; not restart), close all your browser windows
and restart it fresh.

Let me know if it works.

Cheers
–bronto




The rt-users Archives

RT Developer and Administrator training is coming to LA, DC and Frankfurt
this spring and summer.
http://bestpractical.com/services/training.html

Sign up early, as class space is limited.

here’s my VirtualHost section. Someone guided me through a little perl
hacking to get AuthenSMB to work. Someone sent me the following pointers
that I put up on my wiki just now:
http://josiah.ritchietribe.net/moniwiki/wiki.php/RTLDAPAuthentication

ServerName rt.localdomain
DocumentRoot /opt/rt3/share/html
AddDefaultCharset UTF-8

# Added for SMB Authentication
<Directory "/opt/rt3/share/html/">
    AuthPam_Enabled Off

    PerlModule Apache::AuthenSmb
    AuthName "Username/Password"
    AuthType Basic
    PerlSetVar myPDC x.x.x.x
    PerlSetVar myBDC x.x.x.x
    PerlSetVar MyDomain LocalDomain
    PerlAuthenHandler Apache::AuthenSmb
    require valid-user
</Directory>

# these four lines apply to Apache2+mod_perl2 only: {{{
PerlSetVar MasonArgsMethod CGI
PerlModule Apache2 Apache::compat
RewriteEngine On
RewriteRule ^(.*)/$ $1/index.html
# }}}

PerlModule Apache::DBI
PerlRequire /opt/rt3/bin/webmux.pl

<Location />
    SetHandler perl-script
    PerlHandler RT::Mason
</Location>

On Tue, 2004-05-11 at 10:16, Stevo wrote:

I’ve been trying to get this setup on my RT install and haven’t had any
luck. What LDAP module are you guys using and with that version of Apache??

Also, if anyone who has this working could post the relevant sections of
your httpd.conf file that would be awesome!!!

Thanks

Stevo


Stevo wrote:

I’ve been trying to get this setup on my RT install and haven’t had
any luck. What LDAP module are you guys using and with that version
of Apache??

I am using mod_auth_ldap on Apache 1.3.29; this module is guaranteed to
work on Apache 2 also, but I don’t know if Mason, and hence RT, is
mod_perl-2-friendly. You should investigate that.

Also, if anyone who has this working could post the relevant sections
of your httpd.conf file that would be awesome!!!

 <Location />
   AuthType Basic
   AuthName 'Authentication Against Activedirectory'
   AuthLDAPEnabled On
   AuthLDAPUrl ldap://10.39.0.208:3268/OU=something,dc=mydomain,dc=org?sAMAccountName?sub?(&(objectclass=person)(|(sAMAccountName=my_boss)(manager=my_boss_DN)))
   AuthLDAPBindDN dn_of_account_used_for_searches
   AuthLDAPBindPassword password_of_the_account_above
   Require valid-user
 </Location>

That’s all

Ciao
–bronto

Allohha. LDAP guys.

This topic is FAQ now, isn’t it?

May be someone finally share ‘step-by-step’ instructions, configs and
so-so with other on wiki.
http://wiki.bestpractical.com/index.cgi?Plugins
Has broken link to overlay and link to ML archive is broken too.

AuthLDAP good page for it IMHO.

Please, don’t place links on .pm files, better copy&paste it.

		Best regards. Ruslan.


Stevo,

Here’s a sample of our httpd.conf file.
We have Windows 2003 AD and I elected to create a ldap user to authenticate to the DC.

Ldap_auth version: 1.6.0
Apache version: 1.3.29

Good luck,
Bruce

<VirtualHost 172.100.100.100:80>
DocumentRoot /opt/rt3/share/html
ServerName rtserver.subdomain.mydomain.com
AddDefaultCharset UTF-8

PerlModule Apache::DBI
PerlRequire /opt/rt3/bin/webmux.pl
ServerAdmin administrator@mydomain.com

<Location />
   SetHandler perl-script
   PerlHandler RT::Mason
     Options Indexes FollowSymLinks
     AllowOverride None
     order allow,deny
     allow from all
     AuthName "Request Tracker"
     AuthType Basic
     AuthLDAPUrl ldap://dcserver.subdomin.mydomain.com:389/ou=our_ou,dc=subdomain,dc=mydomain,dc=com?sAMAccountName?sub?(objectclass=*)
     #AuthLDAPURL untName
     # need this account and setting because Active Directory
     # does not allow anonymous binding by default
     AuthLDAPBindDN "someldapuser@subdomain.mydomain.com"
     AuthLDAPBindPassword ldapuserpassword
     require valid-user

</Location>
</VirtualHost>

-----Original Message-----
From: Stevo [mailto:checkpoint@ozbergs.com]
Sent: Tuesday, May 11, 2004 7:16 AM
To: Marco Marongiu; Steven Coutts
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Active Directory/LDAP Auth

I’ve been trying to get this setup on my RT install and haven’t had any
luck. What LDAP module are you guys using and with that version of
Apache??

Also, if anyone who has this working could post the relevant sections of
your httpd.conf file that would be awesome!!!

Thanks

Stevo


This E-mail is confidential. It should not be read, copied, disclosed or used by any person other than the intended recipient. Unauthorized use, disclosure or copying by whatever medium is strictly prohibited and may be unlawful. If you have received this E-mail in error, please contact the sender immediately and delete the E-mail from your system.
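
The `AuthLDAPUrl` values posted in the two configurations above pack the server, port, search base, login attribute, scope and filter into one string. The following Python sketch is an added example (not code from any poster or from RT) that splits that string and flags the settings worth reviewing; the finding labels and the defaults used for omitted fields are assumptions of this example.

```python
import re
from collections import namedtuple

AuthLdapUrl = namedtuple(
    "AuthLdapUrl", "scheme host port base_dn attribute scope ldap_filter")

_URL = re.compile(
    r"^(ldaps?)://([^/:?\s]+)(?::(\d+))?/([^?\s]*)(?:\?(\S*))?$", re.I)

def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter into fields."""
    m = _URL.match(url.strip().strip('"'))
    if not m:
        raise ValueError(f"not an LDAP URL: {url!r}")
    scheme, host, port, base_dn, rest = m.groups()
    scheme = scheme.lower()
    # Only the first two '?' separate fields; the filter keeps the remainder.
    fields = (rest or "").split("?", 2) + ["", "", ""]
    return AuthLdapUrl(
        scheme, host,
        int(port) if port else (636 if scheme == "ldaps" else 389),
        base_dn,
        fields[0] or "uid",              # assumed default attribute
        fields[1] or "sub",              # assumed default scope
        fields[2] or "(objectClass=*)",  # assumed default filter
    )

def audit(url):
    """Return review labels (names invented for this example) for one URL."""
    findings = []
    if url.scheme == "ldap":
        # Simple binds over ldap:// send the bind and user passwords unencrypted.
        findings.append("cleartext-ldap")
    if url.port in (3268, 3269):
        # Active Directory Global Catalog: the search spans the whole forest.
        findings.append("global-catalog")
    if re.fullmatch(r"\(objectclass=\*\)", url.ldap_filter, re.I):
        # Any entry under base_dn that has the login attribute is accepted.
        findings.append("match-all-filter")
    return findings

def audit_config(text):
    """Map every active (uncommented) AuthLDAPUrl directive to its findings."""
    urls = re.findall(r"(?im)^\s*AuthLDAPUrl\s+(\S+)", text)
    return {u: audit(parse_auth_ldap_url(u)) for u in urls}

# Directive lines as posted in this thread, placeholders included.
SAMPLE = """
AuthLDAPUrl ldap://10.39.0.208:3268/OU=something,dc=mydomain,dc=org?sAMAccountName?sub?(&(objectclass=person)(|(sAMAccountName=my_boss)(manager=my_boss_DN)))
AuthLDAPUrl ldap://dcserver.subdomin.mydomain.com:389/ou=our_ou,dc=subdomain,dc=mydomain,dc=com?sAMAccountName?sub?(objectclass=*)
#AuthLDAPURL untName
"""

if __name__ == "__main__":
    for url, findings in audit_config(SAMPLE).items():
        print(findings, url)
```
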

What you did is all right.
If you can log in with your credentials it’s ok, so you don’t have to do any changes on httpd.conf
Anyway it could be a problem that these settings are not applied because you need to stop and restart apache, or clear mason cache.
Or you need to close your browser session.

One thing you have to remember in httpd.conf is that noauth should be excluded from authentication, so you don’t have problems with mails and so on.

Samuel

-----Original Message-----
From: Steven Coutts [mailto:scoutts@bcs.org.uk]
Sent: Tuesday,11 May,2004 14:07
To: rt-users@lists.bestpractical.com
Subject: [rt-users] Active Directory/LDAP Auth

I have a freshly installed rt3.

I am trying to authenticate to Active Directory to log into the system.

I have set up apache and I can log in using my Active Directory details and it then shows the login screen for RT.

How can I have RT log me in with these details and create the user if it does not exist?

I have changed the following in my RT_SiteConfig.pm to allow this -:

Set($WebExternalAuth , 1);
Set($WebExternalAuto , 1);

But I still end up at the RT login screen.

Have searched and searched on google, can anyone give me a hint?

Regards

Here’s another stupid question… where do I get ldap_auth from?

----- Original Message -----
From: “Kogami, Bruce” bkogami@randmcnally.com
To: “Stevo” checkpoint@ozbergs.com
Cc: rt-users@lists.bestpractical.com
Sent: Tuesday, May 11, 2004 8:23 AM
Subject: RE: [rt-users] Active Directory/LDAP Auth

Stevo,

Here’s a sample of our httpd.conf file.
We have Windows 2003 AD and I elected to create a ldap user to
authenticate to the DC.

Ldap_auth version: 1.6.0
Apache version: 1.3.29

Good luck,
Bruce

<VirtualHost 172.100.100.100:80>
DocumentRoot /opt/rt3/share/html
ServerName rtserver.subdomain.mydomain.com
AddDefaultCharset UTF-8

PerlModule Apache::DBI
PerlRequire /opt/rt3/bin/webmux.pl
ServerAdmin administrator@mydomain.com

<Location />
   SetHandler perl-script
   PerlHandler RT::Mason
     Options Indexes FollowSymLinks
     AllowOverride None
     order allow,deny
     allow from all
     AuthName "Request Tracker"
     AuthType Basic
     AuthLDAPUrl ldap://dcserver.subdomin.mydomain.com:389/ou=our_ou,dc=subdomain,dc=mydomain,dc=com?sAMAccountName?sub?(objectclass=*)
     #AuthLDAPURL untName
     # need this account and setting because Active Directory
     # does not allow anonymous binding by default
     AuthLDAPBindDN "someldapuser@subdomain.mydomain.com"
     AuthLDAPBindPassword ldapuserpassword
     require valid-user

</Location>
</VirtualHost>



There are many modules, search in google or apache homepage, here an example:

http://www.rudedog.org/auth_ldap/

If you have debian you just need to apt-cache search ldap or auth_ldap and find the name of the package.

Samuel

This might be dumb question. I am wondering if adding LDAP will automatically create users on RT or it will act like a regular workstation where there is a LOCAL account and then there is a NETWORK account on a Windows machine.
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users


This electronic mail message contains information belonging to PaymentOne, which may be confidential and/or legal privileged. The information is intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, printing, copying, distribution, or the taking of any action in reliance on the contents of this electronically mailed information is strictly prohibited. If you receive this message in error, please immediately notify us by electronic mail and delete this message.

If you set up in your config in RT that a user is created automatically it is.

Samuel