Best method to authenticate with AD

Hi

I need to let RT authenticate users through AD. We have a number of
levels in our AD structure to separate users for geographical and
departmental reasons. On the best practice website I have read that
there are three ways:

  1. Apache Authentication
  2. Mike Peachey's RT::Authen::ExternalAuth extension
  3. Jim Meyer's User_Local Overlay (Deprecated)

Which of the three ways has worked well for you, and which would you recommend?

Kind regards

Gerrit Kilian

DGB (Pty) Ltd

IT Support supervisor

Gerrit Kilian wrote:

Hi

I need to let RT authenticate users through AD. We have a number of
levels in our AD structure to separate users for geographical and
departmental reasons. On the best practice website I have read that
there are three ways:

  1. Apache Authentication
  2. Mike Peachey's RT::Authen::ExternalAuth extension
  3. Jim Meyer's User_Local Overlay (Deprecated)

I recommend 2 over 3 because 2 is a complete rewrite of 3 and Jim is
happy that 2 deprecates 3. As for 1, I’ve never done it, but it depends
on whether you just want access authentication, or whether you want user
information to be loaded from an external source.

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com

I'm using ExternalAuth in 3.8.1 and it works well with our LDAP, but closer integration could be achieved via Apache auth against a pam.d stack utilizing Kerberos and Samba to directly authenticate with your domain controllers. It's less expensive for Windows.

You could even audit your logins to the RT system through the Event Viewer.

----- Original Message -----
From: Gerrit Kilian GerritK@dgb.co.za
Date: Tuesday, August 26, 2008 2:23
Subject: [rt-users] Best method to authenticate with AD
To: rt-users@lists.bestpractical.com


Another vote for #2

From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Mike
Peachey
Sent: Tuesday, August 26, 2008 4:51 AM
To: Gerrit Kilian; RT Users
Subject: Re: [rt-users] Best method to authenticate with AD

http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

I’m using ExternalAuth; it works well and I would recommend it.

I ran into a couple of implementation issues because 1) my AD user
objects lacked an E-mail address, and 2) many of my users had submitted
tickets via E-mail and had RT accounts autocreated with their RT
username being their E-mail address.

The empty E-mail addresses in the AD user objects cause problems when a
new user sends an E-mail to RT. A user account gets created with
information from AD, but then mailgateway fails to find that user
because the account has a null E-mail address.

This meant that I had to update all my AD user objects, adding in their
E-mail address, and update my procedures for “Adding a User”, but it all
seems good now.

The existing RT autocreated users needed to have their RT username
updated to match their AD account name (specifically the sAMAccountName)
so that they could log in to the RT web interface with the AD account
name and password.

Brian
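The two issues described in the message above can be checked before ExternalAuth is enabled. The following is an added example, not part of the original thread or of RT: it flags AD accounts with no mail attribute and plans renames of e-mail-named RT users to their sAMAccountName. The sample data and the `norm` and `audit` functions are constructed for illustration.

```python
# Added example: audit before pointing RT at AD. All data below is constructed.
# sAMAccountName/mail are AD attributes; Name/EmailAddress are RT user fields.

AD_USERS = [  # constructed sample, e.g. parsed from an LDAP export
    {"sAMAccountName": "jsmith", "mail": "John.Smith@example.com"},
    {"sAMAccountName": "mbrown", "mail": ""},            # mail never filled in
    {"sAMAccountName": "pjones", "mail": "p.jones@example.com"},
]
RT_USERS = [  # constructed sample of existing RT users
    {"Name": "john.smith@example.com", "EmailAddress": "john.smith@example.com"},
    {"Name": "p.jones@example.com", "EmailAddress": "p.jones@example.com"},
    {"Name": "pjones", "EmailAddress": ""},               # hand-made account
    {"Name": "vendor@example.org", "EmailAddress": "vendor@example.org"},
]


def norm(value):
    """Case-insensitive comparison key; treats a missing attribute as empty."""
    return (value or "").strip().lower()


def audit(ad_users, rt_users):
    """Return AD accounts lacking mail and a rename plan for e-mail-named RT users."""
    missing_mail, by_mail, ambiguous = [], {}, set()
    for u in ad_users:
        mail = norm(u.get("mail"))
        if not mail:
            missing_mail.append(u["sAMAccountName"])
        elif mail in by_mail:
            ambiguous.add(mail)          # two AD accounts share one address
        else:
            by_mail[mail] = u["sAMAccountName"]

    taken = {norm(u["Name"]) for u in rt_users}
    renames, conflicts, unmatched = [], [], []
    for u in rt_users:
        name = u["Name"]
        if "@" not in name:
            continue                     # already a plain login name
        mail = norm(u.get("EmailAddress")) or norm(name)
        sam = by_mail.get(mail)
        if sam is None or mail in ambiguous:
            unmatched.append(name)       # external requestor or unclear owner
        elif norm(sam) in taken:
            conflicts.append((name, sam))  # target name exists: merge by hand
        else:
            renames.append((name, sam))
    return {"missing_mail": missing_mail, "renames": renames,
            "conflicts": conflicts, "unmatched": unmatched}
```

Accounts in `missing_mail` need their mail attribute set in AD first; entries in `conflicts` already have an RT user with the target name and need a manual decision rather than a rename.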

Hello Mike

Thank you for your advice. I have decided to go with
RT::Authen::ExternalAuth for AD authentication.

Regards
Gerrit

From: Mike Peachey [mailto:mike.peachey@jennic.com]
Sent: 26 August 2008 10:51 AM
To: Gerrit Kilian; RT Users
Subject: Re: [rt-users] Best method to authenticate with AD
