Configure RT for Intergration with Active Directory

Hello all.

I’m working with a brand new Request Tracker 4.07 install on Debian 7.0.0 (Wheezy) and I have some very general questions about configuring Request Tracker for integration with Active Directory. I would like our Window clients to be able to access Request Tracker using the SSO functionality of Internet Explorer, have their Request Tracker accounts created and relevant details pulled from Active Directory’s LDAP. The more seamless this is the better.

I have a very basic high-level conceptual understanding of how this is all supposed to fit together but am a bit lost on the specifics. Please bear with me.

If I understand this correctly I need to do three things:

  •      Configure External Authentication for Request Tracker
    
  •      Configure NTLM /SSO, either in Apache via mod_ntlm, mod_ntlm_winbind or mod_pam
    
  •      Configure an LDAP overlay so that authenticated RT users get their  information fields populated with the relevant data
    

External Authentication: http://requesttracker.wikia.com/wiki/ExternalAuthentication

There seem to be two common ways to do this - either use WebExternalAuth which pushes the authentication requirement to Apache or use the RT::Authen::ExternalAuth module and have RT do the authentication directly. Which one should I use? I kind of get the impression that RT::Authen::ExternalAuth is someone what out of date and that WebExternalAuth is the recommend way to handle authentication. Is this correct? What criteria should I use to make the determination between the two methods?

Configure NTLM /SSO, either in Apache via mod_ntlm, mod_ntlm_winbind, mod_kerb or mod_pam

This is really more a question about the RT ecosystem but presuming I’m using WebExternalAuth correctly I then need to use an Apache module so Apache can make the determination as to whether or not a client is authenticated.

Lots of advice points to mod_ntlm, which as far as I can tell does not require Samba and can directly do the NTLM challenge/response. On the other hand it seems like people recommend the use of Samba’s t ntml_auth helper as more up to date way to handle NTLM authentication. I imagine you could also use mod_kerb if you have Kerberos setup or mod_pam if Samba is functioning appropriately.

Again, I’m not really sure what authentication I should have Apache2 attempt to do for my clients nor how to configure the SSO cookies.

LDAP Overlays - http://requesttracker.wikia.com/wiki/LdapSummary

There’s lots of information here but I can’t pick out which stuff is relevant and up to date. The ExternalAuth plug again seems to be popular. The AutoCreateFromExternalUserInfo and AutoCreateAndCanonicalizeUserInfo Wiki page appear to do just what I want but are preferenced by warning saying that they’re out of date.

Where can I find the relevant documentation to pull information about Active Directory Users with LDAP and have it auto-populate their RT user’s fields.

Some assistance in finding the right documentation on how to accomplish Active Directory integration would be very helpful.

Thanks.

Kevin Elliott
Networking Specialist II
Alaska Department of Revenue, ASD-IT
(907) 465-2314

If all are trying to accomplish is utilizing AD as your source of authentication - then you just need the ExtAuth plugin setup. This will allow you enable all of your AD users to authenticate (you can filter against any AD attribute, OU, etc to set parameters from AD).

At the same time you can configure RT to handle all the security configuration and just enable AD authentication. This would allow any AD credential to authenticate, but as a non-privileged user. In this setup you would manage anything RT security related in the RT interface (RT groups, RT group permissions, RT Users, RT Users permission, etc)

We use AD for authentication, and RT’s security to manage what they can do via groups/ or AD groups. It’s the best of both worlds and you don’t have to worry about NTLM/SSO headaches. ExtAuth will feed RT user attributes too out of the box (full name, address, phone, etc.)
-AndyFrom: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Elliott, Kevin C (DOR)
Sent: Friday, June 07, 2013 4:48 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] Configure RT for Intergration with Active Directory

Hello all.

I’m working with a brand new Request Tracker 4.07 install on Debian 7.0.0 (Wheezy) and I have some very general questions about configuring Request Tracker for integration with Active Directory. I would like our Window clients to be able to access Request Tracker using the SSO functionality of Internet Explorer, have their Request Tracker accounts created and relevant details pulled from Active Directory’s LDAP. The more seamless this is the better.

I have a very basic high-level conceptual understanding of how this is all supposed to fit together but am a bit lost on the specifics. Please bear with me.

If I understand this correctly I need to do three things:

  •      Configure External Authentication for Request Tracker
    
  •      Configure NTLM /SSO, either in Apache via mod_ntlm, mod_ntlm_winbind or mod_pam
    
  •      Configure an LDAP overlay so that authenticated RT users get their  information fields populated with the relevant data
    

External Authentication: http://requesttracker.wikia.com/wiki/ExternalAuthentication

There seem to be two common ways to do this - either use WebExternalAuth which pushes the authentication requirement to Apache or use the RT::Authen::ExternalAuth module and have RT do the authentication directly. Which one should I use? I kind of get the impression that RT::Authen::ExternalAuth is someone what out of date and that WebExternalAuth is the recommend way to handle authentication. Is this correct? What criteria should I use to make the determination between the two methods?

Configure NTLM /SSO, either in Apache via mod_ntlm, mod_ntlm_winbind, mod_kerb or mod_pam

This is really more a question about the RT ecosystem but presuming I’m using WebExternalAuth correctly I then need to use an Apache module so Apache can make the determination as to whether or not a client is authenticated.

Lots of advice points to mod_ntlm, which as far as I can tell does not require Samba and can directly do the NTLM challenge/response. On the other hand it seems like people recommend the use of Samba’s t ntml_auth helper as more up to date way to handle NTLM authentication. I imagine you could also use mod_kerb if you have Kerberos setup or mod_pam if Samba is functioning appropriately.

Again, I’m not really sure what authentication I should have Apache2 attempt to do for my clients nor how to configure the SSO cookies.

LDAP Overlays - http://requesttracker.wikia.com/wiki/LdapSummary

There’s lots of information here but I can’t pick out which stuff is relevant and up to date. The ExternalAuth plug again seems to be popular. The AutoCreateFromExternalUserInfo and AutoCreateAndCanonicalizeUserInfo Wiki page appear to do just what I want but are preferenced by warning saying that they’re out of date.

Where can I find the relevant documentation to pull information about Active Directory Users with LDAP and have it auto-populate their RT user’s fields.

Some assistance in finding the right documentation on how to accomplish Active Directory integration would be very helpful.

Thanks.

Kevin Elliott
Networking Specialist II
Alaska Department of Revenue, ASD-IT
(907) 465-2314