I think this will work, soliciting opinions before I do something stupid, though:
Large group of unprivileged users (i.e. requestors), accessible via LDAP
Small group of privileged users (i.e. staff), NOT in that ldap directory
I create the staff in the local RT user database, and set up ExternalAuth to the LDAP directory. Pass-through feature allows staff to log in and use the system, but everything gets searched for in LDAP first. Right?
(204) 291-7950 - direct
(204) 489-6515 - fax