HOWTO: Authenticate RT users against Active Directory

Incoming quick and nasty docs on how to make RT authenticate users against
MS Active Directory.

How to set up RT to authenticate against AD.
Running on RH 7.3.

Assuming you have RT and Apache up and running okay.

Installed the auth_ldap-1.6.0-4.i386.rpm package (rpm -ivh auth_ldap-1.6.0-4.i386.rpm).

Uncommented the following lines in httpd.conf (usually
/etc/httpd/conf/httpd.conf):

LoadModule auth_ldap_module modules/mod_auth_ldap.so
AddModule auth_ldap.c

Added the following lines to the section of my httpd.conf that I wanted to
protect:

Options Indexes FollowSymLinks
AllowOverride None
order allow,deny
allow from all
AuthName "MIS Test AD Lab"
AuthType Basic
# The URL is quoted because the base DN ("ou=Head Office") contains a space;
# unquoted, httpd would read it as two arguments.
AuthLDAPUrl "ldap://win2ktest.mistest.internal:389/ou=Head Office,dc=mistest,dc=internal?sAMAccountName?sub?(objectClass=*)"
# AD won't let anonymous users query the directory, so we connect to AD
# using the account specified here. (httpd only accepts comments on their
# own line, not after a directive.)
AuthLDAPBindDN "cn=svc_apache,cn=Users,dc=mistest,dc=internal"
AuthLDAPBindPassword "YOUR_PASSWORD_GOES_HERE"
require valid-user
#require user muquit foo bar "john doe"
#require roomnumber "123 Center Building"
#require filter "(&(telephonenumber=1234)(roomnumber=123))"
#require group cn=rcs,ou=Groups

Where:
"win2ktest.mistest.internal" is the DNS name of my DC.
"389" is the standard LDAP port.
"ou=Head Office" is the OU containing the users I want to authenticate. (Note:
I haven't yet worked out how to make it authenticate against users in
multiple OUs.)
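Before trusting Apache with the lookup, it is worth reproducing it by hand: bind as the service account and search the base DN for one user with the same filter mod_auth_ldap will build. The following is an added example, not part of this HOWTO or of auth_ldap; it pulls the AuthLDAPUrl above apart and prints the equivalent ldapsearch command. The password file path and the user name "jdoe" are assumptions.

```python
# Added example (not from the HOWTO): take the AuthLDAPUrl used above apart and
# build the ldapsearch that reproduces mod_auth_ldap's lookup, so the bind DN,
# base DN and attribute can be checked before Apache is put in front of RT.
import shlex
from urllib.parse import unquote

# Values copied from the httpd.conf above.
AUTH_LDAP_URL = ("ldap://win2ktest.mistest.internal:389/"
                 "ou=Head Office,dc=mistest,dc=internal?sAMAccountName?sub?(objectClass=*)")
BIND_DN = "cn=svc_apache,cn=Users,dc=mistest,dc=internal"
# Assumed location of a file holding the bind password (placeholder, not on the page).
BIND_PW_FILE = "/etc/httpd/conf/svc_apache.pw"


def parse_auth_ldap_url(url):
    """Split an AuthLDAPUrl (RFC 2255 form: scheme://host:port/basedn?attr?scope?filter)
    into the pieces mod_auth_ldap uses. Omitted trailing parts take the module's
    defaults: attribute uid, scope sub, filter (objectClass=*)."""
    scheme, _, rest = url.partition("://")
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % scheme)
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    parts = tail.split("?")
    base_dn = unquote(parts[0])
    attr = parts[1] if len(parts) > 1 and parts[1] else "uid"
    scope = parts[2] if len(parts) > 2 and parts[2] else "sub"
    ldap_filter = unquote(parts[3]) if len(parts) > 3 and parts[3] else "(objectClass=*)"
    if scope not in ("base", "one", "sub"):
        raise ValueError("bad scope: %r" % scope)
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "base_dn": base_dn,
        "attr": attr,
        "scope": scope,
        "filter": ldap_filter,
    }


def escape_filter_value(value):
    """Escape the RFC 4515 filter metacharacters in a value that is going to be
    interpolated into an LDAP filter, so a user name cannot alter the search."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(parsed, username):
    """mod_auth_ldap ANDs the URL's filter with (attr=username)."""
    return "(&%s(%s=%s))" % (parsed["filter"], parsed["attr"], escape_filter_value(username))


def ldapsearch_argv(parsed, bind_dn, pw_file, username):
    """argv for an ldapsearch that does the same bind and search Apache will do.
    The password is read from a file (-y) so it never lands in shell history."""
    return [
        "ldapsearch", "-x", "-LLL",
        "-H", "%s://%s:%d" % (parsed["scheme"], parsed["host"], parsed["port"]),
        "-D", bind_dn, "-y", pw_file,
        "-b", parsed["base_dn"], "-s", parsed["scope"],
        user_search_filter(parsed, username), "dn", parsed["attr"],
    ]


if __name__ == "__main__":
    p = parse_auth_ldap_url(AUTH_LDAP_URL)
    print(shlex.join(ldapsearch_argv(p, BIND_DN, BIND_PW_FILE, "jdoe")))
```

If the printed ldapsearch returns the user's DN, the bind account and base DN are right and any remaining failure is on the Apache side. Note that this setup is AuthType Basic over plain http and ldap:// on port 389, so both the user's password to Apache and the service account's bind password cross the network unencrypted; keep the lab on a trusted segment or move to https and ldaps before using it for real accounts.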

The directives in my httpd.conf for my RT test setup looked like the
following:

ServerName rt.mistest.internal
DocumentRoot /home/helpdesk/rt3/share/html
AddDefaultCharset UTF-8
PerlModule Apache::DBI
PerlRequire /home/helpdesk/rt3/bin/webmux.pl
SetHandler perl-script
PerlHandler RT::Mason
Options Indexes FollowSymLinks
AllowOverride None
order allow,deny
allow from all
AuthName "MIS Test AD Lab"
AuthType Basic
AuthLDAPUrl "ldap://win2ktest.mistest.internal:389/ou=Head Office,dc=mistest,dc=internal?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "cn=svc_apache,cn=Users,dc=mistest,dc=internal"
AuthLDAPBindPassword "YOUR_PASSWORD_GOES_HERE"
require valid-user
#require user muquit foo bar "john doe"
#require roomnumber "123 Center Building"
#require filter "(&(telephonenumber=1234)(roomnumber=123))"
#require group cn=rcs,ou=Groups

Modified my RT_SiteConfig.pm and added the following entries:

# External Auth Directives.

# If $WebExternalAuth is defined, RT will defer to the environment's
# REMOTE_USER variable.
$WebExternalAuth=1;

# If $WebFallbackToInternalAuth is defined, the user is allowed a chance
# of fallback to the login screen, even if REMOTE_USER failed.
$WebFallbackToInternalAuth=undef;

# $WebExternalGecos means to match the 'gecos' field as the user identity;
# useful with mod_auth_pwcheck and IIS Integrated Windows logon.
$WebExternalGecos=undef;

# $WebExternalAuto will create users under the same name as REMOTE_USER
# upon login, if it's missing in the Users table.
$WebExternalAuto=1;
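The four switches interact, and it helps to see the outcome table rather than reason about each flag alone. The following is an added example, not RT's code and not part of this HOWTO: a small Python model of the decision RT makes when a request arrives, following the behaviour the comments above describe (RT's real logic is in its Mason autohandler and has more detail). The user table is constructed.

```python
# Added example (not from the HOWTO, not RT's code): model of how the four
# $WebExternal* settings decide what happens to one request.

class SiteConfig:
    """The four RT_SiteConfig.pm switches; defaults are RT's shipped values (undef)."""
    def __init__(self, WebExternalAuth=False, WebFallbackToInternalAuth=False,
                 WebExternalGecos=False, WebExternalAuto=False):
        self.WebExternalAuth = WebExternalAuth
        self.WebFallbackToInternalAuth = WebFallbackToInternalAuth
        self.WebExternalGecos = WebExternalGecos
        self.WebExternalAuto = WebExternalAuto


def resolve_request(cfg, remote_user, users):
    """Decide the outcome of one request.

    users maps RT user Name -> Gecos and is updated when a user is auto-created.
    remote_user is what Apache put in REMOTE_USER (None when it set nothing).
    Returns (outcome, rt_user_name) with outcome one of:
      'session'    - logged in as an existing RT user
      'created'    - RT user created from REMOTE_USER, then logged in
      'login-form' - RT's own username/password screen is shown
      'denied'     - no session and no fallback: "not an authorized user"
    """
    if not cfg.WebExternalAuth:
        return "login-form", None            # RT checks passwords itself
    if not remote_user:
        # Apache authenticated nobody; only the fallback flag saves the request.
        return ("login-form", None) if cfg.WebFallbackToInternalAuth else ("denied", None)

    if cfg.WebExternalGecos:
        # Match REMOTE_USER against the Gecos field instead of the Name.
        found = [name for name, gecos in users.items() if gecos == remote_user]
        name = found[0] if found else None
    else:
        name = remote_user if remote_user in users else None

    if name is not None:
        return "session", name
    if cfg.WebExternalAuto:
        users[remote_user] = remote_user     # new RT user named after REMOTE_USER
        return "created", remote_user
    return ("login-form", None) if cfg.WebFallbackToInternalAuth else ("denied", None)


# The settings this HOWTO uses, run against a constructed user table.
HOWTO_CONFIG = SiteConfig(WebExternalAuth=True, WebExternalAuto=True)


def demo():
    users = {"root": "root", "jdoe": "jdoe"}
    results = [resolve_request(HOWTO_CONFIG, u, users) for u in ("jdoe", "asmith", None)]
    return results, sorted(users)


if __name__ == "__main__":
    for outcome in demo()[0]:
        print(outcome)
```

With the HOWTO's settings, "jdoe" gets a session, an unknown "asmith" gets an RT account created on first visit, and a request with no REMOTE_USER is refused outright because the fallback is undef. The model also shows why the Apache layer must cover every path to RT: once $WebExternalAuth is on, RT trusts REMOTE_USER completely, and with $WebExternalAuto every account that passes the LDAP check becomes an RT user.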

Ran apachectl configtest. It should report that the syntax is OK.
Restarted Apache (service httpd stop; service httpd start).