LDAP Auth

Dax_Kelson · October 3, 2003, 12:34am

Using RT3 I would like have my staff authenticated via my LDAP
directory.

I would like outsiders to get “rt only” accounts.

I would like to use the RT login screen (no external auth).

Any ideas on either of the above?

TIA,

Dax Kelson

Robert_Spier · October 3, 2003, 5:31am

Using RT3 I would like have my staff authenticated via my LDAP
directory.
I would like outsiders to get “rt only” accounts.
I would like to use the RT login screen (no external auth).
Any ideas on either of the above?

Overlay RT::User and use Net::LDAP to do the right thing.

-R

Obando_David_DE_EV · March 18, 2005, 11:09am

Dear all,

-I’m using rt 3.4.1 on a Debian 3.1/sparc system.
-I have an external LDAP server (Windoze AD)
-I want RT to check users against the LDAP server directly

I searched the mailing list archive for days but I still can’t get it
working.

I downloaded
http://download.bestpractical.com/pub/rt/contrib/3.0/LDAP1.0_RT3.tar.gz
and added it to my RT installation. My RT_SiteConfig.pm looks like this:

LDAP Auth

Set($WebExternalAuth , undef);
$LDAPExternalAuth = 1;
$LdapServer=“txlevd1-dct01”;
$LdapUser=“cn=evldap,dc=ev,dc=egmont,dc=com”;
$LdapPass=“xxx”;
$LdapBase=“dc=ev,dc=egmont,dc=com”;
$LdapUidAttr=“sAMAccountName”;
$LdapFilter=“(objectclass=*)”;
$LdapTLS = 1;
#$LdapGroup =“dc=ev,dc=egmont,dc=com”;
#$LdapGroupAttribute = ‘uniqueMember’;
$LdapSSLVersion = 3;

RT does not communicate with my LDAP server (I tcpdumped it), it is
still authenticating against its own DB.

-Is my RT_SiteConfig.pm correct?
-What about the rt-root/html/autohandler? Do I have to put it into
local/html or share/html. When putting it to share/html I received
several errors.

Thank you in advance for any help.

Best regards,
David

Sam_Snow · March 18, 2005, 11:35am

Obando, David DE - EV said:

Dear all,

-I’m using rt 3.4.1 on a Debian 3.1/sparc system.
-I have an external LDAP server (Windoze AD)
-I want RT to check users against the LDAP server directly

I searched the mailing list archive for days but I still can’t get it
working.

I downloaded
download.bestpractical.com/pub/rt/contrib/ gone
and added it to my RT installation. My RT_SiteConfig.pm looks like this:

LDAP Auth

Set($WebExternalAuth , undef);
$LDAPExternalAuth = 1;
$LdapServer=“txlevd1-dct01”;
$LdapUser=“cn=evldap,dc=ev,dc=egmont,dc=com”;
$LdapPass=“xxx”;
$LdapBase=“dc=ev,dc=egmont,dc=com”;
$LdapUidAttr=“sAMAccountName”;
$LdapFilter=“(objectclass=*)”;
$LdapTLS = 1;
#$LdapGroup =“dc=ev,dc=egmont,dc=com”;
#$LdapGroupAttribute = ‘uniqueMember’;
$LdapSSLVersion = 3;

RT does not communicate with my LDAP server (I tcpdumped it), it is
still authenticating against its own DB.

-Is my RT_SiteConfig.pm correct?
-What about the rt-root/html/autohandler? Do I have to put it into
local/html or share/html. When putting it to share/html I received
several errors.

Thank you in advance for any help.

Best regards,
David

An alternate route to take would be to use Winbind out of the samba
package to check emails with your windows domain controller. Works fine
with NT 4, Win 2000, and 2003 servers.

You would then set up external auth via your web server to PAM, which
would check the passwords through winbind.

Sorry I can’t help on the LDAP. I use winbind for checking regular account
passwords, but have not tried external auth with RT (though I have looked
into it some). If you go this route I can help you some with the winbind
and pam config; I am running debian sarge.

Sam

Stephane_Bortzmeyer1 · March 18, 2005, 12:20pm

a message of 180 lines which said:

-I’m using rt 3.4.1 on a Debian 3.1/sparc system.

Me too.

-I have an external LDAP server (Windoze AD)

Me too (but it is OpenLDAP on another Debian)

-I want RT to check users against the LDAP server directly

It works for me.

I downloaded
download.bestpractical.com/pub/rt/contrib/ gone
and added it to my RT installation.

Were did you add it? On your Debian box, you should have:

% find /usr/local/share/request-tracker3 -type f
/usr/local/share/request-tracker3/lib/RT/EmailParser_Local.pm
/usr/local/share/request-tracker3/lib/RT/User_Local.pm
/usr/local/share/request-tracker3/lib/RT/Interface/Email/Auth/MailFrom_Local.pm
/usr/local/share/request-tracker3/lib/RT/Interface/Email_Local.pm
/usr/local/share/request-tracker3/html/autohandler
…

-What about the rt-root/html/autohandler? Do I have to put it into
local/html or share/html.

Read /usr/share/doc/request-tracker3/INSTALL.Debian.gz:

LOCAL MODIFICATIONS

[…]

If you do intend to change the look and feel of the site by editing
the HTML::Mason files you should, of course, do this in the
/usr/local/share/request-tracker3/html/ tree to avoid losing your
precious changes on upgrade of the Debian package.

Russell_Mosemann · March 18, 2005, 12:39pm

I downloaded
download.bestpractical.com/pub/rt/contrib/ gone

Perhaps you missed the several posts about an update I made available that
includes authentication through SMB and the ability to choose the order
and authentication type.

http://www.mosemann.com/software/LDAPSMB1.2_RT3.tar.gz

Russell Mosemann, Ph.D. * Computing Services * Concordia University, Nebraska
Audience: “Is hell really hot?”
Magic 8-ball: “Yes, but it’s a dry heat.” - Comic Strip Live

Christopher_Peter_We · April 3, 2005, 1:57pm

Hi Russell,

Just downloaded this code.

I have RT-3.2.2 running. I know you tested it on 3.4.1. Can you foresee
any issues running it on 3.2.2.
I’m curious, I have samba running in ADS mode and kerberos auth. Are you
doing the same at your end?

Oh, Now we have a choice of using Apache, samba, ldap. Any ideas on the
advantages disadvantage of each?

Russell Mosemann wrote:>On Fri, 18 Mar 2005, Obando, David DE - EV wrote:

I downloaded
download.bestpractical.com/pub/rt/contrib/ gone

Perhaps you missed the several posts about an update I made available that
includes authentication through SMB and the ability to choose the order
and authentication type.

http://www.mosemann.com/software/LDAPSMB1.2_RT3.tar.gz

Russell Mosemann, Ph.D. * Computing Services * Concordia University, Nebraska
Audience: “Is hell really hot?”
Magic 8-ball: “Yes, but it’s a dry heat.” - Comic Strip Live

The rt-users Archives

RT Administrator and Developer training is coming to your town soon! (Boston, San Francisco, Austin, Sydney) Contact training@bestpractical.com for details.

Be sure to check out the RT Wiki at http://wiki.bestpractical.com

cpwe.vcf (268 Bytes)

Russell_Mosemann · April 3, 2005, 3:12pm

I have RT-3.2.2 running. I know you tested it on 3.4.1. Can you foresee
any issues running it on 3.2.2.

I don’t know if it will work on 3.2.2 or what changes you might have to
make.

I’m curious, I have samba running in ADS mode and kerberos auth. Are you
doing the same at your end?

We are not currently running Samba.

Oh, Now we have a choice of using Apache, samba, ldap. Any ideas on the
advantages disadvantage of each?

It depends on what works for you. All of our user information is in LDAP.
For those who don’t have passwords in LDAP, we authorize against SMB. I
like the idea of RT handling authorization. Others prefer using Apache,
because they can choose and configure Apache modules to do the work. RT
doesn’t require “extra” code in that case.

Russell Mosemann, Ph.D. * Computing Services * Concordia University, Nebraska
“A lazy electrical engineer takes the path of least resistance.”