Ldap authentication *Easy Question

Hi, I’m running 3.8.1 on Ubuntu 8.04 with MySQL, apache2, modperl2 and
LDAP. (Had Linux virtual machine running on MS virtual server 2005, but
it was a tad slow (no CPU usage though, weird))

My LDAP config uses the Mike Peachey External Auth method, with the hack
for 3.8.1. My users are prompted for their username and password (from
the RT Self Service page) it uses LDAP to grab their password. It also
creates an account when they first email or when I create an account it
pulls in the AD info. So LDAP works great.

My question is: Can I do more LDAP authentication than I have now? (I
think I have LDAP overlay???) Using an MS domain environment, can the
site grab the user's current credentials and pass them through? IE -
pass through authentication? (We do this all the time for IIS sites on
our Intranet)

Thanks for your help, loving RT so far. (Anxiously awaiting the
outbound plaintext to HTML fix)

Also I did have the famed 3.8.1 view a page, prompt for login, view a
page, prompt for login. All I did was re-do the install and it
worked.

Thanks

Ben

External Auth: http://wiki.bestpractical.com/view/ExternalAuth

3.8.1 Hacks: http://www.gossamer-threads.com/lists/rt/users/77286

The information contained in this communication may be confidential or legally privileged and is intended only for the recipient named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication or its contents is strictly prohibited. If you have received this communication in error, immediately advise the sender and delete the original and any copies from your computer system.

Auch, Benjamin wrote:

Hi, I’m running 3.8.1 on Ubuntu 8.04 with MySQL, apache2, modperl2 and
LDAP. (Had Linux virtual machine running on MS virtual server 2005, but
it was a tad slow (no CPU usage though, weird))

My LDAP config uses the Mike Peachey External Auth method, with the hack
for 3.8.1. My users are prompted for their username and password (from
the RT Self Service page) it uses LDAP to grab their password. It also
creates an account when they first email or when I create an account it
pulls in the AD info. So LDAP works great.

My question is: Can I do more LDAP authentication than I have now? (I
think I have LDAP overlay???) Using an MS domain environment, can the
site grab the user's current credentials and pass them through? IE -
pass through authentication? (We do this all the time for IIS sites on
our Intranet)

Difficult one. Certainly no way exists at the moment for pass-through
auth on Windows, however you are free to write a way. The closest I got
so far is using Cookies to provide single-sign on for the website RT is
integrated into. Using RT::Authen::ExternalAuth’s ability to
authenticate against a MySQL database and RT::Authen::CookieAuth
together allows users to login to our website and be automatically
logged into RT with the cookie the website provides.

Perhaps that’s somewhere for you to start?

Alternatively, if you’re happy to have users tied to individual
certificates, you can get very effective single sign-on using
certificate authentication and installing a unique certificate in each
user’s browser.

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com

Thanks for the tips. From searching last night, I found several sites
that appear to use RT and single-sign on, but everything is so outdated.
Plus, any method using NTLM for Microsoft Active Directory will break
using Windows Server 2008 (NTLMv2) (Confirmation anyone?)

Maybe the RT::Authen::ExternalAuth and RT::Authen::CookieAuth is the way
to go. The extra LDAP field mappings and allowed/restricted groups are
nice features.

Helpful links I found. pass through authentication single signon ldap
authentication
http://blank.org/memory/output/rt-ad-sso.html
http://mywheel.net/blog/index.php/mod_ntlm2-on-apache-22x/
http://wiki.bestpractical.com/view/LdapOverlay
http://www.justatheory.com/computers/programming/perl/rt/ldap_auth.html
