LDAP + Kerberos + RT

I’m using RT 2.0.11 and would like to take advantage of the Requestor web
interface, but have no desire to maintain a separate user/passwd list from
our otherwise single-sign on system (using openldap+kerberos). I think I
can handle setting up mod-auth-kerb on apache to do the authentication
bit (though any pointers would be helpful), but there’s this other nagging
problem: anytime a user in RT is autocreated due to ticket submission, the
email address gets used as the username. This obviously doesn’t match the
kerberos principal namespace, but is fixable by an admin going in and
changing the username to match. However, I’d like a cleaner solution. I
assume that the as-yet undocumented (in RT/FM, anyway) pluggable user
metadata features don’t fix this, right? Any ideas? Any way to bypass the
RT db completely and just use LDAP as the user db, with kerberos as the
auth system?

Thanks,

Justin Clayton
VLSI Research System Administrator
University of Washington
Electrical Engineering Dept
justincl@u.washington.edu
206/543.2523 EE/CSE 307E

I just happened to ask about this a couple of days ago :)
Seph and Harald have a couple of options. I’ve tried the first one from the replies listed below without success but that could just be me. I’ve e-mailed the author off list for additional help. I’ll post any findings.

My original post:
http://lists.fsck.com/pipermail/rt-users/2002-November/010897.html

Replies and related posts:
http://lists.fsck.com/pipermail/rt-users/2002-November/010910.html
http://lists.fsck.com/pipermail/rt-users/2002-November/010901.html
http://lists.fsck.com/pipermail/rt-devel/2002-May/002349.html

--Ray

-----Original Message-----
From: rt-users-admin@lists.fsck.com [mailto:rt-users-admin@lists.fsck.com] On Behalf Of justin m. clayton
Sent: Wednesday, November 20, 2002 6:49 PM
To: RT Users Mailing List
Subject: [rt-users] LDAP + Kerberos + RT


rt-users mailing list
rt-users@lists.fsck.com http://lists.fsck.com/mailman/listinfo/rt-users

Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm

Thanks for those posts. They were semi-helpful, but I’m still confused.

Is this non-trivial? It seems that manageability of RT accounts is one of
these things that everyone would just want.

WebExternalAuth doesn’t seem to fix the user management problem, but if I
were just using kerberos + RT accounts and not LDAP, that would be better
than now, I suppose.

I also saw the fix to strip everything right of the @ in the requestor’s
email, but I’m not sure that’s such a good idea.

Comments?

Justin Clayton
VLSI Research System Administrator
University of Washington
Electrical Engineering Dept
justincl@u.washington.edu
206/543.2523 EE/CSE 307E

On Wed, 20 Nov 2002, Ray Thompson wrote:



I agree with Justin, but unfortunately I’m not in a position to offer any
resources (time or money) to address this issue. For now, I’m just
offering e-mail access to the RT system for most of my users, while only 2
of us actually access the web interface with usernames & passwords.

Graham Freeman
Manager of Information Technology
Far Western Anthropological Research Group, Inc.
+1 530 756 3941
graham@farwestern.com

I agree with Justin, but unfortunately I’m not in a position to offer any
resources (time or money) to address this issue. For now, I’m just
offering e-mail access to the RT system for most of my users, while only 2
of us actually access the web interface with usernames & passwords.

My main motivation for providing the web interface is my users’
predilection to not keep their ticket stubs around, then not being able to
ping for the status of their ticket.

Justin Clayton
VLSI Research System Administrator
University of Washington
Electrical Engineering Dept
justincl@u.washington.edu
206/543.2523 EE/CSE 307E

On Fri, 22 Nov 2002, Graham Freeman wrote:


I’m confused about what you two are confused about.

RT will easily get its authentication from apache (by default, it
takes whatever’s in $REMOTE_USER, the normal cgi username variable) and
accepts. By default, RT requires all web users to exist. (doesn’t
autocreate)

There are patches that will autocreate externally authenticated web
users. There are also patches that will take web auth from somewhere
other than $REMOTE_USER. There’s even stuff in contrib that will
recurse over LDAP, and create RT users from it.

That should be more than enough pieces to do whatever it is you’re
trying to do. As I’ve said, what I’ve done, is set my apache up to
authenticate users, and set my RT up to autocreate users using the
information apache presents to RT. You could just as easily autocreate
all authenticated users with data from LDAP.

seph

PS: this is all for the current stable RT 2.0.x line. The new beta RT
3.x stuff will be slightly different.
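Two points in this thread deserve a concrete illustration: seph's description of RT taking the web login from the REMOTE_USER variable that Apache sets after mod-auth-kerb has authenticated the browser, and Justin's doubt about the "strip everything right of the @" fix for requestor e-mail addresses. The following is an added example written for this page, not code from RT, mod-auth-kerb or any poster; the realm name, mail domains and function names are assumptions for illustration. It maps a Kerberos principal and a requestor address onto one RT username namespace, and shows why an unconditional strip-at-@ collapses distinct identities.

```python
"""Mapping externally authenticated identities onto RT usernames.

Constructed example for the rt-users thread on LDAP + Kerberos + RT.
Not RT code: ORG_REALMS, ORG_MAIL_DOMAINS and the functions below are
illustrative assumptions.  RT takes the web login name from the
REMOTE_USER CGI variable that Apache fills in once mod-auth-kerb has
authenticated the client; a requestor created from an incoming mail gets
the whole e-mail address as username.  The goal is to turn both into the
same username namespace without merging unrelated people.
"""

# Kerberos realm(s) whose principals may log in to the web interface.
# Assumed realm name, chosen to match the poster's mail domain.
ORG_REALMS = {"U.WASHINGTON.EDU"}

# Mail domains where the local part of an address is known to equal the
# Kerberos principal name.  Only these addresses are shortened; every
# other address stays an e-mail address (RT's default behaviour).
ORG_MAIL_DOMAINS = {"u.washington.edu", "ee.washington.edu"}  # assumed


def username_from_remote_user(remote_user):
    """Turn a REMOTE_USER value of the form user@REALM into an RT username.

    Returns None when the value is missing, carries no realm, or names a
    realm outside ORG_REALMS, so a principal from an unexpected realm can
    never land on a local RT account that happens to share its name.
    """
    if not remote_user or "@" not in remote_user:
        return None
    user, realm = remote_user.rsplit("@", 1)
    if not user or realm not in ORG_REALMS:
        return None
    return user  # Kerberos principal names are case-sensitive; keep as-is


def resolve_web_login(environ):
    """Resolve the RT login for one web request from a CGI-style environ."""
    return username_from_remote_user(environ.get("REMOTE_USER"))


def naive_strip_at(address):
    """The 'strip everything right of the @' fix from the thread, as-is."""
    return address.split("@", 1)[0]


def username_from_email(address):
    """Turn a requestor e-mail address into the username RT should use.

    The local part is used only for addresses in ORG_MAIL_DOMAINS, where
    it is known to match the principal name.  Anything else keeps the full
    address (domain lower-cased), so jdoe@example.com and jdoe@other.org
    remain two requestors instead of merging into one 'jdoe'.
    """
    address = address.strip()
    if "@" not in address:
        return None  # not a usable address; let RT's own checks reject it
    local, domain = address.rsplit("@", 1)
    if not local or not domain:
        return None
    if domain.lower() in ORG_MAIL_DOMAINS:
        return local
    return f"{local}@{domain.lower()}"


if __name__ == "__main__":
    # Constructed sample inputs: a web login and three requestor addresses.
    print(resolve_web_login({"REMOTE_USER": "justincl@U.WASHINGTON.EDU"}))
    for addr in ("justincl@u.washington.edu", "jdoe@example.com",
                 "jdoe@other.org"):
        print(addr, "->", username_from_email(addr),
              "(naive strip:", naive_strip_at(addr) + ")")
```

The realm check is the part that matters for security: whatever Apache puts in REMOTE_USER becomes an RT identity, so RT should only ever see principals from realms the site actually trusts (in current mod-auth-kerb releases that restriction is made with KrbAuthRealms in the Apache configuration, independently of the check above). The e-mail side keeps RT's default of using the whole address unless the domain is one where the local part is known to equal the principal name, which is the narrow case in which the strip-at-@ shortcut is safe.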