NT authentication, account creation

We are trying to have RT authenticate to an NT domain
using mod_auth_pam, and would like to have RT accounts
created automatically when a valid NT domain user logs
in through Apache. We do not have the mailgate
configured for incoming email, and will be relying on
the web interface for login.

I am able to authenticate via Apache when a local
Linux account is present, but I have been attempting
to allow NT domain users to login and have an account
created automatically. Winbind is running, and getent
passwd returns all users, but I could use some help
figuring out how to proceed.

From RT_SiteConfig.pm:

Set($WebExternalAuth , 1);

Set($WebFallbackToInternalAuth , undef);

Set($WebExternalGecos , 1);

Set($WebExternalAuto , 1);

Does RT rely on SAMBA or winbindd to create the
account, or does RT create the account itself?

When the users are autocreated, how does RT append the
username to the proper suffix to create an email
address? Is there a setting in config.pm for this?

If anyone has done this, and can offer any advice, I
would appreciate it.

Reg.


> We are trying to have RT authenticate to an NT domain
> using mod_auth_pam, and would like to have RT accounts
> created automatically when a valid NT domain user logs
> in through Apache. We do not have the mailgate
> configured for incoming email, and will be relying on
> the web interface for login.
>
> I am able to authenticate via Apache when a local
> Linux account is present, but I have been attempting
> to allow NT domain users to login and have an account
> created automatically. Winbind is running, and getent
> passwd returns all users, but I could use some help
> figuring out how to proceed.

You don’t need a unix account created for apache to
permit authentication via PAM. For a RedHat based
system, the /etc/pam.d/httpd file can be:
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_permit.so

The ‘auth’ line checks the password and the account line
says allow anything if the authentication succeeds.
However, RT has its own user database and you’ll
either have to add the users there or add custom
code to give privileges if domain authentication
succeeds. Something has been posted to do this with
LDAP but I haven’t seen any for SMB.

Les Mikesell
les@futuresource.com

> We are trying to have RT authenticate to an NT domain
> using mod_auth_pam, and would like to have RT accounts
> created automatically when a valid NT domain user logs
> in through Apache.
>
> When the users are autocreated, how does RT append the
> username to the proper suffix to create an email
> address? Is there a setting in config.pm for this?

As was said, you don’t need to try to create local linux accounts for
people. You’ll almost certainly want to overlay the Interfaces/Web
file to redefine WebExternalAutoInfo to something appropriate in your
environment.

seph

I have found that I need to have a Linux account to
authenticate with Apache. Once authenticated, the RT
login screen will be a “dead” interface unless I create
an RT user with the same userID as the domain account
and Linux account.

I would like to know how to authenticate to the domain
without a linux account, and also how can RT create an
RT user from simply a successful Apache domain
authentication.
Does autocreate only work when an email comes in? We
are only going to allow users to input tickets through
the web interface.

This is what I have in /etc/pam.d/httpd

auth required /lib/security/pam_smb_auth.so debug
auth required /lib/security/pam_permit.so


> I have found that I need to have a Linux account to
> authenticate with Apache.

Then you’re doing something wrong. Try starting simpler: can you
protect a directory of simple html? A test cgi script?

> Once authenticated, the RT login screen will be a “dead” interface
> unless I create an RT user with the same userID as the domain
> account and Linux account.

I’m not sure what you mean. My best guess is that the autocreate stuff
is failing. Perhaps WebExternalAutoInfo is doing something, and you
still need to overlay it.

seph

> I have found that I need to have a Linux account to
> authenticate with Apache.
>
> This is what I have in /etc/pam.d/httpd
>
> auth required /lib/security/pam_smb_auth.so debug
> auth required /lib/security/pam_permit.so
  ^^^^^
Change this to ‘account’ to eliminate the need for a Linux
account (only on the 2nd line). You still need the RT account
or something to autocreate it. I’ve done mine by hand because
most had already been autocreated by email with slightly incorrect
entries before I gave them login permission.

Les Mikesell
les@futuresource.com
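
Added example, not part of the thread or of RT: a Python check run over the two /etc/pam.d/httpd variants quoted above, reporting what each management group actually enforces. It assumes Linux-PAM's fallback to the `other` service when a file has no lines for a group; the finding names and sample strings are constructed for illustration.

```python
import re

# Constructed samples: the two /etc/pam.d/httpd variants quoted in the thread.
POSTED = """\
auth required /lib/security/pam_smb_auth.so debug
auth required /lib/security/pam_permit.so
"""
SUGGESTED = """\
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_permit.so
"""

# type, control (simple keyword or [bracketed] form), module path
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_pam(text):
    """Map each management group (auth, account, ...) to its module basenames."""
    stacks = {}
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())  # '#' starts a comment
        if m:
            group, _control, module = m.groups()
            stacks.setdefault(group, []).append(module.rsplit("/", 1)[-1])
    return stacks

def audit(text):
    """Return finding codes for the auth and account stacks of one service file."""
    stacks = parse_pam(text)
    auth, account = stacks.get("auth", []), stacks.get("account", [])
    findings = []
    if auth and all(m == "pam_permit.so" for m in auth):
        findings.append("auth-checks-nothing")          # no module verifies a password
    elif "pam_permit.so" in auth:
        findings.append("auth-has-pam-permit")          # verifies nothing; likely meant for 'account'
    if not account:
        findings.append("account-falls-back-to-other")  # assumption: Linux-PAM consults 'other'
    elif all(m == "pam_permit.so" for m in account):
        findings.append("account-allows-everyone")      # authorization is left to the application
    return findings

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name, audit(cfg))
```

With `account required pam_permit.so`, every domain user who passes the password check is accepted by PAM, so who may use RT has to be decided by RT's own user records and rights.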