I have a working instance of RT 3.8.7 running under Apache 2.2.3 on RHEL 5.4. The instance has been set up to authenticate users against Active Directory via RT::Authen::ExternalAuth & LDAP. The LDAP authentication works fine (i.e. users log in with their AD credentials, and new users get created in RT when ticket requests come in via e-mail.)
Now I need to implement Single Sign-On, so that the users at MSWin workstation could simply browse to the RT interface without having to type in their username/password again. To do this I’ve followed the instructions outlined at http://blank.org/memory/output/rt-ad-sso.html and at http://wiki.bestpractical.com/view/NtlmAuthentication. I’ve also searched around the RT mailing list archives but couldn’t find anything that described the problem I’m having.
The problem is that RT still presents the login screen when you go to its URL for the first time.
My main questions are:
Can NTLM & RT::Authen::ExternalAuth co-exist?
Is there a way to get debugging output from mod_ntlm?
Are there any additional pointers or advice regarding single sign-on with RT?
Besides this, any input on the issue would be highly appreciated.
P.S. Here what has been done so far, in a nutshell:
Compiled and installed mod_ntlm
Installed User_Local.pm and MailFrom_Local.pm from http://www2.usit.uio.no/it/rt/modifications/
Installed Web_Local.pm from http://blank.org/memory/work/Web_Local.pm
Included this snippet in RT_SiteConfig.pm:
Set($WebExternalAuth , ‘1’);
Set($WebExternalGecos , undef);
Set($WebExternalAuto , ‘1’);
Set($LDAPExternalAuth , ‘1’); # Enable LDAP auth
Set($LdapServer , ‘mycompanys.ldap.server.com’);
Set($LdapCAFile , undef);
Set($LdapUser , ‘’);
Set($LdapPass , ‘’);
Set($LdapAuthStartTLS , ‘0’); # Need to use TLS or ldaps to check passwords
Set($LdapAuthBase , ‘dc=my,dc=company,dc=com’);
Set($LdapAuthUidAttr , ‘sAMAccountName’);
Set($LdapAuthFilter , ‘(objectClass=user)’);
Set($LdapMailBase , ‘dc=my,dc=companymail,dc=com’);
Set($LdapMailFilter , ‘(objectClass=user)’);
Set($LdapMailScope , ‘sub’);
%RT::LdapMailResultMap = (
‘sAMAccountName’ => ‘Name’,
‘mail’ => ‘EmailAddress’,
‘cn’ => ‘RealName’,
Included this in httpd.conf RT's virtual server section:
Allow from all
SetHandler perl-script PerlResponseHandler RT::Mason AuthName "Request Tracker" AuthType NTLM NTLMAuth on NTLMAuthoritative on NTLMDomain MYCOMPANYS_AD_DOMAIN NTLMServer my_companys_dc1 NTLMBackup my_companys_dc2
Added our RT URL to IE's "trusted sites" list
Again, thanks in advance,
Sergey Gladkovich | UNIX Systems Engineer | (w) 201-743 -4293 | (m) 646-291-7123
Arch Insurance Group Inc.
300 - Plaza Three - 3rd Floor
Jersey City NJ 07311
Tel: 201-743-4000, Fax: 201-743-4005
The information contained in this e-mail message may be privileged and confidential information and is intended only for the use of the individual and/or entity identified in the alias address of this message. If the reader of this message is not the intended recipient, or an employee or agent responsible to deliver it to the intended recipient, you are hereby requested not to distribute or copy this communication. If you have received this communication in error, please notify us immediately by telephone or return e-mail and delete the original message from your system.