RT 3.8.7 + Kerberos Authentication + LDAP Authorization

I’ve been trying to figure out how to best configure my RT authentication/authorization.

We are running RT 3.8.7 and use the RT database (MySQL) to store RT user information (but not passwords).
We have a Kerberos KDC which stores passwords and provides single-sign-on authentication across all of our kerberized systems.

Currently, I am using the following in my RT_SiteConfig.pm:

Set($WebExternalAuth, 1);              # trust the REMOTE_USER that Apache (mod_auth_kerb) sets
Set($WebExternalAuto, 1);              # auto-create an RT user for an unknown REMOTE_USER
Set($AutoCreate, { Privileged => 0 }); # auto-created users start out unprivileged

Apache is configured to use mod_auth_kerb.so for authentication to our KDC, and passes the authentication on to RT. This has been working as designed.

Here is my question:

We also have an LDAP directory with all staff user information and Linux system privileges, but it does not contain passwords.

I want to go one step further and configure RT to use our LDAP to determine whether or not a user should be allowed to use RT, and if so, whether or not they should be a privileged or unprivileged user. I’ve done some due diligence, but all googling/wiki’ing seems to point to using EITHER WebExternalAuth (kerberos) OR ExternalAuth (LDAP), but not both in the way I need them to. That is, I want RT to use apache (via the KDC) for authentication, and use LDAP for authorization.

For context, the reason I’m looking into this matter is that we have started using RT to handle postmaster and abuse requests. As a result, our list of unprivileged RT users is growing rapidly since every email AutoCreates a new RT user.

Can anyone provide any assistance or guidance in this matter?
If I’m looking down the wrong road, I’m certainly open to making a turn in the right direction.

Thank you!

Scott Sears

Infrastructure Team | Emma®
scott@myemma.com
800.595.4401 or 615.292.5888
615.292.0777 (fax)

Emma helps organizations everywhere communicate & market in style.
Visit us online at www.myemma.com
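
The split described in the post above (Apache and the KDC authenticate, the staff LDAP directory decides who may use RT and who is Privileged), written out as an added example of the decision layer. This is not code from the original post and not RT's own code. It assumes mod_auth_kerb leaves the full principal in REMOTE_USER (for example "scott@EXAMPLE.COM"), a site realm of EXAMPLE.COM, and two hypothetical posixGroups, rt-users and rt-staff; the LDIF is constructed sample data standing in for a real directory query.

```python
"""Kerberos for authentication, LDAP for authorization: the decision layer.

Added example; not RT's code. Assumes Apache mod_auth_kerb has already
verified the ticket and left the full principal in REMOTE_USER
(e.g. "scott@EXAMPLE.COM"). Realm, group names and LDIF are constructed.
"""
import base64
import re
from collections import namedtuple

TRUSTED_REALM = "EXAMPLE.COM"   # assumption: the site's own KDC realm
USER_GROUP = "rt-users"         # hypothetical group: members may log in to RT
STAFF_GROUP = "rt-staff"        # hypothetical group: members are Privileged

# Constructed sample LDIF standing in for the staff directory: accounts and
# posixGroups only, no passwords (those live in the KDC).
SAMPLE_LDIF = """\
dn: uid=scott,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: scott

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: bob

dn: uid=eve,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: eve

dn: cn=rt-users,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: rt-users
memberUid: scott
memberUid: bob

dn: cn=rt-staff,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: rt-staff
memberUid: scott
"""

Decision = namedtuple("Decision", "allowed privileged reason")

# primary(/instance)@REALM; instance is optional and marks service principals
PRINCIPAL_RE = re.compile(r"^([^@/]+)(?:/([^@/]+))?@([^@/]+)$")


def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr: [values]}}. Handles blank-line
    separated entries, repeated attributes and base64 ('::') values;
    wrapped continuation lines are not handled (the sample has none)."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if value.startswith(":"):  # "attr:: base64" form
            value = base64.b64decode(value[1:].strip()).decode()
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
            continue
        if current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        current.setdefault(attr, []).append(value)
    return entries


DIRECTORY = parse_ldif(SAMPLE_LDIF)


def rt_username(remote_user, trusted_realm=TRUSTED_REALM):
    """Map the principal in REMOTE_USER to an RT user name, or (None, why).
    Only person principals from our own realm are accepted: realm names are
    case-sensitive, and a cross-realm trust must not let a foreign KDC log
    in as one of our users."""
    m = PRINCIPAL_RE.match(remote_user or "")
    if not m:
        return None, f"malformed principal {remote_user!r}"
    name, instance, realm = m.groups()
    if instance is not None:
        return None, f"service principal {remote_user!r} is not a person"
    if realm != trusted_realm:
        return None, f"untrusted realm {realm!r}"
    return name, "ok"


def authorize(remote_user, directory=None):
    """Deny by default: the user must exist in the directory and be in
    USER_GROUP to use RT at all; STAFF_GROUP members are Privileged."""
    directory = DIRECTORY if directory is None else directory
    name, why = rt_username(remote_user)
    if name is None:
        return Decision(False, False, why)
    accounts = {e["uid"][0] for e in directory.values()
                if "posixAccount" in e.get("objectClass", [])}
    groups = {e["cn"][0]: set(e.get("memberUid", []))
              for e in directory.values()
              if "posixGroup" in e.get("objectClass", [])}
    if name not in accounts:
        return Decision(False, False, f"{name} not in directory")
    if name not in groups.get(USER_GROUP, set()):
        return Decision(False, False, f"{name} not in {USER_GROUP}")
    return Decision(True, name in groups.get(STAFF_GROUP, set()), "ok")


if __name__ == "__main__":
    for p in ("scott@EXAMPLE.COM", "bob@EXAMPLE.COM", "eve@EXAMPLE.COM",
              "scott@EVIL.ORG", "host/www.example.com@EXAMPLE.COM"):
        print(f"{p:40} -> {authorize(p)}")
```

Two caveats for anyone wiring this into a real deployment. First, the realm check only works if the realm is still present: with mod_auth_kerb's KrbLocalUserMapping enabled REMOTE_USER arrives already stripped, so the realm restriction then has to be enforced in Apache (KrbAuthRealms) instead. Second, this gates web logins only; users that rt-mailgate AutoCreates from inbound postmaster or abuse mail never pass through a web login, so the directory check does nothing to slow that growth, which is a separate problem from the authorization question.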