RT 3.8 and Kerberos SSO


I try to authenticate my users with Kerberos. In my RT_SiteConfig.pm, I
have:

Set($ExternalInfoPriority, [ 'LDAP_DEPTINFO_ST', 'LDAP_Luke',
'LDAP_Wesson' ]);
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($AutoCreate, {Privileged => 1});
Set($LogToFile, 'debug');
Set($LogToFileNamed, 'rt.log');
Set($WebExternalAuth, '1');
Set($WebFallbackToInternalAuth , '1');
Set($WebExternalGecos, undef);
Set($WebExternalAuto, '1');
#Set($LdapMailSearchAttr, 'mail');

Set($ExternalAuthPriority, [ 'MY_LDAP' ]);

Set($ExternalSettings, {
'MY_LDAP' => {
'type' => 'ldap',
# ... (the remaining MY_LDAP settings were cut off in the post)
},
});

When a user sends a message, RT creates his account in the database. Great :slight_smile:

My problem: now, I can't connect to RT (Web interface) with my account,
which is already created. I get this:

Cannot create user : Name in use

Any ideas?



Are you using apache mod_auth_kerb for authentication? (webexternalauth
seems to suggest you do).

I believe that if you do that, by default, the "login" of the user will be
the kerberos principal used, including the realm. Ldap and/or the mail
gateway might not get the same value (depending on your mapping). Since
the email address has to be unique, if the "remote_user" doesn't match the
RT username, it won't work (creating 2 users with the same email
address is not possible, if I'm not mistaken).

One thing you can do is add to your apache config the following directive:
"KrbLocalUserMapping On". That will set "REMOTE_USER" to just the username
part of the principal (no realm). That should make it match between the
two (kerb and ldap).

I hope this puts you on the right track…

| Joachim Thuau | Linux Systems Administrator / SpaceX |
| Cell: 310-890-7937 | Office: 310-363-6153 |
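For readers following the thread, here is an added example of the Apache configuration the reply is describing. It is not from the original post or from RT's own documentation; the location, realm, keytab path and principal in the comments are placeholders. The point is the effect of KrbLocalUserMapping on REMOTE_USER, plus the realm restriction you want alongside it, since stripping the realm means a principal from any realm the server trusts would collapse onto the same local username.

```apache
# Added example (not from the thread): an Apache <Location> protecting RT
# with mod_auth_kerb. Realm, keytab path and URL prefix are placeholders.
<Location /rt>
    AuthType Kerberos
    AuthName "RT (Kerberos SSO)"

    # Accept tickets only from our own realm, so a principal from a foreign
    # realm cannot be mapped onto one of our local RT/LDAP usernames once
    # the realm is stripped below.
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5Keytab /etc/apache2/http.keytab

    # SPNEGO only; no password fallback, so a browser that cannot do
    # Negotiate gets a 401 instead of posting a Kerberos password to the
    # web server.
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off

    # Without this directive REMOTE_USER is "jdoe@EXAMPLE.COM" (placeholder
    # principal); with it, REMOTE_USER is "jdoe", which is the value RT
    # compares against the username it learned from LDAP or the mail gateway.
    KrbLocalUserMapping On

    Require valid-user
</Location>
```

To confirm the fix, compare the REMOTE_USER Apache now passes (visible with RT's debug logging enabled, as in the poster's $LogToFile setting) with the Name of the user record the mail gateway already created; once they are identical, RT finds the existing user instead of trying to create a second one with the same email address.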