RT-Extension-LDAPImport vs RT External Auth plugin modules

Since I was unable to get the RT External Auth setup working with my Active Directory Environment, I have been looking at other solutions in getting my AD users logging into RT. I have seen you can use Apache to handle Authentication but that method really doesn’t look all that attractive to me. I have now seen there is an LDAP import tool that can import users in RT. Can this tool import the users from my Active Directory Server and when they go to login will it look to the LDAP server to validate the user's password? Or does it store everything local in the MySQL Database? In a perfect world I would get the External Auth working but I for the life of me cannot pinpoint the disconnect that is in place. Please any advice on this would be grateful. Thanks.

Jeff

Since I was unable to get the RT External Auth setup working with my Active
Directory Environment

Seems to me that if you can get RT::Extension::LDAPImport to work,
then you’ll have a fighting chance of getting RT::Authen::ExternalAuth
to work as well. Please post to the list your working LDAPImport
config along with your non-working ExternalAuth config.

For me, before I was able to get ExternAuth working, I first had to
figure out how to bind to the LDAP server as a user (by providing that
user’s password). Once I was able to bind using ‘ldapsearch’ from the
Linux command line, configuring ExternAuth was suddenly very easy.

Once you have it set up, ExternalAuth will automatically create/update
internal RT users for the LDAP users it authenticates, according to
the “attr_map” setting.
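
An added example, not from the thread or from the RT project: a sketch of an `RT_SiteConfig.pm` section for RT::Authen::ExternalAuth against Active Directory, showing the bind account and the “attr_map” mapping discussed above. The service name `My_AD`, the hostname, DNs, password and the chosen attributes are assumed placeholders.

```perl
# RT_SiteConfig.pm fragment (added example; every value below is a placeholder)
Set( @Plugins, qw(RT::Authen::ExternalAuth) );

Set( $ExternalAuthPriority, ['My_AD'] );   # services consulted for password checks
Set( $ExternalInfoPriority, ['My_AD'] );   # services consulted for user details
Set( $AutoCreateNonExternalUsers, 0 );     # do not create users unknown to LDAP

Set( $ExternalSettings, {
    'My_AD' => {
        type   => 'ldap',
        server => 'dc1.example.com',

        # Account RT binds as to search the directory. Confirm that this exact
        # DN and password can bind with ldapsearch before debugging RT itself.
        user   => 'CN=rt-bind,OU=Service Accounts,DC=example,DC=com',
        pass   => 'CHANGE_ME',

        base   => 'OU=Staff,DC=example,DC=com',
        filter => '(objectClass=user)',
        # Matches disabled AD accounts (ACCOUNTDISABLE bit of userAccountControl)
        d_filter => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

        tls           => 1,                  # protect the bind password in transit
        net_ldap_args => [ version => 3 ],

        # RT fields used to look the user up in LDAP
        attr_match_list => [ 'Name', 'EmailAddress' ],

        # RT user field => LDAP attribute; used when ExternalAuth
        # creates or updates the internal RT user after authentication
        attr_map => {
            Name         => 'sAMAccountName',
            EmailAddress => 'mail',
            RealName     => 'cn',
        },
    },
} );
```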

Since I was unable to get the RT External Auth setup working with my Active Directory
Environment, I have been looking at other solutions in getting my AD users logging into RT. I
have seen you can use Apache to handle Authentication but that method really doesn’t look all
that attractive to me. I have now seen there is an LDAP import tool that can import users in
RT. Can this tool import the users from my Active Directory Server and when they go to login
will it look to the LDAP server to validate the user's password? Or does it store everything
local in the MySQL Database? In a perfect world I would get the External Auth working but I
for the life of me cannot pinpoint the disconnect that is in place. Please any advice on this
would be grateful. Thanks.

RT-Extension-LDAPImport imports users and metadata; it does not
import passwords and cannot be used to implement authentication.

-kevin


Thanks Kevin. I will continue to debug the External Auth road. I am starting to think that it is a permission issue like you have mentioned. I apologize for how this has morphed into 2 threads.

Jeff


The RT Server itself is bound by LDAP Authentication using libpam-ldap modules. So Active Directory Authentication is definitely working as I am logging into this machine with my AD creds. It is binding using the same username and password that I have in my RT External Auth config. I haven’t set up the RT-Extension-LDAP module yet. I just wanted to get some insight on how it worked compared to the other. Will this module work standalone or do you have to use it in conjunction with the RT External Auth plugin?

Hi Jeff:

(Be sure to reply to the list)

As Kevin just wrote, LDAPImport is useless for authentication, so you
would only want to use it if you need to get info (not passwords) for
a bunch of users into the RT database all at once. The reason why I
recommended it was that “bind w/password” might be more difficult to
get working than “anonymous bind”, which is what LDAPImport uses. So
LDAPImport might be a stepping stone to ExternAuth.

Just an idea.

Thanks Nathan. I apologize for not seeing that these responses were only directed at you and not the list. Sigh. I will try to find time here shortly to sit down and configure the LDAPImport and see if I have any success getting it doing the right thing. I will post my results. Again, thanks for all your help.

Jeff

-----Original Message-----
From: Nathan Cutler [mailto:presnypreklad@gmail.com]
Sent: Tuesday, July 02, 2013 1:30 PM
To: Jeff Solberg
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT-Extension-LDAPImport vs RT External Auth plugin modules
