RT-LDAP Authentication Redux

Cheers.

The previous mails due to the answers begin to be a mess, by the way I am
going to Redux the request:

  • I had installed RT 3.2.2 in a Fedora 3 box, with Apache 2 and MySQL

  • I had an external LDAP server, which stores among others fields the mail
    addresses - passwords.

  • I want that the RT checks user/passwords against the LDAP server
    directly, not delegating in the Apache.

  • The mail address is UID in the LDAP :-).

  • I had put the following lines in my RT_SiteConfig, there is no need to
    use passwords for binding to our internal LDAP :

    Set($WebExternalAuth , undef);
    $LDAPExternalAuth = 1; # will enable LDAP-Auth
    $LdapServer="ldap.mydomain.com"; # LDAP server for authentication
    $LdapUser=""; # user name for binding
    $LdapPass=""; # password for binding
    $LdapBase="ou=Inte,dc=mydomain,dc=com"; # search base
    $LdapUidAttr="uid"; # attribute for RT user name
    $LdapFilter="(objectclass=*)"; # additional filter

  • I had created (copy of Ruediger Riediger's one) a file for LDAP Overlay
    called User_Local.pm as I had found in various requests, following the
    recommendations of
    http://wiki.bestpractical.com/index.cgi?CleanlyCustomizeRT I had put this
    file in both routes RTroot/local/lib/RT/ and RTroot/lib/RT.

  • I had installed the CPAN modules Net::LDAP and Net::SSLeay. But we do not
    need TLS communications at least for the moment.

After all, RT seems to authenticate users against his own DB, there is not
activities nor communications between RT server and LDAP server.

My mainly requests are:

Is the LDAP activated with the lines put above? If yes in which part of
RT_SiteConfig it should to live?
What should be the value of Set($WebExternalAuth (I wonder that It should
be undef) ?
Where should live User_Local.pm and with what attributes?
What about /usr/local/rt3/local/html/autohandler, Should It be modified?
Is TLS communications mandatory for this authentication?

Thanks in advance and mainly to Steve and Ruediger Riediger for his kindly
and quickly answers.

Best regards.

I have tested LDAP auth with 3.2.2 and now testing it with 3.4.0. Hope
that I can answer your questions.

Francisco Javier Martínez Martinez wrote:

> Cheers.
>
> The previous mails due to the answers begin to be a mess, by the way I
> am going to Redux the request:
>
>   • I had installed RT 3.2.2 in a Fedora 3 box, with Apache 2 and MySQL
>
>   • I had an external LDAP server, which stores among others fields the
>     mail addresses - passwords.
>
>   • I want that the RT checks user/passwords against the LDAP server
>     directly, not delegating in the Apache.
>
>   • The mail address is UID in the LDAP :-).
>
>   • I had put the following lines in my RT_SiteConfig, there is no need to
>     use passwords for binding to our internal LDAP :
>
>     Set($WebExternalAuth , undef);
>     $LDAPExternalAuth = 1; # will enable LDAP-Auth
>     $LdapServer="ldap.mydomain.com"; # LDAP server for authentication
>     $LdapUser=""; # user name for binding
>     $LdapPass=""; # password for binding
>     $LdapBase="ou=Inte,dc=mydomain,dc=com"; # search base
>     $LdapUidAttr="uid"; # attribute for RT user name
>     $LdapFilter="(objectclass=*)"; # additional filter
>
>   • I had created (copy of Ruediger Riediger's one) a file for LDAP
>     Overlay called User_Local.pm as I had found in various requests, following
>     the recommendations of
>     http://wiki.bestpractical.com/index.cgi?CleanlyCustomizeRT I had put
>     this file in both routes RTroot/local/lib/RT/ and RTroot/lib/RT.
>
>   • I had installed the CPAN modules Net::LDAP and Net::SSLeay. But we do
>     not need TLS communications at least for the moment.
>
> After all, RT seems to authenticate users against his own DB, there is
> not activities nor communications between RT server and LDAP server.

If you are using the module from
http://www.justatheory.com/computers/programming/perl/rt/User_Local.pm.ldap,
users will be authenticated against RT’s DB if the password matched.

If you are using the module from
http://download.bestpractical.com/pub/rt/contrib/3.0/LDAP1.0_RT3.tar.gz,
users will be authenticated against LDAP ONLY if their passwords are
never set in RT’s DB (i.e. password = ‘NO-PASSWORD’).

> My mainly requests are:
>
> Is the LDAP activated with the lines put above? If yes in which part of
> RT_SiteConfig it should to live?
> What should be the value of Set($WebExternalAuth (I wonder that It
> should be undef) ?

You should leave it as undef.

> Where should live User_Local.pm and with what attributes?

I just put it inside <path_to_rt3>/lib/RT and it works.

> What about /usr/local/rt3/local/html/autohandler, Should It be modified?

I never use it.

> Is TLS communications mandatory for this authentication?

No.
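
The check the thread wants RT to perform (look the user up over an anonymous bind, then verify the password by binding as that entry), as an added example that is not part of the thread and is not the code of either User_Local.pm module mentioned above. The hash keys mirror the poster's RT_SiteConfig names; `ldap_password_ok`, the `Stub` directory and its one user are constructed for illustration, and Net::LDAP must be installed for `escape_filter_value`.

```perl
use strict; use warnings;
use Net::LDAP::Util qw(escape_filter_value);
# Returns 1 only when $user matches exactly one entry and a simple bind as
# that entry with $pass succeeds. $ldap is a connected Net::LDAP handle.
sub ldap_password_ok {
    my ($ldap, $cfg, $user, $pass) = @_;
    # An empty password makes a simple bind an "unauthenticated bind"
    # (RFC 4513) that many servers accept, so reject it before any bind.
    return 0 unless length($user // '') && length($pass // '');
    # Service bind: anonymous when LdapUser is empty, as in the thread.
    my $m = length($cfg->{LdapUser})
          ? $ldap->bind($cfg->{LdapUser}, password => $cfg->{LdapPass})
          : $ldap->bind;
    return 0 if $m->code;
    # Escape the login so it cannot rewrite the search filter.
    my $filter = sprintf '(&%s(%s=%s))', $cfg->{LdapFilter},
                 $cfg->{LdapUidAttr}, escape_filter_value($user);
    $m = $ldap->search(base => $cfg->{LdapBase}, filter => $filter,
                       attrs => ['1.1']);
    return 0 if $m->code || $m->count != 1;   # zero or several matches: refuse
    # The credential check itself: rebind as the entry that was found.
    return $ldap->bind($m->entry(0)->dn, password => $pass)->code ? 0 : 1;
}

# Constructed stand-in for a Net::LDAP handle and its result objects, so the
# check runs without a server. Like many real servers it accepts empty binds.
package Stub;
my %PW = ('uid=ana@mydomain.com,ou=Inte,dc=mydomain,dc=com' => 's3cret');
sub new   { bless {}, shift }
sub r     { my ($c, $code, @dns) = @_; bless { code => $code, dns => [@dns] }, $c }
sub code  { $_[0]{code} }
sub count { scalar @{ $_[0]{dns} } }
sub entry { $_[0] }
sub dn    { $_[0]{dns}[0] }
sub bind  {
    my ($s, $dn, %a) = @_;
    return Stub->r(0) if !defined($dn) || !length($a{password} // '');
    return Stub->r(($PW{$dn} // '') eq $a{password} ? 0 : 49); # 49: bad creds
}
sub search { my ($s, %a) = @_;   # matches only the one constructed user
    Stub->r(0, grep { index($a{filter}, '(uid=ana@mydomain.com)') >= 0 } keys %PW) }

package main;
my %cfg = (LdapUser => '', LdapPass => '', LdapUidAttr => 'uid',
           LdapBase => 'ou=Inte,dc=mydomain,dc=com', LdapFilter => '(objectclass=*)');
for my $t (['ana@mydomain.com', 's3cret'], ['ana@mydomain.com', 'wrong'],
           ['ana@mydomain.com', ''], ['*', 's3cret']) {
    printf "%-17s %-9s => %d\n", $t->[0], "'$t->[1]'", ldap_password_ok(Stub->new, \%cfg, @$t);
}
```

Against a real directory, pass a handle from `Net::LDAP->new` in place of `Stub->new`; without TLS the user's password crosses the network in clear text during the final bind.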