RT password fields and logout when using LDAPauth

Hi,

After successfully setting up Apache to LDAP-authenticate for RT, we
find that this solution may not work for our purpose. We still want
to use LDAP to centralize passwords at our university for our internal
users (students and employees). However, I notice that it could be a
security problem when the user cannot use the logout link in RT to
terminate the session. In Internet Explorer, you have to empty the cache.

This option disappears when letting Apache do the authentication through LDAP.
Requestors may be using a shared terminal to check their requests.

The above solution will work for internal LDAP-registered users. But
typically, a university also has external people (guest students,
customers, etc.) who are not registered in the internal university
LDAP server or do not have a university e-mail address. When they send requests,
their e-mail address will normally be used as their username by RT. They need to
get a randomized password sent back by RT (as with other ticket systems),
and they need to log on. LDAP authentication of internal users prevents that.

External users also need to change their password, which they are not allowed
to do when LDAP auth is enabled (that's also understandable, since LDAP user
passwords are stored centrally). Moreover, mail from external users won't be
accepted by RT, since rt-mailgate sends it to Apache for authentication.

I guess a solution would be to use RT's main login page and hack the
internal RT source code that handles authentication of users in the database
to also accept LDAP users from a trusted directory server. Someone
said earlier that RT does not support LDAP, but is there anyone out there
who has hacked the code for this purpose? If not, we are thinking about
doing that. Letting Apache do the authentication is actually not always
desirable.

We potentially have over 50,000 users (internal and external). We
have to set up multiple instances, as described on the Wiki. Is there
a way to move a request from one instance to another externally, in the
same way you move a request from one queue to another queue in the same
instance (i.e. not by forwarding e-mails)? I've heard that it is possible. I
don't know.

:-)

regards,
Tomas

Tomas A. P. Olaj, email: tomas.olaj@usit.uio.no, web: folk.uio.no/tomaso
University of Oslo / USIT (Center for Information Technology Services)
System- and Application Management / Applications Management Group

I’m having a bit of trouble following your email, it sounds like you
have many questions.

If RT is using web auth, there’s no logout button. It doesn’t really
make sense, given how the authentication works.

RT has a FallBackToInternalAuth setting (whose exact name I forget);
this would let you use the central LDAP stuff for university people,
and the RT-only users/passwords for external people.

I've seen scrips that will auto-assign a password and mail it to
users. Check the list archives.

Someone said earlier that RT does not support LDAP, but is there
anyone out there who has hacked the code for this purpose? If
not, we are thinking about doing that. Letting Apache do the
authentication is actually not always desirable.

I've seen LDAP patches that will make RT pull its userdb from LDAP
and auth against it. I don't use them, so I can't say much about
them. I let Apache do the auth.

seph
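The Apache-side arrangement seph describes, written out as an added example that is not part of the thread and not RT's or Apache's own documentation. It assumes an RT 3.x instance mounted at /rt, Apache 2.2 with mod_ldap and mod_authnz_ldap loaded, a directory at ldap.example.edu holding people under ou=people,dc=example,dc=edu, and a mail relay at 192.0.2.10; all of these names are hypothetical. It shows the weak setting that breaks rt-mailgate (everything under /rt behind the directory challenge) beside the corrected one, which keeps LDAP Basic auth on the web UI but exempts the unauthenticated gateway path that rt-mailgate posts to.

```apache
# Added example (not from the thread). RT 3.x at /rt, Apache 2.2 with
# mod_ldap + mod_authnz_ldap; hostnames, base DN and relay IP are assumptions.

# Weak form: the whole tree is behind LDAP Basic auth. rt-mailgate posts to
# /rt/REST/1.0/NoAuth/mail-gateway without any directory password, so every
# incoming mail is answered with 401 and never reaches RT.
#
#   <Location /rt>
#       AuthType Basic
#       AuthName "RT"
#       AuthBasicProvider ldap
#       AuthLDAPURL "ldap://ldap.example.edu/ou=people,dc=example,dc=edu?uid?sub"
#       Require valid-user
#   </Location>

# Corrected form, part 1: keep the directory challenge on the web UI.
# ldaps:// so the bind password does not cross the network in clear; the
# Basic credentials themselves should only travel over an HTTPS vhost.
<Location /rt>
    AuthType Basic
    AuthName "RT (university account)"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.example.edu/ou=people,dc=example,dc=edu?uid?sub"
    Require valid-user
</Location>

# Part 2: let the mail gateway through without a password, but only from
# the hosts that run rt-mailgate. "Satisfy Any" means a request passes if
# EITHER the host rule OR the LDAP auth succeeds, so the relay skips the
# challenge while everyone else is still prompted.
<Location /rt/REST/1.0/NoAuth>
    Satisfy Any
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 192.0.2.10
</Location>

# Part 3: RT's own unauthenticated files (stylesheets, images, the internal
# login and logout pages) also live under NoAuth and need no challenge.
<Location /rt/NoAuth>
    Satisfy Any
    Order allow,deny
    Allow from all
</Location>
```

On the RT side, the settings this pairs with in RT_SiteConfig.pm are Set($WebExternalAuth, 1) so RT trusts the REMOTE_USER that Apache sets, Set($WebExternalAuto, 1) if directory users should get an RT account created on first visit rather than being rejected, and Set($WebFallbackToInternalAuth, 1) for the fallback seph mentions. Two caveats a practitioner should test before relying on this: with Require valid-user on all of /rt, the browser never gets past the directory prompt to RT's own login form, so the fallback only helps external users if the Basic-auth challenge is confined to an entry path that university people use (or to a separate vhost), and how that interacts with RT's session handling depends on the RT version. And because Basic auth credentials are resent by the browser on every request, there is no server-side session for a logout link to destroy; on a shared terminal, closing the browser is the only reliable way to drop them, which is exactly the concern raised at the top of the thread.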