Single Sign-On

I am wondering if anyone has been able to get RT to have SSO possibly
using LDAP auth as well?

I am running RT 3.4.4/Apache2/fastCGI/Oracle 9g with either LDAP auth
using Apache or the LDAP package for RT.
Are there any mods for Apache that can handle this? We use Active
Directory and I would like for users to open the web page and have RT or
some other app check their NT username and pwd, and if it authenticates
with AD, then automatically login to RT with the NT username. There are
possibly 500 users going to use RT and I would like to avoid a huge
admin headache by having SSO w/ LDAP.
Any hints or ideas?

Thanks!
Adam

Single Sign On can be done by using the NTLM module in apache to get the
Login ID from the IE browser. You can use this id to connect to the LDAP
server. The LDAP contribution on the wiki will give you information
about connecting to the LDAP server. I am guessing NTLM module uses
mod-perl, not sure if it will work with fast-cgi.

Ahalya Nathan
Senior Programmer / Analyst
Information Technology, Metropolitan Utilities District
(402) 504-7180 phone

(402) 504-5180 fax

From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Myers,
Adam
Sent: Thursday, October 20, 2005 1:38 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] Single Sign-On


By default, when RT auto-creates a user by means of WebExternalAuto,
the user thus created is a very bare shell: the Name and Gecos fields
are filled in with the HTTP username, and everything else is left
blank.

I’m trying to get the user’s email address pre-populated as well. In
our system, it’s a safe bet that username@$RT::Organization is a valid
email address for that user, so I copied share/html/autohandler into
local/html/autohandler, and edited around line 116 to add:

        # Merge the static $RT::AutoCreate attributes (when it is a hashref),
        # then set the per-user fields; later keys override earlier ones.
        my ($val, $msg) = $UserObj->Create(
                     %{ref($RT::AutoCreate) ? $RT::AutoCreate : {}},
                     Name   => $user,
                     Gecos  => $user,
                     EmailAddress  => $user . "\@example.com",
                     );

…but the users are still created with blank EmailAddress fields. Is
there somewhere else I should be trying to do this?

-n

------------------------------------------------------------
memory@blank.org
“The internet is the best thing to ever happen to stupidity.”
(–James “Kibo” Parry)
http://blank.org/memory/
----------------------------------------------------


Anyone know if you can get Apache to attempt automatic authentication
with IE, and if that fails fall back to letting RT do the auth?

-Todd


I do this with the LDAP overlay instead of apache.

It attempts LDAP, and then if that fails falls back to RT for auth. It
may actually try RT first, then LDAP. Works though.

But what I want to do is have Apache try passwordless NTLM
with my IE client, and then if that fails let RT handle
authentication.

-Todd

On Thu, Oct 20, 2005 at 03:48:05PM -0700, Nathan Oyler wrote:

On Thu, Oct 20, 2005 at 01:42:44PM -0500, Nathan, Ahalya wrote:

Single Sign On can be done by using the NTLM module in apache to get the
Login ID from the IE browser. You can use this id to connect to the LDAP
server. The LDAP contribution on the wiki will give you information
about connecting to the LDAP server. I am guessing NTLM module uses
mod-perl, not sure if it will work with fast-cgi.

Anyone know if you can get Apache to attempt automatic authentication
with IE, and if that fails fall back to letting RT do the auth?

-Todd

I do this with the LDAP overlay instead of apache.

It attempts LDAP, and then if that fails falls back to RT for auth. It
may actually try RT first, then LDAP. Works though.

Not sure if this fits for you, but we do this sort of thing with mod_perl.
Our authentication handler (a Perl module) has logic to first try a Radius
server, and then a database of people who registered via the Internet. To
get Apache to fall back to RT, you might need a combination of two RT config
settings: WebExternalAuth (to let Apache try the authent), along with
WebFallbackToInternalAuth, to let RT try if the first one fails. Haven’t
tried this, but it looks promising.

On 10/20/05, Todd Chapman todd@chaka.net wrote:

But what I want to do is have Apache try passwordless NTLM
with my IE client, and then if that fails let RT handle
authentication.

-Todd

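The two RT settings named in the reply above, combined with the WebExternalAuto/AutoCreate pair from the earlier autohandler message, written out as an RT_SiteConfig.pm fragment. This is an added example, not code from any poster; the option names are the RT 3.4 ones mentioned in the thread, and the AutoCreate contents are an assumed choice. Whether the Apache NTLM handler can be made to pass a failed authentication through at all is the open question of the thread and is not settled by this fragment.

```perl
# Added example: RT_SiteConfig.pm fragment wiring web-server (e.g. NTLM)
# authentication to RT with a fallback to RT's own login. Option names are
# the RT 3.4 ones used in the thread; the AutoCreate contents are assumed.

# Trust the REMOTE_USER that Apache sets after its own authentication
# instead of presenting RT's login form. Only safe when every route to RT
# goes through that authenticating Apache handler, because RT does not
# re-verify the name it is handed.
Set($WebExternalAuth, 1);

# If Apache passes a request through with no REMOTE_USER (the NTLM
# exchange failed or the browser never attempted it), fall back to RT's
# internal username/password login rather than refusing the request.
Set($WebFallbackToInternalAuth, 1);

# Create an RT account the first time an unknown REMOTE_USER appears.
# Without this, a REMOTE_USER that has no RT account is not logged in.
Set($WebExternalAuto, 1);

# Static attributes merged into User->Create for those auto-created
# accounts (the hashref the autohandler spreads before Name and Gecos).
# Keeping Privileged off means a new SSO user starts with only the rights
# granted to Unprivileged users; raise it per user or per group afterwards
# rather than for everyone at creation time.
Set($AutoCreate, { Privileged => 0 });

1;
```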



By using the Apache2::AuthenNTLM/ Apache::AuthenNTLM Authentication
Handler you can do that. The NTLM gives the username and domain name
from the IE client.

Ahalya Nathan
Senior Programmer / Analyst
Information Technology, Metropolitan Utilities District
(402) 504-7180 phone
(402) 504-5180 fax

From: Todd Chapman [mailto:todd@chaka.net]
Sent: Thursday, October 20, 2005 10:30 PM
To: Nathan Oyler
Cc: Nathan, Ahalya; rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Single Sign-On

But what I want to do is have Apache try passwordless NTLM
with my IE client, and then if that fails let RT handle
authentication.

-Todd


Yes, but if the NTLM authentication fails can Apache let
the user in anyway so that RT can handle the auth?

On Fri, Oct 21, 2005 at 08:18:58AM -0500, Nathan, Ahalya wrote:

By using the Apache2::AuthenNTLM/ Apache::AuthenNTLM Authentication
Handler you can do that. The NTLM gives the username and domain name
from the IE client.


I am guessing you may have to change the NTLM program for that.

From: Todd Chapman [mailto:todd@chaka.net]
Sent: Fri 10/21/2005 9:33 AM
To: Nathan, Ahalya
Cc: Nathan Oyler; rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Single Sign-On

Yes, but if the NTLM authentication fails can Apache let
the user in anyway so that RT can handle the auth?