Validating RT users via Active Directory

Hi all,

I have a request and an opportunity to share.

We currently use RT 2.0.13 but are in the process of migrating to 3.0.X.
At the same time, we’re moving from NT domains to Active Directory, so
I’ve been watching the threads on RT and AD integration closely.

Seems to me that, so far, all I’ve seen is people using LDAP to look up
user info, essentially via the mailgate, to populate new users as they
submit requests. This is cool; we’ve been doing something like that
here for over a year with an external directory.

However, what I really want to do is to get users to have a single
login name and password everywhere and so I want to authenticate access
to RT via AD, and not via the password in RT.

I’ve not found anything on Linux which does this directly. Thus my
request is for any info on anything that does.

The opportunity is that I’ve found a way to do it. It’s rather convoluted
as it involves a piece of ASP sitting on an SSL-protected IIS server that
acts as a web service to do the authentication for me, as I don’t want
passwords flying over the wire in clear text. I simply call that from
…/rt3/lib/RT/User_Local.pm and voila! AD-authenticated users. I’d be
more than happy to post that code here, in all its crudeness, if anyone is
interested - unless there’s a better way!

(FWIW, I’ve also got this working on RT2.)

BTW - our RT3 is running on RH9. Having followed Harald’s lead, it works
perfectly: RH9, locally built perl 5.8.0, locally built apache 1.3.28 with
mod_perl 1.28.

Regards,
Gary

Get the latest news on SurfControl and our products,
subscribe to our monthly e-newsletter, SurfAdvisory at:
http://surfcontrol.us-hosts.com/sc/subscribe

The information in this email is confidential and may be legally
privileged. It is intended solely for the addressee. Access to this
email by anyone else is unauthorized. If you are not the intended
recipient, any disclosure, copying, distribution or any action taken
or omitted to be taken in reliance on it, is prohibited and may be
unlawful. If you believe that you have received this email in error,
please contact the sender.
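One way to do the User_Local.pm hook against AD directly from the RT host, as an added example (this is not Gary’s ASP code and not part of RT itself): it overrides RT::User::IsPassword so that a login is checked by a simple bind to a domain controller over LDAPS, which keeps the password inside TLS without a separate IIS web service in the middle. The hostname dc1.example.com, the UPN suffix example.com and the CA file path are assumptions; the code relies on the perl-ldap Net::LDAPS module and on RT 3.0 loading lib/RT/User_Local.pm after User_Overlay.pm.

```perl
# lib/RT/User_Local.pm -- added example, not RT's own code.
# Replaces RT::User::IsPassword so RT never consults its own password
# column; the check is a simple bind to Active Directory over LDAPS.
package RT::User;

use strict;
use warnings;
use Net::LDAPS;    # from the perl-ldap distribution (LDAP over SSL, port 636)

my $AD_HOST   = 'dc1.example.com';        # assumed domain controller
my $AD_DOMAIN = 'example.com';            # assumed UPN suffix: user@example.com
my $AD_CAFILE = '/etc/ssl/ad-ca.pem';     # assumed CA that signed the DC cert

no warnings 'redefine';                   # we deliberately replace RT's method

sub IsPassword {
    my ( $self, $value ) = @_;

    # An AD simple bind with an empty password is an "unauthenticated" bind
    # and succeeds, so an empty password must be rejected here, not by AD.
    return undef unless defined $value && length $value;

    # A user disabled in RT stays locked out even if AD would accept them.
    return undef if $self->Disabled;

    # Only plain account names are placed into the bind name.
    my $name = $self->Name;
    return undef unless defined $name && $name =~ /^[A-Za-z0-9._-]+$/;

    # Connect over TLS and require the DC certificate to verify against our CA,
    # otherwise the password could be handed to an impostor on the wire.
    my $ldap = Net::LDAPS->new(
        $AD_HOST,
        port   => 636,
        verify => 'require',
        cafile => $AD_CAFILE,
    );
    unless ($ldap) {
        # Fail closed: an unreachable DC must not turn into an open door.
        $RT::Logger->error("AD auth: cannot connect to $AD_HOST: $@");
        return undef;
    }

    # The user principal name (user@domain) is accepted by AD as a bind name.
    my $mesg = $ldap->bind( "$name\@$AD_DOMAIN", password => $value );
    $ldap->unbind;

    if ( $mesg->code ) {
        $RT::Logger->info( "AD auth failed for $name: " . $mesg->error );
        return undef;
    }
    return 1;
}

1;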

Seems to me that, so far, all I’ve seen is people using LDAP to look up
user info, essentially via the mailgate, to populate new users as they
submit requests. This is cool; we’ve been doing something like that
here for over a year with an external directory.

We are authenticating users with LDAP (OpenLDAP 2.0.x). LDAP forwards the
password request to our NT4 (Samba 2.2) domain controller.
This is done as follows:

  • SSL-protected RT. Done in Apache 1.3, nothing related to
    RT/Authentication. This lets us pass the password in the clear inside the SSL tunnel.
  • We use the Apache auth_net_ldap module for authentication. Apache asks LDAP
    for a user/password match and, if successful, forwards the variable
    USER= to RT.
  • RT is set to external authentication, so it uses the USER=
    variable to get the connecting user.

This is very simple and works really well. We don’t use the RT password,
only the NT4 password (forwarded from LDAP).

Hope this helps. Ask if you need help setting that up.
AD is the same as LDAP+Kerberos and much the same as OpenLDAP+NT4
domain. So integrating AD in RT should not be a problem.
Bye.
-jec

rt-users mailing list
rt-users@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users

Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm
Jean-Eric Cuendet
Riskpro Technologies SA
Av du 14 avril 1b, 1020 Renens Switzerland
Principal: +41 21 637 0110 Fax: +41 21 637 01 11
Direct: +41 21 637 0123
E-mail: jean-eric.cuendet@rptec.ch
http://www.rptec.ch

  • RT is set to external authentication so it uses the USER=
    variable to get the user connecting.

A minor correction: by default that’s REMOTE_USER, not USER, though it
should be overridable in the current RT version.

seph

I’m running RT 2.0.15 with mysql.
I’ve successfully done backup/restore, but was curious
about the rt2 database in mysql. I’ve read posts
about this, but my solution is a lot simpler. Am I
missing something? My restored RT functions fine.

To backup the database, I have a cron job that fires
off at night and runs a script which does the
following:

now=`/bin/date +%Y.%m.%d.%H.%M`

# set dump directory
dumpdir=/space/rtdumps
/usr/bin/mysqldump --opt rt2 > $dumpdir/$now.rt2.sql

Then I backup the yyyy.mm.dd.hh.mm.rt2.sql file.

To load this into my newly built/restored RT box, I
simply do:

mysql rt2 < YYYY.MM.DD.HH.MM.rt2.sql

(If restoring into an older RT2, go into the build
directory and run ‘make dropdb’, ‘make install’.)

And that’s pretty much it. The dump is very fast, and
is done while everything is still running.
Is there anything I’ve missed?


Gary Holmes wrote:

However, what I really want to do is to get users to have a single
login name and password everywhere and so I want to authenticate access
to RT via AD, and not via the password in RT.

Look for my posts on the subject; I describe the pieces currently working
for me.

Hi all,

I am running RT2 with MySQL and Sendmail.

For a long time it has bothered me that when the DB goes down (nearly
never, but you never know) tickets get horked mightily. This happens
because the RT mail-ripper script can’t access the DB, so it just drops the
payload.

Is there a workaround for this? As it stands I just monitor the DB closely
and when it goes down I bring down sendmail on the box, allowing mail to
queue at a backup MX.

Thanks!

~Ben
Ben Browning benb@theriver.com
The River Internet Access Co.
WA Operations Manager
1-877-88-RIVER http://www.theriver.com

Hey Ben,

What I did was use a wrapper script (see attached) which detects the
return value of rt-mailgate and sleeps for a specified period of time
and tries again (and again) until success.

Basically, I call the wrapper via procmail (but you prolly could do it
via your /etc/aliases file too):

:0 w
| $HOME/bin/resubmit.pl -t 5 -f 12 -c '/usr/local/rt3/bin/rt-mailgate --queue MyQueue --action comment --url https://rt.mycompany.com/'

resubmit.pl (1.41 KB)
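A retry wrapper of the same shape, written here as an added example (it is not the attached resubmit.pl and not part of RT): it reads the message from STDIN once, feeds it to rt-mailgate, retries a few times while the database is unavailable, and if every attempt fails exits with EX_TEMPFAIL (75) so that sendmail defers and requeues the message instead of dropping it. The option names, the defaults of 5 attempts 60 seconds apart, and the script name rt-mailgate-retry are assumptions.

```perl
#!/usr/bin/perl
# rt-mailgate-retry -- added example wrapper around rt-mailgate.
# Usage: rt-mailgate-retry [--tries N] [--delay SECS] -- /path/rt-mailgate args...
use strict;
use warnings;
use Getopt::Long;

use constant EX_TEMPFAIL => 75;    # sysexits.h: "temporary failure, try again later"

my $tries = 5;     # assumed default: number of delivery attempts
my $delay = 60;    # assumed default: seconds between attempts

sub usage {
    print STDERR "usage: $0 [--tries N] [--delay SECS] -- rt-mailgate args...\n";
    # Even a usage error should not make the MTA bounce the customer's mail.
    exit EX_TEMPFAIL;
}

# Run rt-mailgate once, handing it the message on its STDIN.
# Returns the child's exit status (0 = message accepted into RT).
sub run_once {
    my ( $msg, @argv ) = @_;
    # If rt-mailgate dies before reading everything, do not let SIGPIPE kill us;
    # the failed close() below reports the real exit status instead.
    local $SIG{PIPE} = 'IGNORE';
    # List-form pipe open: no shell is involved, so the arguments are never
    # reinterpreted even if they contain quotes or spaces.
    open( my $to_gate, '|-', @argv ) or return 1;
    print {$to_gate} $msg;
    close $to_gate;            # sets $? to rt-mailgate's wait status
    return $? >> 8;
}

# Try up to $attempts times; return 0 on success, EX_TEMPFAIL if all fail.
sub deliver_with_retry {
    my ( $msg, $attempts, $sleep, @argv ) = @_;
    for my $n ( 1 .. $attempts ) {
        my $rc = run_once( $msg, @argv );
        return 0 if $rc == 0;
        warn "rt-mailgate attempt $n/$attempts failed (exit $rc)\n";
        sleep $sleep if $n < $attempts;
    }
    return EX_TEMPFAIL;        # MTA keeps the message queued and retries later
}

GetOptions( 'tries=i' => \$tries, 'delay=i' => \$delay ) or usage();
my @cmd = @ARGV or usage();

# Read the whole message up front: STDIN cannot be replayed for a second attempt.
my $message = do { local $/; <STDIN> };
exit EX_TEMPFAIL unless defined $message && length $message;

exit deliver_with_retry( $message, $tries, $delay, @cmd );
```

Hooked into /etc/aliases as `rt-comment: "|/usr/local/rt3/bin/rt-mailgate-retry --tries 5 --delay 60 -- /usr/local/rt3/bin/rt-mailgate --queue MyQueue --action comment --url https://rt.mycompany.com/"`, sendmail treats the exit status 75 as a temporary failure and keeps the message in its queue. The retries run inside sendmail’s delivery process, so keep tries × delay well below the mailer timeout and let the queue handle a long outage.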

FWIW, RT3 handles things rather differently and things should queue
properly until the message payload is recorded.

Request Tracker... So much more than a help desk — Best Practical Solutions – Trouble Ticketing. Free.

“BB” == Ben Browning benb@theriver.com writes:

BB> never, but you never know) tickets get horked mightily. This happens
BB> because the RT mail-ripper script can’t access the DB, so it just drops the
BB> payload.

What version of RT do you have? Older versions used to fail this way,
but that was fixed a long time ago to fail with a temporary error so
the mail server would queue the mail.

Vivek Khera, Ph.D. Khera Communications, Inc.
Internet: khera@kciLink.com Rockville, MD +1-240-453-8497
AIM: vivekkhera Y!: vivek_khera http://www.khera.org/~vivek/