Hi,

I have a working instance of RT 3.8.7 running under Apache 2.2.3 on RHEL 5.4.  
The instance has been set up to authenticate users against Active Directory via 
RT::Authen::ExternalAuth & LDAP.  The LDAP authentication works fine (i.e. 
users log in with their AD credentials, and new users get created in RT when 
ticket requests come in via e-mail.)

Now I need to implement Single Sign-On, so that the users at MSWin workstations 
could simply browse to the RT interface without having to type in their 
username/password again.  To do this I've followed the instructions outlined at 
http://blank.org/memory/output/rt-ad-sso.html and at 
http://wiki.bestpractical.com/view/NtlmAuthentication.  I've also searched 
around the RT mailing list archives but couldn't find anything that described 
the problem I'm having.

The problem is that RT still presents the login screen when you go to its URL 
for the first time.

My main questions are:

*       Can NTLM & RT::Authen::ExternalAuth co-exist?
*       Is there a way to get debugging output from mod_ntlm?
*       Are there any additional pointers or advice regarding single sign-on 
with RT?

Besides this, any input on the issue would be highly appreciated.

P.S.  Here is what has been done so far, in a nutshell:

*       Compiled and installed mod_ntlm
*       Installed User_Local.pm and MailFrom_Local.pm from 
http://www2.usit.uio.no/it/rt/modifications/
*       Installed Web_Local.pm from http://blank.org/memory/work/Web_Local.pm
*       Included this snippet in RT_SiteConfig.pm:

Set($WebExternalAuth   , '1');   # trust the web server's REMOTE_USER as the RT user
Set($WebFallbackToInternalAuth, '1');   # no REMOTE_USER -> show RT's own login form
Set($WebExternalGecos  , undef); # undef: match REMOTE_USER against the RT user Name
Set($WebExternalAuto   , '1');   # auto-create RT users on first external login

Set($LDAPExternalAuth  , '1'); # Enable LDAP auth
Set($LdapServer        , 'mycompanys.ldap.server.com');
Set($LdapCAFile        , undef);
Set($LdapUser          , '<LDAP user>');
Set($LdapPass          , '<LDAP password>');
Set($LdapAuthStartTLS  , '0'); # Need to use TLS or ldaps to check passwords
Set($LdapAuthBase      , 'dc=my,dc=company,dc=com');
Set($LdapAuthUidAttr   , 'sAMAccountName');
Set($LdapAuthFilter    , '(objectClass=user)');
Set($LdapMailBase      , 'dc=my,dc=companymail,dc=com');
Set($LdapMailFilter    , '(objectClass=user)');
Set($LdapMailScope     , 'sub');
Set($LdapMailSearchAttr, 'mail');
%RT::LdapMailResultMap = (
                          'sAMAccountName'        => 'Name',
                          'mail'                  => 'EmailAddress',
                          'cn'                    => 'RealName',
                          );

*       Included this in httpd.conf RT's virtual server section:

   PerlModule Apache2::compat
   PerlModule Apache::DBI

   PerlRequire /opt/rt3/bin/webmux.pl

   <Directory /opt/rt3/share/html>
       Order allow,deny
       Allow from all

       SetHandler perl-script
       PerlResponseHandler RT::Mason

       AuthName "Request Tracker"
       AuthType NTLM
       NTLMAuth on
       NTLMAuthoritative on
       NTLMDomain MYCOMPANYS_AD_DOMAIN
       NTLMServer my_companys_dc1
       NTLMBackup my_companys_dc2
   </Directory>

*       Restarted Apache
*       Added our RT URL to IE's "trusted sites" list


Again, thanks in advance,
Sergey


Sergey Gladkovich | UNIX Systems Engineer | (w) 201-743-4293 | (m) 646-291-7123
Arch Insurance Group Inc.
300 - Plaza Three - 3rd Floor
Jersey City NJ 07311
Tel: 201-743-4000, Fax: 201-743-4005
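An added illustration, not part of Sergey's post and not RT's or mod_ntlm's own documentation: the Directory block above declares NTLM authentication but never requires it, and Apache 2.2 only runs an authentication module for a request when some Require directive applies, so REMOTE_USER stays empty and RT's $WebExternalAuth has nothing to trust. The variant below enforces the challenge and adds vhost-level debug logging; it assumes mod_ntlm logs through Apache's error log at debug level, that rt-mailgate posts to /REST/1.0/NoAuth/mail-gateway as in RT 3.8, and that the paths and domain names are the placeholders from the post.

```apache
# Added example, not from the original post. Domain, DC names and paths are
# the placeholders from the post; substitute your own values.

# Vhost level (LogLevel is not accepted inside <Directory> on Apache 2.2):
# raise the error log level so mod_ntlm's per-request messages appear.
# Assumption: mod_ntlm logs via Apache's error log at debug level.
# Lower it again once the handshake has been traced.
LogLevel debug

PerlModule Apache2::compat
PerlModule Apache::DBI
PerlRequire /opt/rt3/bin/webmux.pl

<Directory /opt/rt3/share/html>
    Order allow,deny
    Allow from all

    SetHandler perl-script
    PerlResponseHandler RT::Mason

    AuthName "Request Tracker"
    AuthType NTLM
    NTLMAuth on
    NTLMAuthoritative on
    NTLMDomain MYCOMPANYS_AD_DOMAIN
    NTLMServer my_companys_dc1
    NTLMBackup my_companys_dc2

    # Without this line Apache 2.2 never calls the authentication hook:
    # the browser is not challenged, REMOTE_USER is unset, and RT's
    # $WebExternalAuth falls through to its own login form. With it, every
    # request is refused (401) until NTLM succeeds, so a client that cannot
    # do NTLM never reaches that form at all.
    Require valid-user
</Directory>

# The mail gateway (rt-mailgate) is not a browser session and cannot answer
# an NTLM challenge; let host-based access satisfy it on its own. Location
# sections are merged after Directory sections, so this overrides the above.
# Assumption: RT 3.8's gateway path is /REST/1.0/NoAuth/mail-gateway.
<Location /REST/1.0/NoAuth>
    Satisfy Any
    Order allow,deny
    Allow from all
</Location>
```

A quick check of the result: the very first response from a plain client such as `curl -I` against the RT URL should be a 401 carrying a `WWW-Authenticate: NTLM` header; if it is a 200 with the login page, the challenge is still not being enforced.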


