Browser authentication is typically triggered by an Apache
configuration, so if your goal is to have just RT authentication, you
might compare your Apache configuration with the example in the docs:
https://docs.bestpractical.com/rt/4.4.0/web_deployment.html
On 5/11/16 3:50 AM, Bart Bunting wrote:
Hi everyone,
I have been trying to get external authentication with ldapauth and
ldapimport working on a brand new rt 4.4 from the latest pull of
4.4-trunk.
I have the ldap authentication and rt-ldapimport working correctly
against our ldap server.
The one issue I can not appear to resolve is that I am prompted first
by the browsers authentication prompt and then by the RT login screen.
So you need to enter your authentication credentials twice.
I am hoping to just have the RT login screen, no browser authentication
prompt.
I'm sure it's something simple but I'm pulling my hair out :).
If someone could take a look at my config and tell me where the error is
I'd be eternally grateful:
Here is the section of my rt config.
The first few options are commented out as they are part of previous
attempts to make it work as expected.
#* Authentication
# configure external authentication
#Set($WebRemoteUserAuth, 1);
# check authentication on each request rather than just once
#Set($WebRemoteUserContinuous, 1);
# fall back to rt login if external auth fails.
#Set($WebFallbackToRTLogin, 1);
Set ($ExternalAuth, 1);
Set( $ExternalAuthPriority, ['URSYS_LDAP'] );
Set( $ExternalInfoPriority, ['URSYS_LDAP'] );
# Make users created from LDAP Privileged
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
# Users should still be autocreated by RT as internal users if they
# fail to exist in an external service; this is so requestors (who
# are not in LDAP) can still be created when they email in.
Set($AutoCreateNonExternalUsers, 1);
# LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
# further details and examples
Set($ExternalSettings, {
'URSYS_LDAP' => {
'type' => 'ldap',
'server' => 'ldap.xxxxx,
'base' => 'cn=users,cn=accounts,dc=xxxxxx',
'user' => 'uid=system,cn=sysaccounts,xxxxx',
'pass' => 'xxxxxx',
'filter' => '(&(memberOf=cn=helpdesk-*))',
'attr_match_list' => [
'Name',
],
'attr_map' => {
'Name' => 'uid',
'EmailAddress' => 'mail',
},
},
} );
# * rt-ldapimport configuration
# enable plugin
Plugin( qw(RT::LDAPImport));
Set($LDAPBase,'cn=users,cn=accounts,xxxxx');
Set($LDAPHost,'ldap.xxxxx');
Set($LDAPUser,'uid=system,cn=sysaccounts,xxxxxx');
Set($LDAPPassword,'xxxxxxxx');
Set($LDAPFilter, '(&(memberOf=cn=helpdesk-*))');
Set($LDAPMapping, {Name => 'uid', # required
EmailAddress => 'mail',
RealName => 'cn',
WorkPhone => 'telephoneNumber',
Organization => 'departmentName'});
# create users as privileged
Set($LDAPCreatePrivileged, 1);
# sync Groups from LDAP into RT
Set($LDAPGroupBase, 'cn=accounts,xxxxx');
Set($LDAPGroupFilter, '(&(objectClass=groupofnames)(cn=helpdesk-*))');
Set($LDAPGroupMapping, {Name => 'cn',
Description => 'description',
Member_Attr => 'member',
Member_Attr_Value => 'dn',
});
As above all the ldap stuff appears to work apart from the double
request for authentication.
Kind regards
Bart
---------
RT 4.4 and RTIR Training Sessions https://bestpractical.com/training
* Washington DC - May 23 & 24, 2016
