Hi Jim,

Thanks for the quick reply.

I should have included my apache virtualhost config. Here it is for reference. I did have ldap auth working at one point but it is totally commented out in the config.

Apache is apache2 2.4.18-2ubuntu3 amd64 debian Xenial LTS

# ************************************
# Vhost template in module puppetlabs-apache
# Managed by Puppet
# ************************************

<VirtualHost *:80>
  ServerName helpdesk.in.urnet.com.au

  ## Vhost docroot
  DocumentRoot "/opt/rt4/share/html"
  ## Alias declarations for resources outside the DocumentRoot
  AliasMatch /NoAuth/images/ "/opt/rt4/share/html/NoAuth/images/"

  ## Directories, there should at least be a declaration for /opt/rt4/share/html

  <Directory "/opt/rt4/share/html">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
  </Directory>

  ## Logging
  ErrorLog "/var/log/apache2/helpdesk.in.urnet.com.au_error.log"
  ServerSignature Off
  CustomLog "/var/log/apache2/helpdesk.in.urnet.com.au_access.log" combined

  ## Custom fragment
  AddDefaultCharset UTF-8
  ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/
  DocumentRoot "/opt/rt4/share/html"
  <Location />
    # bart: disabled for now until we move towards SSO
    # AuthType Basic
    # AuthName "Ursys LDAP"
    # AuthBasicProvider ldap
    # AuthLDAPURL ldap://ldap.xxxx:389/cn=accounts,xxxx?uid?sub
    # AuthLDAPBindDN uid=system,cn=sysaccounts,xxx
    # AuthLDAPBindPassword xxxxx
    # Require ldap-group cn=noc,cn=groups,xxxxxx
    Require all granted
    Options +ExecCGI
    AddHandler fcgid-script fcgi
  </location>
</VirtualHost>

Is there anything wrong with that? It pretty much mirrors the config described in the documentation.

If there is a better way of doing things other than mod_fastcgi I'm open to trying that.

Kind regards
Bart

Jim Brandt <jbra...@bestpractical.com> writes:

> Browser authentication is typically triggered by an Apache
> configuration, so if your goal is to have just RT authentication, you
> might compare your Apache configuration with the example in the docs:
>
> https://docs.bestpractical.com/rt/4.4.0/web_deployment.html
>
> On 5/11/16 3:50 AM, Bart Bunting wrote:
>>
>>
>> Hi everyone,
>>
>> I have been trying to get external authentication with ldapauth and
>> ldapimport working on a brand new rt 4.4 from the latest pull of
>> 4.4-trunk.
>>
>> I have the ldap authentication and rt-ldapimport working correctly
>> against our ldap server.
>>
>> The one issue I can not appear to resolve is that I am prompted first
>> by the browser's authentication prompt and then by the RT login screen.
>> So you need to enter your authentication credentials twice.
>>
>> I am hoping to just have the RT login screen, no browser authentication
>> prompt.
>>
>> I'm sure it's something simple but I'm pulling my hair out :).
>>
>> If someone could take a look at my config and tell me where the error is
>> I'd be eternally grateful:
>>
>> Here is the section of my rt config.
>>
>> The first few options are commented out as they are part of previous
>> attempts to make it work as expected.
>>
>> #* Authentication
>> # configure external authentication
>>
>> #Set($WebRemoteUserAuth, 1);
>> # check authentication on each request rather than just once
>> #Set($WebRemoteUserContinuous, 1);
>>
>> # fall back to rt login if external auth fails.
>> #Set($WebFallbackToRTLogin, 1);
>>
>> Set ($ExternalAuth, 1);
>> Set( $ExternalAuthPriority, ['URSYS_LDAP'] );
>> Set( $ExternalInfoPriority, ['URSYS_LDAP'] );
>>
>> # Make users created from LDAP Privileged
>> Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
>>
>> # Users should still be autocreated by RT as internal users if they
>> # fail to exist in an external service; this is so requestors (who
>> # are not in LDAP) can still be created when they email in.
>> Set($AutoCreateNonExternalUsers, 1);
>>
>> # LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
>> # further details and examples
>> Set($ExternalSettings, {
>>     'URSYS_LDAP' => {
>>         'type' => 'ldap',
>>         'server' => 'ldap.xxxxx',
>>         'base' => 'cn=users,cn=accounts,dc=xxxxxx',
>>         'user' => 'uid=system,cn=sysaccounts,xxxxx',
>>         'pass' => 'xxxxxx',
>>         'filter' => '(&(memberOf=cn=helpdesk-*))',
>>         'attr_match_list' => [
>>             'Name',
>>         ],
>>         'attr_map' => {
>>             'Name' => 'uid',
>>             'EmailAddress' => 'mail',
>>         },
>>     },
>> } );
>>
>> # * rt-ldapimport configuration
>> # enable plugin
>> Plugin( qw(RT::LDAPImport));
>>
>> Set($LDAPBase,'cn=users,cn=accounts,xxxxx');
>> Set($LDAPHost,'ldap.xxxxx');
>> Set($LDAPUser,'uid=system,cn=sysaccounts,xxxxxx');
>> Set($LDAPPassword,'xxxxxxxx');
>> Set($LDAPFilter, '(&(memberOf=cn=helpdesk-*))');
>> Set($LDAPMapping, {Name => 'uid', # required
>>                    EmailAddress => 'mail',
>>                    RealName => 'cn',
>>                    WorkPhone => 'telephoneNumber',
>>                    Organization => 'departmentName'});
>> # create users as privileged
>> Set($LDAPCreatePrivileged, 1);
>>
>> # sync Groups from LDAP into RT
>> Set($LDAPGroupBase, 'cn=accounts,xxxxx');
>> Set($LDAPGroupFilter, '(&(objectClass=groupofnames)(cn=helpdesk-*))');
>> Set($LDAPGroupMapping, {Name => 'cn',
>>                         Description => 'description',
>>                         Member_Attr => 'member',
>>                         Member_Attr_Value => 'dn',
>>                        });
>>
>> As above all the ldap stuff appears to work apart from the double
>> request for authentication.
>>
>>
>>
>> Kind regards
>> Bart
>>
> ---------
> RT 4.4 and RTIR Training Sessions https://bestpractical.com/training
> * Washington DC - May 23 & 24, 2016

Bart

--
Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005
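
Following Jim's pointer that the browser prompt comes from the Apache configuration, one check is to list every authentication directive that is actually active across all config files Apache loads, not only the vhost shown above. The script below is an added example, not part of the original thread; the function names, file names and the second config file are constructed for illustration.

```sh
# Added example (not from the thread): list Apache directives that are
# active, i.e. not commented out, and that request HTTP authentication.
# Prints "file:line: [enclosing section] directive" for *.conf under $1.
find_active_auth() {
    find "$1" -type f -name '*.conf' | sort | while read -r f; do
        awk -v file="$f" '
            /^[ \t]*#/   { next }                          # comment
            /^[ \t]*<\// { if (depth > 0) depth--; next }  # </Section>
            /^[ \t]*</   {                                 # <Section ...>
                s = $0; gsub(/^[ \t]*<|>[ \t]*$/, "", s)
                stack[++depth] = s; next
            }
            {
                d = tolower($1); r = tolower($2)
                auth = (d ~ /^auth(type|name|basicprovider|ldap)/)
                req = (d == "require" && (r == "valid-user" ||
                       r == "user" || r == "group" || r ~ /^ldap-/))
                if (auth || req) {
                    ctx = (depth > 0) ? stack[depth] : "server config"
                    line = $0; sub(/^[ \t]+/, "", line)
                    printf "%s:%d: [%s] %s\n", file, FNR, ctx, line
                }
            }
        ' "$f"
    done
}

# Constructed sample tree: the <Location /> block from the thread (auth
# lines commented out) and a hypothetical second file with active Basic auth.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/helpdesk.conf" <<'EOF'
<Location />
  # AuthType Basic
  # Require ldap-group cn=noc,cn=groups,xxxxxx
  Require all granted
</Location>
EOF
    cat > "$d/leftover.conf" <<'EOF'
<Location />
  AuthType Basic
  Require valid-user
</Location>
EOF
    echo "$d"
}

sample=$(make_sample); find_active_auth "$sample"; rm -rf "$sample"
```

On the real host this would be run as find_active_auth /etc/apache2; it reads only *.conf files, so any .htaccess files in use need a separate look.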