
tomas.olaj at usit
Aug 10, 2004, 5:16 AM
For our Scandinavian readers I have compiled a short install note here for our RT system: <http://folk.uio.no/tomaso/jobb/rt-spec.html>

I have also got LDAP to work with Apache 2 (distributed with RHES30, which doesn't have the experimental mod_auth_ldap module compiled) and OpenLDAP, using the following module (configuration taken from ssl.conf):

# MOD_AUTH_LDAP by Muhammad A Muquit for Apache 2.x, version 2.12.
# http://muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html
#
# AuthAuthoritative On
AuthName "Request Tracker (RT) Saksbehandlingsystemet ved UiO"
AuthType Basic
# Authenticate by binding to the directory as the user who logs in
AuthOnBind On
# Sub_DN ou=CIS,ou=People
LDAP_Persistent Off
# Bind_Tries 5
# Verbose LDAP logging, useful while setting things up
LDAP_Debug On
# Our server uses TLS with a certificate
LDAP_Protocol_Version 3
LDAP_Deref ALWAYS
# Our server uses TLS with a certificate (StartTLS on the plain LDAP port)
LDAP_StartTLS On
# LDAP_CertDbDir path - only available through Netscape's SDK and SSL configuration
LDAP_Server some-ldap-server.sub.domain
# LDAP_Server some-ldap-test-server.sub.domain - test LDAP server for UiO
LDAP_Port 389
# LDAP_Connect_Timeout 3 - Connect timeout in seconds - only available using iPlanet SDK
# LDAP_Port 636 - If SSL is on, must specify the LDAP SSL port, usually 636
Base_DN "ou=Users,dc=sub,dc=domain"
# Base_DN "ou=People,dc=sub,dc=domain"
# Base_DN "o=Fox Chase Cancer Center,c=US"
# Bind_DN "uid=admin,o=Fox Chase Cancer Center,c=US"
# Bind_Pass "secret"
UID_Attr uid
# UID_Attr_Alt "mail"
# Group_Attr uniqueMember
SupportNestedGroups On
require valid-user
# require user muquit foo bar "john doe"
# require roomnumber "123 Center Building"
# require filter "(&(telephonenumber=1234)(roomnumber=123))"
# require group cn=rt-saksbehandler,ou=netgroups,dc=sub,dc=domain
# require group cn=rcs,ou=Groups

Our solution is as follows for authentication and authorisation:

1) LDAP for authentication. New users will be created automatically by RT with their username. Of course, new users sending e-mail to RT will be created by their e-mail address. That's not wanted, and we are wondering how others deal with that.

2) In addition, we will not do an LDAP dump (export/import) of user info, except the password, to the RT database (in our case a PostgreSQL database), since we have potentially tens of thousands of requestors. Instead we want to build the user info internally in RT on the fly when we have incoming requests. So we need to create some form of a script that searches through the RT database for a username equal to an e-mail address, or something that triggers that script when we have incoming requests, to update the RT database with the correct user info. As said before, an incoming request creates a user with the e-mail address as the username. We have our own service called "electronic post office" which gives info about a user, so we don't need a dump from an LDAP server or other user administration system.

-- 
Tomas A. P. Olaj, email: tomas.olaj[at]usit.uio.no, web: folk.uio.no/tomaso
University of Oslo / USIT (Center for Information Technology Services)
System- and Application Management / Applications Management Group
_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Be sure to check out the RT wiki at http://wiki.bestpractical.com
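The reconciliation script sketched in point 2 above, as an added example that is not part of the original post and not RT's own code: it finds the users the mail gateway auto-created with an e-mail address as their Name, asks a directory service for the real username, and renames the record in place so that a later LDAP web login (which RT matches on Users.Name) lands on the same user. The Users columns (id, Name, EmailAddress, RealName) are those of RT 3's schema; the rows in SAMPLE_USERS, the POST_OFFICE dictionary standing in for the "electronic post office" service, and the use of an in-memory SQLite database instead of PostgreSQL are all constructed for the example. The collision branch is the case the post does not mention but a deployment will hit: the same person already has a web-created record, so a blind rename would violate the unique Name and the two records must be merged by hand instead.

```python
import sqlite3

# Constructed sample of RT's Users table (PostgreSQL in the post, SQLite here).
# Rows 2, 3 and 5 were auto-created by the RT mail gateway, which uses the
# sender's e-mail address both as Name and as EmailAddress.
SAMPLE_USERS = [
    (1, "tomaso", "tomas.olaj@usit.uio.no", "Tomas Olaj"),    # created by web login (LDAP)
    (2, "kari.nordmann@uio.no", "kari.nordmann@uio.no", ""),  # created by incoming mail
    (3, "ola.nordmann@uio.no", "ola.nordmann@uio.no", ""),    # created by incoming mail
    (4, "olan", None, ""),                                     # same person as row 3, via web login
    (5, "guest@example.org", "guest@example.org", ""),         # external requestor, not in the directory
]

# Constructed stand-in for the "electronic post office" lookup (hypothetical):
# e-mail address -> (username, real name). Unknown addresses return None.
POST_OFFICE = {
    "kari.nordmann@uio.no": ("karin", "Kari Nordmann"),
    "ola.nordmann@uio.no": ("olan", "Ola Nordmann"),
}


def post_office_lookup(email):
    """Return (username, realname) for a known address, else None."""
    return POST_OFFICE.get(email.lower())


def open_sample_db():
    """Build the in-memory Users table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, Name TEXT NOT NULL UNIQUE,"
        " EmailAddress TEXT, RealName TEXT)"
    )
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_mail_created_users(conn):
    """Users whose Name is an e-mail address: the mail gateway's auto-created requestors."""
    return conn.execute(
        "SELECT id, Name, EmailAddress FROM Users WHERE Name LIKE '%@%' ORDER BY id"
    ).fetchall()


def reconcile(conn, lookup=post_office_lookup):
    """Rename e-mail-named users to their directory username, keeping the user id.

    Returns which records were renamed, which collide with an existing
    username (left untouched for manual merging) and which the directory
    does not know (external requestors, left as they are).
    """
    result = {"renamed": [], "collision": [], "unknown": []}
    for uid, name, email in find_mail_created_users(conn):
        info = lookup(email or name)
        if info is None:
            result["unknown"].append(name)
            continue
        username, realname = info
        other = conn.execute(
            "SELECT id FROM Users WHERE Name = ? AND id <> ?", (username, uid)
        ).fetchone()
        if other is not None:
            # A web-created record for the same person already exists. Renaming
            # would break the unique Name, so report it instead of guessing.
            result["collision"].append((name, username, other[0]))
            continue
        # Same id, new Name: ticket watcher links stay valid, and the next LDAP
        # web login for this username maps to this record.
        conn.execute(
            "UPDATE Users SET Name = ?, RealName = ? WHERE id = ?", (username, realname, uid)
        )
        result["renamed"].append((name, username))
    conn.commit()
    return result


if __name__ == "__main__":
    db = open_sample_db()
    for kind, entries in reconcile(db).items():
        print(kind, entries)
```

Run as a periodic job or from a hook after incoming mail is processed; it is idempotent, since a renamed user no longer matches the e-mail pattern on the next pass. Addresses are compared lowercased before the directory lookup, and nothing is deleted: the collision list is the work queue for a human, not something to resolve with another UPDATE.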