Recently I undertook the task of replacing the company ticketing system. I chose Request Tracker by Best Practical for a variety of reasons, the most important to me being its flexibility and customization options.
My intent with this write up is to show configuration requirements for successful LDAP syncing and authentication between RT 4.2.4 and Active Directory. I'll also present some of my configurations of other bits and pieces of the overall build.
A couple of quick items as to how this ends up working. The LDAP syncing will sync your user accounts and/or groups. It will not disable or remove accounts, so use AD groups for permission-based items, as the group sync will add/remove users to/from groups without problem. Although users may not be disabled or deleted within RT, they still will not be able to authenticate, as their AD credentials are not active. Bottom line: use AD groups for your permission settings within RT.
My Server Build
- CPU x2
- RAM 4G
- Debian 7 'wheezy'
- VMWare
- OS Drive 20G: /boot -> 1G, swap -> 4G, / -> remaining
- Data Drive (MySQL) 50G, mounted as /database
How to move the database in a few quick steps:
- /etc/init.d/mysql stop
- rsync -avx /var/lib/mysql /database
- chown mysql.mysql /database
- mv /var/lib/mysql /var/lib/mysql.old
- vi /etc/mysql/my.cnf and change: datadir = /database
- /etc/init.d/mysql start
- Manual Download & Install of RT 4.2.4
Active Directory Assumptions:
- LDAP is available port 389
- You have an account in AD that has read rights on the domain. This should not be a Domain Administrator account, but a typical user/service account with read-only permissions. In my example, and in many real-world cases, the account name is in fact ldapreader.
- Variable value: domain_name.com is replaced with your domain name
- You do not need to specify host domain controllers; LDAP generally works fine without a specific host to bind to, just a domain (domain.com), which in turn resolves to a domain controller.
RT_SiteConfig.pm
```perl
# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
# perl -c /path/to/your/etc/RT_SiteConfig.pm
#
# You must restart your webserver after making changes to this file.

# You must install Plugins on your own, this is only an example
# of the correct syntax to use when activating them.
# Plugin( "RT::Extension::QuickDelete" );
# Plugin( "RT::Extension::CommandByMail" );
Plugin( "RT::Extension::LDAPImport" );

# Uncomment for debug
#Set($LogToSyslog, 'debug');

Set( $DatabaseRequireSSL, '' );
Set( $DatabaseType, 'mysql' );
Set( $WebDomain, 'rt.domain_name.com' );
Set( $WebPort, '80' );
Set( $rtname, 'DOMAIN_NAME' ); # or whatever you plan to name the site
Set( $CommentAddress, 'rt-comments@domain_name.com' );
Set( $CorrespondAddress, 'rt-correspondance@domain_name.com' );

## DB config
Set( $DatabaseHost, 'localhost' );
Set( $DatabaseName, 'rt4' );
Set( $DatabasePassword, 'password' );
Set( $DatabasePort, '' );
Set( $DatabaseUser, 'db_user_name' );
Set( $Organization, '' );
Set( $OwnerEmail, 'email_address@domain_name.com' );
Set( $SendmailPath, '/usr/sbin/sendmail' );

# My server is running on port 443, leaving the port 80 lines as reference
# servername in my instance is 'jamie' with a cname of 'rt'
#Set(@ReferrerWhitelist, qw(rt:80 rt.domain_name.com:80));
Set(@ReferrerWhitelist, qw(rt.domain_name.com:443));

## LDAP Configurations
# LDAP Authentication
Set( @Plugins, qw(RT::Authen::ExternalAuth RT::Extension::LDAPImport));

## LDAP USER IMPORT
Set($LDAPCreatePrivileged, 1);
Set($LDAPUpdateUsers, 1);
Set($LDAPHost,'domain_name.com');
Set($LDAPUser,'domain_name\ldapreader');
Set($LDAPPassword,'your_ldapreader_password_here');
# my base OU for users, yours will probably differ
Set($LDAPBase,'ou=users,ou=services,dc=domain_name,dc=com');
Set($LDAPFilter, '(&(objectClass=person))');
Set($LDAPMapping, {
    Name           => 'sAMAccountName',
    EmailAddress   => 'mail',
    Organization   => 'department',
    RealName       => 'cn',
    NickName       => 'givenName',
    ExternalAuthId => 'sAMAccountName',
    Gecos          => 'sAMAccountName',
    WorkPhone      => 'telephoneNumber',
    MobilePhone    => 'mobile',
    Address1       => 'streetAddress',
    City           => 'l',
    State          => 'st',
    Zip            => 'postalCode',
    Country        => 'co',
});

## LDAP GROUP IMPORT AND MAPPINGS
Set($LDAPGroupMapping, {
    Name              => 'cn',
    Member_Attr       => 'member',
    Member_Attr_Value => 'dn',
});
# OU/basedn location of groups
Set($LDAPGroupBase, 'ou=groups,dc=domain_name,dc=com');
# LDAP GROUP FILTERING, below are 2 examples
#Set($LDAPGroupFilter, 'cn=Information Technology');
# 2 group import example
Set($LDAPGroupFilter, '(|(cn=Information Technology)(cn=Facilities))');

## LDAP Authentication
Set($ExternalAuthPriority, [ 'My_LDAP' ]);
Set($ExternalInfoPriority, [ 'My_LDAP' ]);
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ldap://domain_name.com',
        'user'   => 'domain_name\ldapreader',
        'pass'   => 'ldapreader_password',
        'base'   => 'ou=users,ou=services,dc=domain_name,dc=com',
        'filter' => '(objectClass=person)',
        # 0 = plain LDAP on 389, so the bind password and user logins cross
        # the wire unencrypted; 1 enables STARTTLS once the DC has a certificate
        'tls'    => 0,
        'attr_match_list' => [
            'Name',
            'EmailAddress',
            'RealName',
        ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'department',
            'RealName'       => 'cn',
            'NickName'       => 'givenName',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'MobilePhone'    => 'mobile',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
});

1;
```
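To see what the user and group settings above actually produce before pointing RT at the directory, here is an added Python dry run (not RT's code and not from the original post) that applies the same $LDAPFilter, $LDAPMapping and $LDAPGroupMapping logic to constructed AD entries. It goes one step beyond the page by also showing the effect of excluding disabled accounts with a userAccountControl bit-AND filter, which the page's (objectClass=person) filter does not do; the entries, names and OUs are all made up for the example.

```python
"""Dry run of what RT's LDAPImport settings would produce from an AD export.
Added illustration, not RT's own code: SAMPLE_ENTRIES are constructed
stand-ins for AD objects and MAPPING mirrors $LDAPMapping in RT_SiteConfig.pm."""

MAPPING = {"Name": "sAMAccountName", "EmailAddress": "mail", "RealName": "cn"}
ACCOUNTDISABLE = 0x2  # userAccountControl bit that marks a disabled AD account

SAMPLE_ENTRIES = [  # constructed: two users (bob is disabled) and one group
    {"dn": "CN=Alice,OU=users,OU=services,DC=domain_name,DC=com",
     "objectClass": ["person", "user"], "sAMAccountName": "alice",
     "mail": "alice@domain_name.com", "cn": "Alice", "userAccountControl": 512},
    {"dn": "CN=Bob,OU=users,OU=services,DC=domain_name,DC=com",
     "objectClass": ["person", "user"], "sAMAccountName": "bob",
     "mail": "bob@domain_name.com", "cn": "Bob", "userAccountControl": 514},
    {"dn": "CN=Information Technology,OU=groups,DC=domain_name,DC=com",
     "objectClass": ["group"], "cn": "Information Technology",
     "member": ["CN=Alice,OU=users,OU=services,DC=domain_name,DC=com",
                "CN=Bob,OU=users,OU=services,DC=domain_name,DC=com"]},
]


def import_users(entries, exclude_disabled=False):
    """Emulate $LDAPFilter '(objectClass=person)' plus $LDAPMapping.
    The page's filter never skips disabled accounts; exclude_disabled stands
    for adding (!(userAccountControl:1.2.840.113556.1.4.803:=2)) to it."""
    users = {}
    for e in entries:
        if "person" not in e["objectClass"]:
            continue
        if exclude_disabled and e.get("userAccountControl", 0) & ACCOUNTDISABLE:
            continue
        users[e["sAMAccountName"]] = {f: e.get(a) for f, a in MAPPING.items()}
    return users


def import_groups(entries, users, wanted_cns):
    """Emulate $LDAPGroupMapping: Name => cn, Member_Attr => member and
    Member_Attr_Value => dn, so each member DN is resolved to an RT user Name."""
    dn_to_name = {e["dn"]: e["sAMAccountName"]
                  for e in entries if "person" in e["objectClass"]}
    groups = {}
    for e in entries:
        if "group" in e["objectClass"] and e["cn"] in wanted_cns:
            groups[e["cn"]] = sorted(n for n in map(dn_to_name.get, e["member"])
                                     if n in users)
    return groups
```

With the page's filter, the disabled account bob is imported and lands in the Information Technology group; with the stricter filter he is dropped from both, which is the behaviour you want when RT group membership drives permissions.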