Monday, January 19, 2015

Request Tracker 4.2.4 - 4.2.9 - LDAP Authentication and Synchronization


  Recently I have undertaken the task of replacing the company ticketing system. I chose Request Tracker by Best Practical for a variety of reasons, the most important to me being its flexibility and customization options.

  My intent with this write-up is to show the configuration required for successful LDAP syncing and authentication between RT 4.2.4 and Active Directory. I'll also present my configuration of some other bits and pieces of the overall build.

  A couple of quick notes on how this ends up working. The LDAP sync creates and updates your user accounts and/or groups in RT. It does not disable or remove an RT account when the matching AD account is disabled or deleted, but the group sync does add and remove group members reliably, so tie permissions to AD groups rather than to individual users. A user whose AD account has been disabled still cannot log in, because RT checks the password against AD and those credentials are no longer active, even though the RT account itself stays enabled. Two caveats: rights granted directly to such a user remain on the books until someone cleans them up, and accounts created by the sync have no RT-internal password, so do not set one by hand, since an internal password would keep working after the AD account is disabled. Bottom line: use AD groups for your permission settings within RT.

My Server Build
  • CPU x2
  • RAM 4G
  • Debian 7 'wheezy'
  • VMware
    • OS Drive 20G
      • /boot -> 1G
      • swap -> 4G
      • / -> remaining
    • Data Drive (MySQL) 50G
      Mounted as /database
      How to move the database in a few quick steps. Note that rsync copies the mysql directory itself, so the data ends up in /database/mysql, and that is the path datadir has to point to:
      • /etc/init.d/mysql stop
      • rsync -avx /var/lib/mysql /database
      • chown -R mysql:mysql /database/mysql
      • mv /var/lib/mysql /var/lib/mysql.old
      • vi /etc/mysql/my.cnf
        change:
        • datadir = /database/mysql
      • /etc/init.d/mysql start
      • Once MySQL is confirmed working from the new location, remove /var/lib/mysql.old
  • Manual Download & Install of RT 4.2.4
Active Directory Assumptions:
  • LDAP is available on port 389. A plain simple bind on 389 sends the service account password across the network in cleartext, so negotiate StartTLS on 389 (or use LDAPS on 636) between RT and the domain controllers.
  • You have an account in AD that has READ rights to the domain. This should not be a Domain Administrator account, but a typical user or service account with read-only permissions. In my example, and in many real world cases, the account name is, in fact, ldapreader.
  • Variable value: domain_name.com is replaced with your domain name
  • You do not need to specify individual domain controllers. AD registers every DC in DNS under the domain name itself, so binding to the bare domain (domain_name.com) resolves to a live domain controller. If you use TLS and verify the server certificate, the DC certificates must cover the name you bind to (the domain name), not only each DC's own host name.
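The RT_SiteConfig.pm fragment below is an added example that follows the assumptions above; it is not the author's configuration (the page does not show it) and not code from Best Practical. It wires RT::Authen::ExternalAuth (login) and RT::Extension::LDAPImport (sync), the extensions RT 4.2 uses for this, to the ldapreader account. The OU paths, the bind DN, the placeholder password, the group container and the StartTLS setting are assumptions; domain_name.com is to be replaced as the page says.

```perl
# RT_SiteConfig.pm fragment: AD authentication + sync for RT 4.2 (added example,
# not the author's config). Assumed layout: ldapreader lives in CN=Users, RT
# users are under OU=Staff, RT groups are AD groups under "OU=RT Groups".

Set(@Plugins, qw(RT::Authen::ExternalAuth RT::Extension::LDAPImport));

# --- Authentication: RT::Authen::ExternalAuth -------------------------------
Set($ExternalAuthPriority, [ 'AD' ]);
Set($ExternalInfoPriority, [ 'AD' ]);
Set($AutoCreateNonExternalUsers, 0);        # only AD users get RT accounts
Set($ExternalSettings, {
    'AD' => {
        'type'   => 'ldap',
        'server' => 'domain_name.com',      # DNS hands out a live DC (page assumption)
        'user'   => 'CN=ldapreader,CN=Users,DC=domain_name,DC=com',
        'pass'   => 'ldapreader-password-here',
        'base'   => 'OU=Staff,DC=domain_name,DC=com',
        # Only real user objects may log in:
        'filter' => '(&(objectCategory=person)(objectClass=user))',
        # AD flags disabled accounts with bit 2 of userAccountControl; OID
        # 1.2.840.113556.1.4.803 is AD's bitwise-AND matching rule.  A user
        # matching d_filter is refused even though RT never disabled the account.
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'      => 1,                    # StartTLS on 389; bind password not in clear (assumption)
        'net_ldap_args'   => [ version => 3 ],
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
        },
    },
});

# --- Synchronisation: RT::Extension::LDAPImport -----------------------------
Set($LDAPHost,     'domain_name.com');
Set($LDAPUser,     'CN=ldapreader,CN=Users,DC=domain_name,DC=com');
Set($LDAPPassword, 'ldapreader-password-here');
Set($LDAPBase,     'OU=Staff,DC=domain_name,DC=com');
Set($LDAPFilter,   '(&(objectCategory=person)(objectClass=user)(mail=*))');
Set($LDAPMapping,  {
    Name         => 'sAMAccountName',
    EmailAddress => 'mail',
    RealName     => 'cn',
});
Set($LDAPCreatePrivileged, 1);   # imported users can be granted rights
Set($LDAPUpdateUsers,      1);   # refresh name/e-mail on later runs

# Groups: every AD group in this OU becomes an RT group of the same name, and
# its membership is replaced on each run (which is why rights belong on groups).
Set($LDAPGroupBase,    'OU=RT Groups,DC=domain_name,DC=com');
Set($LDAPGroupFilter,  '(objectClass=group)');
Set($LDAPGroupMapping, {
    Name        => 'cn',
    Member_Attr => 'member',     # AD lists members as DNs in 'member'
});
Set($LDAPImportGroupMembers, 1); # also create users found only via group membership
```

Run `rt-ldapimport --verbose` first: without `--import` it performs a dry run and reports what it would create or change, which is the place to confirm the filters match the expected users and groups before writing anything. Then schedule `rt-ldapimport --import` from cron as the rt user. Authentication does not depend on the import having run: a user who matches `filter`, does not match `d_filter` and supplies a valid AD password is created on first login.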
RT_SiteConfig.pm
