Thursday, May 23, 2013

Request Tracker: set up external authentication via LDAPS

This is a description of how I set up my Request Tracker instance to use external authentication via LDAPS (LDAP over SSL on port 636).

  1. In the previous installment, I already added the devel:languages:perl repository. Now I install the package containing the RT::Authen::ExternAuth RT extension that will provide the external-authentication-against-LDAP functionality.
    # zypper ref
    # zypper in perl-RT-Authen-ExternalAuth
    # zypper in perl-Net-SSLeay
    # zypper in perl-ldap-ssl
    
  2. I set up SSL on my system (beyond the scope of this blog entry). At the very least, the openssl package should be installed and configured, and my LDAP server's certificates should be present in the /etc/ssl/certs directory.
  3. I tweak my openldap configuration for CA CERT as per this blog entry
  4. I read up on the RT::Authen::ExternalAuth extension (plugin). Here are the principal documentation resources I was able to find:
  5. After reading the documentation and protracted trial and error, I finally came up with the following working configuration (in RT_SiteConfig.pm):
    Set($ExternalServiceUsesSSLorTLS,    1);
    Set($ExternalSettings, { 
                             'MY_LDAP' =>  {
                                'type'            =>  'ldap',
                                'server'          =>  'ldaps://ldap.example.com',
                                'tls'             =>  0,
                                'ssl_version'     =>  3,
                                ...
    
  6. At this point, I fire up request-tracker and am able to log in with my LDAP credentials!

No comments:

Post a Comment