I have a single organizational unit in the AD server for the purpose of integrating many desktop PCs. Now, I have installed Request Tracker v 4.0.8 and integrated it with the AD server. The issue is that I don't want all the users who are in the AD server to be able to authenticate to the RT server. I would like only some of them to authenticate to the RT server. The condition is that I don't want to create a new organizational unit, and I don't want to create a separate user for RT within the AD server. I would just like to use a single user name for both desktop integration and RT. How can I achieve this?

FELDAP

1 Answer

If you used the LDAP module, you can create the query string to limit the users to a specific LDAP group. I did this at $OLDJOB, but I haven't saved the config files so I can't paste a working example here.

Anyway, the line in your RT_SiteConfig.pm file you need to edit is this:

'filter'                    =>  '(FILTER_STRING)'

in the LDAP segment.

Edit: A second look into the demo RT_SiteConfig.pm caused me to remember that RT is clever enough to do this without a combined search for user and memberOf operation. See these lines in the default config file for the LDAP auth module:

# What is the attribute for the group object that determines membership?
'group_attr'                =>  'GROUP_ATTR',
# What is the attribute of the user entry that should be matched against group_attr above? (Optional; defaults to 'dn')
'group_attr_value'          =>  'GROUP_ATTR_VALUE',
Sven
  • Thank you. But I'm not using the LDAP module. I'm using this solution: http://serverfault.com/a/462090/147369. Any light? – FELDAP Jan 07 '13 at 05:19
  • Have a look into http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html#reqgroup – Sven Jan 07 '13 at 05:23
  • I have read the documentation you provided and I'm a bit confused about which option to use. I would like to authenticate the users who are in the group called "rt_group". How do I add this to the config file? I tried various options, but they don't work, or it still authenticates the users irrespective of the group they are in. – FELDAP Jan 07 '13 at 06:33
  • Sorry, I've never used mod_auth_ldap on Apache, and certainly not against AD. – Sven Jan 07 '13 at 06:38
  • Got the answer. Help link: http://serverfault.com/questions/269344/how-to-authenticate-users-in-nested-groups-in-apache-ldap . I should use the "Require ldap-group" parameter. – FELDAP Jan 07 '13 at 08:42
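
The group restriction the comments arrive at, written out as an added example (not taken from the thread or from either linked post). It shows an Apache `mod_authnz_ldap` block with the permissive setting beside the restricted one. Only the group name `rt_group` comes from the page; the `/rt` location, host name, base DN, OU name and bind account are assumed placeholders.

```apache
# Constructed example: host, DNs, OU name and bind account are placeholders.
<Location /rt>
    AuthType Basic
    AuthName "Request Tracker"
    AuthBasicProvider ldap

    # Look users up by sAMAccountName so the existing desktop login name is reused.
    # ldaps:// protects the bind between Apache and the domain controller.
    AuthLDAPURL "ldaps://dc1.example.com:636/OU=Staff,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=rt-bind,OU=Staff,DC=example,DC=com"
    AuthLDAPBindPassword "REPLACE_ME"

    # AD group objects list their members as full DNs in the "member" attribute.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Permissive: every account in the OU that can bind is admitted.
    # Require valid-user

    # Restricted: only direct members of rt_group are admitted.
    Require ldap-group CN=rt_group,OU=Staff,DC=example,DC=com
</Location>
```

If both `Require` lines are active in the same block, Apache admits a request that satisfies either one, so `Require valid-user` has to be removed or commented out for the group check to limit access.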