[rt-users] LDAP authentication..

Nathan J. Mehl rtusers at memory.blank.org
Tue Nov 29 09:30:02 EST 2005


In the immortal words of TeleMole (telemole at gmail.com):
> That is rectified - now the only success I am having is getting as
> far as attempting to authenticate to the webserver - entering
> credentials in the window - then getting a failure message - my web
> log shows the following :
> 
> Mon Nov 28 15:15:33 2005] [error] [client 192.75.12.248] FastCGI:
> server "/opt/rt3/bin/mason_handler.fcgi" stderr: [Mon Nov 28 20:15:33
> 2005] [critical]: IsLdapPassword: Cannot bind to LDAP:  retval= 48  
> LDAP_INAPPROPRIATE_AUTH (/opt/rt3/lib/RT/User_Local.pm:382)

Well, that seems like a pretty straightforward error: user_local.pm is
trying to perform an ldap bind, and failing.

Can you manually use a tool like ldapsearch to bind and search with
the same username/password you're providing to RT?

> Set($LdapUser,                  'cn=ldap_proxy,o=ourcorp');
> #Set($LdapPass,                 '');

Question the first: is "cn=ldap_proxy,o=ourcorp", with no password,
actually a DN that can bind and search?

> #Set($LdapAuthBase,             "o=ourcorp");

You probably want to actually set $LdapAuthBase to something
reasonable here, just so that every search doesn't have to traverse
the whole tree.

> Set($LdapAuthUidAttr,           'cn');

Urk, this is almost certainly wrong.  I say "almost", because I've
never used the Novell Directory Server here, but what you're looking
for here is your LDAP schema's equivalent to a unix/posix "uid"
attribute.  In an ActiveDirectory server, that would be
"sAMAccountName".  I believe most OpenLDAP and SunONE/Netscape LDAP
servers use "username", although don't quote me on that. :)

> #Set($LdapAuthFilter,           '(objectClass=user)');
> #Set($LdapMailBase,             'cn=Users,dc=ourcorp,dc=ca');
> #Set($LdapMailFilter,           '(objectClass=user)');

Again, probably best to set up filters here, just to keep the results
tree manageable.

> Set($LdapMailSearchAttr,        'mail');

You'll want to make sure that 'mail' is, in fact, the attribute name
in your schema for the user's email address.

> %RT::LdapMailResultMap = (
>         'cn'                    => 'Name',
>         'mail'                  => 'EmailAddress',
>         'cn'                    => 'RealName',
>         );

The first use of 'cn' there is almost certainly wrong: cn should map
to RealName, but something else, probably 'uid' or 'username' will map
to the Name field.

-n

------------------------------------------------------<memory at blank.org>
"You've got to hand it to postmodernism: no other literary movement in
history ever spread so much boredom in the name of playfulness."
                                                          (--B.R. Myers)
<http://blank.org/memory/>----------------------------------------------
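The "bind and search by hand" check Nathan asks for, as a standalone script. This is an added example, not code from RT or from the User_Local.pm overlay being discussed; it is assumed here that the overlay's IsLdapPassword does the usual three steps (bind as the proxy account, search for the user's entry by the uid attribute, then re-bind as the entry's DN with the password the user typed), and it performs each step separately so you can see which one returns the error. The host name, the attribute names and the proxy DN/password are taken from the quoted config or are placeholders, not values verified against the poster's directory. One practitioner caveat it builds in: a simple bind that carries a DN but an empty password is an "unauthenticated bind" (RFC 4513 section 5.1.2), which servers that disallow it answer with inappropriateAuthentication, result code 48, and which servers that allow it may treat as an anonymous success, so the script refuses to send an empty user password at step 3 rather than let that pass as a login.

```perl
#!/usr/bin/perl
# Added diagnostic for the "Cannot bind to LDAP: retval=48" failure.
# NOT RT's own code: it replays, by hand, what the LDAP overlay is
# assumed to do, one step at a time, so the failing step is visible.
#   1. bind as $LdapUser / $LdapPass (the proxy account)
#   2. search $LdapAuthBase for the user by $LdapAuthUidAttr
#   3. re-bind as the DN found, with the password the user typed
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util     qw(escape_filter_value);
use Net::LDAP::Constant qw(LDAP_INAPPROPRIATE_AUTH);

# Values copied from the quoted RT_SiteConfig.pm, plus an assumed host.
my %cfg = (
    host     => 'ldap.example.org',          # assumed placeholder
    proxy_dn => 'cn=ldap_proxy,o=ourcorp',   # $LdapUser from the config
    proxy_pw => $ENV{LDAP_PROXY_PW} // '',   # $LdapPass was commented out
    base     => 'o=ourcorp',                 # $LdapAuthBase
    uid_attr => 'cn',                        # $LdapAuthUidAttr, under discussion
    filter   => '(objectClass=user)',        # $LdapAuthFilter
);

my ($user, $pass) = @ARGV;
die "usage: $0 <username> <password>\n" unless defined $pass;

my $ldap = Net::LDAP->new($cfg{host}) or die "connect to $cfg{host}: $@\n";

# Step 1: proxy bind. An empty $LdapPass makes this an unauthenticated
# bind (DN, no password); a server that disallows those answers with
# inappropriateAuthentication (48), the retval seen in the log.
my $mesg = $ldap->bind($cfg{proxy_dn}, password => $cfg{proxy_pw});
report('proxy bind', $mesg);
if ($mesg->code == LDAP_INAPPROPRIATE_AUTH && $cfg{proxy_pw} eq '') {
    print "hint: the proxy DN was sent with an empty password; set \$LdapPass\n";
}
exit 1 if $mesg->code;

# Step 2: look the user up. The typed name is escaped per RFC 4515 so
# that characters like '*' or ')' cannot alter the filter.
my $filter = sprintf '(&%s(%s=%s))',
    $cfg{filter}, $cfg{uid_attr}, escape_filter_value($user);
$mesg = $ldap->search(base => $cfg{base}, scope => 'sub',
                      filter => $filter, attrs => ['mail']);
report("search $filter", $mesg);
exit 1 if $mesg->code;
if ($mesg->count != 1) {
    printf "search matched %d entries; check \$LdapAuthUidAttr and the base/filter\n",
        $mesg->count;
    exit 1;
}
my $entry = $mesg->entry(0);
my $dn    = $entry->dn;
printf "found %s (mail=%s)\n", $dn, $entry->get_value('mail') // '<none>';

# Step 3: bind as the user. Refuse an empty password outright: sending
# one is an unauthenticated bind, which some servers accept as anonymous.
die "refusing to bind with an empty password for $dn\n" if $pass eq '';
$mesg = $ldap->bind($dn, password => $pass);
report('user bind', $mesg);
exit 1 if $mesg->code;
print "authenticated as $dn\n";
$ldap->unbind;

# Print the step name, the numeric result code and the server's text.
sub report {
    my ($step, $m) = @_;
    printf "%-40s code=%d %s\n", $step, $m->code,
        $m->code ? $m->error : 'ok';
}
```

Run it as `LDAP_PROXY_PW=... ./ldapcheck.pl someuser 'their password'`. If the proxy bind already fails with code 48, the problem is the commented-out $LdapPass and nothing RT does later matters; if the proxy bind succeeds but the search matches zero entries, the attribute named in $LdapAuthUidAttr (or the base/filter) is what to fix; only when both of those pass does a failure at the user bind mean the credentials themselves are wrong.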