[rt-users] LDAP authentication..

TeleMole telemole at gmail.com
Tue Nov 29 11:35:20 EST 2005


Hi - Thanks again for all your help - I'm crawling along :)  I do have
a whack more questions if you have the stomach for it..

> Well, that seems like a pretty straightforward error: user_local.pm is
> trying to perform an ldap bind, and failing.

Yes - I am now an LDAP error expert :) I have a chart of errors on my
desk in front of me for troubleshooting...

> Can you manually use a tool like ldapsearch to bind and search with
> the same username/password you're providing to RT?

Our apache config authenticates by ldap to allow access to the root of
the web server - using these credentials and using CN as the unique
identifier - successfully... so I have to expect these to be correct.


>
> > Set($LdapAuthUidAttr,           'cn');
>
> Urk, this is almost certainly wrong.  I say "almost", because I've
> never used the Novell Directory Server here, but what you're looking
> for here is your LDAP schema's equivalent to a unix/posix "uid"
> attribute.  In an ActiveDirectory server, that would be
> "sAMAccountName".  I believe most OpenLDAP and SunONE/Netscape LDAP
> servers use "username", although don't quote me on that. :

We want the behaviour to be people using their 'account' name (the
first part of their email address) as the login - and from all
indicators, it does look to be CN in Novell LDAP - this is mapped to
CN in our tree - which IS the user's account name (mine returns
cn=sdaniels,ou=people,o=ourcorp) successfully when authenticating by
LDAP through Apache to SEE the web pages.

>
> > Set($LdapMailSearchAttr,        'mail');
>
> You'll want to make sure that 'mail' is, in fact, the attribute name
> in your schema for the user's email address.
>
> > %RT::LdapMailResultMap = (
> >         'cn'                    => 'Name',
> >         'mail'                  => 'EmailAddress',
> >         'cn'                    => 'RealName',
> >         );
>
> The first use of 'cn' there is almost certainly wrong: cn should map
> to RealName, but something else, probably 'uid' or 'username' will map
> to the Name field.

I think it's clear I don't understand the process that these variables
are used for - but if I am trying to define what piece of data I want
used for their username in RT - it should be cn to match their
username in Novell NetWare.


The whole mod is a little unclear to me in its function, though what
I read about its behaviour is definitely what I want in the end - I'm
just still not sure how to get there - the example configs everyone
has sent have been helpful in improving my understanding - but don't
offer me a working example in my environment.

Thanks again to all for your help thus far - I hope to hear back from you!

Cheers,

Sean Daniels
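As an added example, not part of either poster's message and not RT's own code: a small Perl script that applies the posted %RT::LdapMailResultMap to a constructed directory entry. It shows why the replier flags the repeated 'cn' key: a Perl hash built from a list keeps only the last value for a duplicated key, so the map collapses to two entries and the Name field is never filled. The entry values (sdaniels, example.com) are made up for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The map exactly as posted in the thread. Perl keeps the LAST value for
# a repeated hash key, so 'cn' => 'Name' is silently discarded and only
# 'cn' => 'RealName' survives.
my %posted_map = (
    'cn'   => 'Name',
    'mail' => 'EmailAddress',
    'cn'   => 'RealName',
);

# Constructed sample entry (attribute => value), standing in for what a
# search for cn=sdaniels might return; not real directory data.
my %entry = (
    cn   => 'sdaniels',
    mail => 'sdaniels@example.com',
    sn   => 'Daniels',
);

# Derive RT user fields from a result map (ldap attr => RT field) and
# an entry; attributes missing from the entry leave the field unset.
sub map_entry {
    my ($map, $entry) = @_;
    my %user;
    for my $attr (keys %$map) {
        $user{ $map->{$attr} } = $entry->{$attr} if exists $entry->{$attr};
    }
    return \%user;
}

my $user = map_entry(\%posted_map, \%entry);

# The hash has 2 keys, not 3, and cn now points only at RealName.
printf "map keys: %d, cn => %s\n", scalar(keys %posted_map), $posted_map{cn};

# Name comes out unset because no surviving key maps to it.
for my $field (qw(Name EmailAddress RealName)) {
    printf "%-13s %s\n", $field,
        defined $user->{$field} ? $user->{$field} : '(unset)';
}
```

Because the map is keyed by LDAP attribute, a single attribute such as cn can only feed one RT field through it; that is the constraint behind the replier's advice to map the login attribute (uid or its Novell equivalent) to Name and cn to RealName.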
