[rt-users] LDAP Integration in RT

Randy Thompson rthompson at handmark.com
Thu Apr 26 18:44:13 EDT 2007


All,

I'm having some LDAP woes with RT. I've followed the instructions from
"New Installs"; this is a new installation of rt-3.6.3.

Here are the instructions I've followed:

Installation is very straightforward if you haven't installed any
previous LDAP auth/info implementations and don't currently have a
User_Local.pm.

1. Copy the code from LdapUserLocalOverlay
<http://wiki.bestpractical.com/index.cgi?LdapUserLocalOverlay> into
${RTHOME}/local/lib/RT/User_Local.pm (if it doesn't exist, create it)

2. Copy the config settings from LdapSiteConfigSettings
<http://wiki.bestpractical.com/index.cgi?LdapSiteConfigSettings> into
${RTHOME}/etc/RT_SiteConfig.pm (I'd put it at the end, but it shouldn't
matter)

3. Customize the configuration settings; pay careful attention to
LdapAttrMap <http://wiki.bestpractical.com/index.cgi?LdapAttrMap>, which
is a hash reference to map RT's attributes to the appropriate fields of
your LDAP schema. *It's very unlikely that the LdapAttrMap
<http://wiki.bestpractical.com/index.cgi?LdapAttrMap> shown in
LdapSiteConfigSettings
<http://wiki.bestpractical.com/index.cgi?LdapSiteConfigSettings> will
work for you without customization! In particular, ActiveDirectory
<http://wiki.bestpractical.com/index.cgi?ActiveDirectory> users should
map:*

Name => 'sAMAccountName'

If your LDAP server does not allow anonymous binding, $LdapUser
<http://wiki.bestpractical.com/index.cgi?LdapUser> and $LdapPass
<http://wiki.bestpractical.com/index.cgi?LdapPass> should be set to the
appropriate DN and password for the initial connection.

4. Optionally, copy the code from LdapAutocreateAuthCallback
<http://wiki.bestpractical.com/index.cgi?LdapAutocreateAuthCallback>
into ${RTHOME}/local/html/Callbacks/LDAP/autohandler/Auth (most likely
this doesn't exist, so create it)

5. If you haven't already done so, you will need to install the Perl
Net::LDAP module from CPAN. ( perl -MCPAN -eshell ; install Net::LDAP ).

6. Stop your RT instance (e.g., /sbin/service httpd stop ) and
CleanMasonCache
<http://wiki.bestpractical.com/index.cgi?CleanMasonCache> then start the
web server back up.


Here's what I've done, so far:

- I've installed the Net::LDAP module and set $AuthMethod for LDAP only;
  Internal is disabled. Existing internal users still authenticate.
- Added the relevant pieces to /opt/rt3/etc/RT_SiteConfig.pm for LDAP
  support from http://wiki.bestpractical.com/index.cgi?LdapOverlay
- Configured the parameters for $LdapServer, $LdapBase, $LdapFilter
- Enabled debugging (aware of the passwords getting logged; using a test
  account), but that only tells me that it didn't work. Any way to set
  this for more output?
- Copied User_Local.pm into /opt/rt3/local/lib
- Stopped and restarted Apache after making changes and cleared
  /opt/rt3/var/mason_data/obj/*, as needed.

Sample from rt.log contains:

[Thu Apr 26 22:12:23 2007] [error]: FAILED LOGIN for jsamples from
<ip-address> (/opt/rt3/share/html/autohandler:249)

I can't see anything from the RT side or the LDAP side;
/var/log/ldap.log shows nothing out of the ordinary;  they're not even
talking to each other from what I can tell.

Relevant software

Web server:  Apache 2.0.54
RT version:  3.6.3
Perl version:  5.8.7
OS:    Linux
LDAP:  OpenLDAP 2.2.28

I've been through some of the archives (it's late in the day), but
haven't had any luck.  Any help or advice is greatly appreciated!

Best regards,
Randy Thompson
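The check below is an added example for readers of this thread; it is not part of the original post, of RT, or of the wiki overlay code. It walks the same connect, bind, search sequence that the LdapOverlay performs for a login, but from a stand-alone script, so a failure at the TCP connect or initial-bind step shows up immediately instead of as a bare "FAILED LOGIN" in rt.log with nothing in ldap.log. The $LdapServer, $LdapBase, $LdapFilter, $LdapUser, $LdapPass and LdapAttrMap values are placeholders that mirror the RT_SiteConfig.pm settings the post mentions and must be replaced with your own; the port, timeout and the LDAP_TEST_PASSWORD environment variable are assumptions of this script, not overlay settings.

```perl
#!/usr/bin/perl
# Stand-alone LDAP connectivity check for an RT LdapOverlay setup.
# Added example, not code from the original post, RT, or the wiki overlay.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# --- placeholders: copy the values from your RT_SiteConfig.pm here ---
my $LdapServer  = 'ldap.example.com';                 # placeholder host
my $LdapBase    = 'ou=People,dc=example,dc=com';      # placeholder base DN
my $LdapFilter  = '(objectClass=inetOrgPerson)';      # placeholder filter
my $LdapUser    = '';   # bind DN; leave empty to test an anonymous bind
my $LdapPass    = '';
my %LdapAttrMap = ( Name => 'uid', EmailAddress => 'mail', RealName => 'cn' );

my $rt_login = shift @ARGV or die "usage: $0 <rt-login-name>\n";

# 1. Reachability. If this fails, RT never gets a connection to talk on,
#    which is why neither rt.log nor ldap.log shows any LDAP traffic.
my $ldap = Net::LDAP->new($LdapServer, port => 389, timeout => 10)
    or die "cannot connect to $LdapServer: $@\n";

# 2. Initial bind, as the overlay does before it searches for the user.
my $mesg = $LdapUser ne ''
    ? $ldap->bind($LdapUser, password => $LdapPass)
    : $ldap->bind;                                    # anonymous bind
die "initial bind failed: " . $mesg->error . " (code " . $mesg->code . ")\n"
    if $mesg->code;
print "initial bind ok\n";

# 3. Look the login name up through the Name mapping, AND-ed with the
#    site filter. The login value is escaped so characters such as '*'
#    or '(' in a typed username cannot change the filter's meaning.
my $name_attr = $LdapAttrMap{Name};
my $filter    = "(&($name_attr=" . escape_filter_value($rt_login) . ")$LdapFilter)";
$mesg = $ldap->search(
    base   => $LdapBase,
    scope  => 'sub',
    filter => $filter,
    attrs  => [ values %LdapAttrMap ],
);
die "search failed: " . $mesg->error . "\n" if $mesg->code;

my @entries = $mesg->entries;
printf "filter %s matched %d entr%s\n", $filter, scalar @entries,
    @entries == 1 ? 'y' : 'ies';
# Zero matches: wrong base/filter/attribute. Several: the login is not
# unique. Either way RT cannot log this user in, so stop here.
exit 1 unless @entries == 1;

# 4. Show what the overlay would read for each mapped RT attribute and
#    flag empty ones; a missing EmailAddress or RealName is a common
#    reason an otherwise correct lookup still fails at user creation.
my $entry = $entries[0];
print "dn: ", $entry->dn, "\n";
for my $rt_attr (sort keys %LdapAttrMap) {
    my $val = $entry->get_value($LdapAttrMap{$rt_attr});
    printf "  %-13s <- %-16s = %s\n", $rt_attr, $LdapAttrMap{$rt_attr},
        defined $val ? $val : '(MISSING)';
}

# 5. Optional: re-bind as the found entry to confirm the password check
#    itself works, using the test account's password from the environment
#    so it does not land in shell history or a log file.
if (defined $ENV{LDAP_TEST_PASSWORD}) {
    my $m = $ldap->bind($entry->dn, password => $ENV{LDAP_TEST_PASSWORD});
    print $m->code ? "user bind FAILED: " . $m->error . "\n" : "user bind ok\n";
}
$ldap->unbind;
```

Run it on the RT host as the same user the web server runs as, e.g. `LDAP_TEST_PASSWORD=... perl ldapcheck.pl jsamples`, so that firewall rules, /etc/hosts and Perl module paths are the ones Apache actually sees. The step that fails tells you where to look: a connect error means the server or port in $LdapServer is wrong or blocked; a bind error means $LdapUser/$LdapPass (or anonymous access) is the problem; zero or multiple matches mean $LdapBase, $LdapFilter or the Name entry of LdapAttrMap needs adjusting before RT's own login can succeed.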

