[rt-users] LDAP integration works great EXCEPT group membership test

RT Lists lists_rt at amnesiamachine.com
Fri Feb 29 14:59:36 EST 2008


Good day all!

I've set up LDAP integration on a fresh RT 3.6.6 install to authenticate
with our Windows 2003 Active Directory, as per
http://wiki.bestpractical.com/view/LDAP.  It seems to be working quite
nicely (including authentication and user record field population), with one
exception: enabling group membership checks breaks things.

These are the lines for our LDAP group settings in RT_SiteConfig.pm:

# If you set these, only members of this group can auth via LDAP
Set($LdapGroup, 'cn=RT,ou=ITST,ou=Everyone,dc=domain,dc=tld');
Set($LdapGroupAttr, 'uniqueMember');

The group RT in the OU ITST in the OU Everyone in the AD root definitely
exists.  It contains users that can log in just fine if those lines are
commented out and RT is restarted.  When we try to log in with these
settings uncommented, the web interface says "Error: Your username or
password is incorrect" and we get these lines in the debug logs:

Feb 29 12:32:26 stilgar RT: RT::User::CanonicalizeUserInfo  called by RT::User /var/www/rt/local/lib/RT/User_Local.pm 628 with: Name: rttestuser
Feb 29 12:32:26 stilgar RT: RT::User::LookupExternalUserInfo called with baseDN "dc=domain,dc=tld" and filter "sAMAccountName=rttestuser" by RT::User /var/www/rt/local/lib/RT/User_Local.pm 404
Feb 29 12:32:26 stilgar RT: RT::User::CanonicalizeEmailAddress : called with "rttestuser@domain.tld" by RT::User /var/www/rt/local/lib/RT/User_Local.pm 413
Feb 29 12:32:26 stilgar RT: RT::User::LookupExternalUserInfo called with baseDN "dc=domain,dc=tld" and filter "mail=rttestuser@domain.tld" by RT::User /var/www/rt/local/lib/RT/User_Local.pm 343
Feb 29 12:32:26 stilgar RT: FOUND OK
Feb 29 12:32:26 stilgar RT: UPDATED user rttestuser from LDAP
Feb 29 12:32:26 stilgar RT: RT::User::CanonicalizeUserInfo  called by RT::User /var/www/rt/local/lib/RT/User_Local.pm 628 with: Name: rttestuser
Feb 29 12:32:26 stilgar RT: RT::User::LookupExternalUserInfo called with baseDN "dc=domain,dc=tld" and filter "sAMAccountName=rttestuser" by RT::User /var/www/rt/local/lib/RT/User_Local.pm 404
Feb 29 12:32:26 stilgar RT: RT::User::CanonicalizeEmailAddress : called with "rttestuser@domain.tld" by RT::User /var/www/rt/local/lib/RT/User_Local.pm 413
Feb 29 12:32:26 stilgar RT: RT::User::LookupExternalUserInfo called with baseDN "dc=domain,dc=tld" and filter "mail=rttestuser@domain.tld" by RT::User /var/www/rt/local/lib/RT/User_Local.pm 343
Feb 29 12:32:26 stilgar RT: FOUND OK
Feb 29 12:32:26 stilgar RT: UPDATED user rttestuser from LDAP
Feb 29 12:32:26 stilgar RT: Trying LDAP authentication
Feb 29 12:32:26 stilgar RT: RT::User::IsLDAPPassword Found LDAP DN: CN=rttestuser,OU=ITST,OU=Everyone,DC=domain,dc=tld
Feb 29 12:32:26 stilgar RT: RT::User::IsLDAPPassword AUTH FAILED: rttestuser

Additional LDAP settings in RT_SiteConfig.pm:

Set($LdapServer, 'dc.domain.tld');
Set($LdapBase, 'dc=domain,dc=tld');
Set($LdapFilter, '(objectclass=*)');
Set($LdapUser, 'cn=ldapuser,ou=ITST,ou=Everyone,dc=domain,dc=tld');
Set($LdapPass, 'passwordgoeshere');

I've been banging my head against the wall on this for a while and am
starting to run out of ideas.  If any of you fine folks can offer a
suggestion, it would be highly appreciated :)

-Matt
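An added example, not from Matt's post and not RT's own User_Local.pm code: a stand-alone Python model of the gate that the $LdapGroup / $LdapGroupAttr lines describe (a base-scope lookup on the group entry for "(groupAttr=userDN)"). It assumes an Active Directory group, which records its members in the 'member' attribute ('uniqueMember' belongs to OpenLDAP's groupOfUniqueNames class), and it runs against a constructed in-memory snapshot of the two entries from the post rather than a live directory controller. It also shows the two properties a practitioner wants from such a gate: the user DN is escaped per RFC 4515 before it goes into a filter, and a missing group or attribute fails closed (deny) rather than open.

```python
"""Model of an LDAP group-membership gate (added example, not RT's code)."""
import re
from typing import Dict, List, Tuple

# Constructed snapshot of the entries involved; not a real directory dump.
# Keys are normalized DNs (see normalize_dn). The group is AD-style, so its
# members live in 'member' and there is no 'uniqueMember' at all.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=rt,ou=itst,ou=everyone,dc=domain,dc=tld": {
        "objectClass": ["top", "group"],
        "member": [
            "CN=rttestuser,OU=ITST,OU=Everyone,DC=domain,DC=tld",
            # Constructed member whose DN contains filter metacharacters.
            "CN=Smith (Admin),OU=ITST,OU=Everyone,DC=domain,DC=tld",
        ],
    },
    "cn=rttestuser,ou=itst,ou=everyone,dc=domain,dc=tld": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["rttestuser"],
    },
}


def normalize_dn(dn: str) -> str:
    """Lower-case and trim each RDN so comparisons behave like the
    directory's case-insensitive DN matching (the log shows DC=domain,dc=tld)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping: a DN or username placed inside a filter must not be
    able to change the filter's structure."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)


def membership_filter(group_attr: str, user_dn: str) -> str:
    """Build the equality filter the gate searches the group entry with."""
    return f"({group_attr}={ldap_filter_escape(user_dn)})"


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_equality_filter(flt: str) -> Tuple[str, str]:
    """Parse a single '(attr=value)' filter; the server side of the model."""
    m = re.fullmatch(r"\((\w[\w;.-]*)=(.*)\)", flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt}")
    return m.group(1), _unescape(m.group(2))


def get_attr(entry: Dict[str, List[str]], attr: str) -> List[str]:
    """Attribute names are case-insensitive in LDAP."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return values
    return []


def entry_matches(entry: Dict[str, List[str]], flt: str) -> bool:
    attr, wanted = parse_equality_filter(flt)
    return any(normalize_dn(v) == normalize_dn(wanted) for v in get_attr(entry, attr))


def check_group_membership(directory, group_dn: str, group_attr: str,
                           user_dn: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything unexpected denies: the gate is an
    authorization control, so a misconfiguration must fail closed."""
    group = directory.get(normalize_dn(group_dn))
    if group is None:
        return False, "group entry not found"
    if not get_attr(group, group_attr):
        return False, f"group has no {group_attr!r} attribute"
    flt = membership_filter(group_attr, user_dn)
    if entry_matches(group, flt):
        return True, f"{flt} matched"
    return False, f"{flt} did not match"


if __name__ == "__main__":
    group = "cn=RT,ou=ITST,ou=Everyone,dc=domain,dc=tld"
    user = "CN=rttestuser,OU=ITST,OU=Everyone,DC=domain,dc=tld"
    for attr in ("uniqueMember", "member"):
        print(attr, check_group_membership(DIRECTORY, group, attr, user))
```

Against a live controller the same question can be asked with the service account from the post, for example `ldapsearch -x -H ldap://dc.domain.tld -D 'cn=ldapuser,ou=ITST,ou=Everyone,dc=domain,dc=tld' -W -b 'cn=RT,ou=ITST,ou=Everyone,dc=domain,dc=tld' -s base '(member=CN=rttestuser,OU=ITST,OU=Everyone,DC=domain,DC=tld)'`; an empty result with `member` as well points at the group's contents or the bind account's read rights rather than the attribute name. The deny-by-default branches are deliberate: an attribute name that does not exist on the group should lock everyone out, as the post's logs show, never let everyone in.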