[rt-users] RT & mysql / LDAP Auth

Julian Grunnell Julian.Grunnell at webfusion.com
Tue May 18 03:57:24 EDT 2010


>-----Original Message-----
>From: Mike Peachey [mailto:mike.peachey at jennic.com]
>Sent: 14 May 2010 10:33
>To: Julian Grunnell; rt-users at lists.bestpractical.com
>Subject: Re: [rt-users] RT & mysql / LDAP Auth
>
>Julian Grunnell wrote:
>
>> Right, thanks - that makes sense now. I misunderstood the use of this
>> and thought you had to define ALL the authentication methods you wanted
>> to use. So I have removed the MySQL section completely from the config
>> and tried again with different results. Using my LDAP credentials I
>> still get "Your username or password is incorrect" BUT RT has created me
>> as a user, the "Let this user be granted rights" box is unchecked and
>> I'm NOT a member of any Groups. The logs created when this was done are:
>
>1. It found you and loaded your information from LDAP just as it should.
>2. ExternalAuth cannot currently add you to any internal RT groups based
>on LDAP information, this must be done in the RT administration panels.
>3. If you want LDAP users to be automatically assigned "Let this user be
>granted rights" then you may do so with this config setting:
>  Set($AutoCreate, {Privileged => 1});
>Otherwise it will need setting manually along with group membership.
>
>
>The only thing that is now failing for you is authentication and the
>reason is now obvious:
>
>Your config
>#######################################################################
># Does authentication depend on group membership? What group name?
>'group'  =>  'GROUP_NAME',
># What is the attribute for the group object that determines membership?
>'group_attr'  =>  'GROUP_ATTR',
>#######################################################################
>
>Your log
>#######################################################################
>[Fri May 14 08:22:42 2010]
>
>[critical]:
>
>Search for (GROUP_ATTR=CN=Julian
>Grunnell,OU=Technical,OU=Users,OU=Leeds,OU=Webfusion,OU=Hosting,OU=Corp,
>DC=internal,DC=hosteurope,DC=com)
>
>
>failed: LDAP_INVALID_DN_SYNTAX 34
>
>#######################################################################
>
>You have told ExternalAuth that all ldap users must be in an ldap group
>named GROUP_NAME and that in order to confirm that the users are a
>member of that group, the members should be in the GROUP_ATTR attribute
>of that group.
>
>If you simply comment out group and group_attr it should work fine. If
>in future you wish to restrict access by group, ensure the group name is
>specified in full ldap dn form.
>--
Thanks Mike - appreciate your help with this, made the changes you
suggest and it works a treat now. Now to look at the script that can
convert to ldap style logins.

Julian.
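
The fix discussed in this thread, written out as an RT_SiteConfig.pm fragment. This is an added example, not part of the original messages or of the ExternalAuth distribution. The host name, DNs, the `member` attribute and the `attr_map` values are constructed placeholders; only `group`, `group_attr`, `$AutoCreate` and the `GROUP_NAME`/`GROUP_ATTR` template values come from the thread.

```perl
# RT_SiteConfig.pm fragment for RT::Authen::ExternalAuth (LDAP only).
# All host names and DNs below are constructed placeholders.
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);

# Optional, from the reply above: tick "Let this user be granted rights"
# for every user that is auto-created from LDAP.
Set($AutoCreate, {Privileged => 1});

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ldap.example.com',
        'base'   => 'ou=Users,dc=example,dc=com',
        'filter' => '(objectClass=person)',

        # What failed in the thread: the template values were left in place.
        # 'GROUP_NAME' is not a DN and 'GROUP_ATTR' is not a real attribute,
        # which matches the LDAP_INVALID_DN_SYNTAX error in the log, so
        # every login was refused even though the user lookup succeeded.
        # 'group'      => 'GROUP_NAME',
        # 'group_attr' => 'GROUP_ATTR',

        # Option 1: no group restriction. Leave both keys out entirely.

        # Option 2: restrict logins to one LDAP group. The group is given
        # in full DN form; group_attr names the attribute on the group
        # object that lists its members ('member' is an assumption here,
        # check your directory's schema).
        'group'      => 'cn=rt-users,ou=Groups,dc=example,dc=com',
        'group_attr' => 'member',

        # Attribute mapping (assumed names for an AD-style directory).
        'attr_match_list' => ['Name', 'EmailAddress'],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
        },
    },
});
```

Group membership inside RT itself is still assigned in the RT administration panels, as noted in the reply; the `group` key only gates who may authenticate.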



