[rt-users] Has anyone successfully configured LDAP to authenticate against AD with version 4.0.1?

josh.cole josh.cole at fresno.edu
Mon Aug 29 12:39:12 EDT 2011


Thank you for your response. So just to make sure I understand, if the users
I want to be able to authenticate in RT are not in the OU specified it will
not work? So I should move those users to whatever the OU is that I specify
in the base?

Andrew Wagner-4 wrote:
> 
> 1.  For group_attr, you want the term to be 'member'.  That checks for 
> membership in the group.
> 
> 2.  For your base, you need to choose the next highest level of Active 
> Directory beyond where your users are stored.  This means you need to 
> specify the OU where your users are, not just a random "Users" OU.
> 
> Andrew Wagner
> Assistant Network Administrator
> aawagner at wisc.edu
> 265-5710
> Room 370B
> Wisconsin Center for Education Research (WCER)
> www.wcer.wisc.edu
> 
> 
> On 8/29/2011 11:26 AM, josh.cole wrote:
>> I am trying to make this work. I installed the latest version of
>> ExternalAuth. I am working with Request Tracker for the first time, just
>> upgraded from 3.8.7 to 4.0.1. There are a few things that I think are off
>> but I am not sure what the correct solution is.
>>
>> 1. I am not sure what to use for the group_attr. I want to have users in
>> the group Request-Tracker inside of AD be able to authenticate with their
>> credentials when logging into RT, and I believe the filter is set
>> correctly other than what needs to be added for the group_attribute. I am
>> not sure what that should be.
>>
>> 2. For my base statement, I am specifying the Users OU but none of my
>> users are in that OU. I am not sure exactly what it's looking for there.
>>
>> Any help is appreciated!
>> ExternalAuth config:
>>
>> I have added the following to my RT_SiteConfig.pm:
>>
>> @RT::MailPlugins = ("RT::Authen::ExternalAuth");
>> Set(@Plugins, qw(RT::Authen::ExternalAuth) );
>> Set($ExternalAuthPriority,  [ 'Active_Directory' ] );
>> Set($ExternalInfoPriority,  [ 'Active_Directory' ] );
>> Set($AutoCreateNonExternalUsers,    0);
>>
>> Set($ExternalSettings, {
>>     'Active_Directory' => {
>>         'type'   => 'ldap',
>>         'auth'   => 1,
>>         'info'   => 1,
>>         'server' => 'rt.mydomain.local',
>>         'base'   => 'OU=Users,DC=mydomain,DC=local',
>>         # The filter to use to match RT-Users
>>         'filter' => '(objectclass=person)',
>>         # The filter that will only match disabled users
>>         'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>         # Should we try to use TLS to encrypt connections?
>>         'tls' => 0,
>>         # What other args should I pass to Net::LDAP->new($host, @args)?
>>         'net_ldap_args' => [ version => 3 ],
>>         # Does authentication depend on group membership? What group name?
>>         'group' => 'Request-Tracker',
>>         # What is the attribute for the group object that determines membership?
>>         #'group_attr' => 'GROUP_ATTR',
>>         ## RT ATTRIBUTE MATCHING SECTION
>>         # The list of RT attributes that uniquely identify a user
>>         'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
>>         # The mapping of RT attributes on to LDAP attributes
>>         'attr_map' => {
>>             'Name'           => 'sAMAccountName',
>>             'EmailAddress'   => 'mail',
>>             'Organization'   => 'physicalDeliveryOfficeName',
>>             'RealName'       => 'displayName',
>>             'ExternalAuthId' => 'sAMAccountName',
>>             'Gecos'          => 'sAMAccountName',
>>             'WorkPhone'      => 'telephoneNumber',
>>             'Address1'       => 'streetAddress',
>>             'City'           => 'l',
>>             'State'          => 'st',
>>             'Zip'            => 'postalCode',
>>             'Country'        => 'co'
>>         }
>>     }
>> }
>> );
>>

-- 
View this message in context: http://old.nabble.com/Has-anyone-sucessfully-configured-LDAP-to-authenticate-against-AD-with-version-4.0.1--tp32358024p32358276.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.
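
Added example (not part of the original thread, and not RT::Authen::ExternalAuth's own code): a small Python model of the two checks discussed above, the search base and the group 'member' attribute. It assumes a subtree-scope search under 'base' and a group whose 'member' values are user DNs; the Staff and Groups OUs and the user names are hypothetical.

```python
# Constructed sample directory data; OUs and names are hypothetical.
USER = r"CN=Doe\, Jane,OU=Staff,DC=mydomain,DC=local"
OUTSIDER = "CN=Temp Account,OU=Staff,DC=mydomain,DC=local"
GROUP = {
    "dn": "CN=Request-Tracker,OU=Groups,DC=mydomain,DC=local",
    "member": [USER],  # AD stores full member DNs in this attribute
}


def parse_dn(dn):
    """Split a DN into normalized RDNs, honouring backslash-escaped commas."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
    rdns.append(cur)
    # DN comparison is treated as case-insensitive here.
    return ["=".join(p.strip().lower() for p in r.split("=", 1)) for r in rdns]


def in_subtree(entry_dn, base_dn):
    """True if entry_dn is the base itself or sits anywhere beneath it."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def can_log_in(user_dn, base_dn, group_entry, group_attr="member"):
    """Model of the two gates: found under 'base', then listed in the group."""
    if not in_subtree(user_dn, base_dn):
        return False  # a search under this base never returns the user
    members = [parse_dn(m) for m in group_entry.get(group_attr, [])]
    return parse_dn(user_dn) in members


if __name__ == "__main__":
    for base in ("OU=Users,DC=mydomain,DC=local",   # base from the posted config
                 "OU=Staff,DC=mydomain,DC=local",   # OU that holds the users
                 "DC=mydomain,DC=local"):           # any ancestor also matches
        print(base, "->", can_log_in(USER, base, GROUP))
```

A wider base such as the domain root also finds the user, but it exposes every matching account under it to the lookup, so the group check is what keeps logins limited to Request-Tracker members.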