[rt-users] Has anyone successfully configured LDAP to authenticate against AD with version 4.0.1?

Andrew Wagner aawagner at wisc.edu
Mon Aug 29 12:41:58 EDT 2011


Yes, Josh.  That is correct.  The ExternalAuthen checks all locations 
for users under the base OU.  Either change your specified base in 
RT_SiteConfig.pm or move the users to the OU that you want RT to search.

Andrew Wagner
Assistant Network Administrator
aawagner at wisc.edu
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu


On 8/29/2011 11:39 AM, josh.cole wrote:
> Thank you for your response. So just to make sure I understand, if the users
> I want to be able to authenticate in RT are not in the OU specified it will
> not work? So I should move those users to whatever the OU is that I specify
> in the base?
>
> Andrew Wagner-4 wrote:
>> 1.  For group_attr, you want the term to be 'member'.  That checks for
>> membership in the group.
>>
>> 2.  For your base, you need to choose the next highest level of Active
>> Directory beyond where your users are stored.  This means you need to
>> specify the OU where your users are, not just a random "Users" OU.
>>
>> On 8/29/2011 11:26 AM, josh.cole wrote:
>>> I am trying to make this work. I installed the latest version of
>>> ExternalAuth. I am working with Request Tracker for the first time, just
>>> upgraded from 3.8.7 to 4.0.1. There are a few things that I think are off
>>> but I am not sure what the correct solution is.
>>>
>>> 1. I am not sure what to use for the group_attr. I want to have users in
>>> the group Request-Tracker inside of AD be able to authenticate with their
>>> credentials when logging into RT, and I believe the filter is set
>>> correctly other than what needs to be added for the group_attribute. I am
>>> not sure what that should be.
>>>
>>> 2. For my base statement, I am specifying the Users OU but none of my
>>> users are in that OU. I am not sure exactly what it's looking for there.
>>>
>>> Any help is appreciated!
>>> ExternalAuth config:
>>>
>>> I have added the following to my RT_SiteConfig.pm:
>>>
>>> @RT::MailPlugins = ("RT::Authen::ExternalAuth");
>>> Set(@Plugins, qw(RT::Authen::ExternalAuth) );
>>> Set($ExternalAuthPriority,  [ 'Active_Directory' ] );
>>> Set($ExternalInfoPriority,  [ 'Active_Directory' ] );
>>> Set($AutoCreateNonExternalUsers,    0);
>>>
>>> Set($ExternalSettings, {
>>>     'Active_Directory' => {
>>>         'type'   => 'ldap',
>>>         'auth'   => 1,
>>>         'info'   => 1,
>>>         'server' => 'rt.mydomain.local',
>>>         'base'   => 'OU=Users,DC=mydomain,DC=local',
>>>         # The filter to use to match RT-Users
>>>         'filter' => '(objectclass=person)',
>>>         # The filter that will only match disabled users
>>>         'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>>         # Should we try to use TLS to encrypt connections?
>>>         'tls' => 0,
>>>         # What other args should I pass to Net::LDAP->new($host,@args)?
>>>         'net_ldap_args' => [ version => 3 ],
>>>         # Does authentication depend on group membership? What group name?
>>>         'group' => 'Request-Tracker',
>>>         # What is the attribute for the group object that determines membership?
>>>         #'group_attr' => 'GROUP_ATTR',
>>>         ## RT ATTRIBUTE MATCHING SECTION
>>>         # The list of RT attributes that uniquely identify a user
>>>         'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
>>>         # The mapping of RT attributes on to LDAP attributes
>>>         'attr_map' => {
>>>             'Name'           => 'sAMAccountName',
>>>             'EmailAddress'   => 'mail',
>>>             'Organization'   => 'physicalDeliveryOfficeName',
>>>             'RealName'       => 'displayName',
>>>             'ExternalAuthId' => 'sAMAccountName',
>>>             'Gecos'          => 'sAMAccountName',
>>>             'WorkPhone'      => 'telephoneNumber',
>>>             'Address1'       => 'streetAddress',
>>>             'City'           => 'l',
>>>             'State'          => 'st',
>>>             'Zip'            => 'postalCode',
>>>             'Country'        => 'co'
>>>         }
>>>     }
>>> } );
>>>
>>
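
The two conditions discussed in this thread, as an added example that is not part of any poster's message or of RT::Authen::ExternalAuth: a simplified Python model of a subtree-scoped search under `base` followed by a check of the group's `member` values. The OU names and member DNs are constructed, and multi-valued RDNs and hex escapes are not handled.

```python
def split_dn(dn):
    """Split a DN into lower-cased (attr, value) RDNs; an escaped comma stays in its value."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return [tuple(p.strip().lower() for p in r.split("=", 1)) for r in rdns]


def in_subtree(entry_dn, base_dn):
    """True when entry_dn is at or below base_dn, i.e. visible to a 'sub' search."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def may_log_in(user_dn, base_dn, group_members):
    """Apply both conditions: found under base, then listed in the group's member values."""
    if not in_subtree(user_dn, base_dn):
        return (False, "not under base")
    members = {tuple(split_dn(m)) for m in group_members}
    if tuple(split_dn(user_dn)) not in members:
        return (False, "not in group")
    return (True, "ok")


# Constructed sample data: OU names and member DNs are hypothetical.
ORIGINAL_BASE = "OU=Users,DC=mydomain,DC=local"   # base from the posted config
STAFF_BASE = "OU=Staff,DC=mydomain,DC=local"      # hypothetical OU holding the users
RT_GROUP_MEMBERS = [                              # 'member' values of Request-Tracker
    r"CN=Cole\, Josh,OU=Staff,DC=mydomain,DC=local",
    "CN=Pat Example,OU=Contractors,DC=mydomain,DC=local",
]

if __name__ == "__main__":
    josh = r"cn=Cole\, Josh,ou=staff,dc=mydomain,dc=local"
    for base in (ORIGINAL_BASE, STAFF_BASE, "DC=mydomain,DC=local"):
        print(base, "->", may_log_in(josh, base, RT_GROUP_MEMBERS))
```

Comparing parsed RDNs rather than raw string suffixes keeps an OU such as `OU=ITStaff` from being mistaken for `OU=Staff`, and keeps a comma inside a CN from shifting the match.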
