[rt-users] Has anyone successfully configured LDAP to authenticate against AD with version 4.0.1?

josh.cole josh.cole at fresno.edu
Mon Aug 29 13:55:09 EDT 2011


I think I am close now. I made those changes to the config. I am receiving an
error when I try to log in with my AD credentials. The error is:
[Mon Aug 29 17:35:31 2011] [critical]:
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to
rt.mydomain.local
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)

Do I need to specify an ldap port? I did add a username and password to
authenticate. 


josh.cole wrote:
> 
> Thank you very much for your feedback. I really appreciate it. 
> 
> Andrew Wagner-4 wrote:
>> 
>> Yes, Josh.  That is correct.  The ExternalAuthen checks all locations 
>> for users under the base OU.  Either change your specified base in 
>> RT_SiteConfig.pm or move the users to the OU that you want RT to search.
>> 
>> Andrew Wagner
>> Assistant Network Administrator
>> aawagner at wisc.edu
>> 265-5710
>> Room 370B
>> Wisconsin Center for Education Research (WCER)
>> www.wcer.wisc.edu
>> 
>> 
>> On 8/29/2011 11:39 AM, josh.cole wrote:
>>> Thank you for your response. So just to make sure I understand, if the
>>> users I want to be able to authenticate in RT are not in the OU specified
>>> it will not work? So I should move those users to whatever the OU is that
>>> I specify in the base?
>>>
>>> Andrew Wagner-4 wrote:
>>>> 1.  For group_attr, you want the term to be 'member'.  That checks for
>>>> membership in the group.
>>>>
>>>> 2.  For your base, you need to choose the next highest level of Active
>>>> Directory beyond where your users are stored.  This means you need to
>>>> specify the OU where your users are, not just a random "Users" OU.
>>>>
>>>> Andrew Wagner
>>>> Assistant Network Administrator
>>>> aawagner at wisc.edu
>>>> 265-5710
>>>> Room 370B
>>>> Wisconsin Center for Education Research (WCER)
>>>> www.wcer.wisc.edu
>>>>
>>>>
>>>> On 8/29/2011 11:26 AM, josh.cole wrote:
>>>>> I am trying to make this work. I installed the latest version of
>>>>> ExternalAuth. I am working with Request Tracker for the first time,
>>>>> just upgraded from 3.8.7 to 4.0.1. There are a few things that I think
>>>>> are off but I am not sure what the correct solution is.
>>>>>
>>>>> 1. I am not sure what to use for the group_attr. I want to have users
>>>>> in the group Request-Tracker inside of AD be able to authenticate with
>>>>> their credentials when logging into RT and I believe the filter is set
>>>>> correctly other than what needs to be added for the group_attribute. I
>>>>> am not sure what that should be.
>>>>>
>>>>> 2. For my base statement. I am specifying the Users OU but none of my
>>>>> users are in that OU. I am not sure exactly what it's looking for there.
>>>>>
>>>>> Any help is appreciated!
>>>>> ExternalAuth config:
>>>>>
>>>>> I have added the following to my RT_SiteConfig.pm:
>>>>>
>>>>> @RT::MailPlugins = ("RT::Authen::ExternalAuth");
>>>>> Set(@Plugins, qw(RT::Authen::ExternalAuth) );
>>>>> Set($ExternalAuthPriority,  [ 'Active_Directory' ] );
>>>>> Set($ExternalInfoPriority,  [ 'Active_Directory' ] );
>>>>> Set($AutoCreateNonExternalUsers,    0);
>>>>>
>>>>> Set($ExternalSettings, {
>>>>>     'Active_Directory' => {
>>>>>         'type'   => 'ldap',
>>>>>         'auth'   => 1,
>>>>>         'info'   => 1,
>>>>>         'server' => 'rt.mydomain.local',
>>>>>         'base'   => 'OU=Users,DC=mydomain,DC=local',
>>>>>         # The filter to use to match RT-Users
>>>>>         'filter' => '(objectclass=person)',
>>>>>         # The filter that will only match disabled users
>>>>>         'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>>>>         # Should we try to use TLS to encrypt connections?
>>>>>         'tls' => 0,
>>>>>         # What other args should I pass to Net::LDAP->new($host,@args)?
>>>>>         'net_ldap_args' => [ version => 3 ],
>>>>>         # Does authentication depend on group membership? What group name?
>>>>>         'group' => 'Request-Tracker',
>>>>>         # What is the attribute for the group object that determines membership?
>>>>>         #'group_attr' => 'GROUP_ATTR',
>>>>>         ## RT ATTRIBUTE MATCHING SECTION
>>>>>         # The list of RT attributes that uniquely identify a user
>>>>>         'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
>>>>>         # The mapping of RT attributes on to LDAP attributes
>>>>>         'attr_map' => {
>>>>>             'Name'           => 'sAMAccountName',
>>>>>             'EmailAddress'   => 'mail',
>>>>>             'Organization'   => 'physicalDeliveryOfficeName',
>>>>>             'RealName'       => 'displayName',
>>>>>             'ExternalAuthId' => 'sAMAccountName',
>>>>>             'Gecos'          => 'sAMAccountName',
>>>>>             'WorkPhone'      => 'telephoneNumber',
>>>>>             'Address1'       => 'streetAddress',
>>>>>             'City'           => 'l',
>>>>>             'State'          => 'st',
>>>>>             'Zip'            => 'postalCode',
>>>>>             'Country'        => 'co'
>>>>>         }
>>>>>     }
>>>>> } );
>>>>>
>>>>
>>>>
>>>> --------
>>>> RT Training Sessions (http://bestpractical.com/services/training.html)
>>>> *  Chicago, IL, USA — September 26 & 27, 2011
>>>> *  San Francisco, CA, USA — October 18 & 19, 2011
>>>> *  Washington DC, USA — October 31 & November 1, 2011
>>>> *  Melbourne VIC, Australia — November 28 & 29, 2011
>>>> *  Barcelona, Spain — November 28 & 29, 2011
>>>>
>> 
>> 
>> 
> 
> 

-- 
View this message in context: http://old.nabble.com/Has-anyone-sucessfully-configured-LDAP-to-authenticate-against-AD-with-version-4.0.1--tp32358024p32358824.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.
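
The settings discussed in this thread, put together as an added example (not part of the original messages and not the posters' or the RT project's own configuration). It applies the two points from the reply (base set to where the users live, group_attr set to 'member') and passes an explicit port through net_ldap_args. The server name, bind account, OU names and group location are placeholders assumed for illustration.

```perl
# Added example for RT_SiteConfig.pm; values marked "placeholder" are assumptions.
Set($ExternalSettings, {
    'Active_Directory' => {
        'type'   => 'ldap',
        'auth'   => 1,
        'info'   => 1,
        # Host that answers LDAP queries (placeholder domain controller name).
        'server' => 'dc1.mydomain.local',
        # Account RT binds as before searching (placeholder DN and password).
        'user'   => 'CN=rt-bind,OU=Service Accounts,DC=mydomain,DC=local',
        'pass'   => 'CHANGE_ME',
        # OU that holds the user objects, or a parent of it (placeholder name);
        # users are looked up everywhere under this base.
        'base'   => 'OU=Staff,DC=mydomain,DC=local',
        'filter'   => '(objectclass=person)',
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # 0 sends the bind, including user passwords, unencrypted on the wire.
        'tls'    => 0,
        # Extra arguments for Net::LDAP->new; 389 is the default LDAP port.
        'net_ldap_args' => [ version => 3, port => 389 ],
        # Group whose members may log in, as the group's full DN (placeholder OU).
        'group'      => 'CN=Request-Tracker,OU=Groups,DC=mydomain,DC=local',
        # AD group objects list their members' DNs in the 'member' attribute.
        'group_attr' => 'member',
        'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'displayName',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
});
```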