[rt-users] Has anyone successfully configured LDAP to authenticate against AD with version 4.0.1?

Andrew Wagner aawagner at wisc.edu
Mon Aug 29 15:11:05 EDT 2011


I believe that if you specify SSL, Authen-External will automatically 
use port 636 (LDAPS).  TLS encryption uses 389.  We used TLS as LDAPS 
is no longer officially supported.

Is the user you are trying to authenticate with inside your base?  Do 
you have the correct domain controller specified under server?  Do you 
have the right domain specified and formatted under base?  I assume 
you're replacing your domain information with placeholders in your 
config and are not actually using rt.mydomain.local.

Andrew Wagner
Assistant Network Administrator
aawagner at wisc.edu
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu


On 8/29/2011 12:55 PM, josh.cole wrote:
> I think I am close now. I made those changes to the config. I am receiving an
> error when I try to login with my AD credentials. The error is:
> [Mon Aug 29 17:35:31 2011] [critical]:
> RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to
> rt.mydomain.local
> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)
>
> Do I need to specify an ldap port? I did add a username and password to
> authenticate.
>
>
> josh.cole wrote:
>> Thank you very much for your feedback. I really appreciate it.
>>
>> Andrew Wagner-4 wrote:
>>> Yes, Josh.  That is correct.  The ExternalAuthen checks all locations
>>> for users under the base OU.  Either change your specified base in
>>> RT_SiteConfig.pm or move the users to the OU that you want RT to search.
>>>
>>> Andrew Wagner
>>> Assistant Network Administrator
>>> aawagner at wisc.edu
>>> 265-5710
>>> Room 370B
>>> Wisconsin Center for Education Research (WCER)
>>> www.wcer.wisc.edu
>>>
>>>
>>> On 8/29/2011 11:39 AM, josh.cole wrote:
>>>> Thank you for your response. So just to make sure I understand, if the
>>>> users
>>>> I want to be able to authenticate in RT are not in the OU specified it
>>>> will
>>>> not work? So I should move those users to whatever the OU is that I
>>>> specify
>>>> in the base?
>>>>
>>>> Andrew Wagner-4 wrote:
>>>>> 1.  For group_attr, you want the term to be 'member'.  That checks for
>>>>> membership in the group.
>>>>>
>>>>> 2.  For your base, you need to choose the next highest level of Active
>>>>> Directory beyond where your users are stored.  This means you need to
>>>>> specify the OU where your users are, not just a random "Users" OU.
>>>>>
>>>>> Andrew Wagner
>>>>> Assistant Network Administrator
>>>>> aawagner at wisc.edu
>>>>> 265-5710
>>>>> Room 370B
>>>>> Wisconsin Center for Education Research (WCER)
>>>>> www.wcer.wisc.edu
>>>>>
>>>>>
>>>>> On 8/29/2011 11:26 AM, josh.cole wrote:
>>>>>> I am trying to make this work. I installed the latest version of
>>>>>> ExternalAuth. I am working with Request Tracker for the first time,
>>>>>> just
>>>>>> upgraded from 3.8.7 to 4.0.1. There are a few things that I think are
>>>>>> off
>>>>>> but I am not sure what the correct solution is.
>>>>>>
>>>>>> 1. I am not sure what to use for the group_attr I want to have users
>>>>>> in
>>>>>> the
>>>>>> group Request-Tracker inside of AD be able to authenticate with their
>>>>>> credentials when logging into RT and I believe the filter is set
>>>>>> correctly
>>>>>> other than what needs to be added for the group_attribute. I am not
>>>>>> sure
>>>>>> what that should be.
>>>>>>
>>>>>> 2. For my base statement. I am specifying the Users OU but none of my
>>>>>> users
>>>>>> are in that OU. I am not sure exactly what it's looking for there.
>>>>>>
>>>>>> Any help is appreciated!
>>>>>> ExternalAuth config:
>>>>>>
>>>>>> I have added the following to my RT_SiteConfig.pm:
>>>>>>
>>>>>> @RT::MailPlugins = ("RT::Authen::ExternalAuth");
>>>>>> Set(@Plugins, qw(RT::Authen::ExternalAuth) );
>>>>>> Set($ExternalAuthPriority, [ 'Active_Directory' ]);
>>>>>> Set($ExternalInfoPriority, [ 'Active_Directory' ]);
>>>>>> Set($AutoCreateNonExternalUsers, 0);
>>>>>>
>>>>>> Set($ExternalSettings, {
>>>>>>     'Active_Directory' => {
>>>>>>         'type'   => 'ldap',
>>>>>>         'auth'   => 1,
>>>>>>         'info'   => 1,
>>>>>>         'server' => 'rt.mydomain.local',
>>>>>>         'base'   => 'OU=Users,DC=mydomain,DC=local',
>>>>>>         # The filter to use to match RT-Users
>>>>>>         'filter' => '(objectclass=person)',
>>>>>>         # The filter that will only match disabled users
>>>>>>         'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>>>>>         # Should we try to use TLS to encrypt connections?
>>>>>>         'tls' => 0,
>>>>>>         # What other args should I pass to Net::LDAP->new($host,@args)?
>>>>>>         'net_ldap_args' => [ version => 3 ],
>>>>>>         # Does authentication depend on group membership? What group name?
>>>>>>         'group' => 'Request-Tracker',
>>>>>>         # What is the attribute for the group object that determines membership?
>>>>>>         #'group_attr' => 'GROUP_ATTR',
>>>>>>         ## RT ATTRIBUTE MATCHING SECTION
>>>>>>         # The list of RT attributes that uniquely identify a user
>>>>>>         'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
>>>>>>         # The mapping of RT attributes on to LDAP attributes
>>>>>>         'attr_map' => {
>>>>>>             'Name'           => 'sAMAccountName',
>>>>>>             'EmailAddress'   => 'mail',
>>>>>>             'Organization'   => 'physicalDeliveryOfficeName',
>>>>>>             'RealName'       => 'displayName',
>>>>>>             'ExternalAuthId' => 'sAMAccountName',
>>>>>>             'Gecos'          => 'sAMAccountName',
>>>>>>             'WorkPhone'      => 'telephoneNumber',
>>>>>>             'Address1'       => 'streetAddress',
>>>>>>             'City'           => 'l',
>>>>>>             'State'          => 'st',
>>>>>>             'Zip'            => 'postalCode',
>>>>>>             'Country'        => 'co'
>>>>>>         }
>>>>>>     }
>>>>>> });
>>>>>>
>>>>>
>>>>> --------
>>>>> RT Training Sessions (http://bestpractical.com/services/training.html)
>>>>> *  Chicago, IL, USA — September 26&   27, 2011
>>>>> *  San Francisco, CA, USA — October 18&   19, 2011
>>>>> *  Washington DC, USA — October 31&   November 1, 2011
>>>>> *  Melbourne VIC, Australia — November 28&   29, 2011
>>>>> *  Barcelona, Spain — November 28&   29, 2011
>>>>>
>>>
>>>
>>
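The checks Andrew walks through above (can RT reach the domain controller, is TLS on 389 or LDAPS on 636 in use, is the user under the base, does the group lookup via `member` succeed) can be run outside RT with a short Net::LDAP script. This is an added diagnostic, not code from this thread or from RT-Authen-ExternalAuth; the host `dc01.mydomain.local`, the service-account DN, the CA file path and the OU names are placeholders you must replace.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Constructed placeholders: use your own domain controller (not the RT host),
# service account, base OU and group DN.
my $server   = 'dc01.mydomain.local';
my $use_tls  = 1;   # 1 = STARTTLS on 389 (the thread's recommendation); 0 = plain 389
my $bind_dn  = 'CN=rt-svc,OU=Service Accounts,DC=mydomain,DC=local';
my $bind_pw  = $ENV{RT_LDAP_PW} // die "set RT_LDAP_PW\n";
my $base     = 'OU=Staff,DC=mydomain,DC=local';
my $group_dn = 'CN=Request-Tracker,OU=Groups,DC=mydomain,DC=local';
my $login    = $ARGV[0] or die "usage: $0 <sAMAccountName>\n";

# Step 1: connect, as 'server' / 'tls' / 'net_ldap_args' drive in RT.
# This is the point at which the thread's "Cannot connect" error appears.
my $ldap = Net::LDAP->new($server, port => 389, version => 3, timeout => 10)
    or die "Cannot connect to $server: $@\n";
if ($use_tls) {
    # verify => 'require' makes a wrong or untrusted DC certificate a hard error.
    my $tls = $ldap->start_tls(verify => 'require', cafile => '/etc/ssl/certs/ad-ca.pem');
    die "STARTTLS failed: " . $tls->error . "\n" if $tls->code;
}

# Step 2: bind with the service account RT will use for searches.
my $bind = $ldap->bind($bind_dn, password => $bind_pw);
die "Bind failed: " . $bind->error . "\n" if $bind->code;

# Step 3: is the user under 'base', matching 'filter' and NOT 'd_filter'?
# escape_filter_value stops a crafted login from altering the filter.
my $who    = escape_filter_value($login);
my $filter = "(&(objectclass=person)(sAMAccountName=$who)"
           . "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
my $srch = $ldap->search(base => $base, scope => 'sub', filter => $filter,
                         attrs => ['sAMAccountName', 'mail']);
die "Search failed: " . $srch->error . "\n" if $srch->code;
my ($entry) = $srch->entries;
die "No enabled user '$login' found under $base (check 'base')\n" unless $entry;
print "Found user: ", $entry->dn, "\n";

# Step 4: the group test RT performs with 'group' + 'group_attr' => 'member'.
my $grp = $ldap->search(base => $group_dn, scope => 'base', attrs => ['cn'],
                        filter => '(member=' . escape_filter_value($entry->dn) . ')');
print(($grp->code || !$grp->count) ? "NOT a member of $group_dn\n"
                                   : "Member of $group_dn: RT login should pass\n");
$ldap->unbind;
```

Run it as `RT_LDAP_PW=... perl check_ad.pl jdoe`; each failing step maps to one of the config keys in the quoted RT_SiteConfig.pm.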
