[rt-users] RT-External Auth & RT 4.0

Guy Baxter GBaxter at blackpoolsixth.ac.uk
Tue Jun 7 06:22:04 EDT 2011


Hi,

I've replicated our production setup and upgraded it to 4.0 without a
problem. I've now thrown External Auth into the mix (new install via
cpan), and I'm having mixed results.

We have 2 directory systems: Open Directory (openldap) and Active
Directory.

AD authenticates fine, but OD just will not authenticate at all.

Here's my RT_SiteConfig.pm:

Set($rtname, 'ourdomain');
Set($Organization , "ourdomain");
Set($WebPort, 80);# + ($< * 7274) % 32766 + ($< && 1024));
Set($WebDomain, 'rt2.ourdomain' );
my $port = RT->Config->Get('WebPort');
Set($WebBaseURL,
    ($port == 443? 'https': 'http') .'://'
    . RT->Config->Get('WebDomain')
    . ($port != 80 && $port != 443? ":$port" : '')
);
Set($MaxAttachmentSize , 10000000);
Set($MailCommand , 'sendmail');
Set($SendmailArguments , "-oi -t");
Set($CorrespondAddress , 'Request_Tracker');
Set($CommentAddress , 'Request_Tracker_Comment');
Set($HomePageRefreshInterval, 60);
Set(@Plugins,qw(RT::Authen::ExternalAuth));
Set($ExternalAuthPriority,  [ 'My_AD', 'My_OD' ]);
Set($ExternalInfoPriority,  [ 'My_AD', 'My_OD' ]);
Set($ExternalServiceUsesSSLorTLS,    0);
Set($AutoCreateNonExternalUsers,    0);
Set($ExternalSettings, {
    'My_OD' => {   ## ODMaster
        # The type of service (db/ldap/cookie)
        'type'   => 'ldap',
        # The server hosting the service
        'server' => 'osxmaster.b6fc.ac.uk',
        # The LDAP search base
        'base'   => 'cn=users,dc=osxmaster,dc=b6fc,dc=ac,dc=uk',
        #
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        #
        # The filter to use to match RT-Users
        'filter'   => '(description=staff)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter' => '(description=parent)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        #'tls'           => 0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        #'ssl_version'   => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        #'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        #'group'         => 'GROUP_NAME',
        # What is the attribute for the group object that determines membership?
        #'group_attr'    => 'GROUP_ATTR',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name'         => 'cn',
            'EmailAddress' => 'mail',
        },
    },
    'My_AD' => {   ## ADMaster
        # The type of service (db/ldap/cookie)
        'type'   => 'ldap',
        # The server hosting the service
        'server' => 'admaster.b6fc.ac.uk',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user'   => 'blanked',
        # The password RT should use to connect to the LDAP server
        'pass'   => 'blanked',
        #
        # The LDAP search base
        'base'   => 'OU=Staff,DC=b6fc,DC=ac,DC=uk',
        #
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        #
        # The filter to use to match RT-Users
        'filter'   => '(description=staff)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter' => '(scriptPath=student.bat)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        #'tls'           => 0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        #'ssl_version'   => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        #'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        #'group'         => 'All Staff',
        # What is the attribute for the group object that determines membership?
        #'group_attr'    => 'GROUP_ATTR',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
        },
    },
}
#Set(@Plugins,(qw(Extension::QuickDelete RT::FM)));
);
1;

AD users log in, but then do not show up in the users section, so I can't
assign them permissions.
OD users fail to log in with "Your username or password is incorrect".

The message in the log is:

[Tue Jun  7 10:09:10 2011] [error]: Couldn't create user Staffuser: Name in use
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129)

The name is not in use, however. Anyone got any ideas?

Thanks.

Regards,

Guy
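An added stand-alone check, not from the original post and not code from RT::Authen::ExternalAuth, that runs against the My_OD settings above the three steps I assume the module's LDAP backend performs (search with filter plus the Name mapping, d_filter check, bind as the found DN), so the OD failure can be pinned to one step outside RT. It assumes Net::LDAP is installed and takes the username and password on the command line; server, base, filters and attr_map are copied from the My_OD block, with no user/pass because that block binds anonymously.

```perl
# Stand-alone check of one ExternalAuth LDAP service, run outside RT.
# Assumption: the three steps below approximate what the module's LDAP
# backend does; they are not the module's own code.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Same keys as the My_OD entry of $ExternalSettings; no user/pass,
# because that block binds anonymously.
my %svc = (
    server   => 'osxmaster.b6fc.ac.uk',
    base     => 'cn=users,dc=osxmaster,dc=b6fc,dc=ac,dc=uk',
    filter   => '(description=staff)',
    d_filter => '(description=parent)',
    attr_map => { Name => 'cn', EmailAddress => 'mail' },
);
my ($username, $password) = @ARGV;
die "usage: $0 USERNAME PASSWORD\n" unless defined $password;

my $ldap = Net::LDAP->new($svc{server}) or die "connect: $@\n";
my $r = $svc{user} ? $ldap->bind($svc{user}, password => $svc{pass})
                   : $ldap->bind;                      # anonymous bind
die "service bind failed: " . $r->error . "\n" if $r->code;

# Step 1: 'filter' AND the Name mapping must find exactly one entry.
# The username is escaped so it cannot change the filter's meaning.
my $name_attr = $svc{attr_map}{Name};
my $search = $ldap->search(
    base   => $svc{base},
    filter => "(&$svc{filter}($name_attr=" . escape_filter_value($username) . "))",
    attrs  => [ values %{ $svc{attr_map} } ],
);
die "search failed: " . $search->error . "\n" if $search->code;
die "step 1: filter matched " . $search->count . " entries, need 1\n"
    unless $search->count == 1;
my $entry = $search->entry(0);
print "step 1 ok: dn=", $entry->dn, "\n";
for my $rt_attr (sort keys %{ $svc{attr_map} }) {   # what RT would copy
    my $v = $entry->get_value($svc{attr_map}{$rt_attr});
    print "  $rt_attr <- $svc{attr_map}{$rt_attr} = ", $v // '(missing)', "\n";
}
# Step 2: if d_filter matches this DN, RT treats the account as disabled.
my $dis = $ldap->search(base => $entry->dn, scope => 'base', filter => $svc{d_filter});
die "step 2: d_filter matches, user would be disabled\n" if !$dis->code && $dis->count;
# Step 3: bind as the user's own DN with the supplied password.
$r = $ldap->bind($entry->dn, password => $password);
die "step 3: user bind failed: " . $r->error . "\n" if $r->code;
print "step 3 ok: password accepted\n";
$ldap->unbind;
```

Swap in the My_AD values (including user/pass) to run the same check against AD and compare which Name and EmailAddress values each directory returns for the same person.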




