[rt-users] Active Directory and RT
Thomas Sibley
trs at bestpractical.com
Fri May 24 17:57:36 EDT 2013
On 05/24/2013 02:40 PM, davidneudorfer wrote:
> 'attr_match_list' => [
> 'Name',
> 'EmailAddress',
> 'RealName',
> ],
First things first, remove RealName from the config above. It should be
removed from the example configs as it's a misleading example.
"attr_match_list" are properties that in combination uniquely identify a
user; by including RealName, you're telling RT that a user's real name
may never change (such as not being provided, or differing slightly).
https://metacpan.org/source/TSIBLEY/RT-Authen-ExternalAuth-0.15/etc/RT_SiteConfig.pm#L128
Glenn's suggestions are also good.
Second, note these lines:
> [Fri May 24 21:31:20 2013] [debug]: LDAP Search === Base:
> ou=lb,DC=office,DC=lbox,DC=com == Scope: base == Filter: (member=CN=David
> Neudorfer,OU=lb,DC=office,DC=lbox,DC=com) == Attrs: dn
> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:256)
> [Fri May 24 21:31:20 2013] [debug]: LDAP group membership check returned 0
> results
> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:285)
> [Fri May 24 21:31:20 2013] [info]: My_LDAP AUTH FAILED: david.neudorfer
This is why auth fails: RT didn't find the logging-in user as a member
of the group you specified that users must be a member of.
I suspect you're running into the issue that the group check is done as
the logging-in user rather than the service user (cn=thisisauser in your
sample). The group check happens after the rebind to check the provided
password. There's an open bug about this because it should be made
configurable: https://rt.cpan.org/Ticket/Display.html?id=69500
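The two points in the reply above, modelled as an added example (this is constructed illustration code, not RT's or RT-Authen-ExternalAuth's own implementation): a fake directory with a constructed ACL on the group's "member" attribute shows why the membership search returns 0 results when it runs after the rebind as the logging-in user, and a small matcher shows why putting RealName in attr_match_list (treated here, as the reply describes it, as attributes that must all agree) stops an existing RT user from being matched when the real name differs slightly. All DNs, passwords and the ACL are made up.

```python
"""Constructed model of the ExternalAuth LDAP login flow discussed in the thread.

Not RT code. The directory, credentials and ACL below are invented so the
ordering problem (group check under the user's bind) can be observed offline.
"""

# Constructed DNs modelled on the ones in the quoted log.
SERVICE_DN = "cn=thisisauser,ou=lb,dc=office,dc=lbox,dc=com"
USER_DN = "cn=David Neudorfer,ou=lb,dc=office,dc=lbox,dc=com"
GROUP_DN = "cn=rt-users,ou=lb,dc=office,dc=lbox,dc=com"
SEARCH_BASE = "ou=lb,dc=office,dc=lbox,dc=com"

# Constructed directory contents: DN -> attribute -> list of values.
DIRECTORY = {
    SERVICE_DN: {"sAMAccountName": ["thisisauser"], "userPassword": ["svc-secret"]},
    USER_DN: {"sAMAccountName": ["david.neudorfer"], "userPassword": ["user-secret"]},
    GROUP_DN: {"member": [USER_DN]},
}

# Constructed ACL: only the service account may read the group's "member"
# attribute. To any other bound identity the attribute is simply invisible,
# so a filter on it yields no matches rather than an error.
MEMBER_READERS = {SERVICE_DN}


class FakeLdap:
    """Just enough bind/search behaviour to show the permission effect."""

    def __init__(self):
        self.bound_as = None

    def bind(self, dn, password):
        entry = DIRECTORY.get(dn)
        if entry and password in entry.get("userPassword", []):
            self.bound_as = dn
            return True
        self.bound_as = None
        return False

    def search(self, base, attr, value):
        """DNs under base whose attr contains value, as seen by the bound identity."""
        if self.bound_as is None:
            return []
        hits = []
        for dn, attrs in DIRECTORY.items():
            if not dn.endswith(base):
                continue
            if attr == "member" and self.bound_as not in MEMBER_READERS:
                continue  # attribute hidden from this identity by the ACL
            if value in attrs.get(attr, []):
                hits.append(dn)
        return hits


def authenticate(username, password, group_check_as_service=False):
    """Return (ok, reason) following the order of operations described in the thread.

    group_check_as_service=False reproduces the reported behaviour: the group
    membership search runs after the rebind as the user, with the user's rights.
    """
    ldap = FakeLdap()
    if not ldap.bind(SERVICE_DN, "svc-secret"):
        return False, "service bind failed"
    users = ldap.search(SEARCH_BASE, "sAMAccountName", username)
    if len(users) != 1:
        return False, "user lookup returned %d results" % len(users)
    user_dn = users[0]
    # Rebind as the user to verify the supplied password.
    if not ldap.bind(user_dn, password):
        return False, "bad password"
    if group_check_as_service:
        ldap.bind(SERVICE_DN, "svc-secret")  # the configurable behaviour the bug asks for
    # Base-scope search on the group entry, filter (member=<user dn>), as in the log.
    if not ldap.search(GROUP_DN, "member", user_dn):
        return False, "group membership check returned 0 results"
    return True, "ok"


# Constructed RT-side data for the attr_match_list point.
RT_USERS = [{"Name": "david.neudorfer",
             "EmailAddress": "david.neudorfer@example.com",
             "RealName": "Dave Neudorfer"}]
LDAP_RECORD = {"Name": "david.neudorfer",
               "EmailAddress": "david.neudorfer@example.com",
               "RealName": "David Neudorfer"}


def find_matching_rt_user(ldap_record, attr_match_list):
    """Return the RT user agreeing with ldap_record on every attribute in the list."""
    for user in RT_USERS:
        if all(user.get(a) == ldap_record.get(a) for a in attr_match_list):
            return user
    return None


if __name__ == "__main__":
    print(authenticate("david.neudorfer", "user-secret"))
    print(authenticate("david.neudorfer", "user-secret", group_check_as_service=True))
    print(find_matching_rt_user(LDAP_RECORD, ["Name", "EmailAddress"]))
    print(find_matching_rt_user(LDAP_RECORD, ["Name", "EmailAddress", "RealName"]))
```

With the constructed ACL, the same correct password produces a failed login under the reported ordering and a successful one when the membership search is done under the service bind; the matcher returns the existing RT user only while RealName is left out of attr_match_list.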