[rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

Mathew Snyder mathew.snyder at gmail.com
Thu Oct 17 16:50:20 EDT 2013


I found another thread that indicated that the solution to the second
problem was to add @domain to the end of the username. That just reverted
to the previous list of errors with a couple new ones.

Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $_[1] in join
or string at /usr/local/share/perl5/Log/Dispatch.pm line 42.
Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $service in
hash element at
/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
line 611.
Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value in string eq
at
/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
line 613.
Oct 17 16:47:50 zen-rt RT: [24673]
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: ,
EmailAddress: , Gecos: user, Name: user, Privileged:
Oct 17 16:47:50 zen-rt RT: [24673] Couldn't create user user: Could not set
user info
Oct 17 16:47:50 zen-rt RT: [24673] FAILED LOGIN for user from
192.168.236.102


-Mathew

"When you do things right, people won't be sure you've done anything at
all." - God; Futurama

"We'll get along much better once you accept that you're wrong and neither
am I." - Me


On Thu, Oct 17, 2013 at 4:39 PM, Mathew Snyder <mathew.snyder at gmail.com> wrote:

> I didn't know the OU until a few moments ago so I only entered
> "cn=user,dc=example,dc=com". That did seem to make a difference. However,
> I'm still not able to log in. Perhaps for other reasons, though:
>
> Oct 17 16:33:11 zen-rt RT: [24525]
> RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
> LDAP_INVALID_CREDENTIALS 49
> Oct 17 16:33:11 zen-rt RT: [24525] FAILED LOGIN for example\user from
> 192.168.236.102
>
> I know I'm entering my username and password correctly and have again
> tried just the username, example\username, and example.com\username. I'm
> wondering if the LDAP_INVALID_CREDENTIALS error is because of the missing
> OU. I do know it now, but how do I enter an OU that has two words? I was
> told it is example.com/Special Accounts.
>
> -Mathew
>
>
>
> On Thu, Oct 17, 2013 at 4:27 PM, Jeff Solberg <jsolberg at intrepidls.com> wrote:
>
>> For your ‘server’ try using IP rather than hostname.
>>
>> Second for the ‘user’ field try using the DN name for your AD Binding
>> user…{cn=some_user,ou=some_ou,dc=some_domain,dc=com
>>
>> Hope this helps..
>>
>> Jeff
>>
>> *From:* rt-users-bounces at lists.bestpractical.com [mailto:
>> rt-users-bounces at lists.bestpractical.com] *On Behalf Of *Mathew Snyder
>> *Sent:* Thursday, October 17, 2013 1:19 PM
>> *To:* rt-users at lists.bestpractical.com
>> *Subject:* [rt-users] I need help with the RT-Authen-ExternalAuth LDAP
>> settings, please
>>
>> These are the settings I've started with:
>>
>> Set($ExternalSettings, {
>>     'AD'       =>  {
>>         'type'                      =>  'ldap',
>>         'server'                    =>  'domain_controller.example.com',
>>         'base'                      =>  'dc=example,dc=com',
>>         'user'                      =>  'rtuser',
>>         'pass'                      =>  '********',
>>         'filter'                    =>  '(ObjectClass=*)',
>>         'tls'                       =>  0,
>>         'ssl_version'               =>  3,
>>         'net_ldap_args'             => [    version =>  3   ],
>>         'attr_match_list' => [
>>             'EmailAddress',
>>         ],
>>         'attr_map' => {
>>             'Name' => 'sAMAccountName',
>>             'EmailAddress' => 'mail',
>>             'RealName' => 'cn',
>>         },
>>     },
>> });
>>
>> They aren't working. Whenever someone attempts an initial login with just
>> their username (which should create their RT account) the following error
>> is logged:
>>
>> Oct 17 15:02:29 zen-rt RT: [23131] Use of uninitialized value in string
>> eq at
>> /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
>> line 613.
>>
>> Oct 17 15:02:29 zen-rt RT: [23131]
>> RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: ,
>> EmailAddress: , Gecos: user, Name: user, Privileged:
>>
>> Oct 17 16:14:01 zen-rt RT: [24382] Couldn't create user user: Could not
>> set user info
>>
>> Oct 17 16:14:01 zen-rt RT: [24382] FAILED LOGIN for user from
>> 192.168.236.102
>>
>> When initial logins are attempted with either example\username or
>> example.com\username only the FAILED LOGIN line is displayed.
>>
>> We also have our Openfire Jabber server authenticating successfully.
>> Those settings are
>>
>> ldap.autoFollowAliasReferrals = true
>> ldap.autoFollowReferrals = false
>> ldap.baseDN = dc=example,dc=com
>> ldap.connectionPoolEnabled = true
>> ldap.debugEnabled = false
>> ldap.emailField = mail
>> ldap.encloseDNs = true
>> ldap.groupDescriptionField = description
>> ldap.groupMemberField = member
>> ldap.groupNameField = cn
>> ldap.groupSearchFilter = (objectClass=group)
>> ldap.host = domain_controller.example.com
>> ldap.ldapDebugEnabled = false
>> ldap.nameField = cn
>> ldap.port = 389
>> ldap.searchFilter = (objectClass=*)
>> ldap.usernameField = sAMAccountName
>>
>> I know they don't match up exactly in terms of what Openfire calls the
>> settings vs. what RT does, but I'm hoping someone can help me sort out what
>> should be plugged in where on the RT side. For example, I don't know what
>> the group_attr or group_attr_value setting should contain (if anything) in
>> the RT_SiteConfig.pm file. Basically, anything from the "group" settings.
>>
>> -Mathew
>>
>
>
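On the question above of how to write an OU whose name has two words: inside an LDAP DN a space in the middle of a value is literal and needs no quoting, and RFC 4514 requires escaping only for leading or trailing spaces and a small set of special characters. The helper below is an added example, not part of the thread or of RT-Authen-ExternalAuth; the function names are hypothetical, and it assumes every component between the domain and the leaf of an AD canonical name such as "example.com/Special Accounts/rtuser" is an OU.

```python
# RFC 4514: these characters must be backslash-escaped inside an RDN value.
_SPECIALS = '"+,;<>\\'


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a DN string (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and i in (0, last):
            out.append("\\ ")   # only leading/trailing spaces need escaping
        elif ch == "#" and i == 0:
            out.append("\\#")   # a leading '#' would mark a hex-encoded value
        else:
            out.append(ch)      # interior spaces are kept as-is
    return "".join(out)


def canonical_to_dn(canonical: str, leaf_attr: str = "cn") -> str:
    """Convert 'example.com/Special Accounts/rtuser' to a DN string.

    Assumptions: each path component between the domain and the leaf is an
    OU (a canonical name does not say whether a component is an OU or a
    container such as CN=Users), and no component contains a '/'.
    """
    domain, *path = canonical.split("/")
    if not domain or not path or any(p == "" for p in path):
        raise ValueError(f"not a canonical name: {canonical!r}")
    *ous, leaf = path
    rdns = [f"{leaf_attr}={escape_rdn_value(leaf)}"]
    # Canonical names run root-to-leaf; DNs run leaf-to-root.
    rdns += [f"ou={escape_rdn_value(ou)}" for ou in reversed(ous)]
    rdns += [f"dc={escape_rdn_value(label)}" for label in domain.split(".")]
    return ",".join(rdns)


if __name__ == "__main__":
    # Constructed input: the OU path quoted in the thread plus the bind
    # account name from the posted config.
    print(canonical_to_dn("example.com/Special Accounts/rtuser"))
```

The resulting string is the kind of value the reply above suggests for the 'user' field; if the account sits in a container rather than an OU, the matching component is cn= instead of ou=.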