[rt-users] Authen::ExternalAuth not connecting to LDAP
Josiah Philipsen
jphilipsen at georgefox.edu
Fri Jul 24 11:03:19 EDT 2015
I have 3 instances of RT running right now. 2 old ones running RT 3.8.7 and
a new one running 4.2.10. Everything on 3.8.7 is running on Ubuntu 10.0.4
and working well. We are transitioning to 14.0.4 and upgrading RT at the
same time.

I will try to make this obvious and to the point. Below is my RT_Site
Config and a few perl modules that I have installed to confirm this should
be working. I have turned on all debugging logs and the only error I can
find is Login Failed for user ....

I can connect and bind with multiple users including the one used in the
script below using ldapsearch.

Thank you all in advance for any help that you may provide and I look
forward to getting this to work.

Thanks,
Josiah

*RT_SiteConfig.pm*
(I have commented out the new things that I have tried, but the original
items are what we use on the 3.8.7 servers that work.)
# You must install Plugins on your own, this is only an example
# of the correct syntax to use when activating them:
# Plugin( "RT::Extension::SLA" );
Plugin('RT::Authen::ExternalAuth');
### LDAP Configuration ###
Set ( $ExternalAuthPriority, [ 'GFU_LDAP' ] );
Set ( $ExternalInfoPriority, [ 'GFU_LDAP' ] );
# Users created from LDAP should be Privileged; this is a core RT
# option. Additionally, this is the 4.2 name for the option; for RT
# 4.0, it is named $AutoCreate. See the core RT documentation at
# http://docs.bestpractical.com/RT_Config#UserAutocreateDefaultsOnLogin
# for further details.
#Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS, 1);
# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 1);
Set($ExternalSettings, {
    'GFU_LDAP' => {
        'type' => 'ldap',
        'server' => 'myldapserver',
        # 'server' => 'ldaps://myldapserver'
        # 'use_ldaps' => 1,
        'user' => 'CN=***,OU=***,DC=***,DC=****,DC=***',
        'pass' => '*****',
        'base' => 'DC=****,DC=****,DC=***',
        'filter' => '(objectClass=user)',
        # The filter that will only match disabled users
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # 'tls' => {verify => "require", capath => "/etc/ldap/cacerts/cert.pem" },
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3, port => 636 ],
        # 'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'CN=All Users,OU=Shared Mail Groups,DC=campus,DC=georgefox,DC=edu',
        # What is the attribute for the group object that determines membership?
        'group_attr' => 'member',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name',
                               'EmailAddress',
                             ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name' => 'sAMAccountName',
                        'EmailAddress' => 'mail',
                        'ExternalAuthId' => 'sAMAccountName',
                        'Gecos' => 'sAMAccountName',
                      }
    }
}
);
*Perl Modules:*
This is perl 5, version 18, subversion 2 (v5.18.2) built for
x86_64-linux-gnu-thread-multi
Net::SSLeay is up to date (1.70).
Net::LDAP is up to date (0.65).
Net::LDAPS is up to date (0.06).
Crypt::SSLeay is up to date (0.72).
I installed RT::Authen::ExternalAuth with cpan and with sudo
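
One way to repeat the bind from Perl with Net::LDAP, outside RT, in the connection modes the settings above switch between. This is an added example, not part of the original post and not RT's own code; the environment variable names, the port 389 StartTLS case and the 10 second timeout are assumptions.

```perl
#!/usr/bin/perl
# Added diagnostic example: bind with Net::LDAP directly, once per connection mode.
use strict;
use warnings;
use Net::LDAP;

# Placeholders: use the same values as in $ExternalSettings.
my $host = 'myldapserver';
my $dn   = $ENV{LDAP_BIND_DN} // die "set LDAP_BIND_DN\n";   # assumed variable name
my $pw   = $ENV{LDAP_BIND_PW} // die "set LDAP_BIND_PW\n";   # assumed variable name

# Path from the commented-out 'tls' line. It names a single PEM file, so it is
# passed as cafile; Net::LDAP's capath expects a directory of CA certificates.
my @verify = (verify => 'require', cafile => '/etc/ldap/cacerts/cert.pem');

my @modes = (
    # The combination in the posted settings: no scheme, port 636, 'tls' => 0.
    { name => 'plain LDAP on 636', uri => $host, args => [ port => 636 ] },
    # LDAPS: TLS from the first byte, server certificate verified.
    { name => 'LDAPS on 636', uri => "ldaps://$host",
      args => [ port => 636, @verify ] },
    # Plain connection upgraded with StartTLS (port 389 is an assumption).
    { name => 'StartTLS on 389', uri => $host, args => [ port => 389 ],
      starttls => 1 },
);

for my $m (@modes) {
    my $ldap = Net::LDAP->new($m->{uri}, version => 3, timeout => 10,
                              @{ $m->{args} });
    unless ($ldap) {
        print "$m->{name}: connect failed: $@\n";
        next;
    }
    if ($m->{starttls}) {
        my $tls = $ldap->start_tls(@verify);
        if ($tls->code) {
            print "$m->{name}: start_tls failed: ", $tls->error, "\n";
            next;
        }
    }
    my $mesg = $ldap->bind($dn, password => $pw);
    printf "%s: bind %s\n", $m->{name},
        $mesg->code ? 'failed: ' . $mesg->error : 'ok';
    $ldap->unbind;
}
```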