[rt-users] RT 4.4.1 LDAP Authentication issue.

Martin Wheldon martin.wheldon at greenhills-it.co.uk
Fri Dec 9 08:44:57 EST 2016


Hi,

Looks like an LDAP ACL issue. Is your LDAP search user able to access the
user's mail attribute?

Best Regards

Martin

On 2016-12-09 13:37, Claude EDUMA wrote:
> LDAP logs show that the user is retrieved, but not bound.
> 
> -----
> 
> SRCH base="o=corp.mycorp.com" scope=2 filter="(&(objectClass=privperson)(mail=claude.eduma at ext.mycorp.com))" attrs="cn mail mail"
> [09/Dec/2016:14:16:47 +0100] conn=9480527 op=2 msgId=3 - RESULT err=0 tag=101 nentries=1 etime=0
> 
> ----
> 
> Regards.
> 
> 2016-12-09 14:21 GMT+01:00 Claude EDUMA <claudeduma at gmail.com>:
> 
>> Well,
>> 
>> I will try to use user mail for authentication.
>> 
>> Here is the conf I tested without success :(
>> 
>> -----
>> 
>> Set($ExternalSettings, {
>>     'My_LDAP' => {
>>         'type'            => 'ldap',
>>         'server'          => 'ldap://ypmycorpldap.corp.mycorp.com',
>>         'user'            => 'uid=mycorp-rtir-reader,ou=applicationAccounts,o=corp.mycorp.com',
>>         'pass'            => 'SikH2mmKLtPi0E4ZYcqldTXAgILVxGVhXWlHBF3o21',
>>         'base'            => 'o=corp.mycorp.com',
>>         'filter'          => '(objectClass=person)',
>>         'tls'             => { verify => "require", cafile => "/etc/pki/tls/mycorp_CERTIFICATE_CHAIN.crt" },
>>         'net_ldap_args'   => [ version => 3, debug => 8 ],
>>         'attr_match_list' => [
>>             'Name',
>>             'EmailAddress',
>>         ],
>>         # Import the following properties of the user from LDAP upon
>>         # login
>>         'attr_map' => {
>>             'Name'         => 'mail',
>>             'EmailAddress' => 'mail',
>>             'RealName'     => 'cn',
>>         },
>>     },
>> });
>> 
>> ---
>> 
>> Regards
>> 
>> 2016-12-09 13:59 GMT+01:00 Martin Wheldon
>> <martin.wheldon at greenhills-it.co.uk>:
>> Hi,
>> 
>> You could either use another unique attribute, i.e. mail, or add
>> another uid to each RT user prefixed by a letter.
>> 
>> dn: uid=123456,dc=my,dc=domain
>> uid: 123456
>> uid: x123456
>> 
>> Best Regards
>> 
>> Martin
>> 
>> On 2016-12-09 12:49, Joop wrote:
>> On 9-12-2016 13:38, Claude EDUMA wrote:
>> Hi Joop,
>> 
>> Thank you for your quick answer.
>> We have tested with non numerical username and result is OK.
>> Well, in my organisation we use the LDAP uid for the username. Any suggestion
>> to resolve this issue?
>> 
>> Please keep the list in the loop.
>> 
>> I think the problem is in the function(s) which load the user info.
>> These functions take a name OR an id and then load the corresponding
>> info. When usernames are IDs that doesn't work any more. Other than
>> patching all functions which use this I don't see another solution
>> than to change the use of uid as a username, sorry.
>> 
>> Joop
>> 
>> ---------
>> RT 4.4 and RTIR training sessions, and a new workshop day!
>> https://bestpractical.com/training [3]
>> * Los Angeles - January 9-11 2017
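Martin's question at the top of the thread (can the reader account actually read the user's mail attribute?) can be checked outside RT. The script below is an added diagnostic, not RT code and not from anyone in the thread: it takes the server, CA file, base DN, reader DN and filter from the posted config, reads both passwords from environment variables (the names RT_LDAP_READER_PASS and RT_LDAP_USER_PASS are assumed), searches as the reader the way attr_match_list with EmailAddress => 'mail' does, reports whether cn and mail came back, and then binds as the located DN, which is the step the server log shows never happening.

```perl
# Added diagnostic (not RT code): repeat the two steps RT's external auth
# performs, search as the reader account, then bind as the user found.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Connection details copied from the config posted in the thread.
my $server = 'ldap://ypmycorpldap.corp.mycorp.com';
my $cafile = '/etc/pki/tls/mycorp_CERTIFICATE_CHAIN.crt';
my $base   = 'o=corp.mycorp.com';
my $reader = 'uid=mycorp-rtir-reader,ou=applicationAccounts,o=corp.mycorp.com';

# Assumed environment variable names, so no password lands in a pasted log.
my $reader_pw = $ENV{RT_LDAP_READER_PASS} // die "set RT_LDAP_READER_PASS\n";
my $user_pw   = $ENV{RT_LDAP_USER_PASS}   // die "set RT_LDAP_USER_PASS\n";
my $mail      = shift(@ARGV)              // die "usage: $0 <mail address>\n";

my $ldap = Net::LDAP->new($server, version => 3) or die "connect: $@\n";
my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
die 'start_tls: ' . $mesg->error . "\n" if $mesg->code;

# Step 1: bind as the reader and search the way attr_match_list with
# EmailAddress => 'mail' does (config filter AND the typed address).
$mesg = $ldap->bind($reader, password => $reader_pw);
die 'reader bind: ' . $mesg->error . "\n" if $mesg->code;

$mesg = $ldap->search(
    base   => $base,
    scope  => 'sub',
    filter => '(&(objectClass=person)(mail=' . escape_filter_value($mail) . '))',
    attrs  => [qw(cn mail)],
);
die 'search: ' . $mesg->error . "\n" if $mesg->code;
die 'expected exactly one entry, got ' . $mesg->count . "\n" unless $mesg->count == 1;

my $entry = $mesg->entry(0);
print 'found ', $entry->dn, "\n";

# The ACL question: the entry came back (nentries=1 in the log), but were the
# attributes RT maps into Name/EmailAddress/RealName actually readable?
for my $attr (qw(cn mail)) {
    my @v = $entry->get_value($attr);
    printf "  %-4s %s\n", $attr, @v ? join(', ', @v) : '<not returned: check ACL on this attribute>';
}

# Step 2: bind as the located DN with the user's own password.
$mesg = $ldap->bind($entry->dn, password => $user_pw);
print 'user bind: ', ($mesg->code ? 'FAILED: ' . $mesg->error : 'ok'), "\n";
$ldap->unbind;
```

If cn comes back but mail does not, the reader account's ACL is the problem, not the RT config; if both come back and the user bind fails, the password or the located DN is what to look at.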


