<div dir="ltr">I too was going down this path. What ended up working for me is creating local accounts on RT first, then LDAP authentication worked.<br>The other problem I ran into is the "give permissions for everyone to create ticket" error when this plugin was activated. Double-checked all permissions, and ensured that everyone could create a ticket for the given queue and had no luck.<br>
<br>For now I've rolled back the use of the plugin and I am just using local accounts :(<br><br>-a<br><br><div class="gmail_quote">On Wed, Oct 15, 2008 at 4:17 PM, Rich West <span dir="ltr"><<a href="mailto:Rich.West@wesmo.com">Rich.West@wesmo.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">I'm going down the route of integrating a new RT 3.8.1 install into a<br>
Windows 2003 Active Directory environment, and after going through the<br>
wiki web of information, I found that the "proper" method is now<br>
RT::Authen::ExternalAuth. That was, unfortunately, after I tried<br>
several other methods. :(<br>
<br>
Anyhow, I saw a couple of postings on the list (specifically:<br>
<a href="http://lists.bestpractical.com/pipermail/rt-users/2008-July/052959.html" target="_blank">http://lists.bestpractical.com/pipermail/rt-users/2008-July/052959.html</a>),<br>
and managed to get things configured, but not functioning. :(<br>
<br>
I am able to successfully ldapsearch :<br>
ldapsearch -LLL -x -D "CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local" -w ourpasswd -h ad.ourdomain.local "(objectClass=Person)" -b "dc=ourdomain,dc=local"<br>
<br>
And I tried a couple of different variants for searching with command<br>
line success: (objectClass=*), (sAMAccountName=user)<br>
<br>
However, I cannot seem to get it to work for RT. I'm getting "Your<br>
username or password is incorrect" after only a few seconds of<br>
processing. Probably the thing preventing me from debugging this<br>
further is.. well.. I'm not sure how to turn up the volume on the<br>
debugging. The most I am seeing in the logs is the login failure.<br>
<br>
Any ideas?<br>
<br>
Thanks!<br>
-Rich<br>
<br>
<br>
<br>
RT_SiteConfig.pm contains:<br>
# The order in which the services defined in ExternalSettings<br>
# should be used to authenticate users. User is authenticated<br>
# if successfully confirmed by any service - no more services<br>
# are checked.<br>
Set($ExternalAuthPriority, [ 'My_LDAP'<br>
]<br>
);<br>
<br>
# The order in which the services defined in ExternalSettings<br>
# should be used to get information about users. This includes<br>
# RealName, Tel numbers etc, but also whether or not the user<br>
# should be considered disabled.<br>
# Once user info is found, no more services are checked.<br>
Set($ExternalInfoPriority, [<br>
'My_LDAP'<br>
]<br>
);<br>
<br>
# If this is set to true, then the relevant packages will<br>
# be loaded to use SSL/TLS connections. At the moment,<br>
# this just means "use Net::SSLeay;"<br>
Set($ExternalServiceUsesSSLorTLS, 0);<br>
<br>
# If this is set to 1, then users should be autocreated by RT<br>
# as internal users if they fail to authenticate from an<br>
# external service.<br>
Set($AutoCreateNonExternalUsers, 1);<br>
<br>
# These are the full settings for each external service as a HashOfHashes<br>
# Note that you may have as many external services as you wish. They will<br>
# be checked in the order specified in the Priority directives above.<br>
# e.g.<br>
# Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);<br>
#<br>
Set($ExternalSettings, {<br>
# AN EXAMPLE LDAP SERVICE<br>
'My_LDAP' => { ## GENERIC SECTION<br>
# The type of service (db/ldap/cookie)<br>
'type' => 'ldap',<br>
# Should the service be used for authentication?<br>
'auth' => 1,<br>
# Should the service be used for information?<br>
'info' => 1,<br>
# The server hosting the service<br>
'server' => 'ad.ourdomain.local',<br>
## SERVICE-SPECIFIC SECTION<br>
# If you can bind to your LDAP server anonymously you should<br>
# remove the user and pass config lines, otherwise specify them here:<br>
#<br>
# The username RT should use to connect to the LDAP server<br>
'user' => 'CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local',<br>
# The password RT should use to connect to the LDAP server<br>
'pass' => 'ourpasswd',<br>
#<br>
# The LDAP search base<br>
'base' => 'dc=ourdomain,dc=local',<br>
# The filter to use to match RT-Users<br>
'filter' => '(objectclass=Person)',<br>
# The filter that will only match disabled users<br>
# 'd_filter' => '(serAccountControl:1.2.840.113556.1.4.803:=2)',<br>
'd_filter' => '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))',<br>
# Should we try to use TLS to encrypt connections?<br>
'tls' => 0,<br>
# What other args should I pass to Net::LDAP->new($host,@args)?<br>
'net_ldap_args' => [ version => 3 ],<br>
# Does authentication depend on group membership? What group name?<br>
'group' => '',<br>
# What is the attribute for the group object that determines membership?<br>
'group_attr' => '',<br>
## RT ATTRIBUTE MATCHING SECTION<br>
# The list of RT attributes that uniquely identify a user<br>
'attr_match_list' => [ 'Name',<br>
'EmailAddress',<br>
'RealName',<br>
'WorkPhone',<br>
'Address2'<br>
],<br>
# The mapping of RT attributes on to LDAP attributes<br>
'attr_map' => { 'Name' => 'sAMAccountName',<br>
'EmailAddress' => 'mail',<br>
'Organization' => 'physicalDeliveryOfficeName',<br>
'RealName' => 'cn',<br>
'ExternalAuthId' => 'sAMAccountName',<br>
'Gecos' => 'sAMAccountName',<br>
'WorkPhone' => 'telephoneNumber',<br>
'Address1' => 'streetAddress',<br>
'City' => 'l',<br>
'State' => 'st',<br>
'Zip' => 'postalCode',<br>
'Country' => 'co'<br>
}<br>
}<br>
}<br>
);<br>
1;<br>
<br>
_______________________________________________<br>
<a href="http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users" target="_blank">http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users</a><br>
</blockquote></div><br></div>
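An added example, not part of the thread and not the plugin's own code: a stand-alone Net::LDAP script that reports the LDAP result code at each stage of a login attempt, using the server, base, filter and `sAMAccountName` mapping from the quoted config. It assumes the common bind, search, rebind sequence for LDAP-backed logins; the `RT_LDAP_*` environment variable names are made up for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value ldap_error_name);

# Values copied from the quoted RT_SiteConfig.pm.
my $server = 'ad.ourdomain.local';
my $base   = 'dc=ourdomain,dc=local';
my $filter = '(objectclass=Person)';
my $attr   = 'sAMAccountName';    # attr_map entry for 'Name'

# Assumed variable names; secrets stay out of the file and out of argv.
my $bind_dn = $ENV{RT_LDAP_BIND_DN} // die "set RT_LDAP_BIND_DN\n";
my $bind_pw = $ENV{RT_LDAP_BIND_PW} // die "set RT_LDAP_BIND_PW\n";
my $user_pw = $ENV{RT_LDAP_USER_PW} // die "set RT_LDAP_USER_PW\n";
my $login   = shift(@ARGV) // die "usage: $0 login-name\n";

# Print the LDAP result of one step; true when the step succeeded.
sub report {
    my ($step, $mesg) = @_;
    printf "%-14s %s (%d) %s\n", $step,
        ldap_error_name($mesg->code), $mesg->code, $mesg->error;
    return !$mesg->is_error;
}

# No start_tls, matching 'tls' => 0 in the config: binds are sent unencrypted.
my $ldap = Net::LDAP->new($server, version => 3)
    or die "connect to $server failed: $@\n";

# Step 1: bind as the service account ('user' and 'pass' in the config).
report('service bind', $ldap->bind($bind_dn, password => $bind_pw)) or exit 1;

# Step 2: the configured filter AND the login name must match one entry.
my $search = $ldap->search(
    base   => $base,
    filter => sprintf('(&%s(%s=%s))', $filter, $attr,
                      escape_filter_value($login)),
    attrs  => ['1.1'],            # request DNs only
);
report('user search', $search) or exit 1;
printf "%-14s %d\n", 'entries', $search->count;
exit 1 unless $search->count == 1;

# Step 3: rebind as the entry found, using the user's own password.
my $user_dn = $search->entry(0)->dn;
print "user DN        $user_dn\n";
report('user bind', $ldap->bind($user_dn, password => $user_pw)) or exit 1;
$ldap->unbind;
```

A failure at step 1 or 2 points at the service account, base or filter; a failure only at step 3 points at the user's own credentials.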