<html>
<head>
<style>
.sw_message P{margin:0px;padding:0px;}
.sw_message {FONT-SIZE: 12pt;FONT-FAMILY:Tahoma,Arial,Helvetica,sans-serif;background:white;}
</style>
</head>
<body class="sw_message">
I'm trying to set up LDAP through the RT-Authen-ExternalAuth plugin.<br><br>I have gotten far enough to log in as a user via LDAP, but I want to restrict logins to a specific group within my Windows AD. I can't seem to get that part working. I know it's something I'm doing wrong, but I'm not seeing what it is.<br><br>So, what I want is to allow users within a group "CSER" to be able to log in and create tickets. I want another group "ITAdmin" to be equivalent to the RTAdmin. How do I set this up?<br><br>Here is my current configuration:<br><br>
<pre>
Set( $rtname, 'XXXXXX.ca');
Set($LogToFileNamed, "/var/tmp/rt3.error");
Set($LogToFile, 'debug');
Set($ExternalAuthPriority,['My_LDAP']);
Set($ExternalInfoPriority,['My_LDAP']);
Set(@Plugins,qw(RT::Authen::ExternalAuth));
Set($ExternalSettings, {
    'My_LDAP' => { ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        'auth' => 1,
        'info' => 1,
        # The server hosting the service
        'server' => 'XXX.XXX.XXX.XXX',
        # The username RT should use to connect to the LDAP server
        'user' => 'XXXXXX',
        # The password RT should use to connect to the LDAP server
        'pass' => 'XXXXXX',
        'base' => 'XXXXXX',
        'filter' => '(objectClass=Person)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        # (AD attribute is userAccountControl; bit 2 = ACCOUNTDISABLE)
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'CSER',
        # What is the attribute for the group object that determines membership?
        'group_attr' => '',
        'attr_match_list' => [ 'Name',
                               'EmailAddress',
                             ],
        'attr_map' => { 'Name' => 'sAMAccountName',
                        'EmailAddress' => 'mail',
                      }
    }
}
);
1;
</pre>
<br>With the above configuration I am able to log in after I get an error because of the blank group_attr. What exactly is supposed to be there? Every attempt to put something there causes the login to fail. Sample debug follows:<br><br>
<pre>
[Mon Jun 1 19:20:27 2009] [debug]: RT's GnuPG libraries couldn't successfully read your configured GnuPG home directory (/opt/rt3/var/data/gpg). PGP support has been disabled (/opt/rt3/bin/../lib/RT/Config.pm:339)
[Mon Jun 1 19:20:32 2009] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Jun 1 19:20:32 2009] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Jun 1 19:20:32 2009] [debug]: Calling UserExists with $username (gagel) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Jun 1 19:20:32 2009] [debug]: UserExists params:
username: gagel , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Jun 1 19:20:32 2009] [debug]: LDAP Search === Base: ou=XXXXX=ca == Filter: (&(objectClass=Person)(sAMAccountName=XXXXX)) == Attrs: mail,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Jun 1 19:20:32 2009] [debug]: Password validation required for service - Executing... (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Mon Jun 1 19:20:32 2009] [debug]: Trying external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Mon Jun 1 19:20:32 2009] [debug]: LDAP Search === Base: ou=XXXXXX=ca == Filter: (&(sAMAccountName=XXXXX)(objectClass=Person)) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Mon Jun 1 19:20:32 2009] [debug]: Found LDAP DN: CN=XXXX,OU=XXXXXX=ca (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Mon Jun 1 19:20:32 2009] [debug]: RT's GnuPG libraries couldn't successfully read your configured GnuPG home directory (/opt/rt3/var/data/gpg). PGP support has been disabled (/opt/rt3/bin/../lib/RT/Config.pm:339)
[Mon Jun 1 19:20:32 2009] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Jun 1 19:20:32 2009] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Jun 1 19:20:32 2009] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Jun 1 19:20:32 2009] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
</pre>
<br>What am I doing wrong?<br><br>Kevin W. Gagel<br>Network Administrator<br>Local 5448<br>My blog:<br>http://mail.cnc.bc.ca/blogs/gagel<br>My shared files:<br>http://mail.cnc.bc.ca/users/gagel<br>
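An added example, not part of the post above and not code from the RT-Authen-ExternalAuth plugin: a small Python parser for RT debug entries in the shape quoted in the post. It lists every LDAP search the plugin logged (base, filter, attributes) and summarises the login attempt, so you can tell from the log alone whether a DN was found, whether any search referenced the configured group name, and what the autohandler finally answered. The sample lines are constructed from the post with its placeholders kept; the multi-line UserExists entry is included to exercise continuation handling.

```python
import re

# Constructed sample in the shape of the post's debug log (placeholders kept).
SAMPLE_LOG = """\
[Mon Jun 1 19:20:32 2009] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Jun 1 19:20:32 2009] [debug]: UserExists params:
username: gagel , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Jun 1 19:20:32 2009] [debug]: LDAP Search === Base: ou=XXXXX=ca == Filter: (&(objectClass=Person)(sAMAccountName=XXXXX)) == Attrs: mail,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Jun 1 19:20:32 2009] [debug]: LDAP Search === Base: ou=XXXXXX=ca == Filter: (&(sAMAccountName=XXXXX)(objectClass=Person)) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Mon Jun 1 19:20:32 2009] [debug]: Found LDAP DN: CN=XXXX,OU=XXXXXX=ca (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Mon Jun 1 19:20:32 2009] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
"""

# One RT entry: "[timestamp] [level]: message (source_file:line)"; the message
# may itself contain parentheses, so the source location is anchored at the end.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]: (?P<msg>.*) \((?P<src>[^()]+:\d+)\)$", re.S)
# The plugin's own search trace line: "LDAP Search === Base: .. == Filter: .. == Attrs: .."
SEARCH_RE = re.compile(
    r"LDAP Search === Base: (?P<base>.*?) == Filter: (?P<filter>.*?) == Attrs: (?P<attrs>.*)")


def parse_rt_log(text):
    """Split the log into entries; a line not starting with '[' continues the previous entry."""
    chunks = []
    for line in text.splitlines():
        if line.startswith("[") or not chunks:
            chunks.append(line)
        else:
            chunks[-1] += "\n" + line
    return [m.groupdict() for m in map(ENTRY_RE.match, chunks) if m]


def ldap_searches(entries):
    """Base, filter and attrs of every LDAP search the plugin logged, in order."""
    hits = (SEARCH_RE.search(e["msg"]) for e in entries)
    return [{k: v.strip() for k, v in m.groupdict().items()} for m in hits if m]


def audit_auth_flow(entries, group):
    """Summarise one login attempt: DN found, any search naming the group, final response."""
    searches = ldap_searches(entries)
    dn = next((e["msg"].split("Found LDAP DN: ", 1)[1] for e in entries
               if "Found LDAP DN: " in e["msg"]), None)
    response = next((e["msg"].rsplit("Response: ", 1)[1] for e in entries
                     if "Response: " in e["msg"]), None)
    group_checked = any(group in s["base"] or group in s["filter"] for s in searches)
    return {"searches": len(searches), "dn": dn,
            "group_checked": group_checked, "response": response}
```

Running `audit_auth_flow(parse_rt_log(SAMPLE_LOG), "CSER")` on the sample shows two searches, a DN found, no search mentioning the group, and a final `(0, No User)` response; on a real log, compare the filters against the `group`/`group_attr` values in the config to see which search the plugin actually issued.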
</body></html>