<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.18928"></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=908004620-06082010><FONT color=#0000ff
size=2 face=Arial>VM,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=908004620-06082010><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=908004620-06082010><FONT size=2
face=Arial><FONT color=#0000ff>>> <FONT size=3 face="Times New Roman">Are
you successful in your effort? << </FONT></FONT></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=908004620-06082010><FONT size=2
face=Arial><FONT color=#0000ff size=3
face="Times New Roman"></FONT></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=908004620-06082010><FONT color=#0000ff
size=2 face=Arial>Not yet.  It may be a while as I have my fingers in a few
pies besides RT.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=908004620-06082010><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=908004620-06082010><FONT
color=#0000ff>>> what is the difference in user creation when RT is
integrated with AD? <<</FONT> </SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=908004620-06082010></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=908004620-06082010><FONT color=#0000ff
size=2 face=Arial>I'm not sure yet. I'm still trying to understand how RT
works. Right now, logged in as root, I can't even manually create a user
in RT at all, let alone have a user automatically imported from Active
Directory. Once I've figured out how to create a user manually, then I'll
learn how to make RT and AD do it for me. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=908004620-06082010><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=908004620-06082010><FONT color=#0000ff
size=2 face=Arial>What I'm trying to avoid, of course, is having to
manually administer the creation of users and the assignment of rights to each
user. Instead, I want RT to </FONT></SPAN><SPAN
class=908004620-06082010><FONT color=#0000ff size=2 face=Arial>import the
user accounts from Active Directory, rather than for me as the
administrator to have to create hundreds of user accounts in RT (either up
front, or as people request access), each matching an account we already have in
our Active Directory datastore. As for rights, it looks like I
can assign rights to users by inheritance through roles (e.g. Requestor) and
groups. From what I'm reading in the user manual it looks like it can
be done this way. If I'm successful, I should have a set of configuration
files that can be posted to the list to help others accomplish the same
thing. We'll see.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=908004620-06082010><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=908004620-06082010><FONT color=#0000ff
size=2 face=Arial>Best regards,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=908004620-06082010><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=908004620-06082010><FONT color=#0000ff
size=2 face=Arial>Gene Evans</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=908004620-06082010><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV><FONT color=#0000ff size=2
face=Arial></FONT><BR>
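<DIV>Added example (not code from this thread or from RT): the CanonicalizeEmailAddress routine quoted below interpolates the sender's address, which arrives in inbound mail, directly into the filter "(mailAlternateAddress=$email)". The sketch escapes the value per RFC 4515 first; mail_lookup_filter is a hypothetical helper, the addresses are constructed samples, and Net::LDAP::Util provides its own escape_filter_value where perl-ldap is installed.</DIV>
<PRE>
```perl
#!/usr/bin/perl
use strict;
use warnings;

# RFC 4515 escaping for a filter assertion value: backslash, '*', '(', ')'
# and NUL are each replaced by a backslash and two hex digits.
# Local stand-in so the example runs with core Perl only.
sub escape_filter_value {
    my ($value) = @_;
    $value =~ s/([\\*()\x00])/sprintf('\\%02x', ord($1))/ge;
    return $value;
}

# Hypothetical helper: build the lookup filter for one sender address.
# Returns undef when the input is not a single local@domain token, so the
# caller can skip the directory lookup and keep the address unchanged.
sub mail_lookup_filter {
    my ($attr, $email) = @_;
    return unless defined $email;
    return unless $email =~ /\A[^\s\@]+\@[^\s\@]+\z/;
    return sprintf('(%s=%s)', $attr, escape_filter_value($email));
}

# Constructed sample sender addresses (not taken from the thread).
my @samples = (
    'jdoe@rice.edu',      # ordinary address, unchanged by escaping
    'j*@rice.edu',        # a raw '*' is a wildcard in an LDAP filter
    'j(doe)@rice.edu',    # raw parentheses break the filter structure
    'not an address',     # rejected before any lookup
);

for my $email (@samples) {
    # Form used in the quoted code: the value is placed in the filter as-is.
    my $raw  = "(mailAlternateAddress=$email)";
    my $safe = mail_lookup_filter('mailAlternateAddress', $email);
    printf "%-18s raw:  %s\n", $email, $raw;
    printf "%-18s safe: %s\n", '', defined $safe ? $safe : '(lookup skipped)';
}
```
</PRE>
<DIV>With the escaped form, the search can only match an entry whose attribute equals the literal address, so the existing count == 1 check keeps its meaning.</DIV>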
<DIV dir=ltr lang=en-us class=OutlookMessageHeader align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B> testwreq wreq [mailto:testwreq@gmail.com]
<BR><B>Sent:</B> Friday, August 06, 2010 2:58 PM<BR><B>To:</B> Eugene M.
Evans<BR><B>Subject:</B> Re: [rt-users] RT 3.8 Active Directory integration and
single sign-on<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV>Hello Gene,</DIV>
<DIV> </DIV>
<DIV>I am looking to accomplish a similar thing. Are you successful in your
effort?</DIV>
<DIV> </DIV>
<DIV>Question:
<P class=MsoNormal>You
want to integrate RT with Active Directory such that an RT user account will
automatically be created when a user first submits a ticket request via email.
RT does this without integration. So, then what is the difference in user
creation when RT is integrated with AD?</P>
<P class=MsoNormal> </P>
<P class=MsoNormal>Regards,
vm</P><BR></DIV>
<DIV class=gmail_quote>On Thu, Aug 5, 2010 at 9:26 AM, Eugene M. Evans
<DEFANGHTML_SPAN dir=ltr><<A
href="mailto:EMEvans@heapy.com">EMEvans@heapy.com</A>></DEFANGHTML_SPAN>
wrote:<BR>
<BLOCKQUOTE class=gmail_quote
defanghtml_style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex">Mike,<BR><BR>Thank you
for the reply. Looks like I'll need to dive a bit deeper than<BR>I first
anticipated. I'll post my results.<BR><BR>Sincerely,<BR><BR>Gene
Evans<BR>IT Administrator<BR>Heapy Engineering<BR>937-224-0861
x1404<BR><BR>-----Original Message-----<BR>From: <A
href="mailto:rt-users-bounces@lists.bestpractical.com">rt-users-bounces@lists.bestpractical.com</A><BR>[mailto:<A
href="mailto:rt-users-bounces@lists.bestpractical.com">rt-users-bounces@lists.bestpractical.com</A>]
On Behalf Of<BR><A
href="mailto:rt-users-request@lists.bestpractical.com">rt-users-request@lists.bestpractical.com</A><BR>Sent:
Thursday, August 05, 2010 8:49 AM<BR>To: <A
href="mailto:rt-users@lists.bestpractical.com">rt-users@lists.bestpractical.com</A><BR>Subject:
RT-Users Digest, Vol 77, Issue 20<BR><BR>Today's Topics:<BR><BR>   1. RT
3.8 Active Directory integration and single sign-on<BR>
(Eugene M. Evans)<BR> 2. Re: RT 3.8 Active Directory integration
and single sign-on<BR> (Mike
Johnson)<BR><BR><BR>----------------------------------------------------------------------<BR><BR>Message:
1<BR>Date: Wed, 4 Aug 2010 22:58:07 -0400<BR>From: "Eugene M. Evans" <<A
href="mailto:EMEvans@heapy.com">EMEvans@heapy.com</A>><BR>To: <<A
href="mailto:rt-users@lists.bestpractical.com">rt-users@lists.bestpractical.com</A>><BR>Subject:
[rt-users] RT 3.8 Active Directory integration and single<BR>
sign-on<BR>Message-ID:<BR>
<BFA145AA31FEBC449D510ADC62FF513E14A6D5@dayxchng0.heapy.local><BR>Content-Type:
text/plain; charset="us-ascii"<BR><BR>I am trying to accomplish two
things:<BR><BR>First, to integrate RT with Active Directory such that an RT
user<BR>account will automatically be created in either of the following
cases.<BR> a) when a user first submits a ticket request via email,
and<BR> b) when a user first logs in via the RT web
interface<BR><BR>Secondly, Single sign-on, such that once an RT account has
been created<BR>an MS-Windows user will not need to enter their password on
subsequent<BR>visits to the RT web interface.<BR><BR>I've started by
attempting to implement the Auth::ExternalAuth extension<BR>but have been
unable to get it working. I cannot log into the RT web<BR>interface
using any account except the root account that has already<BR>been created
within RT. Once in RT as root, I am unable to create a new<BR>user.
I get the error "User could not be created: Could not set
user<BR>info."<BR><BR>I've tried the solution mentioned in this thread
--><BR><A href="http://www.gossamer-threads.com/lists/rt/users/94218"
target=_blank>http://www.gossamer-threads.com/lists/rt/users/94218</A> to get
RT to<BR>auto-create users, but to no avail.<BR>Note that when I uncomment the
statement "Set($WebExternalAuto,1);" and<BR>restart apache the RT login screen
provides no login box in which to<BR>enter a username or a
password.<BR><BR>Any advice would be greatly appreciated.<BR><BR>Below is my
RT configuration.<BR><BR><BR>#Begin /opt/rt3/etc/RT_SiteConfig.pm tail
...<BR># The following two statements support single sign-on.<BR># but I have
commented them out for now since they are # said to<BR>conflict with the
ExternalAuth extension.<BR># See <A
href="http://wiki.bestpractical.com/view/ExternalAuth"
target=_blank>http://wiki.bestpractical.com/view/ExternalAuth</A><BR><<A
href="http://wiki.bestpractical.com/view/ExternalAuth"
target=_blank>http://wiki.bestpractical.com/view/ExternalAuth</A>>
.<BR><BR># Tell RT to trust the webserver to handle authentication.<BR>#
Set($WebExternalAuth, 3);<BR><BR># If the webserver hands RT a user RT is not
# familiar with, RT should<BR>just go ahead and # create an account.<BR>#
Set($WebExternalAuto, 1);<BR><BR>...<BR># Include the configuration for the
ExternalAuth
extension.<BR>require<BR>"/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm";<BR>Set($AutoCreate,{Privileged
=> 0});<BR><BR>1;<BR>#End
/opt/rt3/etc/RT_SiteConfig.pm<BR><BR><BR><BR><BR>#Begin<BR>/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
in<BR>its entirety.<BR><BR>Set($ExternalAuthPriority,
[ 'Heapy_AD_LDAP' ] );<BR>Set($ExternalInfoPriority,
[ 'Heapy_AD_LDAP' ]
);<BR>Set($ExternalServiceUsesSSLorTLS,
0);<BR>Set($AutoCreateNonExternalUsers,
0);<BR><BR>Set($ExternalSettings, {<BR>
'Heapy_AD_LDAP'
=> {<BR><BR>
'type'
=> 'ldap',<BR>
'server'
=><BR>'serverxyz.domain.domainSuffix',<BR>
'user'
=><BR>'cn=ldap,ou=Services,dc=domain,dc=domainSuffix',<BR>
'pass'
=>
'the_ldap_password',<BR>
'base'
=><BR>'dc=domain,dc=domainSuffix',<BR><BR>
'filter'
=><BR>'(&(ObjectCategory=User)(ObjectClass=Person))',<BR>
'd_filter'
=><BR>'(userAccountControl:1.2.840.113556.1.4.803:=2)',<BR><BR>#
'tls'
=>
0,<BR>#
'ssl_version' =>
3,<BR><BR>
'net_ldap_args' => [
version => 3<BR>],<BR>
'group'
=><BR>'cn=group,ou=Services,dc=domain,dc=domainSuffix',<BR>
'group_attr'
=> 'member',<BR><BR>
'attr_match_list'
=> [ 'Name',<BR>'EmailAddress'
],<BR>
'attr_map' => {
'Name' =><BR>'sAMAccountName',<BR>
'EmailAddress'
=><BR>'mail',<BR>
'Organization'
=><BR>'physicalDeliveryOfficeName',<BR>
'RealName' => 'cn',<BR>
'ExternalAuthId'
=><BR>'sAMAccountName',<BR>
'Gecos'
=><BR>'sAMAccountName',<BR>
'WorkPhone'
=><BR>'telephoneNumber',<BR>
'Address1'
=><BR>'streetAddress',<BR>
'City' =>
'l',<BR>
'State' => 'st',<BR>
'Zip' =><BR>'postalCode',<BR>
'Country'
=> 'co'<BR>
}<BR>
}<BR>
}<BR>);<BR><BR>Set(@Plugins, qw(RT::Authen::ExternalAuth)); 1;
#End<BR>/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm<BR><BR>------------------------------<BR><BR>Message:
2<BR>Date: Thu, 5 Aug 2010 08:51:28 -0400<BR>From: Mike Johnson <<A
href="mailto:mike.johnson@nosm.ca">mike.johnson@nosm.ca</A>><BR>To: <A
href="mailto:rt-users@lists.bestpractical.com">rt-users@lists.bestpractical.com</A><BR>Subject:
Re: [rt-users] RT 3.8 Active Directory integration and single<BR>
sign-on<BR>Message-ID:<BR> <<A
href="mailto:AANLkTin4a4uuw-Q_wb4FXi9YDnATSN2OvyiuadodueU-@mail.gmail.com">AANLkTin4a4uuw-Q_wb4FXi9YDnATSN2OvyiuadodueU-@mail.gmail.com</A>><BR>Content-Type:
text/plain; charset="iso-8859-1"<BR><BR>b) should be done easily using
ExternalAuth.  When I say easily, I mean,<BR>as soon as you get
ExternalAuth working, b is done.... but it did take<BR>me almost a week to
figure out my issues (a spelling mistake in the<BR>config
file<BR>:'()<BR><BR>a) sounds like you want ExternalAuth with AutoCreate
Privileged=>0 set,<BR>but you'd also need to tweak the RT system.<BR><BR>The
problem with just doing the above, if someone has already sent an<BR>email to
your system prior to attempting to login, their email address<BR>generates a
user in RT. That user has username = email address, as well<BR>as email
address filled out too. Then when they go to login,<BR>ExternalAuth
pulls the user's email address from LDAP and attempts to<BR>create the user
with that email address, however that email address<BR>already exists on the
autocreated user from the email they sent in.. so<BR>the create user
fails.<BR><BR>Ken Marshall shared something on the listserv of a way to fix
this, but<BR>I haven't got it working yet (I'm new to Perl, still
learning)<BR><BR><BR>He edited the spot in RT that runs every time an email
address is found.<BR>From reading the code, I believe his changes make
the<BR>CanonicalizeEmailAddress subroutine connect to your LDAP and pull
the<BR>LDAP info in (as defined in ExternalAuth's config) instead of
just<BR>creating a user using the email address alone.<BR><BR>What I mean is,
RT out of the box, when an email comes in, the
unedited<BR>CanonicalizeEmailAddress sub does pretty much nothing but a
word<BR>substitution (based on a config file setting), but Ken's version
actually<BR>connects to LDAP and pulls the real name, the username,
etc.<BR><BR>The way Ken explained it to me, it should not only fix old
accounts that<BR>already exist, but ensure all new accounts work correctly as
well.<BR><BR>Below is the code, also search the listserv for my post
about<BR>workarounds while waiting for ExternalAuth 0.09.<BR><BR>Good
luck!<BR>Mike<BR>***Ken's code below***<BR><BR>sub CanonicalizeEmailAddress
{<BR> my $self = shift;<BR> my $email = shift;<BR> # Leave
some addresses intact<BR> if ( $email =~ /[\w-]+\@<A
href="http://mysafe1.rice.edu/" target=_blank>mysafe1.rice.edu</A>$/ )
{<BR> return ($email);<BR> }<BR> if ( $email
=~ /[\w-]+\@<A href="http://mysafe2.rice.edu/"
target=_blank>mysafe2.rice.edu</A>$/ ) {<BR> return
($email);<BR> }<BR> # Example: the following rule would treat all
email<BR> # coming from a subdomain as coming from second level
domain<BR> # <A href="http://foo.com/"
target=_blank>foo.com</A><BR> if ( my $match =
RT->Config->Get('CanonicalizeEmailAddressMatch')<BR>and<BR>
my $replace =
RT->Config->Get('CanonicalizeEmailAddressReplace')<BR>)<BR>
{<BR> $email =~ s/$match/$replace/gi;<BR>
}<BR> $email .= '@<A href="http://rice.edu/" target=_blank>rice.edu</A>'
if ($email =~ /^[\w-]+$/);<BR> #<BR> # Now we should have an Email
address that is of the form<BR><A
href="mailto:addr@rice.edu">addr@rice.edu</A><BR> # Use LDAP to map this
to the primary vanity Email alias.<BR>   my %params = ( Name =>
undef,<BR>
EmailAddress => undef);<BR> my $ldap = new
Net::LDAP($RT::LdapServer)<BR> or
$RT::Logger->critical("CanonicalizeEmailAddress: Cannot connect<BR>to
LDAP\n"),<BR> return ($email);<BR> my $mesg =
$ldap->bind();<BR> if ($mesg->code != LDAP_SUCCESS) {<BR>
$RT::Logger->critical("CanonicalizeEmailAddress: Unable to bind
to<BR>$RT::LdapServer: ",<BR>
ldap_error_name($mesg->code), "\n");<BR> return
($email);<BR> }<BR> # First check to see if the E-mail address
uniquely characterizes the<BR> # user. If so, update the information
with the LDAP query results.<BR> my $filter =
"(mailAlternateAddress=$email)";<BR> $mesg = $ldap->search(base
=> $RT::LdapBase,<BR>
filter => $filter,<BR>
attrs => [ $RT::LdapMailAttr ]);<BR> if ($mesg->code !=
LDAP_SUCCESS and $mesg->code !=<BR>LDAP_PARTIAL_RESULTS) {<BR>
$RT::Logger->critical("Unable to search in LDAP:
",<BR>ldap_error_name($mesg->code), "\n");<BR> return
($email);<BR> }<BR> # The search succeeded with just one
match<BR> if ($mesg->count == 1) {<BR> $email =
($mesg->first_entry->get_value($RT::LdapMailAttr))[0];<BR>
}<BR> $mesg = $ldap->unbind();<BR> if ($mesg->code !=
LDAP_SUCCESS) {<BR> $RT::Logger->critical("Could not unbind
from LDAP: ",<BR>ldap_error_name($mesg->code), "\n");<BR> }<BR>
undef $ldap;<BR> undef $mesg;<BR> return ($email);<BR>}<BR><BR>You
will also need these somewhere ahead of their use:<BR>use Net::LDAP;<BR>use
Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_PARTIAL_RESULTS);<BR>use
Net::LDAP::Util qw(ldap_error_name);<BR>use Net::LDAP::Filter;<BR>We
have<BR>them at the top under "use strict".<BR><BR>--<BR>Mike
Johnson<BR>Datatel Programmer/Analyst<BR>Northern Ontario School of
Medicine<BR>955 Oliver Road<BR>Thunder Bay, ON P7B 5E1<BR>Phone: (807)
766-7331<BR>Email: <A
href="mailto:mike.johnson@nosm.ca">mike.johnson@nosm.ca</A><BR></BLOCKQUOTE></DIV><BR></BODY></HTML>