<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w="urn:schemas-microsoft-com:office:word"><head><META content="text/html; charset=utf-8" http-equiv="Content-Type">
<STYLE><!-- /* Style Definitions */ p.0fd6d03f-a51a-45c5-a360-8e3c0de64de5, li.0fd6d03f-a51a-45c5-a360-8e3c0de64de5, div.0fd6d03f-a51a-45c5-a360-8e3c0de64de5, table.0fd6d03f-a51a-45c5-a360-8e3c0de64de5Table {margin:0cm; margin-bottom:.0001pt;} div.Section1 {page:Section1;} --></STYLE>
<META content="text/html; charset=utf-8" HTTP-EQUIV="Content-Type">
<meta content="Microsoft Word 11 (filtered medium)" name=Generator>
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";
color:black;}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
pre
{margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
p.section1, li.section1, div.section1
{mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head><BODY>
<div class=Section1>
<p class=MsoNormal><font color=navy face=Arial size=2><span style='font-size:
10.0pt;font-family:Arial;color:navy'>My config file for LDAP uses this format:<o:p></o:p></span></font></p>
<p class=MsoNormal><font color=navy face=Arial size=2><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<pre><font color=navy face="Courier New" size=2><span style='font-size:10.0pt;font-family:"Courier New";color:navy'>'user' => 'username@domain',
'pass' => 'password',</span></font></pre>
<p class=MsoNormal><font color=navy face=Arial size=2><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div>
<p class=section1><font color=navy face=Arial size=2><span lang=EN-US style='font-size:10.0pt;font-family:Arial;color:navy'>Regards,</span></font><font color=navy><span lang=EN-US style='color:navy'> <br>
</span></font><b><font color=navy face=Tahoma size=2><span lang=EN-US style='font-size:10.0pt;font-family:Tahoma;color:navy;font-weight:bold'>Dan</span></font></b><span lang=EN-US><o:p></o:p></span></p>
</div>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div align=center class=MsoNormal style='text-align:center'><font color=black face="Times New Roman" size=3><span lang=EN-US style='font-size:12.0pt;
color:windowtext'>
<hr align=center size=2 tabindex=-1 width="100%">
</span></font></div>
<p class=MsoNormal><b><font color=black face=Tahoma size=2><span lang=EN-US style='font-size:10.0pt;font-family:Tahoma;color:windowtext;font-weight:bold'>From:</span></font></b><font color=black face=Tahoma size=2><span lang=EN-US style='font-size:10.0pt;
font-family:Tahoma;color:windowtext'> rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] <b><span style='font-weight:
bold'>On Behalf Of </span></b>Wes Modes<br>
<b><span style='font-weight:bold'>Sent:</span></b> January-11-11 1:33 PM<br>
<b><span style='font-weight:bold'>To:</span></b>
rt-users@lists.bestpractical.com<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [rt-users]
ExternalAuth help needed</span></font><font color=black><span lang=EN-US style='color:windowtext'><o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><font color=black face="Times New Roman" size=3><span style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><font color=black face="Times New Roman" size=3><span style='font-size:12.0pt'>As suggested in a thread
in this forum, I connected with ldapsearch with no problem:<o:p></o:p></span></font></p>
<p class=MsoNormal><font color=black face="Courier New" size=3><span style='font-size:12.0pt;font-family:"Courier New"'>[root@rt2]# ldapsearch -x
-LLL -D "cn=admin,dc=ucsc,dc=edu" -W -h dir1.library.ucsc.edu -b
"ou=people,dc=ucsc,dc=edu" uid=wmodes cn telephoneNumber</span></font><br>
<font face="Courier New"><span style='font-family:"Courier New"'>Enter LDAP
Password: </span></font><br>
<font face="Courier New"><span style='font-family:"Courier New"'>dn:
uid=wmodes,ou=people,dc=ucsc,dc=edu</span></font><br>
<font face="Courier New"><span style='font-family:"Courier New"'>cn: Wes Modes</span></font><br>
<font face="Courier New"><span style='font-family:"Courier New"'>telephoneNumber:
831-459-5208</span></font><o:p></o:p></p>
<p class=MsoNormal><font color=black face="Times New Roman" size=3><span style='font-size:12.0pt'>This was run from the server running RT. The DN
and password I'm using to connect are the same here and in the config
file. Now what?<br>
<br>
Wes<br>
<br>
<br>
On 1/11/2011 7:43 AM, Kevin Falcone wrote: <o:p></o:p></span></font></p>
<pre wrap><font color=black face="Courier New" size=2><span style='font-size:10.0pt'>On Mon, Jan 10, 2011 at 06:03:37PM -0800, Wes Modes wrote:</span></font></pre>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt' type=cite><pre wrap><font color=black face="Courier New" size=2><span style='font-size:10.0pt'> I am using ExternalAuth to connect RT3.8.8 to LDAP.

 Detailed documentation seems to be woefully absent, and I've scoured the web and tried the
 dozens of conflicting suggestions, so I'm turning to y'all.

 Here's the error I get:

 [Tue Jan 11 01:41:56 2011] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj
 Can't bind: LDAP_INVALID_DN_SYNTAX 34
 (/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:467)</span></font></pre></blockquote>
<pre wrap><font color=black face="Courier New" size=2><span style='font-size:10.0pt'>
The error seems clear: something in your username or password isn't
valid DN syntax according to your server.

Try connecting using the ldapsearch command line client.

-kevin
</span></font></pre>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt' type=cite><pre wrap><font color=black face="Courier New" size=2><span style='font-size:10.0pt'> Here's the LDAP section from my RT_Authen-ExternalAuth.pm

 'My_LDAP' => {
     ## GENERIC SECTION
     # The type of service (db/ldap/cookie)
     'type' => 'ldap',
     # The server hosting the service
     'server' => 'dir1.library.ucsc.edu',
     ## SERVICE-SPECIFIC SECTION
     # If you can bind to your LDAP server anonymously you should
     # remove the user and pass config lines, otherwise specify them here:
     #
     # The username RT should use to connect to the LDAP server
     'user' => 'cn=admin,dc=ucsc,dc=edu',
     # The password RT should use to connect to the LDAP server
     'pass' => 'PASSWORD',
     #
     # The LDAP search base
     'base' => 'ou=people,dc=ucsc,dc=edu',
     #
     # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
     # YOU **MUST** SPECIFY A filter AND A d_filter!!
     #
     # The filter to use to match RT-Users
     'filter' => '(objectClass=person)',
     # A catch-all example filter: '(objectClass=*)'
     #
     # The filter that will only match disabled users
     'd_filter' => '(objectClass=FooBarBaz)',
     # A catch-none example d_filter: '(objectClass=FooBarBaz)'
     #
     # Should we try to use TLS to encrypt connections?
     'tls' => 0,
     # SSL Version to provide to Net::SSLeay *if* using SSL
     'ssl_version' => 3,
     # What other args should I pass to Net::LDAP->new($host,@args)?
     'net_ldap_args' => [ version => 3 ],
     # Does authentication depend on group membership? What group name?
     'group' => 'staff',
     # What is the attribute for the group object that determines membership?
     'group_attr' => 'ou=group,dc=ucsc,dc=edu',
     ## RT ATTRIBUTE MATCHING SECTION
     # The list of RT attributes that uniquely identify a user
     # This example shows what you *can* specify.. I recommend reducing this
     # to just the Name and EmailAddress to save encountering problems later.
     'attr_match_list' => [ 'Name',
                            'EmailAddress',
                          ],
     # The mapping of RT attributes on to LDAP attributes
     'attr_map' => { 'Name'           => 'uid',
                     'EmailAddress'   => 'mail',
                     'RealName'       => 'cn',
                     'ExternalAuthId' => 'uid',
                     'Gecos'          => 'gecos',
                     'WorkPhone'      => 'telephoneNumber',
                   }
 },

 What more do you need to know to help me get this working?

 Wes</span></font></pre></blockquote>
</div>
</div>
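<p class=MsoNormal><font color=black face="Times New Roman" size=3><span style='font-size:12.0pt'>As an added example (not code from this thread or from the RT project): a Python pre-flight checker for the LDAP service hash quoted above. It does not contact the directory. It checks the values that most often produce "Can't bind: LDAP_INVALID_DN_SYNTAX 34": whether 'user' is a syntactically valid DN or the user@domain form Dan suggests (Active Directory accepts that form as a simple-bind name; a directory that requires a DN typically answers with exactly this result code), whether filter and d_filter are parenthesised as the config comments require, whether group_attr holds an attribute name rather than a DN, and whether 'tls' => 0 leaves the service-account password on the wire in clear text. It also pulls the -D DN out of the ldapsearch command line Wes ran and compares it with 'user' after normalisation, since "the same DN" is easier to assert than to eyeball. The sample hash and command line are taken from the quoted messages; the DN grammar is an approximation of RFC 4514, and the function names are my own.</span></font></p>

```python
"""Pre-flight checks for the LDAP section of an RT::Authen::ExternalAuth config.

Added example, not code from the thread or from the RT project. It never
contacts a directory: it inspects the configured values for the shapes that
commonly produce "Can't bind: LDAP_INVALID_DN_SYNTAX 34", flags settings a
reviewer would question, and compares the bind identity with the one used in
a working ldapsearch command line.
"""
import re
import shlex
from typing import List, Optional

# Approximate RFC 4514 DN grammar: attributeType=value RDNs joined by ',',
# multi-valued RDNs joined by '+'. Values may use backslash escapes or the
# '#'-prefixed hex form; unescaped , + " \ < > ; = are not allowed in values.
_TYPE = r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)"
_VALUE = r'(?:#(?:[0-9A-Fa-f]{2})+|(?:[^,+"\\<>;=#\s]|\\.)(?:[^,+"\\<>;=]|\\.)*)'
_RDN = rf"{_TYPE}\s*=\s*{_VALUE}(?:\+{_TYPE}\s*=\s*{_VALUE})*"
_DN_RE = re.compile(rf"^{_RDN}(?:\s*,\s*{_RDN})*$")
# user@domain (UPN) form: not a DN. Active Directory accepts it as a simple-bind
# name; a server that insists on a DN answers invalidDNSyntax (result code 34).
_UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+$")


def is_valid_dn(value: str) -> bool:
    """True if value parses as a non-empty distinguished name."""
    return bool(_DN_RE.match(value))


def is_upn(value: str) -> bool:
    return bool(_UPN_RE.match(value))


def normalize_dn(value: str) -> str:
    """Canonical form for comparison: lowercase attribute types, no whitespace
    around ',' and '='. Values keep their case; escaped commas are respected."""
    parts = []
    for rdn in re.split(r"(?<!\\)\s*,\s*", value.strip()):
        attr, _, val = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={val.strip()}")
    return ",".join(parts)


def is_ldap_filter(value: str) -> bool:
    """The plugin requires filters wrapped in parentheses; also insist that the
    parentheses balance so a typo is caught before any search is attempted."""
    if not (value.startswith("(") and value.endswith(")")):
        return False
    depth = 0
    for ch in value:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


def extract_bind_dn(cmdline: str) -> Optional[str]:
    """Return the -D argument of an ldapsearch command line; a leading shell
    prompt such as '[root@rt2]#' is just another token and is skipped."""
    argv = shlex.split(cmdline)
    for i, tok in enumerate(argv):
        if tok == "-D" and i + 1 < len(argv):
            return argv[i + 1]
        if tok.startswith("-D") and len(tok) > 2:
            return tok[2:]
    return None


def check_ldap_section(cfg: dict, working_ldapsearch: Optional[str] = None) -> List[str]:
    """Return findings for one ExternalAuth LDAP service hash (empty = clean)."""
    findings = []
    user = cfg.get("user")
    if user is not None:
        if is_valid_dn(user):
            pass
        elif is_upn(user):
            findings.append(f"user: {user!r} is user@domain, not a DN; Active Directory "
                            "accepts it, a DN-only server returns invalidDNSyntax (34)")
        else:
            findings.append(f"user: {user!r} is neither a DN nor user@domain")
        if not cfg.get("pass"):
            findings.append("pass: empty password with a bind user is an unauthenticated "
                            "bind, which some servers silently accept")
    if "base" in cfg and not is_valid_dn(cfg["base"]):
        findings.append(f"base: {cfg['base']!r} is not a valid DN")
    for key in ("filter", "d_filter"):
        if key not in cfg:
            findings.append(f"{key}: missing; the plugin requires both filter and d_filter")
        elif not is_ldap_filter(cfg[key]):
            findings.append(f"{key}: {cfg[key]!r} is not a parenthesised LDAP filter")
    group_attr = cfg.get("group_attr")
    if group_attr is not None and is_valid_dn(group_attr):
        findings.append(f"group_attr: {group_attr!r} looks like a DN, but this key names "
                        "the group attribute that lists members (e.g. 'member')")
    if not cfg.get("tls"):
        findings.append("tls: 0 sends the bind password over the network in clear text; "
                        "set tls => 1 so the session is encrypted before binding")
    if working_ldapsearch is not None and user is not None:
        cli_dn = extract_bind_dn(working_ldapsearch)
        if cli_dn is None:
            findings.append("ldapsearch: no -D bind DN found in the command line")
        elif normalize_dn(cli_dn) != normalize_dn(user):
            findings.append(f"user: {user!r} differs from the DN that worked in ldapsearch ({cli_dn!r})")
    return findings


# Constructed inputs: the service hash and ldapsearch command quoted in the thread.
THREAD_CONFIG = {
    "type": "ldap", "server": "dir1.library.ucsc.edu",
    "user": "cn=admin,dc=ucsc,dc=edu", "pass": "PASSWORD",
    "base": "ou=people,dc=ucsc,dc=edu",
    "filter": "(objectClass=person)", "d_filter": "(objectClass=FooBarBaz)",
    "tls": 0, "group": "staff", "group_attr": "ou=group,dc=ucsc,dc=edu",
}
THREAD_LDAPSEARCH = ('[root@rt2]# ldapsearch -x -LLL -D "cn=admin,dc=ucsc,dc=edu" -W '
                     '-h dir1.library.ucsc.edu -b "ou=people,dc=ucsc,dc=edu" uid=wmodes cn telephoneNumber')
# Dan's suggested AD-style bind identity dropped into the same hash.
AD_STYLE_CONFIG = {**THREAD_CONFIG, "user": "username@domain", "pass": "password"}

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("ad-style", AD_STYLE_CONFIG)):
        print(f"== {name} ==")
        for line in check_ldap_section(cfg, THREAD_LDAPSEARCH) or ["no findings"]:
            print(" -", line)
```

<p class=MsoNormal><font color=black face="Times New Roman" size=3><span style='font-size:12.0pt'>Run against the quoted hash, the checker reports only two things: group_attr carries a DN where an attribute name is expected, and tls is off, so the bind itself is syntactically fine and matches the ldapsearch DN; that points the investigation at which config file RT is actually loading rather than at the DN. Run against the user@domain variant it adds the UPN warning and the mismatch with the working ldapsearch DN, which is the caveat to keep in mind before adopting that form against a non-AD directory.</span></font></p>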
<FONT COLOR="silver" FACE="Verdana" SIZE="1">
<P> </P><SPAN></SPAN></FONT><FONT SIZE="+0"></FONT></BODY></HTML>