<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 02/04/14 20:44, Jason Batchelor
wrote:<br>
</div>
<blockquote
cite="mid:CANWz5X8-k4_fLorQrpJrQ08DSyq303HeHBBQre+EeruoiWnGyg@mail.gmail.com"
type="cite">
<div dir="ltr">I have been trying for some time to get AD auth
working correctly on my server. I've managed to get most of the
way there I think but am consistently getting hung up on an
error.
</div>
</blockquote>
<br>
<blockquote
cite="mid:CANWz5X8-k4_fLorQrpJrQ08DSyq303HeHBBQre+EeruoiWnGyg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Set($ExternalSettings, {<br>
</div>
<div> 'My_LDAP' => {<br>
'type' => 'ldap',<br>
'server' => 'ldaps://example.company.org',<br>
'base' => 'dc=xxxxx,dc=org',<br>
'filter' => '(objectClass=*)',<br>
'd_filter' =>
'(userAccountControl:1.2.840.113556.1.4.803:=2)',<br>
'tls' => 0,<br>
'ssl_version' => 3,<br>
'net_ldap_args' => [ version => 3 ]<br>
},<br>
} );</div>
<br>
</div>
</blockquote>
<br>
Some questions:<br>
- Do you have SSL configured on port tcp/636 for your AD? (It's not
an out-of-the-box option.) We've dropped back to using mandatory TLS
on tcp/389.<br>
- Have you tried using something like ldapsearch to confirm that
your connection parameters are correct?<br>
- IME, AD requires authentication to bind to anything other than the
base scope. Have you omitted this just for the email, or in its
entirety?<br>
<br>
<br>
The following is a configuration that "works for me":<br>
<br>
'type' => 'ldap', <br>
'server' => 'dc.example.org',<br>
'user' => 'user@example.org',<br>
'pass' => 'secretpassword',<br>
'base' => 'dc=example,dc=org',<br>
'filter' => '(ObjectClass=User)',<br>
'd_filter' =>
'(userAccountControl:1.2.840.113556.1.4.803:=2)',<br>
'attr_match_list' => [ 'Name', 'EmailAddress', 'displayName' ],<br>
'attr_map' => {<br>
'Name' => 'sAMAccountName',<br>
'EmailAddress' => 'mail', <br>
'Organization' => 'physicalDeliveryOfficeName',<br>
'RealName' => 'cn',<br>
'ExternalAuthId' => 'sAMAccountName',<br>
'Gecos' => 'sAMAccountName',<br>
'WorkPhone' => 'telephoneNumber',<br>
'Address1' => 'streetAddress',<br>
'City' => 'l', <br>
'State' => 'st',<br>
'Zip' => 'postalCode',<br>
'Country' => 'co',<br>
},<br>
# Permit domain prefix on username ("EXAMPLE\user")<br>
# 'ad_domain_prefix' => 'EXAMPLE', # case insensitive<br>
# 'ad_domain_required' => 'no', # { 'yes' | 'no' }<br>
# 'ad_domain_separator' => '\\', # split here <br>
<br>
<br>
Here are some URLs of configurations that, according to my notes, were
useful at the time:<br>
- <a class="moz-txt-link-freetext" href="http://www.gossamer-threads.com/lists/rt/users/109309">http://www.gossamer-threads.com/lists/rt/users/109309</a><br>
- <a class="moz-txt-link-freetext" href="http://requesttracker.wikia.com/wiki/ExternalAuth">http://requesttracker.wikia.com/wiki/ExternalAuth</a><br>
- /opt/rt4/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm<br>
- /root/.cpan/build/RT-Authen-ExternalAuth-0.12-9Em3TJ/README<br>
<br>
Regards,<br>
Chris<br>
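<br>
An added example, not part of this thread or of RT-Authen-ExternalAuth: a Python script that emulates how the filter, d_filter and attr_map above treat a few constructed AD entries (the userAccountControl bitwise-AND rule in d_filter is what rejects disabled accounts) and builds the ldapsearch command suggested for confirming the connection parameters before touching RT. The sample entries, the helper names and the use of OpenLDAP's ldapsearch flags are assumptions.<br>

```python
# Added example, not from the thread: emulate the RT ExternalAuth LDAP settings above.
import shlex

ACCOUNTDISABLE = 0x0002  # userAccountControl bit that d_filter tests (ACCOUNTDISABLE)
# attr_map from Chris's configuration: RT user field -> AD attribute
ATTR_MAP = {
    'Name': 'sAMAccountName', 'EmailAddress': 'mail',
    'Organization': 'physicalDeliveryOfficeName', 'RealName': 'cn',
    'ExternalAuthId': 'sAMAccountName', 'Gecos': 'sAMAccountName',
    'WorkPhone': 'telephoneNumber', 'Address1': 'streetAddress',
    'City': 'l', 'State': 'st', 'Zip': 'postalCode', 'Country': 'co',
}

# Constructed sample entries (not real directory data): enabled user, disabled user, computer.
SAMPLE_ENTRIES = [
    {'objectClass': ['top', 'person', 'user'], 'sAMAccountName': 'jdoe',
     'cn': 'Jane Doe', 'mail': 'jdoe@example.org', 'userAccountControl': '512'},
    {'objectClass': ['top', 'person', 'user'], 'sAMAccountName': 'old',
     'cn': 'Old Account', 'mail': 'old@example.org', 'userAccountControl': '514'},
    {'objectClass': ['top', 'computer'], 'sAMAccountName': 'HOST01$',
     'userAccountControl': '4096'},
]

def is_disabled(entry):
    """Emulate d_filter '(userAccountControl:1.2.840.113556.1.4.803:=2)':
    the LDAP bitwise-AND matching rule succeeds when (uac & 2) == 2."""
    uac = int(entry.get('userAccountControl', '0'))
    return uac & ACCOUNTDISABLE == ACCOUNTDISABLE

def matches_filter(entry):
    """Emulate filter '(ObjectClass=User)'; objectClass values compare case-insensitively."""
    return 'user' in (c.lower() for c in entry.get('objectClass', []))

def allowed_for_auth(entry):
    """An entry is usable for login only if it matches 'filter' and not 'd_filter'."""
    return matches_filter(entry) and not is_disabled(entry)

def to_rt_user(entry):
    """Apply attr_map; AD attributes absent from the entry are simply skipped."""
    return {rt: entry[ad] for rt, ad in ATTR_MAP.items() if ad in entry}

def ldapsearch_command(server, base, bind_user, filt, tls):
    """Build the ldapsearch call to confirm the parameters (simple bind, password prompted).
    An ldaps:// URL means tcp/636; otherwise -ZZ insists on StartTLS over tcp/389."""
    url = server if '://' in server else 'ldap://' + server
    args = ['ldapsearch', '-x', '-H', url, '-D', bind_user, '-W', '-b', base]
    if tls and not url.startswith('ldaps://'):
        args.insert(2, '-ZZ')
    return ' '.join(shlex.quote(a) for a in args + [filt, 'sAMAccountName', 'userAccountControl'])
```

Running the emulation over the sample entries shows why a disabled account (userAccountControl 514) or a computer object never reaches RT, which is the first thing to rule out before blaming the connection.<br>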
</body>
</html>