<div dir="ltr">If you mean during the login via the RT GUI, the username is sAMAccountName. There shouldn't be any need to prefix it with the domain, as the domain is already being queried.<div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 7, 2015 at 1:24 PM, Yan Seiner <span dir="ltr">&lt;<a href="mailto:yan@seiner.com" target="_blank">yan@seiner.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    What format do you use for the username?<br>
    <br>
    When I try hpm\yans which should, in theory, work, I get:<br>
    <br>
    [5367] [Tue Jul  7 17:07:28 2015] [debug]: LDAP Search ===  Base:
    dc=hpm,dc=net == Filter:
    (&(objectClass=*)(sAMAccountName=hpm\5cyans)) == Attrs:
    sAMAccountName,mail
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)<br>
    <br>
    Notice the mangled sAMAccountName=hpm\5cyans .  If this is what it
    is searching for, then we have a problem.   :)<span class="HOEnZb"><font color="#888888"><br>
    <br>
    --Yan</font></span><div><div class="h5"><br>
    <br>
    <div>On 7/7/2015 11:57 AM, Trev wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div>This may help:</div>
        <div><br>
        </div>
        <a href="http://trevthorpe.blogspot.com/2015/01/request-tracker-424-ldap-authentication.html" target="_blank">http://trevthorpe.blogspot.com/2015/01/request-tracker-424-ldap-authentication.html</a><br>
        <div><br>
        </div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Tue, Jul 7, 2015 at 11:24 AM, Yan
          Seiner <span dir="ltr">&lt;<a href="mailto:yan@seiner.com" target="_blank">yan@seiner.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'm coming
            back to RT after a few years.  I am trying to set up
            external auth against our AD server.<br>
            <br>
            I have a working implementation for mediawiki, so I know
            that it's possible on our system.  As far as possible I've
            duplicated the options from mediawiki/php to rt/perl, but I
            am still missing something important as all login attempts
            get rejected with a NoUser.<br>
            <br>
            The only thing that I find different (and I'm searching my
            memory from a few years ago when I set up mediawiki) there
            is a line where the user name is pre-pended with the domain
            for AD:<br>
            <br>
            $wgLDAPSearchStrings = array( 'HPM' => "HPM\\USER-NAME"
            );<br>
            <br>
            And I can't find anything like that in the RT config.<br>
            <br>
            Does anyone have a working AD external auth they can share?<br>
            <br>
            Thanks.<br>
            <br>
            Here's the logfile snippet:<br>
            <br>
            [4835] [Tue Jul  7 15:17:14 2015] [debug]: Attempting to use
            external auth service: My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:424)<br>
            [4835] [Tue Jul  7 15:17:14 2015] [debug]: Calling
            UserExists with $username (yans) and $service (My_LDAP)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:465)<br>
            [4835] [Tue Jul  7 15:17:14 2015] [debug]: UserExists
            params:<br>
            username: yans , service: My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)<br>
            [4835] [Tue Jul  7 15:17:14 2015] [debug]: LDAP Search === 
            Base: ou=Staff,dc=hpm,dc=net == Filter:
            (&(objectClass=inetOrgPerson)(sAMAccountName=yans)) ==
            Attrs:
            cn,co,telephoneNumber,l,postalCode,streetAddress,st,sAMAccountName,mail
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)<br>
            [4835] [Tue Jul  7 15:17:14 2015] [debug]: User Check Failed
            :: ( My_LDAP ) yans User not found
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:483)<br>
            [4835] [Tue Jul  7 15:17:14 2015] [debug]: Autohandler
            called ExternalAuth. Response: (0, No User)
            (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)<br>
            [4835] [Tue Jul  7 15:17:14 2015] [error]: FAILED LOGIN for
            yans from 10.10.30.51
            (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:810)<br>
            <br>
            And here's the setup in RTSiteConfig.pm:<br>
            <br>
            Plugin('RT::Authen::ExternalAuth');<br>
            Set($ExternalAuthPriority,  [ 'My_LDAP' ]);<br>
            Set($ExternalInfoPriority,  [ 'My_LDAP' ]);<br>
            Set($ExternalSettings, {<br>
                 'My_LDAP'       =>  {<br>
                 'type'             =>  'ldap',<br>
                 'server'           =>  '<a href="http://file_print.hpm.net" rel="noreferrer" target="_blank">file_print.hpm.net</a>',<br>
                            # By not passing 'user' and 'pass' we are
            using an anonymous<br>
                            # bind, which some servers do not allow<br>
                 'base'             =>  'dc=hpm,dc=net',<br>
                 'filter'           => 
            '(objectClass=inetOrgPerson)',<br>
                            # Users are allowed to log in via email
            address or account<br>
                            # name<br>
                 'attr_match_list'  => [<br>
                       'Name',<br>
            #           'EmailAddress',<br>
                       ],<br>
                            # Import the following properties of the
            user from LDAP upon<br>
                            # login<br>
                            'attr_map' => {<br>
                                'Name'         => 'sAMAccountName',<br>
                                'EmailAddress' => 'mail',<br>
                                'RealName'     => 'cn',<br>
                                'WorkPhone'    => 'telephoneNumber',<br>
                                'Address1'     => 'streetAddress',<br>
                                'City'         => 'l',<br>
                                'State'        => 'st',<br>
                                'Zip'          => 'postalCode',<br>
                                'Country'      => 'co',<br>
                            },<br>
                        },<br>
                    } );<br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
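Added example, not part of the original thread and not code from RT or RT::Authen::ExternalAuth: the `\5c` in the logged filter is the RFC 4515 escape for a backslash, so the search asks the directory for an account literally named `hpm\yans`. The sketch below reproduces that filter and the one produced once the domain prefix is dropped; the function names are hypothetical.

```python
# Added example: RFC 4515 escaping of an LDAP filter assertion value.
# Function names are hypothetical; this is not RT's own code.

# Characters that must be escaped inside a filter value (RFC 4515, section 3).
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is treated as data, never as filter syntax."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def strip_domain(login: str) -> str:
    """Reduce a 'DOMAIN\\user' login to the bare account name."""
    _, sep, account = login.rpartition("\\")
    return account if sep else login


def build_filter(base_filter: str, attr: str, value: str) -> str:
    """AND the configured base filter with an equality match on attr."""
    return f"(&{base_filter}({attr}={escape_filter_value(value)}))"


def search_filter_for_login(login: str,
                            base_filter: str = "(objectClass=*)",
                            attr: str = "sAMAccountName") -> str:
    """Build the search filter after dropping any domain prefix."""
    return build_filter(base_filter, attr, strip_domain(login))


if __name__ == "__main__":
    # Login typed as hpm\yans: the backslash is escaped, giving the logged filter.
    print(build_filter("(objectClass=*)", "sAMAccountName", "hpm\\yans"))
    # Same login with the prefix removed matches on the bare account name.
    print(search_filter_for_login("hpm\\yans"))
```

The same escaping is what keeps a login such as `a*)(b` from changing the structure of the filter, so it should stay in place; only the domain prefix needs to go.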