<div dir="ltr">Generally speaking, it is typical to create an 'LDAP User' for binding and reading purposes within AD itself.<div><br></div><div>LDAPImport does authenticate against the users in AD and builds the user records within RT as I have mapped in my example.</div><div><br></div><div>Cronjob to do the import, maybe every 15 minutes. Makes it much easier to use AD groups within RT as well.</div><div><br></div><div><br></div><div>Very dynamic...</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 7, 2015 at 4:50 PM, Yan Seiner <span dir="ltr"><<a href="mailto:yan@seiner.com" target="_blank">yan@seiner.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
I'm kicking this back to the list only. I've been going round and
round with this and I have some more information, but still not a
solution.<br>
<br>
ldapsearch works:<br>
<br>
ldapsearch -H <a>ldap://file_print.hpm.net</a> -b "dc=hpm,dc=net" -s sub
"(sAMAccountName=yans)" -D 'HPM\yans' -x -W uid<br>
<br>
But notice that I need to use either 'HPM\yans' for the user or the
older '<a href="mailto:yans@hpm.net" target="_blank">yans@hpm.net</a>' for the system to allow me to bind to the ldap
server. The way we're set up, any user can bind to the server with
valid credentials, but anonymous binds are not allowed.<br>
<br>
But the way ExternalAuth is set up, I have to provide the ldap
userid and password, which in our system would be a real user. <br>
<br>
'user' => 'rt_ldap_username',<br>
'pass' => 'rt_ldap_password',<br>
<br>
Is there any way to get ExternalAuth to use the credentials entered
in the login to bind to the ldap server?<br>
<br>
(As near as I can figure, the LDAPImport extension imports the
userids from ldap, which is not what I need. I need to authenticate
against AD in realtime.)<br>
<br>
--Yan<br>
<br>
<br>
<br>
<div>On 7/7/2015 1:32 PM, Trev wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Sorry about that, review the blog entry I sent you
prior. I do see I did add that plugin, again, it's been a while
since I wrestled with LDAP authentication. So, I threw my
working config with notes, into that blog.
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Jul 7, 2015 at 1:30 PM, Trev <span dir="ltr"><<a href="mailto:trevor@onepost.net" target="_blank">trevor@onepost.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<pre style="font-size:12px;line-height:16.7999992370605px;color:rgb(51,51,51);font-family:Consolas,'Liberation Mono',Menlo,Courier,monospace!important;padding:0px!important;margin-top:0px!important;margin-bottom:0px!important;border:0px!important;background-image:initial!important;background-repeat:initial!important"><div>Use --> Plugin( <span style="color:rgb(223,80,0)">"RT::Extension::LDAPImport"</span> );
</div><div>
</div><div>Note the configuration I linked to you prior.</div><div>
</div><div>I had some issues with limited functionality using Plugin('RT::Authen::ExternalAuth').. it's been a while actually, I may not even have had that extension working.</div>
</pre>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Jul 7, 2015 at 1:28
PM, Trev <span dir="ltr"><<a href="mailto:trevor@onepost.net" target="_blank">trevor@onepost.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">If you mean during the login via RT
Gui -- username is, sAMAccountName. There
shouldn't be any need to prefix with the domain
as the domain is already being queried.
<div><br>
</div>
<div><br>
</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Jul 7, 2015
at 1:24 PM, Yan Seiner <span dir="ltr"><<a href="mailto:yan@seiner.com" target="_blank">yan@seiner.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
What format do you use for the
username?<br>
<br>
When I try hpm\yans which should, in
theory, work, I get:<br>
<br>
[5367] [Tue Jul 7 17:07:28 2015]
[debug]: LDAP Search === Base:
dc=hpm,dc=net == Filter:
(&(objectClass=*)(sAMAccountName=hpm\5cyans))
== Attrs: sAMAccountName,mail
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)<br>
<br>
Notice the mangled
sAMAccountName=hpm\5cyans . If this
is what it is searching for, then we
have a problem. :)<span><font color="#888888"><br>
<br>
--Yan</font></span>
<div>
<div><br>
<br>
<div>On 7/7/2015 11:57 AM, Trev
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>This may help:</div>
<div><br>
</div>
<a href="http://trevthorpe.blogspot.com/2015/01/request-tracker-424-ldap-authentication.html" target="_blank">http://trevthorpe.blogspot.com/2015/01/request-tracker-424-ldap-authentication.html</a><br>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Tue, Jul 7, 2015 at 11:24
AM, Yan Seiner <span dir="ltr"><<a href="mailto:yan@seiner.com" target="_blank">yan@seiner.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'm
coming back to RT after a
few years. I am trying to
set up external auth
against our AD server.<br>
<br>
I have a working
implementation for
mediawiki, so I know that
it's possible on our
system. As far as
possible I've duplicated
the options from
mediawiki/php to rt/perl,
but I am still missing
something important as all
login attempts get
rejected with a NoUser.<br>
<br>
The only thing that I find
different (and I'm
searching my memory from a
few years ago when I set
up mediawiki) there is a
line where the user name
is pre-pended with the
domain for AD:<br>
<br>
$wgLDAPSearchStrings =
array( 'HPM' =>
"HPM\\USER-NAME" );<br>
<br>
And I can't find anything
like that in the RT
config.<br>
<br>
Does anyone have a working
AD external auth they can
share?<br>
<br>
Thanks.<br>
<br>
Here's the logfile
snippet:<br>
<br>
[4835] [Tue Jul 7
15:17:14 2015] [debug]:
Attempting to use external
auth service: My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:424)<br>
[4835] [Tue Jul 7
15:17:14 2015] [debug]:
Calling UserExists with
$username (yans) and
$service (My_LDAP)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:465)<br>
[4835] [Tue Jul 7
15:17:14 2015] [debug]:
UserExists params:<br>
username: yans , service:
My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)<br>
[4835] [Tue Jul 7
15:17:14 2015] [debug]:
LDAP Search === Base:
ou=Staff,dc=hpm,dc=net ==
Filter:
(&(objectClass=inetOrgPerson)(sAMAccountName=yans))
== Attrs:
cn,co,telephoneNumber,l,postalCode,streetAddress,st,sAMAccountName,mail
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)<br>
[4835] [Tue Jul 7
15:17:14 2015] [debug]:
User Check Failed :: (
My_LDAP ) yans User not
found
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:483)<br>
[4835] [Tue Jul 7
15:17:14 2015] [debug]:
Autohandler called
ExternalAuth. Response:
(0, No User)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)<br>
[4835] [Tue Jul 7
15:17:14 2015] [error]:
FAILED LOGIN for yans from
10.10.30.51
(/opt/rt4/sbin/../lib/RT/Interface/Web.pm:810)<br>
<br>
And here's the setup in
RTSiteConfig.pm:<br>
<br>
Plugin('RT::Authen::ExternalAuth');<br>
Set($ExternalAuthPriority,
[ 'My_LDAP' ]);<br>
Set($ExternalInfoPriority,
[ 'My_LDAP' ]);<br>
Set($ExternalSettings, {<br>
'My_LDAP'
=> {<br>
'type'
=> 'ldap',<br>
'server'
=> '<a href="http://file_print.hpm.net" rel="noreferrer" target="_blank">file_print.hpm.net</a>',<br>
# By not
passing 'user' and 'pass'
we are using an anonymous<br>
# bind,
which some servers do not
allow<br>
'base'
=> 'dc=hpm,dc=net',<br>
'filter'
=>
'(objectClass=inetOrgPerson)',<br>
# Users
are allowed to log in via
email address or account<br>
# name<br>
'attr_match_list'
=> [<br>
'Name',<br>
#
'EmailAddress',<br>
],<br>
# Import
the following properties
of the user from LDAP upon<br>
# login<br>
'attr_map'
=> {<br>
'Name' =>
'sAMAccountName',<br>
'EmailAddress' =>
'mail',<br>
'RealName' => 'cn',<br>
'WorkPhone' =>
'telephoneNumber',<br>
'Address1' =>
'streetAddress',<br>
'City' => 'l',<br>
'State' => 'st',<br>
'Zip'
=>
'postalCode',<br>
'Country' => 'co',<br>
},<br>
},<br>
} );<br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</blockquote></div><br></div>
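The two puzzles in the thread, the "mangled" `sAMAccountName=hpm\5cyans` and the first attempt's `User not found`, both come down to what ends up in the LDAP search filter. The Python below is an added example, not code from the thread or from RT::Authen::ExternalAuth; it reconstructs the filter composition from the debug lines quoted above (base filter ANDed with `(<attr_map attr>=<escaped login name>)`), applies RFC 4515 value escaping, and parses the `LDAP Search ===` debug lines to explain why each search could not match an AD account. The two log lines are the thread's own, re-joined onto one line each; the `MY_LDAP` dict copies the relevant keys of the `'My_LDAP'` entry; `parse_search_log` and `diagnose` are names assumed for this example.

```python
"""Added example (not from the thread or the RT project): reproduce how the
ExternalAuth LDAP filter is built from $ExternalSettings and read the
'LDAP Search ===' debug lines to explain the failures seen in the thread.
Sample data is constructed from the messages above."""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_RFC4515_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515).
    This is exactly what turns a typed login of 'hpm\\yans' into 'hpm\\5cyans'."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


# Keys copied from the 'My_LDAP' entry in the thread; only what the filter needs.
MY_LDAP = {
    "base": "dc=hpm,dc=net",
    "filter": "(objectClass=inetOrgPerson)",
    "attr_match_list": ["Name"],
    "attr_map": {"Name": "sAMAccountName", "EmailAddress": "mail"},
}


def build_user_filter(cfg: dict, username: str, match_attr: str = "Name") -> str:
    """AND the configured base filter with '(<ldap attr>=<escaped login name>)',
    giving the same string the debug log prints after 'Filter:'."""
    ldap_attr = cfg["attr_map"][match_attr]
    return f"(&{cfg['filter']}({ldap_attr}={escape_filter_value(username)}))"


_SEARCH_LINE = re.compile(
    r"LDAP Search === Base: (?P<base>\S+) == Filter: (?P<filter>\S+) == Attrs: (?P<attrs>\S+)"
)
_SAM_VALUE = re.compile(r"\(sAMAccountName=([^)]*)\)")


def parse_search_log(line: str):
    """Pull base DN, filter and requested attributes out of one ExternalAuth debug line."""
    m = _SEARCH_LINE.search(line)
    if not m:
        return None
    return {"base": m.group("base"), "filter": m.group("filter"),
            "attrs": m.group("attrs").split(",")}


def diagnose(search: dict) -> list:
    """Return the reasons a parsed search is unlikely to match an AD account."""
    findings = []
    sam = _SAM_VALUE.search(search["filter"])
    if sam and "\\5c" in sam.group(1):
        findings.append("login name contained a backslash (DOMAIN\\user form); the filter "
                        "escapes it per RFC 4515 and searches for a literal backslash, "
                        "which is not a valid sAMAccountName; log in with the bare account name")
    if "(objectClass=inetOrgPerson)" in search["filter"]:
        findings.append("AD user accounts are normally objectClass=user, not inetOrgPerson; "
                        "use (objectClass=user) or (objectClass=*) as the base filter")
    return findings


# The two debug lines from the thread, re-joined onto one line each (the mail client wrapped them).
LOG_FIRST_ATTEMPT = ("[4835] [Tue Jul 7 15:17:14 2015] [debug]: LDAP Search === Base: "
                     "ou=Staff,dc=hpm,dc=net == Filter: (&(objectClass=inetOrgPerson)(sAMAccountName=yans)) "
                     "== Attrs: cn,co,telephoneNumber,l,postalCode,streetAddress,st,sAMAccountName,mail")
LOG_DOMAIN_PREFIX = ("[5367] [Tue Jul 7 17:07:28 2015] [debug]: LDAP Search === Base: dc=hpm,dc=net "
                     "== Filter: (&(objectClass=*)(sAMAccountName=hpm\\5cyans)) == Attrs: sAMAccountName,mail")

if __name__ == "__main__":
    for line in (LOG_FIRST_ATTEMPT, LOG_DOMAIN_PREFIX):
        search = parse_search_log(line)
        print(search["filter"])
        for finding in diagnose(search):
            print("  ->", finding)
    # The same escaping is what keeps a crafted login name from rewriting the filter:
    print(build_user_filter(MY_LDAP, "*)(sAMAccountName=*"))
```

The escaping is not a bug to work around: it is what stops a login name such as `*)(sAMAccountName=*` from turning into a wildcard filter, so the fix is to type the bare sAMAccountName, as Trev says, not to strip the escaping. On the bind question, the `'user'`/`'pass'` settings exist for the usual search-then-bind pattern: a read-only service account finds the user's DN, and a second bind with that DN and the password typed at login checks the credential, so the service account never needs more than read access and user passwords are never compared inside RT.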