<div dir="ltr">Generally speaking, it is typical to create an 'LDAP User' for binding and reading purposes within AD itself.<div><br></div><div>LDAPImport does authenticate against the users in AD, and builds the user records within RT as I have mapped in my example.</div><div><br></div><div>A cronjob does the import, maybe every 15 minutes. It makes it much easier to use AD groups within RT as well.</div><div><br></div><div><br></div><div>Very dynamic...</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 7, 2015 at 4:50 PM, Yan Seiner <span dir="ltr"><<a href="mailto:yan@seiner.com" target="_blank">yan@seiner.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    I'm kicking this back to the list only.  I've been going round and
    round with this and I have some more information, but still not a
    solution.<br>
    <br>
    ldapsearch works:<br>
    <br>
     ldapsearch -H ldap://file_print.hpm.net -b "dc=hpm,dc=net" -s sub "(sAMAccountName=yans)" -D 'HPM\yans' -x -W uid<br>
    <br>
    But notice that I need to use either 'HPM\yans' for the user or the
    older '<a href="mailto:yans@hpm.net" target="_blank">yans@hpm.net</a>' for the system to allow me to bind to the ldap
    server.  The way we're set up, any user can bind to the server with
    valid credentials, but anonymous binds are not allowed.<br>
    <br>
    But the way ExternalAuth is set up, I have to provide the ldap
    userid and password, which in our system would be a real user. <br>
    <br>
                'user'                      =>  'rt_ldap_username',<br>
                'pass'                      =>  'rt_ldap_password',<br>
    <br>
    Is there any way to get ExternalAuth to use the credentials entered
    in the login to bind to the ldap server?<br>
    <br>
    (As near as I can figure, the LDAPImport extension imports the
    userids from ldap, which is not what I need.  I need to authenticate
    against AD in realtime.)<br>
    <br>
    --Yan<br>
    <br>
    <br>
    <br>
    <div>On 7/7/2015 1:32 PM, Trev wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Sorry about that, review the blog entry I sent you
        prior. I do see I did add that plugin, again, it's been a while
        since I wrestled with LDAP authentication. So, I threw my
        working config with notes, into that blog.
        <div><br>
        </div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Tue, Jul 7, 2015 at 1:30 PM, Trev <span dir="ltr"><<a href="mailto:trevor@onepost.net" target="_blank">trevor@onepost.net</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">
              <pre>Use -->   Plugin( "RT::Extension::LDAPImport" );</pre>
              <div>Note the configuration I linked to you prior.</div>
              <div>I had some issues with limited functionality using Plugin('RT::Authen::ExternalAuth')... it's been a while actually, I may not even have had that extension working.</div>
            </div>
            <div>
              <div>
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On Tue, Jul 7, 2015 at 1:28
                    PM, Trev <span dir="ltr"><<a href="mailto:trevor@onepost.net" target="_blank">trevor@onepost.net</a>></span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div dir="ltr">If you mean during the login via the RT
                        GUI -- the username is sAMAccountName. There
                        shouldn't be any need to prefix with the domain,
                        as the domain is already being queried.
                        <div><br>
                        </div>
                        <div><br>
                        </div>
                      </div>
                      <div>
                        <div>
                          <div class="gmail_extra"><br>
                            <div class="gmail_quote">On Tue, Jul 7, 2015
                              at 1:24 PM, Yan Seiner <span dir="ltr"><<a href="mailto:yan@seiner.com" target="_blank">yan@seiner.com</a>></span>
                              wrote:<br>
                              <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                <div bgcolor="#FFFFFF" text="#000000">
                                  What format do you use for the
                                  username?<br>
                                  <br>
                                  When I try hpm\yans which should, in
                                  theory, work, I get:<br>
                                  <br>
                                  [5367] [Tue Jul  7 17:07:28 2015] [debug]: LDAP Search ===  Base: dc=hpm,dc=net == Filter: (&(objectClass=*)(sAMAccountName=hpm\5cyans)) == Attrs: sAMAccountName,mail (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)<br>
                                  <br>
                                  Notice the mangled
                                  sAMAccountName=hpm\5cyans .  If this
                                  is what it is searching for, then we
                                  have a problem.   :)<span><font color="#888888"><br>
                                      <br>
                                      --Yan</font></span>
                                  <div>
                                    <div><br>
                                      <br>
                                      <div>On 7/7/2015 11:57 AM, Trev
                                        wrote:<br>
                                      </div>
                                      <blockquote type="cite">
                                        <div dir="ltr">
                                          <div>This may help:</div>
                                          <div><br>
                                          </div>
                                          <a href="http://trevthorpe.blogspot.com/2015/01/request-tracker-424-ldap-authentication.html" target="_blank">http://trevthorpe.blogspot.com/2015/01/request-tracker-424-ldap-authentication.html</a><br>
                                          <div><br>
                                          </div>
                                          <div><br>
                                          </div>
                                        </div>
                                        <div class="gmail_extra"><br>
                                          <div class="gmail_quote">On
                                            Tue, Jul 7, 2015 at 11:24
                                            AM, Yan Seiner <span dir="ltr"><<a href="mailto:yan@seiner.com" target="_blank">yan@seiner.com</a>></span>
                                            wrote:<br>
                                            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'm
                                              coming back to RT after a
                                              few years.  I am trying to
                                              set up external auth
                                              against our AD server.<br>
                                              <br>
                                              I have a working
                                              implementation for
                                              mediawiki, so I know that
                                              it's possible on our
                                              system.  As far as
                                              possible I've duplicated
                                              the options from
                                              mediawiki/php to rt/perl,
                                              but I am still missing
                                              something important as all
                                              login attempts get
                                              rejected with a NoUser.<br>
                                              <br>
                                              The only thing that I find
                                              different (and I'm
                                              searching my memory from a
                                              few years ago when I set
                                              up mediawiki) there is a
                                              line where the user name
                                              is pre-pended with the
                                              domain for AD:<br>
                                              <br>
                                              $wgLDAPSearchStrings = array( 'HPM' => "HPM\\USER-NAME" );<br>
                                              <br>
                                              And I can't find anything
                                              like that in the RT
                                              config.<br>
                                              <br>
                                              Does anyone have a working
                                              AD external auth they can
                                              share?<br>
                                              <br>
                                              Thanks.<br>
                                              <br>
                                              Here's the logfile
                                              snippet:<br>
                                              <br>
                                              [4835] [Tue Jul  7 15:17:14 2015] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:424)<br>
                                              [4835] [Tue Jul  7 15:17:14 2015] [debug]: Calling UserExists with $username (yans) and $service (My_LDAP) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:465)<br>
                                              [4835] [Tue Jul  7 15:17:14 2015] [debug]: UserExists params:<br>
                                              username: yans , service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)<br>
                                              [4835] [Tue Jul  7 15:17:14 2015] [debug]: LDAP Search ===  Base: ou=Staff,dc=hpm,dc=net == Filter: (&(objectClass=inetOrgPerson)(sAMAccountName=yans)) == Attrs: cn,co,telephoneNumber,l,postalCode,streetAddress,st,sAMAccountName,mail (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)<br>
                                              [4835] [Tue Jul  7 15:17:14 2015] [debug]: User Check Failed :: ( My_LDAP ) yans User not found (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:483)<br>
                                              [4835] [Tue Jul  7 15:17:14 2015] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)<br>
                                              [4835] [Tue Jul  7 15:17:14 2015] [error]: FAILED LOGIN for yans from 10.10.30.51 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:810)<br>
                                              <br>
                                              And here's the setup in
                                              RTSiteConfig.pm:<br>
                                              <br>
<pre>
Plugin('RT::Authen::ExternalAuth');
Set($ExternalAuthPriority, [ 'My_LDAP' ]);
Set($ExternalInfoPriority, [ 'My_LDAP' ]);
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'            => 'ldap',
        'server'          => 'file_print.hpm.net',
        # By not passing 'user' and 'pass' we are using an anonymous
        # bind, which some servers do not allow
        'base'            => 'dc=hpm,dc=net',
        'filter'          => '(objectClass=inetOrgPerson)',
        # Users are allowed to log in via email address or account
        # name
        'attr_match_list' => [
            'Name',
#           'EmailAddress',
        ],
        # Import the following properties of the user from LDAP upon
        # login
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
            'WorkPhone'    => 'telephoneNumber',
            'Address1'     => 'streetAddress',
            'City'         => 'l',
            'State'        => 'st',
            'Zip'          => 'postalCode',
            'Country'      => 'co',
        },
    },
} );
</pre>
                                              <br>
                                            </blockquote>
                                          </div>
                                          <br>
                                        </div>
                                      </blockquote>
                                      <br>
                                    </div>
                                  </div>
                                </div>
                              </blockquote>
                            </div>
                            <br>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div>

</blockquote></div><br></div>
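<div>The filter in Yan's debug log, (sAMAccountName=hpm\5cyans), is not corrupt: \5c is the RFC 4515 hex escape for a backslash, so the directory was asked for an account whose sAMAccountName is literally hpm\yans, which no AD object has. That is why the bare sAMAccountName (yans) belongs in the login field, as Trev says. The same escaping is what keeps characters typed into a login form (backslash, parentheses, asterisk) from rewriting the search filter. The following Python is an added example, not code from this thread or from RT::Authen::ExternalAuth: escape_filter_value, build_user_filter and normalize_login are hypothetical helper names, the sample logins are constructed, and HPM / hpm.net are borrowed from the thread purely as illustrative domain values. No directory server is contacted.</div>

```python
"""RFC 4515 LDAP filter escaping, written as an added illustration of the
"(sAMAccountName=hpm\\5cyans)" line in the debug log quoted above.
All sample values are constructed; no directory server is contacted."""

# Characters that RFC 4515 requires to be hex-escaped inside an
# assertion value. Everything else in printable ASCII passes through.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in a search filter.

    Control characters and non-ASCII text are encoded as UTF-8 and each
    byte is written as \\XX, the form RFC 4515 prescribes for octets that
    cannot appear literally.
    """
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(login: str, attr: str = "sAMAccountName",
                      base_filter: str = "(objectClass=*)") -> str:
    """Assemble an AND filter in the shape the RT debug log shows:
    (&<base_filter>(<attr>=<escaped login>)).

    The login always goes through escape_filter_value, so a value such as
    "*)(objectClass=*" becomes a literal string to match, not extra
    filter syntax.
    """
    return f"(&{base_filter}({attr}={escape_filter_value(login)}))"


def normalize_login(login: str, netbios_domain: str, dns_domain: str) -> str:
    """Reduce "DOMAIN\\user" or "user@dns.domain" to the bare account name.

    The prefix or suffix is stripped only when it names the configured
    domain (compared case-insensitively, as Windows treats domain names).
    A login naming any other domain is returned unchanged, so it fails the
    lookup instead of being silently mapped onto a local account.
    """
    if "\\" in login:
        domain, _, user = login.partition("\\")
        return user if domain.casefold() == netbios_domain.casefold() else login
    if "@" in login:
        user, _, domain = login.rpartition("@")
        return user if domain.casefold() == dns_domain.casefold() else login
    return login


if __name__ == "__main__":
    # Constructed logins, including the two forms discussed in the thread.
    for typed in ("yans", "HPM\\yans", "yans@hpm.net", "OTHER\\yans", "*)(objectClass=*"):
        bare = normalize_login(typed, "HPM", "hpm.net")
        print(f"{typed!r:22} -> {build_user_filter(bare)}")
```

<div>Run stand-alone, the script prints one filter per constructed login; HPM\yans and yans@hpm.net collapse to the same (sAMAccountName=yans) search, while OTHER\yans and the injection-shaped value are escaped into literals that match nothing. Separately, the earlier NoUser trace in the thread is worth checking against the ldapsearch that works: the RT search used (objectClass=inetOrgPerson) under ou=Staff,dc=hpm,dc=net, whereas the working command searched dc=hpm,dc=net with no objectClass term, and AD user objects are objectClass=user unless they were deliberately created as inetOrgPerson.</div>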