[rt-users] LDAP authentication..
TeleMole
telemole at gmail.com
Mon Nov 28 15:22:42 EST 2005
ok - apologies for my last post - I discovered those errors were
simply due to my missing a critical step and not having Net::LDAP
installed.
That is rectified - now the only success I am having is getting as
far as attempting to authenticate to the webserver - entering
credentials in the window - then getting a failure message - my web
log shows the following :
Mon Nov 28 15:15:33 2005] [error] [client 192.75.12.248] FastCGI:
server "/opt/rt3/bin/mason_handler.fcgi" stderr: [Mon Nov 28 20:15:33
2005] [critical]: IsLdapPassword: Cannot bind to LDAP: retval= 48
LDAP_INAPPROPRIATE_AUTH (/opt/rt3/lib/RT/User_Local.pm:382)
I am guessing that I am not configuring the settings for LDAP in my
RT_SiteConfig properly - and I just don't know enough to know which
value might be wrong...
here's what I have there - with some privacy stuff renamed - can
anyone offer assistance? We run a Novell LDAP server, and I have
successfully enabled the LDAP authentication to the web server - just
RT I need to get working now...
I was guessing at filling in these values - can anyone check my work?
many thanks..
RT_SiteConfig contains this info for LDAP support:
Set($WebExternalAuth , '1');
Set($WebFallbackToInternalAuth , '1');
Set($WebExternalGecos , undef);
Set($WebExternalAuto , '1');
Set($LDAPExternalAuth, '1'); # Enable LDAP auth
Set($LdapServer, "myldapserver.domain.ca");
#Set($LdapCAFile, undef);
Set($LdapUser, 'cn=ldap_proxy,o=ourcorp');
#Set($LdapPass, '');
#Set($LdapAuthStartTLS, '1'); # Need to use TLS or ldaps to check passwords
#Set($LdapAuthBase, "o=ourcorp");
Set($LdapAuthUidAttr, 'cn');
#Set($LdapAuthFilter, '(objectClass=user)');
#Set($LdapMailBase, 'cn=Users,dc=ourcorp,dc=ca');
#Set($LdapMailFilter, '(objectClass=user)');
Set($LdapMailScope, 'sub');
Set($LdapMailSearchAttr, 'mail');
%RT::LdapMailResultMap = (
'cn' => 'Name',
'mail' => 'EmailAddress',
'cn' => 'RealName',
);
On 11/28/05, TeleMole <telemole at gmail.com> wrote:
> I went through the guide as suggested - set as many of the variables
> as well as I could - but when I start Apache now - I get the following
> errors in errlog:
>
> <excerpt from /var/log/httpd/errlog>
> Compilation failed in require at /opt/rt3/lib/RT/Record.pm line 69.
> BEGIN failed--compilation aborted at /opt/rt3/lib/RT/Record.pm line 69.
> Compilation failed in require at /opt/rt3/lib/RT/CurrentUser.pm line 73.
> BEGIN failed--compilation aborted at /opt/rt3/lib/RT/CurrentUser.pm line 73.
> Compilation failed in require at /opt/rt3/lib/RT.pm line 49.
> BEGIN failed--compilation aborted at /opt/rt3/lib/RT.pm line 49.
> Compilation failed in require at /opt/rt3/bin/webmux.pl line 66.
> BEGIN failed--compilation aborted at /opt/rt3/bin/webmux.pl line 66.
> Compilation failed in require at /opt/rt3/bin/mason_handler.fcgi line 52.
> [Mon Nov 28 11:30:26 2005] [warn] FastCGI: server
> "/opt/rt3/bin/mason_handler.fcgi" (pid 27092) terminated by calling
> exit with status '2'
>
> I'm really not sure where to go from here - any help is greatly
> appreciated - I really need this functionality for the project to be a
> go...
>
> Cheers and thanks for your help so far!
> Sean
>
>
>
> On 11/28/05, Nathan J. Mehl <rtusers at memory.blank.org> wrote:
> > In the immortal words of TeleMole (telemole at gmail.com):
> > >
> > > We run a Novell Netware tree and have LDAP servers running there. I
> > > have been able to successfully use ldap to authenticate users to
> > > access the rt web server - but not to the RT application.
> > >
> > > example : user 'sdaniels' exists in both the tree (as
> > > sdaniels.people.ourcompany) and 'sdaneils' exists in RT (having been
> > > manually created) but when I turn on ldap authentication to the RT app
> > > (setting WebExternalAuth to 1) I am not logging in successfully to RT.
> > >
> > > I then decided to set WebExternalAuto to 1 to see just who exactly was
> > > authenticating according to LDAP :)
> > >
> > > The result was the creation of a user called
> > > 'cn=sdaniels,ou=people,o=ourcompany'
> > >
> > > I am hoping someone has already encountered and conquered this before,
> > > as I am admittedly a little out of my depth.
> > >
> > > If I can get LDAP authentication working - ie - just the user name
> > > being created or passed, what happens when people email requests in?
> > > Is there a way to strip the '@ourcompany.com' off the user name upon
> > > autocreation of the account?
> >
> > Although it's windows-centric, you may find the information here to be
> > a good starting point:
> >
> > http://blank.org/memory/output/rt-ad-sso.html
> >
> > Obviously the bits about mod_ntlm aren't relevant, but if you mentally
> > map the ntlm auth bits to ldap auth, the rest of it should apply
> > pretty cleanly.
> >
> > -n
> >
>
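
Added example (not part of the original post, and not RT's own code): a small Python check over the settings posted above. It flags a bind DN configured without a password (RFC 4511 defines result code 48, inappropriateAuthentication, as the server requiring credentials from a client that bound without them), the disabled StartTLS setting, and the repeated 'cn' key in the result map. The function names and finding codes are hypothetical, and the sample is constructed from the posted lines.

```python
import re

# Constructed sample: the LDAP settings quoted in the post, trimmed to the relevant lines.
SAMPLE = r'''
Set($LDAPExternalAuth, '1'); # Enable LDAP auth
Set($LdapServer, "myldapserver.domain.ca");
Set($LdapUser, 'cn=ldap_proxy,o=ourcorp');
#Set($LdapPass, '');
#Set($LdapAuthStartTLS, '1');
%RT::LdapMailResultMap = (
'cn' => 'Name',
'mail' => 'EmailAddress',
'cn' => 'RealName',
);
'''

SET_RE = re.compile(r"""^\s*Set\(\s*\$(\w+)\s*,\s*(?:'([^']*)'|"([^"]*)"|(\w+))\s*\)\s*;""")
PAIR_RE = re.compile(r"""^\s*'([^']+)'\s*=>""")

def parse(text):
    """Return (active Set() values, hash keys in order); commented-out lines are skipped."""
    settings, map_keys = {}, []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SET_RE.match(line)
        if m:
            value = next((g for g in m.groups()[1:] if g is not None), "")
            settings[m.group(1)] = "" if value == "undef" else value
        elif PAIR_RE.match(line):
            map_keys.append(PAIR_RE.match(line).group(1))
    return settings, map_keys

def lint(text):
    """Return finding codes for the LDAP settings in an RT_SiteConfig-style text."""
    s, keys = parse(text)
    findings = []
    # A bind DN with no (or an empty) password is a bind without credentials;
    # RFC 4511 defines result code 48 as the server asking for credentials in that case.
    if s.get("LdapUser") and not s.get("LdapPass"):
        findings.append("bind-dn-without-password")
    # Passwords travel in the simple bind itself, so expect StartTLS or ldaps.
    # Treating an ldaps:// server value as sufficient is an assumption of this example.
    encrypted = s.get("LdapAuthStartTLS") == "1" or s.get("LdapServer", "").startswith("ldaps://")
    if s.get("LDAPExternalAuth") == "1" and not encrypted:
        findings.append("no-transport-encryption")
    # Perl keeps only the last value for a repeated hash key, silently dropping the first.
    findings += [f"duplicate-map-key:{k}" for k in sorted({k for k in keys if keys.count(k) > 1})]
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```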