[rt-users] LDAP authentication..
Nathan J. Mehl
rtusers at memory.blank.org
Tue Nov 29 09:30:02 EST 2005
In the immortal words of TeleMole (telemole at gmail.com):
> That is rectified - now the only success I am having is getting as
> far as attempting to authenticate to the webserver - entering
> credentials in the window - then getting a failure message - my web
> log shows the following :
>
> Mon Nov 28 15:15:33 2005] [error] [client 192.75.12.248] FastCGI:
> server "/opt/rt3/bin/mason_handler.fcgi" stderr: [Mon Nov 28 20:15:33
> 2005] [critical]: IsLdapPassword: Cannot bind to LDAP: retval= 48
> LDAP_INAPPROPRIATE_AUTH (/opt/rt3/lib/RT/User_Local.pm:382)
Well, that seems like a pretty straightforward error: user_local.pm is
trying to perform an ldap bind, and failing.
Can you manually use a tool like ldapsearch to bind and search with
the same username/password you're providing to RT?
> Set($LdapUser, 'cn=ldap_proxy,o=ourcorp');
> #Set($LdapPass, '');
Question the first: is "cn=ldap_proxy,o=ourcorp", with no password,
actually a DN that can bind and search?
> #Set($LdapAuthBase, "o=ourcorp");
You probably want to actually set $LdapAuthBase to something
reasonable here, just so that every search doesn't have to traverse
the whole tree.
> Set($LdapAuthUidAttr, 'cn');
Urk, this is almost certainly wrong. I say "almost", because I've
never used the Novell Directory Server here, but what you're looking
for here is your LDAP schema's equivalent to a unix/posix "uid"
attribute. In an ActiveDirectory server, that would be
"sAMAccountName". I believe most OpenLDAP and SunONE/Netscape LDAP
servers use "username", although don't quote me on that. :)
> #Set($LdapAuthFilter, '(objectClass=user)');
> #Set($LdapMailBase, 'cn=Users,dc=ourcorp,dc=ca');
> #Set($LdapMailFilter, '(objectClass=user)');
Again, probably best to set up filters here, just to keep the results
tree manageable.
> Set($LdapMailSearchAttr, 'mail');
You'll want to make sure that 'mail' is, in fact, the attribute name
in your schema for the user's email address.
> %RT::LdapMailResultMap = (
> 'cn' => 'Name',
> 'mail' => 'EmailAddress',
> 'cn' => 'RealName',
> );
The first use of 'cn' there is almost certainly wrong: cn should map
to RealName, but something else, probably 'uid' or 'username' will map
to the Name field.
-n
------------------------------------------------------<memory at blank.org>
"You've got to hand it to postmodernism: no other literary movement in
history ever spread so much boredom in the name of playfulness."
(--B.R. Myers)
<http://blank.org/memory/>----------------------------------------------
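As an added example, not part of the thread or of RT itself, a small Python linter that parses the RT_SiteConfig.pm LDAP lines quoted above and reports the four problems the reply points out (bind DN with no password, no search base, 'cn' as the uid attribute, 'cn' mapped twice). The setting names are RT's; the sample fragment is constructed from the quoted lines and the check logic is my own.

```python
import re

# Constructed sample: the LDAP settings quoted in the thread, as an RT_SiteConfig.pm fragment.
SAMPLE_CONFIG = """
Set($LdapUser, 'cn=ldap_proxy,o=ourcorp');
#Set($LdapPass, '');
#Set($LdapAuthBase, "o=ourcorp");
Set($LdapAuthUidAttr, 'cn');
%RT::LdapMailResultMap = (
    'cn' => 'Name',
    'mail' => 'EmailAddress',
    'cn' => 'RealName',
);
"""

# Set($Name, 'value');  and  'ldapattr' => 'RTField',  respectively
SET_RE = re.compile(r'''^\s*Set\(\s*\$(\w+)\s*,\s*(['"])(.*?)\2\s*\)\s*;''')
MAP_RE = re.compile(r'''^\s*(['"])(\w+)\1\s*=>\s*(['"])(\w+)\3\s*,?''')

def parse_config(text):
    """Return (settings, result_map_pairs); commented-out Set() lines count as unset."""
    settings, pairs = {}, []
    for line in text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        if m := SET_RE.match(line):
            settings[m.group(1)] = m.group(3)
        elif m := MAP_RE.match(line):
            pairs.append((m.group(2), m.group(4)))
    return settings, pairs

def lint_ldap_config(text):
    """Return a list of findings, one per misconfiguration the reply describes."""
    settings, pairs = parse_config(text)
    findings = []
    if settings.get('LdapUser') and not settings.get('LdapPass'):
        findings.append('LdapUser is set but LdapPass is empty or unset: the proxy bind fails '
                        'unless the directory allows an unauthenticated bind for that DN')
    if not settings.get('LdapAuthBase'):
        findings.append('LdapAuthBase is unset: every lookup searches the whole tree')
    if settings.get('LdapAuthUidAttr') == 'cn':
        findings.append("LdapAuthUidAttr is 'cn': use the schema's login-name attribute "
                        "(uid, or sAMAccountName on Active Directory)")
    seen = {}
    for attr, field in pairs:
        if attr in seen:  # a Perl hash literal keeps only the last value for a repeated key
            findings.append(f"LdapMailResultMap maps '{attr}' twice ({seen[attr]} and {field}); "
                            f"only the last mapping survives")
        seen[attr] = field
    return findings
```

Run `lint_ldap_config(SAMPLE_CONFIG)` against the quoted fragment and it returns four findings; a fragment with a password, a search base, a uid attribute and distinct map keys returns none.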