[rt-users] LDAP auth failing

Tim_Crouch at uttyler.edu Tim_Crouch at uttyler.edu
Wed Mar 21 09:45:26 EDT 2007 

Here's my RT_SiteConfig:


# Any configuration directives you include  here will override 
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this comamnd:
#
#   perl -c /path/to/your/etc/RT_SiteConfig.pm

Set( $rtname, 'helpdesk.uttyler.edu');
1;
### What auth methods do you like and in what order?
#Set($AuthMethods, ['LDAP', 'Internal']);
Set($AuthMethods, ['LDAP']);
### LDAP Settings
#
# There are two different branches of this: LdapAuth* and LdapInfo*;
# additionally, most of the old Ldap* variables are honored, too.
#
# This means if you only have one LDAP server/config you can just set
# "LdapServer", "LdapUser", etc. and they will be used for both
# authentication and information

### Enable/Disable LDAP services
Set($LdapExternalAuth, 1);
Set($LdapExternalInfo, 1);

### Common Settings: affecting both auth and info services

# Should we create accounts for users who aren't in LDAP?
Set($LdapAutoCreateNonLdapUsers, 1);

# Map RT attributes to LDAP attributes
#
### THE MAPPING BELOW WILL NOT WORK FOR YOU UNLESS YOU CHANGE
### IT TO MATCH YOUR LDAP SCHEMA! See 
http://wiki.bestpractical.com/?LdapAttrMap
### to learn how to set this variable properly for either LDAP or Windows
### Active Directory.
Set($LdapAttrMap, {'Name' => 'uid', 
                   'EmailAddress' => 'mail', 
                   'Organization' => 'o', 
                   'RealName' => 'cn', 
                   'ExternalContactInfoId' => 'dn', 
                   'ExternalAuthId' => 'uid', 
                   'Gecos' => 'uid', 
                   'WorkPhone' => 'telephoneNumber', 
                   'Address1' => 'ou', 
                   'Address2' => 'physicalDeliveryOfficeName'}
);

# A list of RT attrs which can uniquely identify a user, 
# ordered from most to least preferred.
Set($LdapRTAttrMatchList, ['ExternalContactInfoId', 'Name',
                           'EmailAddress', 'RealName', 
                           'WorkPhone', 'Address2']
);

# A list of LDAP attrs to examine when canonicalizing email addresses,
# ordered from most to least preferred
Set($LdapEmailAttrMatchList, ['mail', 'mailRoutingAddress', 
                              'mailAlternateAddress']
);
# A list of prefixes to apply to email address matches.
# Windows 2003 AD uses prefixes or smtp: or SMTP:. 
# If not required just leave ''
Set($LdapEmailAttrMatchPrefix, ['', 'smtp:', 'SMTP:'] );

# The basics; if set, these override $RT::LdapAuth* and $RT::LdapInfo*
Set($LdapServer, 'ldap.uttyler.edu');
Set($LdapBase, 'ou=People,dc=uttyler,dc=edu');
Set($LdapFilter, '(objectclass=uid)');
#   Windows 2003 Active Directory does not allow anonymous LDAP binding
#   thus you must pass Net::LDAP a username and password that has
#   access to read the directory.
#
#   You may also need to specify the full distinguished name instead of
#   just a username for LdapUser below. 
#   e.g. cn=Username,cn=Users,dc=yourdomain,dc=com
#
Set($LdapUser, 'uid=<our RT user>,ou=<our RT OU>,dc=uttyler,dc=edu');
Set($LdapPass, '********');

# This filter is used by RT::User::UpdateFromLdap to test whether an 
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
Set($LdapDisableFilter, '(employmentStatus=Terminated)');

# If you set these, only members of this group can auth via LDAP
#Set($LdapGroup, 'cn=RT,ou=Group,dc=example,dc=com');
#Set($LdapGroupAttr, 'uniqueMember');

# These turn on SSL for LDAP
#Set($LdapTLS, 0);
#Set($LdapSSLVersion, 3);

### IF YOU USE THE SAME LDAP SERVER FOR AUTH AND INFO STOP HERE ###

### Authentication settings
#
# These are used only if their $RT::Ldap* analogs are not set;
# if you want one of these variables to be honored, you must comment
# out the corresponding $RT::Ldap* variable above

#Set($LdapAuthServer, 'ldap.example.com');
#Set($LdapAuthBase, 'ou=People,dc=example,dc=com');
#Set($LdapAuthFilter, "(objectclass=posixAccount)");
#Set($LdapAuthUser, '');
#Set($LdapAuthPass, '');

# This filter is used by RT::User::UpdateFromLdap to test whether an 
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
# Set($LdapAuthDisableFilter, '(employmentStatus=Terminated)');

# If you set these, only members of this group can auth via LDAP
#Set($LdapAuthGroup, 'cn=RT,ou=Group,dc=example,dc=com');
#Set($LdapAuthGroupAttr, 'uniqueMember');

# These turn on SSL for LDAP
#Set($LdapAuthTLS, 0);
#Set($LdapAuthSSLVersion, 3);

### Information settings
#
# These are used only if their $RT::Ldap* analogs are not set;
# if you want one of these variables to be honored, you must comment
# out the corresponding $RT::Ldap* variable above
#Set($LdapAuthServer, 'ldap.example.com');
#Set($LdapAuthBase, 'ou=People,dc=example,dc=com');
#Set($LdapAuthFilter, "(objectclass=posixAccount)");
#Set($LdapAuthUser, '');
#Set($LdapAuthPass, '');

# This filter is used by RT::User::UpdateFromLdap to test whether an 
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
# Set($LdapAuthDisableFilter, '(employmentStatus=Terminated)');

# If you set these, only members of this group can auth via LDAP
#Set($LdapAuthGroup, 'cn=RT,ou=Group,dc=example,dc=com');
#Set($LdapAuthGroupAttr, 'uniqueMember');

# These turn on SSL for LDAP
#Set($LdapAuthTLS, 0);
#Set($LdapAuthSSLVersion, 3);

### Information settings
#
# These are used only if their $RT::Ldap* analogs are not set;
# if you want one of these variables to be honored, you must comment
# out the corresponding $RT::Ldap* variable above

#Set($LdapInfoServer, 'ldap.example.com');
#Set($LdapInfoBase, 'ou=People,dc=example,dc=com');
#Set($LdapInfoFilter, "(objectclass=posixAccount)");
#Set($LdapInfoUser, '');
#Set($LdapInfoPass, '');

# This filter is used by RT::User::UpdateFromLdap to test whether an 
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
# Set($LdapInfoDisableFilter, '(employmentStatus=Terminated)');

# These turn on SSL for LDAP
#Set($LdapInfoTLS, 0);
#Set($LdapInfoSSLVersion, 3);


Tim Crouch
Systems Administrator
Campus Computing Services
University of Texas at Tyler
903-566-7476



chaim rieger <chaim.rieger at gmail.com> 
03/20/07 05:10 PM

To
Tim_Crouch at uttyler.edu
cc
rt-users at lists.bestpractical.com
Subject
Re: [rt-users] LDAP auth failing






Tim_Crouch at uttyler.edu wrote:
> I have just installed RT 3.6.1 on FC6.  I have read the WIKI on LDAP 
Auth 
> but am not able to get a successful auth.  This is the error I get in my 

> logs:
>
> [error]: FAILED LOGIN for username from xxx.xxx.xxx.xxx 
> (/opt/rt3/share/html/autohandler:238)
>
> I added the LdapSiteConfigSettings as per the Wiki
>
> I configured my LDAP settings per the Wiki, but to no avail.  Any help 
out 
> there?
>
> 
can you post the lines from SiteConfig.



-- 
--
Chaim Rieger

More information about the rt-users mailing list