[rt-users] Intergration with LDAP

Mike Peachey mike.peachey at jennic.com
Tue Apr 8 15:14:33 EDT 2008


Nelson Pereira wrote:
 > Ok, So I read the instruction on the link given although I still cannot
 > login with a valid Active Directory account....
 >
 > Installed the CPAN module…
 >
 > I made the changes in the RT_SiteConfig.pm, restarted the webserver (OK)
 >
 > Try to login and I get this error in /var/log/httpd/error_log
 >
 > [Tue Apr  8 17:07:02 2008] [error]: Could not record email: RT couldn't
 > find the queue: general
 > (/opt/rt3/share/html/REST/1.0/NoAuth/mail-gateway:75)

This is nothing to do with the ExternalAuth extension.

 > [Tue Apr  8 17:07:13 2008] [critical]: RT::User::_GetBoundLdapObj Can't
 > bind: LDAP_INVALID_CREDENTIALS 49
 > (/opt/rt3/local/lib/RT/User_Vendor.pm:1056)
 >
 > What is this saying?

The error given here is thrown directly from Net::LDAP (the perl module 
used to perform LDAP communication). The error means that the username 
and password you have given to make a connection to the LDAP server in 
order to search for users is not valid.

This is similar to the rt-user you create to allow RT to use its own 
database. You should have a specified account on your LDAP server that 
RT is given to let it search for users.

Alternatively, you can allow "anonymous binding" in your LDAP server 
that will allow anyone to search it without a username and password. If 
you allow anonymous binding, you simply don't specify a user or pass for 
the ldap server.

 > #####################################################################
 > ###################### LDAP AUthentication###########################
 > #####################################################################
 > # Order in which the services defined in ExternalSettings
 > # should be used to authenticate users. User is authenticated
 > # if successfully confirmed by any service - no more services
 > # are checked.
 >
 > Set($ExternalAuthPriority,  [   'My_LDAP',
 >                                 'My_MySQL'
 >                             ]
 > );

You are not using an external MySQL authentication service, so you 
should not be specifying one. The above line needs to be reduced to this:

Set($ExternalAuthPriority, ['My_LDAP']);

Although you can call the service whatever you want (it doesn't need to 
be My_LDAP), just as long as you change the name in the ExternalSettings 
parameter as well.

 > # The order in which the services defined in ExternalSettings
 > # should be used to get information about users. This includes
 > # RealName, Tel numbers etc, but also whether or not the user
 > # should be considered disabled.
 > # Once user info is found, no more services are checked.
 > Set($ExternalInfoPriority,  [   'My_MySQL',
 >                                 'My_LDAP'
 >                             ]
 > );

Again, you're not using an SQL information service. Reduce it to:

Set($ExternalInfoPriority, ['My_LDAP']);

 > # If this is set to true, then the relevant packages will
 > # be loaded to use SSL/TLS connections. At the moment,
 > # this just means "use Net::SSLeay;"
 > Set($ExternalServiceUsesSSLorTLS,    0);

Although there's no harm in clearly specifying this as 0, it's not required.

 > # If this is set to 1, then users should be autocreated by RT
 > # as internal users if they fail to authenticate from an
 > # external service.
 > Set($AutoCreateNonExternalUsers,    1);

Are you sure that you want to allow the automatic creation of users who 
fail to authenticate by LDAP or by RT's own internals? You might want 
to, but it's worth knowing if you are sure.

 > # These are the full settings for each external service as a HashOfHashes
 > # Note that you may have as many external services as you wish. They will
 > # be checked in the order specified in the Priority directives above.
 > # e.g.
 >
 > Set($ExternalSettings,      {   # A LDAP SERVICE
 >                                 'My_LDAP'       =>  {   ## GENERIC SECTION
 > 'type'                      =>  'ldap',
 > # Should the service be used for authentication?
 > 'auth'                      =>  1,
 > # Should the service be used for information?
 > 'info'                      =>  1,
 > # The server hosting the service
 > 'server'                    =>  'my.domain.name',

Have you set the server to your AD server's name? This is still what I 
set it to in the example.

 > # If you can bind to your LDAP server anonymously you should
 > # remove the user and pass config lines, otherwise specify them here:
 > # The username RT should use to connect to the LDAP server
 > 'user'                      =>  'myldapuser',
 > # The password RT should use to connect to the LDAP server
 > 'pass'                      =>  'myladappass$',

Do you want to bind to the server anonymously, or do you need to specify 
a username and password? If you have an RT user on the LDAP server to 
use, specify the username and password here. Otherwise, remove these lines.

 > # The LDAP search base
 > 'base'                      =>  'cn=Users,dc=protus,dc=org',

This one actually looks right. Although you should tell your AD 
administrator that they ought to create an Organisational Unit for your 
organisation and create Users and Groups beneath it so that the 
system/admin users and groups remain in the original place, but "users" 
can then be kept easily organised within the OU.

 > # The filter to use to match RT-Users
 > 'filter'                    =>  '(FILTER_STRING)',

If you want EVERY SINGLE CONTAINER in cn=Users,dc=protus,dc=org to be 
allowed access to RT as a user then your filter string should read like 
this:

'filter'	=> '(objectClass=*)',

Or if you only want objects classed as Person to be considered valid 
users then:

'filter'	=> '(objectClass=Person)',

Or ANY other valid LDAP filter expression (look it up!)

 > # The filter that will only match disabled users
 > 'd_filter' 			=>  '(FILTER_STRING)',

If you want some users that match the filter above to be considered 
disabled then you need to specify the filter for them here, otherwise 
remove this line.

For Active Directory, it is recommended that you use this:

'd_filter'	=> '(userAccountControl:1.2.840.113556.1.4.803:=2)',

which will consider all users who are disabled in Active Directory as 
disabled in RT.

 > # Should we try to use TLS to encrypt connections?
 > 'tls'                       =>  0,

Self-explanatory -- leave it be.

 > # What other args should I pass to Net::LDAP->new($host,@args)?
 > 'net_ldap_args'             => [    version =>  3   ],

For Active Directory, leave this alone.

 > # Does authentication depend on group membership? What group name?
 > 'group'                     =>  'GROUP_NAME',

If users have to be a member of an Active Directory group to access RT, 
specify it here; otherwise REMOVE it.

 > # What is the attribute for the group object that determines membership?
 > 'group_attr'                =>  'GROUP_ATTR',

If you allow access by groups as above, then you really should know 
this, or ask your LDAP administrator. Otherwise, remove it.


For Active Directory, leave all of the rest of these settings alone.
 >                                                         ## RT ATTRIBUTE MATCHING SECTION
 >                                                         # The list of RT attributes that uniquely identify a user
 > 'attr_match_list'           => [    'Name',
 >                                     'EmailAddress',
 >                                     'RealName',
 >                                     'WorkPhone',
 >                                     'Address2'
 >                             ],
 >                                                         # The mapping of RT attributes on to LDAP attributes
 > 'attr_map'                  =>  {   'Name' => 'sAMAccountName',
 >                                     'EmailAddress' => 'mail',
 >                                     'Organization' => 'physicalDeliveryOfficeName',
 >                                     'RealName' => 'cn',
 >                                     'ExternalAuthId' => 'sAMAccountName',
 >                                     'Gecos' => 'sAMAccountName',
 >                                     'WorkPhone' => 'telephoneNumber',
 >                                     'Address1' => 'streetAddress',
 >                                     'City' => 'l',
 >                                     'State' => 'st',
 >                                     'Zip' => 'postalCode',
 >                                     'Country' => 'co'
 >                                 }
 >                             }
 >                         }
 > );
 >
 > 1;


Ok?



As for removing the ExternalAuth extension, you would need to remove:
$RTHOME/share/html/Callbacks/ExternalAuth
$RTHOME/local/etc/ExternalAuth/RT_SiteConfig.pm
$RTHOME/local/lib/RT/Authen/ExternalAuth.pm
$RTHOME/local/lib/RT/User_Vendor.pm

The top two might be Authen-ExternalAuth directories; I can't remember, 
but am not in a position to check right now. It should be obvious in 
your installation.
--

Kind Regards,

___________________________________________________

Mike Peachey, IT
Tel: +44 (0) 114 281 2655
Fax: +44 (0) 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT,  UK
http://www.jennic.com
Confidential
___________________________________________________
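A bind-and-search check, added here as an example and not part of the original thread, of RT or of the ExternalAuth extension: it performs the same connect, bind and search steps that the quoted settings drive, so an error 49 can be pinned on the 'user'/'pass' values (or a filter that matches nothing) before RT is involved. The server, account, base and filters reuse the values from the quoted config and are assumptions.

```perl
#!/usr/bin/perl
# Added diagnostic (not RT's or ExternalAuth's code): connect, bind as the
# service account and search the base exactly as RT_SiteConfig.pm asks RT to,
# so that LDAP_INVALID_CREDENTIALS (49) is traced to the bind credentials.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);

# Assumed values, mirroring the quoted config; override through the environment.
my $server   = $ENV{RT_LDAP_SERVER} || 'my.domain.name';         # 'server'
my $user     = $ENV{RT_LDAP_USER}   || 'myldapuser';             # 'user'
my $pass     = $ENV{RT_LDAP_PASS};                               # 'pass' (keep it out of the script)
my $base     = 'cn=Users,dc=protus,dc=org';                      # 'base'
my $filter   = '(objectClass=Person)';                           # 'filter'
my $d_filter = '(userAccountControl:1.2.840.113556.1.4.803:=2)'; # 'd_filter'

# Same constructor call as 'net_ldap_args' => [ version => 3 ].
my $ldap = Net::LDAP->new($server, version => 3)
    or die "Cannot connect to $server: $@\n";

# Anonymous bind when no password is configured, simple bind otherwise.
# Note: the bind identity must be what the directory accepts as a DN
# (for Active Directory, a user@domain name also works); a bare account
# name such as 'myldapuser' is the usual cause of error 49.
my $mesg = defined $pass ? $ldap->bind($user, password => $pass) : $ldap->bind;
if ($mesg->code == LDAP_INVALID_CREDENTIALS) {
    die "Bind as '$user' rejected (code 49): check the 'user'/'pass' values\n";
}
die "Bind failed: " . $mesg->error . "\n" if $mesg->code != LDAP_SUCCESS;

# Count the objects the filter exposes to RT, and how many RT would mark disabled.
my $users = $ldap->search(base => $base, filter => $filter,
                          attrs => ['sAMAccountName']);
die "Search failed: " . $users->error . "\n" if $users->code != LDAP_SUCCESS;
my $disabled = $ldap->search(base => $base, filter => "(&$filter$d_filter)",
                             attrs => ['sAMAccountName']);
printf "%d objects match the filter, %d of them disabled\n",
       $users->count, $disabled->count;
$ldap->unbind;
```

Run it as `RT_LDAP_PASS=... perl ldapcheck.pl`; a successful bind here with a zero match count points at 'base' or 'filter' rather than the credentials.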
