[rt-users] LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension
James Treleaven
J.Treleaven at greenfieldethanol.com
Wed Apr 9 18:57:02 EDT 2008
I have installed the ExternalAuth extension (thanks Mike!) to try and
validate against my Active Directory server, but I am failing with the
following message in my apache error_log:
[Wed Apr 9 22:20:09 2008] [critical]: RT::User::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49 (/usr/local/rt3/lib/RT/User_Vendor.pm:1056)
This looked to me (and other messages on this list seemed to indicate)
that my problem was one of not providing a correct username/password
pair with which to connect to the AD server. This seemed strange to me
because I was able to validate, on the same machine that is running RT,
against AD using the same username/password pair using ldapsearch.
So I had our AD admin configure AD to allow "Anonymous Binding". Now I
am still getting the same error message as above, even though the
following use of ldapsearch binds against AD just fine with no
usercode/password provided:
ldapsearch -b dc=comalc,dc=com -H ldap://redacted.comalc.com "(objectclass=*)" -x
I suspect that I must have misconfigured ExternalAuth, so I have pasted
in my RT_SiteConfig.pm below. Thanks in advance for any help.
James
---/etc/rt3/RT_SiteConfig.pm---
# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
# perl -c /path/to/your/etc/RT_SiteConfig.pm
Set( $rtname, 'greenfieldethanol.com');
# Set( $Organization , "example.com");
# Look into the zoneinfo database for valid values (/usr/share/zoneinfo/)
Set( $Timezone , 'US/Eastern');
# Set( $WebBaseURL , "http://localhost");
Set( $WebPath , "/rt3");
Set($LogToSyslog, '');
Set($LogToFile, 'debug');
Set($LogDir, '/var/log/rt');
Set($LogToFileNamed , "rt.log");
# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority, ['My_LDAP']);
# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
# Once user info is found, no more services are checked.
Set($ExternalInfoPriority, ['My_LDAP']);
# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS, 0);
# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {    # AN EXAMPLE LDAP SERVICE
    'My_LDAP' => {          ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'   => 'ldap',
        # Should the service be used for authentication?
        'auth'   => 1,
        # Should the service be used for information?
        'info'   => 1,
        # The server hosting the service
        'server' => 'redacted.comalc.com',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user'   => 'redacted',
        # The password RT should use to connect to the LDAP server
        'pass'   => 'redacted',
        #
        # The LDAP search base
        'base'   => 'ou=Organisational Unit,dc=domain,dc=TLD',
        # The filter to use to match RT-Users
        'filter' => '(objectclass=*)',
        # The filter that will only match disabled users
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Should we try to use TLS to encrypt connections?
        'tls'    => 0,
        # What other args should I pass to Net::LDAP->new($host, @args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        #'group' => 'GROUP_NAME',
        # What is the attribute for the group object that determines membership?
        #'group_attr' => 'GROUP_ATTR',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list' => [ 'Name',
                               'EmailAddress',
                               'RealName',
                               'WorkPhone',
                               'Address2'
                             ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name'           => 'sAMAccountName',
                        'EmailAddress'   => 'mail',
                        'Organization'   => 'physicalDeliveryOfficeName',
                        'RealName'       => 'cn',
                        'ExternalAuthId' => 'sAMAccountName',
                        'Gecos'          => 'sAMAccountName',
                        'WorkPhone'      => 'telephoneNumber',
                        'Address1'       => 'streetAddress',
                        'City'           => 'l',
                        'State'          => 'st',
                        'Zip'            => 'postalCode',
                        'Country'        => 'co'
                      }
    }
}
);
1;
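The "Can't bind" message above comes from the very first step ExternalAuth takes: a service bind using the 'user'/'pass' pair from My_LDAP (or an anonymous bind when those keys are absent), followed by a search under 'base' for the login name and only then a bind as the located user. A working ldapsearch does not exercise the same sequence, so the following stand-alone Perl script, an added diagnostic that is not part of RT or the ExternalAuth extension, replays each step with Net::LDAP and reports which one returns LDAP_INVALID_CREDENTIALS. Two things in the posted config are worth checking against the ldapsearch that works: the 'base' is still the template placeholder ('ou=Organisational Unit,dc=domain,dc=TLD') while ldapsearch used dc=comalc,dc=com, and the 'user' value is redacted, so its format is unknown; Active Directory accepts simple binds as 'user@domain', 'DOMAIN\user' or a full DN rather than a bare sAMAccountName. The hostname, base, login name and passwords in the script are assumed placeholders to be edited before running.

```perl
#!/usr/bin/perl
# ldap-bind-check.pl: replay the bind sequence RT::Extension::ExternalAuth
# performs (service bind, search for the login, bind as the user) outside
# RT, so an LDAP_INVALID_CREDENTIALS (49) can be tied to a specific step.
# Added diagnostic; not part of RT or the ExternalAuth extension.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_error_name ldap_error_text escape_filter_value);

# Assumed values: mirror the 'server', 'user', 'pass', 'base', 'filter'
# and attr_map{Name} keys of the My_LDAP entry in RT_SiteConfig.pm.
my %cfg = (
    server => 'redacted.comalc.com',
    user   => '',                  # service account; '' means anonymous bind
    pass   => '',
    base   => 'dc=comalc,dc=com',  # a real base, not the template placeholder
    filter => '(objectclass=*)',
    attr   => 'sAMAccountName',
);

# Assumed test login to try at the final step.
my ($login, $login_pass) = ('jtreleaven', 'not-the-real-password');

# Print the outcome of one step and stop on the first failure.
sub check {
    my ($step, $msg) = @_;
    if ($msg->code) {
        printf "%-20s FAILED: %s (%d) %s\n", $step, ldap_error_name($msg->code),
            $msg->code, ldap_error_text($msg->code);
        exit 1;
    }
    printf "%-20s ok\n", $step;
    return $msg;
}

my $ldap = Net::LDAP->new($cfg{server}, version => 3)
    or die "connect to $cfg{server} failed: $@\n";

# Step 1: service bind, as _GetBoundLdapObj does. An empty 'user' means an
# anonymous bind; otherwise a simple bind with the configured credentials.
my $bind = length $cfg{user}
    ? $ldap->bind($cfg{user}, password => $cfg{pass})
    : $ldap->bind;
check('service bind', $bind);

# Step 2: locate the login name with the configured filter ANDed with the
# Name attribute match, which is how the extension finds the user's DN.
my $filter = sprintf '(&%s(%s=%s))', $cfg{filter}, $cfg{attr},
    escape_filter_value($login);
my $search = check('search for login',
    $ldap->search(base => $cfg{base}, filter => $filter, attrs => [ $cfg{attr} ]));

my @entries = $search->entries;
die "no entry for $login under $cfg{base}; check 'base' and 'filter'\n"
    unless @entries;
die "filter matched " . scalar(@entries) . " entries; it must identify one user\n"
    if @entries > 1;
my $dn = $entries[0]->dn;
print "found DN: $dn\n";

# Step 3: bind as the located user with the supplied password. On AD the
# server's error text carries a subcode after "data" (52e = bad password,
# 525 = user not found) that a plain result code 49 does not reveal.
my $user_bind = $ldap->bind($dn, password => $login_pass);
printf "user bind: %s%s\n", ldap_error_name($user_bind->code),
    $user_bind->code ? ' (' . $user_bind->error . ')' : '';

$ldap->unbind;
```

Run it on the RT host as the same user Apache runs as, with the 'user' and 'pass' keys filled in exactly as they appear in RT_SiteConfig.pm; if step 1 fails there but ldapsearch with -D and -w succeeds, the difference is in the credential format or the password value, and if step 1 passes but step 2 returns nothing, the base or filter is the problem.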