[rt-users] RT version 3.8.0 and RT-Authen-ExternalAuth-0.05

Jason Doran Jason.Doran at nuim.ie
Mon Jul 28 09:51:38 EDT 2008


Hi Brian,
Thanks for the reply. I have got this working on OpenLDAP. Some comments
for others:

I used: 'user' => 'cn=manager,dc=mydomain,dc=ie'

It is not clear from the documentation that this needs to be a full
distinguished name (DN), which I see you use. Above is an example of
the standard OpenLDAP admin user, or perhaps better to create a
special user for this in OpenLDAP.

ldapsearch -LLL -x -D "cn=manager,dc=mydomain,dc=ie" -W -h myldap.mydomain.ie "(&(sn=Doran)(objectClass=posixAccount))"

This worked after I installed 'yum install openldap-clients'. I also
installed perl-LDAP as you suggested. Good for testing.

My final comment. I was assuming that users were automatically created  
from the external data source when they tried to log on. So when I  
tried user 'jbloggs' I got the 'Your username or password is  
incorrect' error. However, when I simply added a user (just the user  
id) from the RT web interface up pops all the mapped attributes in the  
add user form, and the authentication is then successful.

I stupidly assumed that externally sourced users were automatically
created after authentication from the external source.

I mis-read:

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers,    1);

as something like, AutoCreateExternalUsers. Ah well!

Thanks again,
Jason

On 25 Jul 2008, at 16:11, Brian Buchanan wrote:
>
> I can say it works with Active Directory.  I had to install perl-LDAP
> though, on my CentOS5 machine. yum install perl-LDAP
>
> I had just got the plugin working under 3.6.6 when 3.8.0 came out.  I
> moved my 3.6.6 directory out of the way, did its install, and then ran
> the ExternalAuth install.
>
> I noticed the path changed too when I copied over the plugin's
> RT_SiteConfig.pm file and had to fix the require line in my main
> RT_SiteConfig.pm.
>
> In case this can help, here's a stripped and manually redacted version
> of my RT_SiteConfig.pm in the Plugin's etc/ directory which works in my
> Windows 2000 Active Directory environment:  (It's included via the main
> RT_SiteConfig.pm with a 'require
> "/opt/rt3/local/plugins/RT-AuthenExternalAuth/etc/RT_SiteConfig.pm";'
> line)
>

Typo for people copying the above location (dash missing!):
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm


> Set($ExternalAuthPriority,  [   'My_LDAP'
>                            ]
> );
>
> Set($ExternalInfoPriority,  [   'My_LDAP'
>                            ]
> );
>
> Set($ExternalServiceUsesSSLorTLS,    0);
>
> Set($AutoCreateNonExternalUsers,    0);
>
> Set($ExternalSettings,      {
>     'My_LDAP'       =>  {
>         'type'                      =>  'ldap',
>         'auth'                      =>  1,
>         'info'                      =>  1,
>         'server'                    =>  'adomaincontroller.example.com',
>         'user'                      =>  'CN=RTLDAPLookupUser,OU=someou,DC=example,DC=com',
>         'pass'                      =>  'passwordofrtlookupuser',
>         'base'                      =>  'DC=example,DC=com',
>         'filter'                    =>  '(objectClass=Person)',
>         # AD bitwise-AND matching rule: userAccountControl bit 2 (ACCOUNTDISABLE) is set
>         'd_filter'                  =>  '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>         'tls'                       =>  0,
>         'net_ldap_args'             =>  [ version => 3 ],
>         'group'                     =>  '',
>         'group_attr'                =>  '',
>         'attr_match_list'           =>  [
>             'Name',
>             'EmailAddress',
>             'RealName',
>             'WorkPhone',
>             'Address2'
>         ],
>         'attr_map'                  =>  {
>             'Name'           => 'sAMAccountName',
>             'EmailAddress'   => 'mail',
>             'Organization'   => 'physicalDeliveryOfficeName',
>             'RealName'       => 'cn',
>             'ExternalAuthId' => 'sAMAccountName',
>             'Gecos'          => 'sAMAccountName',
>             'WorkPhone'      => 'telephoneNumber',
>             'Address1'       => 'streetAddress',
>             'City'           => 'l',
>             'State'          => 'st',
>             'Zip'            => 'postalCode',
>             'Country'        => 'co'
>         }
>     }
> }
> );
>
> 1;
>
> I also used ldapdisplay to test the LDAP query of the Active Directory:
>
> ldapsearch -LLL -x -D "CN=RTLDAPLookupUser,OU=someou,DC=example,DC=com" -w passwordofrtlookupuser -h adomaincontroller.example.com "(&(sAMAccountName=BRIAN)(objectClass=Person))"
>
> BTW, for about an hour I found I was changing the left side of the
> password of the RT lookup user in RT_SiteConfig.pm, (The parameter name)
> rather than the right side, the value.  I don't know why, I was just
> replacing `user` with the user and `pass` with the password I guess,
> even though I did the correct right-side replacement on everything else.
>
> HTH.
>
> Brian
>
> On Fri, 2008-07-25 at 11:29 +0100, Jason Doran wrote:
>> Hi,
>> I have just installed RT 3.8.0 and RT-Authen-ExternalAuth-0.05.
>>
>> *Before* I post a more detailed report, I just would like to know if
>> this is known to work with the new RT.

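The points raised in this message (the bind 'user' must be a full DN, a dedicated lookup account is preferable to the directory admin, and what `$AutoCreateNonExternalUsers` really does) can be checked mechanically. The Perl sketch below is an added example, not part of the original thread or of the plugin; `audit_external_auth`, the sample hash and its host names are hypothetical, and it assumes that `'tls' => 1` or an `ldaps://` server URI is what protects the connection.

```perl
use strict;
use warnings;

# Constructed sample in the shape of the settings quoted in this thread;
# host names, DNs and the password are placeholders.
my %sample = (
    AutoCreateNonExternalUsers => 1,
    ExternalSettings => {
        OpenLDAP_ok  => { type => 'ldap', server => 'ldaps://ldap.example.com',
                          user => 'cn=rt-lookup,ou=services,dc=example,dc=com',
                          pass => 'CHANGE_ME', tls => 0 },
        OpenLDAP_bad => { type => 'ldap', server => 'ldap.example.com',
                          user => 'manager', pass => 'CHANGE_ME', tls => 0 },
        Admin_bind   => { type => 'ldap', server => 'ldap.example.com',
                          user => 'cn=manager,dc=example,dc=com',
                          pass => 'CHANGE_ME', tls => 1 },
    },
);

# One RDN is attr=value; the value may contain backslash-escaped commas.
my $RDN = qr/[A-Za-z][A-Za-z0-9.-]*\s*=\s*(?:\\.|[^,\\])+/;
my $DN  = qr/\A\s*$RDN(?:\s*,\s*$RDN)+\s*\z/;

# Hypothetical helper: returns a list of findings for one settings hash.
sub audit_external_auth {
    my ($cfg) = @_;
    my @findings;
    push @findings, 'AutoCreateNonExternalUsers=1: users who fail external '
                  . 'authentication are auto-created as internal RT users'
        if $cfg->{AutoCreateNonExternalUsers};
    for my $name (sort keys %{ $cfg->{ExternalSettings} || {} }) {
        my $svc = $cfg->{ExternalSettings}{$name};
        next unless ($svc->{type} // '') eq 'ldap';
        my $user = $svc->{user} // '';
        if ($user !~ $DN) {
            push @findings, "$name: 'user' is not a full DN ('$user')";
        }
        elsif ($user =~ /\A\s*cn\s*=\s*(?:manager|admin|root)\s*,/i) {
            push @findings, "$name: binds as the directory admin; "
                          . 'use a dedicated lookup account';
        }
        # A simple bind over plain LDAP sends the password unencrypted.
        # Assumption: 'tls' => 1 or an ldaps:// URI enables encryption.
        push @findings, "$name: no TLS (tls => 0 and server is not ldaps://)"
            unless $svc->{tls} || ($svc->{server} // '') =~ m{\Aldaps://}i;
    }
    return @findings;
}

print "$_\n" for audit_external_auth(\%sample);
```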