[rt-users] RT::Authen::ExternalAuth debugging
Rich West
Rich.West at wesmo.com
Wed Oct 15 17:17:40 EDT 2008
I'm going down the route of integrating a new RT 3.8.1 install into a
Windows 2003 Active Directory environment, and after going through the
wiki web of information, I found that the "proper" method is now
RT::Authen::ExternalAuth. That was, unfortunately, after I tried
several other methods. :(
Anyhow, I saw a couple of postings on the list (specifically:
http://lists.bestpractical.com/pipermail/rt-users/2008-July/052959.html),
and managed to get things configured, but not functioning. :(
I am able to successfully ldapsearch:
ldapsearch -LLL -x -D "CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local" -w ourpasswd -h ad.ourdomain.local "(objectClass=Person)" -b "dc=ourdomain,dc=local"
And I tried a couple of different variants for searching with command
line success: (objectClass=*), (sAMAccountName=user)
However, I cannot seem to get it to work for RT. I'm getting "Your
username or password is incorrect" after only a few seconds of
processing. Probably the thing preventing me from debugging this
further is.. well.. I'm not sure how to turn up the volume on the
debugging. The most I am seeing in the logs is the login failure.
Any ideas?
Thanks!
-Rich
RT_SiteConfig.pm contains:
# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority, [ 'My_LDAP' ]);

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
# Once user info is found, no more services are checked.
Set($ExternalInfoPriority, [ 'My_LDAP' ]);

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS, 0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 1);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
# Set($ExternalAuthPriority, ['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
#
Set($ExternalSettings, {
    # AN EXAMPLE LDAP SERVICE
    'My_LDAP' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'   => 'ldap',
        # Should the service be used for authentication?
        'auth'   => 1,
        # Should the service be used for information?
        'info'   => 1,
        # The server hosting the service
        'server' => 'ad.ourdomain.local',

        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user'   => 'CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local',
        # The password RT should use to connect to the LDAP server
        'pass'   => 'ourpasswd',
        #
        # The LDAP search base
        'base'   => 'dc=ourdomain,dc=local',
        # The filter to use to match RT-Users
        'filter' => '(objectclass=Person)',
        # The filter that will only match disabled users
        # 'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'd_filter' => '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))',
        # Should we try to use TLS to encrypt connections?
        'tls'    => 0,
        # What other args should I pass to Net::LDAP->new($host, @args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group'  => '',
        # What is the attribute for the group object that determines membership?
        'group_attr' => '',

        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName', 'WorkPhone', 'Address2' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
});
1;
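The following is an added example, not part of the post above and not code from RT::Authen::ExternalAuth. It is a stand-alone Net::LDAP script that walks through the bind / search / rebind sequence an LDAP authenticator of this kind performs (service bind, search for the user's DN with the configured filter, check the disabled filter, rebind as the user with the supplied password), printing the result of each step so a failure can be located outside RT. The server, bind DN, password, base and filters are taken from the config in the post and are placeholders; name_attr is assumed to be the attr_map 'Name' entry (sAMAccountName). Two caveats the config invites: with 'tls' => 0 every user password and the service-account password cross the network in the clear on port 389, and binding as the domain Administrator gives RT far more privilege than the read-only lookups it needs, so a dedicated low-privilege bind account is the safer choice.

```perl
#!/usr/bin/perl
# rt-ldap-check.pl: reproduce the LDAP steps of an RT external-auth login
# outside RT, with verbose output. Added example code; values below are
# placeholders copied from the RT_SiteConfig.pm in the post.
#   usage: perl rt-ldap-check.pl <username> <password>
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_error_text escape_filter_value);

# --- settings copied from the 'My_LDAP' service in RT_SiteConfig.pm ---
my %cfg = (
    server    => 'ad.ourdomain.local',
    user      => 'CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local',
    pass      => 'ourpasswd',
    base      => 'dc=ourdomain,dc=local',
    filter    => '(objectclass=Person)',
    d_filter  => '(&(objectCategory=person)(objectClass=user)'
               . '(userAccountControl:1.2.840.113556.1.4.803:=2))',
    name_attr => 'sAMAccountName',   # assumed: attr_map{Name}
);

my ($username, $password) = @ARGV;
die "usage: $0 <username> <password>\n"
    unless defined $username && defined $password;

# Step 1: connect. DNS, firewall or a closed port 389 fails here, and
# RT would surface that only as a generic login failure.
my $ldap = Net::LDAP->new($cfg{server}, version => 3)
    or die "connect to $cfg{server} failed: $@\n";
print "connected to $cfg{server}\n";

# Step 2: bind with the service account from the config.
my $mesg = $ldap->bind($cfg{user}, password => $cfg{pass});
fail("service bind as $cfg{user}", $mesg) if $mesg->code;
print "service bind OK\n";

# Step 3: locate the user's DN. The login name is escaped before it is
# interpolated into the filter, so input such as 'a*' or 'a)(cn=*'
# cannot change the shape of the query.
my $user_filter = sprintf '(&%s(%s=%s))',
    $cfg{filter}, $cfg{name_attr}, escape_filter_value($username);
print "searching base=$cfg{base} filter=$user_filter\n";
$mesg = $ldap->search(base => $cfg{base}, scope => 'sub',
                      filter => $user_filter, attrs => ['1.1']);
fail("user search", $mesg) if $mesg->code;
printf "search returned %d entries\n", $mesg->count;
die "no entry for $username: RT would report bad username/password\n"
    if $mesg->count == 0;
die "filter matched more than one entry; tighten 'filter'\n"
    if $mesg->count > 1;
my $dn = $mesg->entry(0)->dn;
print "user DN: $dn\n";

# Step 4: disabled-account check, using the same AND filter as
# 'd_filter' narrowed to this one login name.
my $disabled_filter = sprintf '(&%s(%s=%s))',
    $cfg{d_filter}, $cfg{name_attr}, escape_filter_value($username);
$mesg = $ldap->search(base => $cfg{base}, scope => 'sub',
                      filter => $disabled_filter, attrs => ['1.1']);
fail("disabled check", $mesg) if $mesg->code;
print "account is ", ($mesg->count ? "DISABLED" : "enabled"), "\n";

# Step 5: rebind as the user with the supplied password. This is the
# real credential check; with 'tls' => 0 the password is sent in clear.
$mesg = $ldap->bind($dn, password => $password);
fail("user bind as $dn", $mesg) if $mesg->code;
print "user bind OK: $username authenticated\n";
$ldap->unbind;

# Report an LDAP result code with its standard text and server message.
sub fail {
    my ($what, $m) = @_;
    die sprintf "%s failed: code %d (%s): %s\n",
        $what, $m->code, ldap_error_text($m->code), $m->error;
}
```

Run it with a known-good account and password; whichever step dies first is the one RT is failing on. A failure at step 2 points at the bind DN or password, an empty result at step 3 at the base or filter (or at a wrapped filter string in the config), and a failure at step 5 at the user's own credentials or an AD policy on simple binds.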