[rt-users] RT::Authen::ExternalAuth debugging
Andrew Konkol
akonkol at gmail.com
Wed Oct 15 17:32:43 EDT 2008
I too was going down this path. What ended up working for me was creating
local accounts on RT first; then LDAP authentication worked.
The other problem I ran into is the "give permissions for everyone to create
ticket" error when this plugin was activated. Double checked all
permissions, and ensured that everyone could create a ticket for the given
queue and had no luck.
For now I've rolled back the use of the plugin and I am just using local
accounts :(
-a
On Wed, Oct 15, 2008 at 4:17 PM, Rich West <Rich.West at wesmo.com> wrote:
> I'm going down the route of integrating a new RT 3.8.1 install into a
> Windows 2003 Active Directory environment, and after going through the
> wiki web of information, I found that the "proper" method is now
> RT::Authen::ExternalAuth. That was, unfortunately, after I tried
> several other methods. :(
>
> Anyhow, I saw a couple of postings on the list (specifically:
> http://lists.bestpractical.com/pipermail/rt-users/2008-July/052959.html),
> and managed to get things configured, but not functioning. :(
>
> I am able to successfully ldapsearch:
> ldapsearch -LLL -x -D "CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local" -w ourpasswd -h ad.ourdomain.local "(objectClass=Person)" -b "dc=ourdomain,dc=local"
>
> And I tried a couple of different variants for searching with command
> line success: (objectClass=*), (sAMAccountName=user)
>
> However, I cannot seem to get it to work for RT. I'm getting "Your
> username or password is incorrect" after only a few seconds of
> processing. Probably the thing preventing me from debugging this
> further is.. well.. I'm not sure how to turn up the volume on the
> debugging. The most I am seeing in the logs is the login failure.
>
> Any ideas?
>
> Thanks!
> -Rich
>
>
>
> RT_SiteConfig.pm contains:
> # The order in which the services defined in ExternalSettings
> # should be used to authenticate users. User is authenticated
> # if successfully confirmed by any service - no more services
> # are checked.
> Set($ExternalAuthPriority, [ 'My_LDAP' ]);
>
> # The order in which the services defined in ExternalSettings
> # should be used to get information about users. This includes
> # RealName, Tel numbers etc, but also whether or not the user
> # should be considered disabled.
> # Once user info is found, no more services are checked.
> Set($ExternalInfoPriority, [ 'My_LDAP' ]);
>
> # If this is set to true, then the relevant packages will
> # be loaded to use SSL/TLS connections. At the moment,
> # this just means "use Net::SSLeay;"
> Set($ExternalServiceUsesSSLorTLS, 0);
>
> # If this is set to 1, then users should be autocreated by RT
> # as internal users if they fail to authenticate from an
> # external service.
> Set($AutoCreateNonExternalUsers, 1);
>
> # These are the full settings for each external service as a HashOfHashes
> # Note that you may have as many external services as you wish. They will
> # be checked in the order specified in the Priority directives above.
> # e.g.
> #   Set($ExternalAuthPriority, ['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
> #
> Set($ExternalSettings, {
>     # AN EXAMPLE LDAP SERVICE
>     'My_LDAP' => {  ## GENERIC SECTION
>         # The type of service (db/ldap/cookie)
>         'type' => 'ldap',
>         # Should the service be used for authentication?
>         'auth' => 1,
>         # Should the service be used for information?
>         'info' => 1,
>         # The server hosting the service
>         'server' => 'ad.ourdomain.local',
>         ## SERVICE-SPECIFIC SECTION
>         # If you can bind to your LDAP server anonymously you should
>         # remove the user and pass config lines, otherwise specify them here:
>         #
>         # The username RT should use to connect to the LDAP server
>         'user' => 'CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local',
>         # The password RT should use to connect to the LDAP server
>         'pass' => 'ourpasswd',
>         #
>         # The LDAP search base
>         'base' => 'dc=ourdomain,dc=local',
>         # The filter to use to match RT-Users
>         'filter' => '(objectclass=Person)',
>         # The filter that will only match disabled users
>         # 'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>         'd_filter' => '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))',
>         # Should we try to use TLS to encrypt connections?
>         'tls' => 0,
>         # What other args should I pass to Net::LDAP->new($host,@args)?
>         'net_ldap_args' => [ version => 3 ],
>         # Does authentication depend on group membership? What group name?
>         'group' => '',
>         # What is the attribute for the group object that determines membership?
>         'group_attr' => '',
>         ## RT ATTRIBUTE MATCHING SECTION
>         # The list of RT attributes that uniquely identify a user
>         'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName', 'WorkPhone', 'Address2' ],
>         # The mapping of RT attributes on to LDAP attributes
>         'attr_map' => {
>             'Name'           => 'sAMAccountName',
>             'EmailAddress'   => 'mail',
>             'Organization'   => 'physicalDeliveryOfficeName',
>             'RealName'       => 'cn',
>             'ExternalAuthId' => 'sAMAccountName',
>             'Gecos'          => 'sAMAccountName',
>             'WorkPhone'      => 'telephoneNumber',
>             'Address1'       => 'streetAddress',
>             'City'           => 'l',
>             'State'          => 'st',
>             'Zip'            => 'postalCode',
>             'Country'        => 'co',
>         },
>     },
> });
> 1;
>
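The "how do I see what the plugin is doing" question in the quoted post can be answered outside RT: the added Perl script below (not RT's or the plugin's code) replays the login sequence the plugin's LDAP service performs, one step at a time, using the values from the quoted RT_SiteConfig.pm, so the server, bind DN, placeholder password, base and filters are the poster's, and the lookup attribute follows the attr_map 'Name' entry. Whichever step fails here is the setting to look at in RT.

```perl
#!/usr/bin/perl
# Re-enacts the four steps of an RT::Authen::ExternalAuth LDAP login so each
# can be watched on its own. Added debugging aid, not plugin code; %cfg mirrors
# the posted RT_SiteConfig.pm (placeholder credentials), test user given at run time.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my %cfg = (
    server    => 'ad.ourdomain.local',
    user      => 'CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local',
    pass      => 'ourpasswd',
    base      => 'dc=ourdomain,dc=local',
    filter    => '(objectclass=Person)',
    d_filter  => '(userAccountControl:1.2.840.113556.1.4.803:=2)',  # bit 2 = ACCOUNTDISABLE
    name_attr => 'sAMAccountName',   # attr_map 'Name' => 'sAMAccountName'
    net_ldap_args => [ version => 3 ],
);

my $username = shift @ARGV or die "usage: $0 USERNAME   (password is prompted)\n";
print "Password for $username: ";
system('stty', '-echo');                 # keep the password out of ps and shell history
chomp(my $password = <STDIN>);
system('stty', 'echo'); print "\n";
my $user_match = "($cfg{name_attr}=" . escape_filter_value($username) . ")";

# 1. Bind with the service account named in 'user'/'pass'.
my $ldap = Net::LDAP->new($cfg{server}, @{ $cfg{net_ldap_args} })
    or die "connect to $cfg{server} failed: $@\n";
my $mesg = $ldap->bind($cfg{user}, password => $cfg{pass});
die "service bind failed: " . $mesg->error . "\n" if $mesg->code;
print "1. service bind ok\n";

# 2. Find the user: 'filter' AND (Name attribute = username). Exactly one hit is required.
$mesg = $ldap->search(base => $cfg{base}, filter => "(&$cfg{filter}$user_match)", attrs => ['1.1']);
die "search failed: " . $mesg->error . "\n" if $mesg->code;
printf "2. (&%s%s) matched %d entries\n", $cfg{filter}, $user_match, $mesg->count;
die "need exactly one match; check 'filter' and attr_map{Name}\n" unless $mesg->count == 1;
my $dn = $mesg->entry(0)->dn;
print "   user DN: $dn\n";

# 3. Disabled check: does 'd_filter' AND the same user match return anything?
$mesg = $ldap->search(base => $cfg{base}, filter => "(&$cfg{d_filter}$user_match)", attrs => ['1.1']);
print( $mesg->count ? "3. account is DISABLED (d_filter matched)\n" : "3. account is enabled\n" );

# 4. Re-bind as the user's own DN with the typed password (failures count against AD lockout policy).
$mesg = $ldap->bind($dn, password => $password);
print( $mesg->code ? "4. user bind FAILED: " . $mesg->error . "\n" : "4. user bind ok, credentials valid\n" );
$ldap->unbind;
```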