[rt-users] Problems getting LDAP authentication working...

Kevin Gagel gagel at cnc.bc.ca
Mon Jun 1 15:26:02 EDT 2009


I'm trying to setup LDAP through the RT-Authen-ExternalAuth plugin.

I have gotten far enough to login as a user via LDAP but I want to restrict logins to a specific group within my Windows AD. I can't seem to get that part working. I know it's something I'm doing wrong but I'm not seeing what it is.

So, what I want is to allow users within a group "CSER" to be able to login and create tickets. I want another group "ITAdmin" to be equivalent to the RTAdmin. How do I set this up?

Here is my current configuration:

Set($rtname, 'XXXXXX.ca');
Set($LogToFileNamed, "/var/tmp/rt3.error");
Set($LogToFile, 'debug');
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);
Set(@Plugins, qw(RT::Authen::ExternalAuth));
Set($ExternalSettings, {
    'My_LDAP' => {   ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        'auth' => 1,
        'info' => 1,
        # The server hosting the service
        'server' => 'XXX.XXX.XXX.XXX',
        # The username RT should use to connect to the LDAP server
        'user' => 'XXXXXX',
        # The password RT should use to connect to the LDAP server
        'pass' => 'XXXXXX',
        'base' => 'XXXXXX',
        'filter' => '(objectClass=Person)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        # (AD attribute is userAccountControl; a misspelled attribute name
        # matches nothing, so disabled accounts would not be excluded)
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host, @args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'CSER',
        # What is the attribute for the group object that determines membership?
        'group_attr' => '',
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
        }
    }
});
1;

With the above configuration I am able to login after I get an error because of the blank group_attr. What exactly is supposed to be there? Every attempt to put something there causes the login to fail. Sample debug follows:

[Mon Jun  1 19:20:27 2009] [debug]: RT's GnuPG libraries couldn't successfully read your configured GnuPG home directory (/opt/rt3/var/data/gpg). PGP support has been disabled (/opt/rt3/bin/../lib/RT/Config.pm:339)
[Mon Jun  1 19:20:32 2009] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Jun  1 19:20:32 2009] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Jun  1 19:20:32 2009] [debug]: Calling UserExists with $username (gagel) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Jun  1 19:20:32 2009] [debug]: UserExists params:
username: gagel , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Jun  1 19:20:32 2009] [debug]: LDAP Search ===  Base: ou=XXXXX=ca == Filter: (i(objectClass=Person)(sAMAccountName=XXXXX)) == Attrs: mail,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Jun  1 19:20:32 2009] [debug]: Password validation required for service - Executing... (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Mon Jun  1 19:20:32 2009] [debug]: Trying external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Mon Jun  1 19:20:32 2009] [debug]: LDAP Search ===  Base: ou=XXXXXX=ca == Filter: (l(sAMAccountName=XXXXX)(objectClass=Person)) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Mon Jun  1 19:20:32 2009] [debug]: Found LDAP DN: CN=XXXX,OU=XXXXXX=ca (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Mon Jun  1 19:20:32 2009] [debug]: RT's GnuPG libraries couldn't successfully read your configured GnuPG home directory (/opt/rt3/var/data/gpg). PGP support has been disabled (/opt/rt3/bin/../lib/RT/Config.pm:339)
[Mon Jun  1 19:20:32 2009] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Jun  1 19:20:32 2009] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Jun  1 19:20:32 2009] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Jun  1 19:20:32 2009] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

What am I doing wrong?

Kevin W. Gagel
Network Administrator
Local 5448
My blog:
http://mail.cnc.bc.ca/blogs/gagel
My shared files:
http://mail.cnc.bc.ca/users/gagel
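An added example, not code from RT-Authen-ExternalAuth or from the poster: it models, over a constructed in-memory directory, the two LDAP checks the configuration above depends on, the `d_filter` bitwise test on `userAccountControl` and a group-membership lookup. The group check is an assumption about how the plugin uses `group` and `group_attr` (a search under the group's DN for `(group_attr=<user DN>)`), and the DNs and entries are made up.

```python
# Added example (not the plugin's code): models the d_filter and group
# checks used by the RT::Authen::ExternalAuth LDAP configuration.
ACCOUNTDISABLE = 2  # userAccountControl bit tested by the d_filter

# Constructed sample entries standing in for AD objects (not real data).
DIRECTORY = {
    "CN=gagel,OU=Staff,DC=example,DC=ca": {
        "objectClass": ["Person"], "sAMAccountName": ["gagel"],
        "userAccountControl": [512]},                 # normal account
    "CN=olduser,OU=Staff,DC=example,DC=ca": {
        "objectClass": ["Person"], "sAMAccountName": ["olduser"],
        "userAccountControl": [514]},                 # 512 | ACCOUNTDISABLE
    "CN=CSER,OU=Groups,DC=example,DC=ca": {
        "objectClass": ["Group"],
        "member": ["CN=gagel,OU=Staff,DC=example,DC=ca"]},
}

def bitwise_and_match(entry, attr, mask):
    """LDAP matching rule 1.2.840.113556.1.4.803: true if any value of
    `attr` has every bit of `mask` set.  An attribute the entry does not
    carry (e.g. the misspelling 'userAccountConrol') never matches."""
    return any((int(v) & mask) == mask for v in entry.get(attr, []))

def disabled_users(directory, attr="userAccountControl"):
    """DNs the d_filter '(<attr>:1.2.840.113556.1.4.803:=2)' would return,
    i.e. accounts the plugin should refuse.  Passing a misspelled attribute
    name shows the filter silently matching nobody."""
    return sorted(dn for dn, e in directory.items()
                  if bitwise_and_match(e, attr, ACCOUNTDISABLE))

def group_allows(directory, group_dn, group_attr, user_dn):
    """Assumed plugin behaviour: search base=group DN for the filter
    (<group_attr>=<user DN>) and allow login only on a hit.  A blank
    group_attr cannot form a valid filter, so it is rejected outright."""
    if not group_attr:
        raise ValueError("group_attr must name the membership attribute")
    group = directory.get(group_dn, {})
    return user_dn in group.get(group_attr, [])
```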
