[rt-users] Resend: Problems getting LDAP authentication working...

Kevin Gagel gagel at cnc.bc.ca
Tue Jun 2 14:25:34 EDT 2009


No bites on this so here is additional/updated information.
Using RT 3.8.2
Using Plugin RT-Authen-ExternalAuth to connect to Windows Active Directory for authentication

I cannot get the group & group_attr figured out to allow login by group only. What changes do I need to make to my configuration?

My RT_SiteConfig.pm:
Set( $rtname, 'XXXXXX');
Set($LogToFileNamed, "/var/tmp/rt3.error");
Set($LogToFile, 'debug');
Set($ExternalAuthPriority,['My_LDAP']);
Set($ExternalInfoPriority,['My_LDAP']);
Set(@Plugins,qw(RT::Authen::ExternalAuth));
Set($ExternalSettings, {
                                'My_LDAP'       =>  {   ## GENERIC SECTION
                                                        # The type of service (db/ldap/cookie)
                                                        'type' => 'ldap',
                                                        'auth' => 1,
                                                        'info' => 1,
                                                        # The server hosting the service
                                                        'server'                    =>  'XXX.XXX.XXX.XXX',
                                                        ## SERVICE-SPECIFIC SECTION
                                                        # If you can bind to your LDAP server anonymously you should
                                                        # remove the user and pass config lines, otherwise specify them here:
                                                        #
                                                        # The username RT should use to connect to the LDAP server
                                                        'user'                      =>  'XXXXX',
                                                        # The password RT should use to connect to the LDAP server
                                                        'pass'                    =>  'XXXXX',
                                                        #
                                                        # The LDAP search base
                                                        'base'         =>  'ou=Campus,dc=ad,dc=cnc,dc=bc,dc=ca',
                                                        #
                                                        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
                                                        # YOU **MUST** SPECIFY A filter AND A d_filter!!
                                                        #
                                                        # The filter to use to match RT-Users
                                                        'filter'                    =>  '(objectClass=User)',
                                                        # A catch-all example filter: '(objectClass=*)'
                                                        #
                                                        # The filter that will only match disabled users
                                                        'd_filter'                  =>  '(userAccountControl:1.2.840.113556.1.4.803:=2)',
                                                        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
                                                        #
                                                        # Should we try to use TLS to encrypt connections?
                                                        'tls'                       =>  0,
                                                        # SSL Version to provide to Net::SSLeay *if* using SSL
                                                        'ssl_version'               =>  3,
                                                        # What other args should I pass to Net::LDAP->new($host, at args)?
                                                        'net_ldap_args'             => [    version =>  3   ],
                                                        # Does authentication depend on group membership? What group name?
                                                        'group'                     =>  'CSER',
                                                        # What is the attribute for the group object that determines membership?
                                                        'group_attr'                =>  'member',
                                                        ## RT ATTRIBUTE MATCHING SECTION
                                                        # The list of RT attributes that uniquely identify a user
                                                        # This example shows what you *can* specify.. I recommend reducing this
                                                        # to just the Name and EmailAddress to save encountering problems later.
                                                        'attr_match_list'           => [    'Name',
                                                                                            'EmailAddress',
                                                                                        ],
                                                        # The mapping of RT attributes on to LDAP attributes
                                                        'attr_map'                  =>  {   'Name' => 'sAMAccountName',
                                                                                            'EmailAddress' => 'mail',
                                                                                        }
                                                    }
                                }
);
1;

Debug output:

[debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[debug]: RT's GnuPG libraries couldn't successfully read your configured GnuPG home directory (/opt/rt3/var/data/gpg). PGP support has been disabled (/opt/rt3/bin/../lib/RT/Config.pm:339)
[debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[debug]: Calling UserExists with $username (XXXXX) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[debug]: UserExists params:
username: XXXXX , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[debug]: LDAP Search ===  Base: ou=Campus,dc=ad,dc=cnc,dc=bc,dc=ca == Filter: (&(objectClass=User)(sAMAccountName=XXXXX)) == Attrs: mail,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[debug]: Password validation required for service - Executing... (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[debug]: Trying external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[debug]: LDAP Search ===  Base: ou=Campus,dc=ad,dc=cnc,dc=bc,dc=ca == Filter: (&(sAMAccountName=XXXXX)(objectClass=User)) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[debug]: Found LDAP DN: CN=XXXXX,OU=CompServices,OU=Users,OU=PG,OU=Campus,DC=ad,DC=cnc,DC=bc,DC=ca (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[debug]: LDAP Search ===  Base: ou=Campus,dc=ad,dc=cnc,dc=bc,dc=ca == Filter: (member=CN=XXXXX,OU=CompServices,OU=Users,OU=PG,OU=Campus,DC=ad,DC=cnc,DC=bc,DC=ca) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[critical]: Search for (member=CN=XXXXX,OU=CompServices,OU=Users,OU=PG,OU=Campus,DC=ad,DC=cnc,DC=bc,DC=ca) failed: LDAP_INVALID_DN_SYNTAX 34 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:116)
[debug]: LDAP password validation result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[debug]: Password Validation Check Result:  0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[error]: FAILED LOGIN for XXXXX from 142.27.70.153 (/opt/rt3/share/html/autohandler:268)

I can see that the group_attr seems to be incorrect, so what group attribute am I supposed to be using? I've tried various ones with no success. I'm using ADSIEdit to pick attributes to try but haven't been able to find the correct one. I've spent days researching the net with LDAP and trying to figure it out.

Could someone please help me, or at least point me to the right resource? I can't find any more information on how to integrate this plugin to use my LDAP source.

Kevin W. Gagel
Network Administrator
Local 5448
My blog:
http://mail.cnc.bc.ca/blogs/gagel
My shared files:
http://mail.cnc.bc.ca/users/gagel
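An added, offline sanity check for the LDAP section of such a config; this is example code written for this page, not Kevin's config and not the plugin's code. The LDAP_INVALID_DN_SYNTAX (34) result in the log is what a directory returns when something it must parse as a DN is not one. In the plugin versions I know, the `group` value is handed to the directory as the search base of the membership search, so it has to be the group's full DN rather than its short name; treat that as an assumption to confirm against the installed version of the plugin. The script checks the values the server parses as DNs (`base`, `group`) and as filters (`filter`, `d_filter`), rebuilds the user-lookup and membership filters the log shows, and escapes the user DN per RFC 4515 before embedding it in a filter (the log shows it unescaped, which breaks for DNs containing parentheses). The `cn=CSER,ou=Groups,...` DN is a placeholder; where the real group object lives is not in the post.

```python
"""Offline checks for an RT::Authen::ExternalAuth-style LDAP section.

Constructed example: it connects to no directory. It validates the config
values a server parses as DNs or filters and shows filter-value escaping.
"""
import re

# Deliberately simple RFC 4514 shape check: one or more RDNs separated by
# unescaped commas, each RDN of the form attr=value.
_RDN = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=.+$')
_UNESCAPED_COMMA = re.compile(r'(?<!\\),')

# RFC 4515 escaping for a value placed inside a search filter.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def is_dn(value):
    """True if value looks like a DN, e.g. 'cn=CSER,ou=Groups,dc=example,dc=org'."""
    if not value or value.strip() != value:
        return False
    rdns = _UNESCAPED_COMMA.split(value)
    return all(_RDN.match(rdn.strip()) for rdn in rdns)


def escape_filter_value(value):
    """Escape a string (for example a user DN) before embedding it in a filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(cfg, username):
    """The (&<filter>(<name_attr>=<user>)) search used to find the user's DN."""
    name_attr = cfg['attr_map']['Name']
    return '(&%s(%s=%s))' % (cfg['filter'], name_attr, escape_filter_value(username))


def membership_filter(cfg, user_dn):
    """The (<group_attr>=<user DN>) filter run against the group's DN as base."""
    return '(%s=%s)' % (cfg['group_attr'], escape_filter_value(user_dn))


def validate(cfg):
    """Return a list of problems a directory would reject this section for."""
    problems = []
    for key in ('base', 'group'):
        if cfg.get(key) and not is_dn(cfg[key]):
            problems.append('%s=%r is not a DN; the server answers a search '
                            'based on it with LDAP_INVALID_DN_SYNTAX (34)' % (key, cfg[key]))
    for key in ('filter', 'd_filter'):
        f = cfg.get(key, '')
        if not (f.startswith('(') and f.endswith(')')):
            problems.append('%s must be a parenthesised LDAP filter, got %r' % (key, f))
    if cfg.get('group') and not cfg.get('group_attr'):
        problems.append('group is set but group_attr is missing')
    return problems


# Constructed: the shape of the posted section, group given as a short name.
POSTED = {
    'base': 'ou=Campus,dc=ad,dc=cnc,dc=bc,dc=ca',
    'filter': '(objectClass=User)',
    'd_filter': '(userAccountControl:1.2.840.113556.1.4.803:=2)',
    'group': 'CSER',
    'group_attr': 'member',
    'attr_map': {'Name': 'sAMAccountName', 'EmailAddress': 'mail'},
}

# Constructed: same section with the group given as a DN (placeholder location).
FIXED = dict(POSTED, group='cn=CSER,ou=Groups,ou=Campus,dc=ad,dc=cnc,dc=bc,dc=ca')

if __name__ == '__main__':
    for label, cfg in (('posted', POSTED), ('fixed', FIXED)):
        print(label, validate(cfg) or 'ok')
    print(user_lookup_filter(POSTED, 'jdoe'))
    print(membership_filter(POSTED, 'CN=Doe (IT),OU=Users,DC=example,DC=org'))
```

Running it reports the `group` value as the one thing the directory would reject in the posted section and nothing for the DN form; the last line shows the parentheses in a user DN turned into `\28` and `\29` so the membership filter stays well-formed.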
