[rt-users] External Authentication with LDAPS

Anthony BRODARD brodard.anthony at gmail.com
Mon Aug 2 05:40:37 EDT 2010


Hi Mike!

Thanks for your replies.
After I had tried what you said in your last mail, I decided to reinstall a
new clean RT and test only the external authentication plugin.

So, this is a part of my new RT_SiteConfig, with your last recommendations:


Set( @Plugins, qw(RT::Authen::ExternalAuth) );

Set($ExternalAuthPriority,  ['My_LDAP']);
Set($ExternalInfoPriority,  ['My_LDAP']);
Set($ExternalServiceUsesSSLorTLS,   1);
Set($AutoCreateNonExternalUsers,    0);
Set($ExternalSettings,      {   'My_LDAP' =>  {
        'type' => 'ldap',
        'server' => 'ldap.mydomain',
        'user' => 'cn=auth,o=others,dc=blanked,dc=fr',
        'pass' => 'xxxxx',
        'base' => 'dc=blanked,dc=fr',
        'filter' => '(uid=*)',
        'd_filter' => 'objectClass=Nothing',
        'tls' => 1,
        'ssl_version' => 3,
        'net_ldap_args' => [ version => 3 ],
#       'group' =>
#       'group_attr' =>
        'attr_match_list' => ['Name'],
        'attr_map' => { 'Name' => 'uid'},
        }
});

And in my error-rt.log:

[Mon Aug  2 09:26:09 2010] [critical]:
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to
ldap.blank.fr(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)
[Mon Aug  2 09:26:09 2010] [error]: FAILED LOGIN for anthony.brodard from
10.1.104.30 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)

I don't understand how to set the fields "d_filter", "group", "group_attr".

Thanks

Anthony BRODARD
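An added stand-alone probe (my own example, not code from the thread or from the RT::Authen::ExternalAuth plugin) that repeats the steps the plugin takes on login one at a time, so you can see whether the failure is the TCP connect, STARTTLS, the service-account bind, or the search. The hostname, DN, password and base are placeholders taken from the config above; `tls => 1` is assumed to mean STARTTLS on the plain port, as the plugin's `start_tls` call does, so a server that only listens for LDAPS on 636 must be given as `ldaps://ldap.mydomain`.

```perl
#!/usr/bin/perl
# Probe each stage of the ExternalAuth LDAP login separately.
# Values below are placeholders copied from the RT_SiteConfig above.
use strict;
use warnings;
use Net::LDAP;

my %cfg = (
    server    => 'ldap.mydomain',   # use 'ldaps://ldap.mydomain' for LDAPS on 636
    user      => 'cn=auth,o=others,dc=blanked,dc=fr',
    pass      => 'xxxxx',
    base      => 'dc=blanked,dc=fr',
    filter    => '(uid=*)',
    tls       => 1,                 # 1 = STARTTLS on the plain LDAP port
    ldap_args => [ version => 3 ],  # same as 'net_ldap_args' in the config
);

# Stage 1: TCP connect. This is where "Cannot connect to <server>" is logged
# by the plugin; the underlying reason (DNS, refused port, timeout) is in $@.
my $ldap = Net::LDAP->new( $cfg{server}, @{ $cfg{ldap_args} } )
    or die "connect to $cfg{server} failed: $@\n";
print "connected to $cfg{server}\n";

# Stage 2: STARTTLS, only when 'tls' is set (a certificate or protocol
# problem shows up here, not as a connect failure).
if ( $cfg{tls} ) {
    my $msg = $ldap->start_tls;
    die "start_tls failed: " . $msg->error . "\n" if $msg->code;
    print "STARTTLS negotiated\n";
}

# Stage 3: bind with the service account from 'user' / 'pass'.
my $bind = $ldap->bind( $cfg{user}, password => $cfg{pass} );
die "bind as $cfg{user} failed: " . $bind->error . "\n" if $bind->code;
print "bound as $cfg{user}\n";

# Stage 4: run the 'filter' under 'base', as the plugin does to find the user.
my $res = $ldap->search(
    base   => $cfg{base},
    filter => $cfg{filter},
    attrs  => ['uid'],
);
die "search failed: " . $res->error . "\n" if $res->code;
printf "search ok: %d entries match %s under %s\n",
    $res->count, $cfg{filter}, $cfg{base};

$ldap->unbind;
```

Run it as the same user Apache runs RT under, so that it sees the same CA bundle and name resolution as the plugin does.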


2010/7/29 Mike Johnson <mike.johnson at nosm.ca>

> make sure you reply to the list, very important to share all this so others
> can learn.
>
> The only thing I could think of is your LDAP settings are incorrect
> somewhere.
>
> Some things I found when I was setting things up
>
>
> 1. user = the fully qualified CN of the user (i.e. CN=Mike
> Johnson,OU=Users,OU=mycompany,OU=mydomain,OU=local)
> 2. filter and d_filter have to have valid settings
> 3. Group/Group_Attr had to have settings.
>
> I was binding to an AD, so I'm not 100% on 3 if it isn't an AD... but 1 and
> 2 hold true for any LDAP.
>
> HTH
> Mike.
>
> On Thu, Jul 29, 2010 at 9:38 AM, Anthony BRODARD <
> brodard.anthony at gmail.com> wrote:
>
>> TLS argument is already set to 1.
>>
>> I don't know how to see if it's the LDAP server that refuses the
>> connection, or if it's another problem.
>>
>>
>>
>> 2010/7/29 Mike Johnson <mike.johnson at nosm.ca>
>>
>>> Oops, looking at it again, I was looking at the mysql config part, not
>>> ldap.
>>>
>>> I think the only way you can adjust what port you are connecting to
>>> through LDAP is specifying if it's TLS or not (I believe TLS is 636? google
>>> to confirm).
>>>
>>> You said you are supposed to be connecting on 636, so set the tls
>>> argument in your LDAP settings to 1.
>>>
>>> restart apache and give it a shot.
>>>
>>> Good luck!
>>> Mike.
>>>
>>> On Thu, Jul 29, 2010 at 8:48 AM, Mike Johnson <mike.johnson at nosm.ca> wrote:
>>>
>>>> If you read the ExternalAuth's RT_SiteConfig.pm in
>>>> /RTROOT/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
>>>>
>>>> It shows you how to set the port you are connecting on.
>>>>
>>>> Set that to the port your LDAP server is listening to.
>>>>
>>>> Good luck
>>>> Mike.
>>>>
>>>>
>>
>
>
> --
> Mike Johnson
> Datatel Programmer/Analyst
> Northern Ontario School of Medicine
> 955 Oliver Road
> Thunder Bay, ON   P7B 5E1
> Phone: (807) 766-7331
> Email: mike.johnson at nosm.ca
>
>
> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
> Buy a copy at http://rtbook.bestpractical.com
>