[rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
Kenneth Crocker
kfcrocker at lbl.gov
Thu Jul 22 11:24:48 EDT 2010
Mike,
First off, check to see how you've set $WebExternalAuto. I'm not sure how
that would affect LDAP if it was turned on.
Second, I'll assume you've set your "Plugins" appropriately to include
"RT::Authen::ExternalAuth".
Thirdly, you have to make sure certain LDAP parameters are consistent (i.e.
if you're using TLS, etc.).
Below is what we use for our list of parameters:
Set($ExternalAuthPriority, [ 'My_LDAP' ] );
Set($ExternalInfoPriority, [ 'My_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS, 1);
Set($AutoCreateNonExternalUsers, 0);
Set(
    $ExternalSettings,
    {
        'My_LDAP' =>
        {
            'type'            => 'ldap',
            'server'          => 'ldap.lbl.gov',
            'user'            => '',
            'pass'            => '',
            'base'            => 'ou=People,o=name of our company,c=US',
            'filter'          => '(&(status that equals active)(|(division code)))',
            'd_filter'        => '(!(|(lblEmpStat=Staff)(lblEmpStat=Guest)))',
            'tls'             => 1,
            'net_ldap_args'   => [ version => 3 ],
            'attr_match_list' => [ 'Name',
                                   'EmailAddress',
                                   'RealName',
                                   'uid'
                                 ],
            'attr_map'        => { 'Name'           => 'uid',
                                   'EmailAddress'   => 'mail',
                                   'Organization'   => 'o',
                                   'RealName'       => 'cn',
                                   'ExternalAuthId' => 'uid',
                                   'Gecos'          => 'uid',
                                   'WorkPhone'      => 'telephonenumber',
                                   'Address1'       => 'lblmailstop',
                                   'Address2'       => 'postaladdress'
                                 }
        }
    }
);
1;
I don't think the attr_map would affect this, but your match list could.
Anyway, check it all out, because if there are any inconsistencies (like TLS
being *used* and *on*), it will fail.
Hope this helps.
Kenn
LBNL
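Kenn's advice comes down to checking each LDAP parameter on its own. The Perl script below is an added example, not part of this thread or of RT::Authen::ExternalAuth; it uses Net::LDAP to run the same four steps the plugin performs (service bind, user search, d_filter check, user bind) so each step reports its own LDAP result code instead of RT's generic "invalid user/pass". The server, base, filters and match attribute are placeholders to replace with the values from your $ExternalSettings (sAMAccountName instead of uid for Mike's Active Directory case).

```perl
# Added example: repeats the LDAP steps RT::Authen::ExternalAuth takes
# (service bind, user search, disable check, user bind) with the same
# setting names, so a failing login shows the real LDAP error instead of
# RT's generic invalid user/pass. Server, base, filters are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my %cfg = (
    server   => 'ldap.example.com',          # placeholder
    base     => 'ou=People,o=Example,c=US',  # placeholder
    filter   => '(objectClass=person)',      # your 'filter'
    d_filter => '(accountStatus=disabled)',  # your 'd_filter' (placeholder)
    user     => '',                          # bind DN; '' = anonymous bind
    pass     => '',
    tls      => 1,                           # STARTTLS, as in the config
    attr     => 'uid',                       # attr_map{'Name'}; AD: sAMAccountName
);
my ($login, $password) = @ARGV;
# An empty password is an unauthenticated bind on many servers, so refuse it.
die "usage: $0 <login> <password>\n" unless defined $password && length $password;
sub fail { my ($step, $m) = @_; die sprintf "%s failed (%d): %s\n", $step, $m->code, $m->error }

my $ldap = Net::LDAP->new($cfg{server}, version => 3)
    or die "connect to $cfg{server} failed: $@\n";
if ($cfg{tls}) {                             # a TLS mismatch fails here
    my $m = $ldap->start_tls;
    fail('STARTTLS', $m) if $m->code;
}
# 1. Service bind with 'user'/'pass' (anonymous when both are empty).
my $m = length $cfg{user} ? $ldap->bind($cfg{user}, password => $cfg{pass})
                          : $ldap->bind;
fail('service bind', $m) if $m->code;
# 2. Locate the user; escape the login so it cannot alter the filter.
my $who = sprintf '(%s=%s)', $cfg{attr}, escape_filter_value($login);
$m = $ldap->search(base => $cfg{base}, filter => "(&$cfg{filter}$who)",
                   attrs => ['mail', 'cn']);
fail('search', $m) if $m->code;
die "expected exactly one entry for (&$cfg{filter}$who), got " . $m->count . "\n"
    if $m->count != 1;
my $dn = $m->entry(0)->dn;
# 3. Disable check: an entry matching d_filter is refused by ExternalAuth.
$m = $ldap->search(base => $dn, scope => 'base', filter => $cfg{d_filter});
fail('disable check', $m) if $m->code;
die "$dn matches d_filter, so RT treats the account as disabled\n" if $m->count;
# 4. Bind as the user with the supplied password.
$m = $ldap->bind($dn, password => $password);
fail('user bind', $m) if $m->code;
print "OK: $login -> $dn, password accepted\n";
$ldap->unbind;
```

Run it as the RT web user with one real login; the step that dies is the parameter to fix in $ExternalSettings.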
On Thu, Jul 22, 2010 at 6:59 AM, Mike Johnson <mike.johnson at nosm.ca> wrote:
> Hi everyone,
>
> Where do I start debugging my setup??
>
> I have CentOS 5.5, RT 3.8.8, ExternalAuth 0.8 attempting to connect to an
> Active Directory LDAP.
>
> Everything loads fine (I get no errors from my config files). I've loaded
> the ExternalAuth plugin, but when I attempt to login to the UI with an LDAP
> user, I get an invalid user/pass. The only error/logging I can find
> anywhere is in syslog and that just tells me the same thing...
>
> I'm connecting to an Active Directory server, and with some
> googling/rt-users searching I found the following settings to use.
>
> 'filter' => '(objectCategory=User)',
> 'd_filter' =>
> '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>
>
> I've left group and group_attr blank (is that allowed?) as I want all users
> found under my base DN to be able to use RT.
>
> In the attr_match_list I have name and email address only
> In attr_map I have the sAMAccountName, mail and cn mapped to their
> respective places in RT.
>
> I've tested the user/pass I'm using (our LDAP is setup to not allow
> anonymous unfortunately, so I have to use an account to bind).
>
> I can't seem to find where ExternalAuth would toss an error out for me to
> read if it's failing because of the arguments I've set...
>
> Any help would be appreciated.
> --
> Mike Johnson
> Datatel Programmer/Analyst
> Northern Ontario School of Medicine
> 955 Oliver Road
> Thunder Bay, ON P7B 5E1
> Phone: (807) 766-7331
> Email: mike.johnson at nosm.ca
>