[rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP

Kenneth Crocker kfcrocker at lbl.gov
Thu Jul 22 11:24:48 EDT 2010


Mike,

First off, check to see how you've set $WebExternalAuto. I'm not sure how
that would affect LDAP if it was turned on.

Second, I'll assume you've set your "Plugins" appropriately to include
"RT::Authen::ExternalAuth".

Thirdly, you have to make sure certain LDAP parameters are consistent (i.e.
if you're using TLS, etc.).

Below is what we use for our list of parameters:

Set($ExternalAuthPriority,  [ 'My_LDAP' ] );
Set($ExternalInfoPriority,  [ 'My_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS, 1);
Set($AutoCreateNonExternalUsers, 0);

Set(
    $ExternalSettings,
    {
        'My_LDAP' => {
            'type'            => 'ldap',
            'server'          => 'ldap.lbl.gov',
            'user'            => '',
            'pass'            => '',
            'base'            => 'ou=People,o=name of our company,c=US',
            'filter'          => '(&(status that equals active)(|(division code)))',
            'd_filter'        => '(!(|(lblEmpStat=Staff)(lblEmpStat=Guest)))',
            'tls'             => 1,
            'net_ldap_args'   => [ version => 3 ],
            'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName', 'uid' ],
            'attr_map'        => {
                'Name'           => 'uid',
                'EmailAddress'   => 'mail',
                'Organization'   => 'o',
                'RealName'       => 'cn',
                'ExternalAuthId' => 'uid',
                'Gecos'          => 'uid',
                'WorkPhone'      => 'telephonenumber',
                'Address1'       => 'lblmailstop',
                'Address2'       => 'postaladdress',
            },
        },
    },
);
1;


I don't think the attr_map would affect this, but your match list could.

Anyway, check it all out because if there are any inconsistencies (like TLS
being *used* and *on*), it will fail.

Hope this helps.

Kenn
LBNL
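A consistency check in the spirit of Kenn's checklist, written as an added example (not code from RT::Authen::ExternalAuth or from the list): the settings are a constructed Python dict modelled on the block above, and check() flags a per-service tls=1 that disagrees with $ExternalServiceUsesSSLorTLS, attr_match_list entries with no attr_map key, and filters with unbalanced parentheses, while login_filter() builds the (&<filter>(<Name attribute>=<user>)) search the plugin performs, with the typed login name escaped per RFC 4515 first. That the global and per-service TLS flags must agree is Kenn's advice taken as an assumption here, and the filter shape is my understanding of the plugin, not verified against its source.

```python
import re

# Constructed sample modelled on Kenn's block; tls=1 but the global flag is 0.
CONFIG = {
    "ExternalServiceUsesSSLorTLS": 0,
    "ExternalSettings": {
        "My_LDAP": {
            "server": "ldap.example.org",            # placeholder host
            "filter": "(&(status=active)(|(dept=A)(dept=B)))",
            "d_filter": "(!(|(lblEmpStat=Staff)(lblEmpStat=Guest)))",
            "tls": 1,
            "attr_match_list": ["Name", "EmailAddress", "RealName"],
            "attr_map": {"Name": "uid", "EmailAddress": "mail", "RealName": "cn"},
        }
    },
}

def balanced(filt):
    """True when the filter's parentheses balance and one pair wraps the whole thing."""
    depth = 0
    for i, ch in enumerate(filt):
        depth += (ch == "(") - (ch == ")")
        if depth < 0 or (depth == 0 and i != len(filt) - 1):
            return False
    return depth == 0 and filt.startswith("(")

def check(cfg):
    """Return the list of inconsistencies found (an empty list means consistent)."""
    problems = []
    for name, svc in cfg["ExternalSettings"].items():
        if svc.get("tls") and not cfg["ExternalServiceUsesSSLorTLS"]:
            problems.append(f"{name}: tls=1 but ExternalServiceUsesSSLorTLS is 0")
        for attr in svc.get("attr_match_list", []):   # RT field names, not LDAP attrs
            if attr not in svc.get("attr_map", {}):
                problems.append(f"{name}: attr_match_list '{attr}' missing from attr_map")
        for fkey in ("filter", "d_filter"):
            if fkey in svc and not balanced(svc[fkey]):
                problems.append(f"{name}: {fkey} has unbalanced parentheses")
    return problems

def escape_filter(value):
    """RFC 4515 escaping so a typed login name cannot reshape the search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def login_filter(svc, username):
    """Admin filter AND'ed with the Name-attribute match (assumed plugin behaviour)."""
    return f"(&{svc['filter']}({svc['attr_map']['Name']}={escape_filter(username)}))"
```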


On Thu, Jul 22, 2010 at 6:59 AM, Mike Johnson <mike.johnson at nosm.ca> wrote:

> Hi everyone,
>
> Where do I start debugging my setup??
>
> I have CentOS 5.5, RT 3.8.8, ExternalAuth 0.8 attempting to connect to an
> Active Directory LDAP.
>
> Everything loads fine (I get no errors from my config files).  I've loaded
> the ExternalAuth plugin, but when I attempt to log in to the UI with an LDAP
> user, I get an invalid user/pass.  The only error/logging I can find
> anywhere is in syslog and that just tells me the same thing...
>
> I'm connecting to an Active Directory server, and with some
> googling/rt-users searching I found the following settings to use.
>
> 'filter'      =>  '(objectCategory=User)',
> 'd_filter'    =>  '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>
>
> I've left group and group_attr blank (is that allowed?) as I want all users
> found under my base DN to be able to use RT.
>
> In the attr_match_list I have name and email address only.
> In attr_map I have the sAMAccountName, mail and cn mapped to their
> respective places in RT.
>
> I've tested the user/pass I'm using (our LDAP is set up to not allow
> anonymous, unfortunately, so I have to use an account to bind).
>
> I can't seem to find where ExternalAuth would toss an error out for me to
> read if it's failing because of the arguments I've set...
>
> Any help would be appreciated.
> --
> Mike Johnson
> Datatel Programmer/Analyst
> Northern Ontario School of Medicine
> 955 Oliver Road
> Thunder Bay, ON   P7B 5E1
> Phone: (807) 766-7331
> Email: mike.johnson at nosm.ca
>