[rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
Mike Johnson
mike.johnson at nosm.ca
Fri Jul 23 10:03:21 EDT 2010
I found another guide that outlines how to set up ExternalAuth for AD on the
wiki
http://wiki.bestpractical.com/view/CentOS5InstallPlusSome
Others following this thread might find it useful...
I did learn that you're looking for the full cn/ou path for your user, not
just a username... (I forgot that's how LDAP finds users)....
Haris, you might want to check that in your config... didn't help me *shrug*
but might help you.
Thanks!
Mike.
On Fri, Jul 23, 2010 at 9:18 AM, Mike Johnson <mike.johnson at nosm.ca> wrote:
> Hi Haris,
>
> No go yet.
>
> Kenneth did send some info for me to check out, perhaps it may help you...
>
> **Kenneth's email cut/pasted**
> Mike,
> First off, check to see how you've set $WebExternalAuto. I'm not sure how
> that would affect LDAP if it was turned on.
> Second, I'll assume you've set your "Plugins" appropriately to include
> "RT::Authen::ExternalAuth".
> Thirdly, you have to make sure certain LDAP parameters are consistent (i.e.
> if you're using TLS, etc.).
> Below is what we use for our list of parameters:
>
> Set($ExternalAuthPriority, [ 'My_LDAP' ] );
> Set($ExternalInfoPriority, [ 'My_LDAP' ] );
> Set($ExternalServiceUsesSSLorTLS, 1);
> Set($AutoCreateNonExternalUsers, 0);
>
> Set(
>     $ExternalSettings,
>     {
>         'My_LDAP' => {
>             'type'            => 'ldap',
>             'server'          => 'ldap.lbl.gov',
>             'user'            => '',
>             'pass'            => '',
>             'base'            => 'ou=People,o=name of our company,c=US',
>             'filter'          => '(&(status that equals active)(|(dicision code)))',
>             'd_filter'        => '(!(|(lblEmpStat=Staff)(lblEmpStat=Guest)))',
>             'tls'             => 1,
>             'net_ldap_args'   => [ version => 3 ],
>             'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName', 'uid' ],
>             'attr_map'        => {
>                 'Name'           => 'uid',
>                 'EmailAddress'   => 'mail',
>                 'Organization'   => 'o',
>                 'RealName'       => 'cn',
>                 'ExternalAuthId' => 'uid',
>                 'Gecos'          => 'uid',
>                 'WorkPhone'      => 'telephonenumber',
>                 'Address1'       => 'lblmailstop',
>                 'Address2'       => 'postaladdress',
>             },
>         },
>     },
> );
> 1;
>
> I don't think the attr_map would affect this, but your match list could.
> Anyway, check it all out cause if there are any inconsistencies (like TLS
> being used and on), it will fail.
> Hope this helps.
> Kenn
> LBNL
>
> *** end cut/paste**
>
> On Thu, Jul 22, 2010 at 7:23 PM, M.F.Haris <mfharis at gmail.com> wrote:
>
>> hi Mike,
>> I am also facing the same problem and I have checked my configuration over
>> and over, also compared with some available on the internet.
>> In my case I didn't enter any attribute with a blank value like the 'group'
>> attribute in your case, but the rest of the things are similar to what I have
>> entered.
>>
>> I get a message 'Failed to Login with user (myuser) ... '
>>
>> Do you get the same error message? Please share your experience if you are
>> able to solve this crap.
>>
>> thanks
>> Haris
>>
>>
>> On Thu, Jul 22, 2010 at 3:59 PM, Mike Johnson <mike.johnson at nosm.ca> wrote:
>>
>>> Hi everyone,
>>>
>>> Where do I start debugging my setup??
>>>
>>> I have CentOS 5.5, RT 3.8.8, ExternalAuth 0.8 attempting to connect to an
>>> Active Directory LDAP.
>>>
>>> Everything loads fine (I get no errors from my config files). I've loaded
>>> the ExternalAuth plugin, but when I attempt to log in to the UI with an LDAP
>>> user, I get an invalid user/pass. The only error/logging I can find
>>> anywhere is in syslog and that just tells me the same thing...
>>>
>>> I'm connecting to an Active Directory server, and with some
>>> googling/rt-users searching I found the following settings to use.
>>>
>>> 'filter'   => '(objectCategory=User)',
>>> 'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>>
>>>
>>> I've left group and group_attr blank (is that allowed?) as I want all
>>> users found under my base DN to be able to use RT.
>>>
>>> In the attr_match_list I have name and email address only.
>>> In attr_map I have the sAMAccountName, mail and cn mapped to their
>>> respective places in RT.
>>>
>>> I've tested the user/pass I'm using (our LDAP is set up to not allow
>>> anonymous, unfortunately, so I have to use an account to bind).
>>>
>>> I can't seem to find where ExternalAuth would toss an error out for me to
>>> read if it's failing because of the arguments I've set...
>>>
>>> Any help would be appreciated.
>>> --
>>> Mike Johnson
>>> Datatel Programmer/Analyst
>>> Northern Ontario School of Medicine
>>> 955 Oliver Road
>>> Thunder Bay, ON P7B 5E1
>>> Phone: (807) 766-7331
>>> Email: mike.johnson at nosm.ca
>>>
>>>
>>> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
>>> Buy a copy at http://rtbook.bestpractical.com
>>>
>>
>>
>
>
> --
> Mike Johnson
> Datatel Programmer/Analyst
> Northern Ontario School of Medicine
> 955 Oliver Road
> Thunder Bay, ON P7B 5E1
> Phone: (807) 766-7331
> Email: mike.johnson at nosm.ca
>
--
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON P7B 5E1
Phone: (807) 766-7331
Email: mike.johnson at nosm.ca
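Kenneth's advice (check the bind account, TLS and filters for consistency) and Mike's observation that the bind user must be a full DN both come down to the same thing: run each LDAP step RT::Authen::ExternalAuth performs, outside RT, so that the failing step reports its own LDAP result code instead of the generic "invalid user/pass". The Net::LDAP script below is an added example, not code from this thread or from the plugin; the server, DNs, passwords, login name and the `name_attr` value are constructed placeholders to be replaced with the values from your own `$ExternalSettings` block, and the order of steps (service bind, user lookup with the configured `filter`, `d_filter` check, bind as the user's DN) is my approximation of the plugin's sequence, not a copy of its code.

```perl
#!/usr/bin/perl
# Stand-alone check of the LDAP steps behind an RT ExternalAuth login.
# Added example, not part of the thread or of RT::Authen::ExternalAuth.
# Every connection value below is a constructed placeholder.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Values mirroring the keys of an $ExternalSettings LDAP service (placeholders).
my %cfg = (
    server    => 'ldap.example.com',
    tls       => 1,
    # The bind account must be a full DN, not a bare username.
    user      => 'cn=rt-bind,ou=Service Accounts,dc=example,dc=com',
    pass      => 'bind-password-here',
    base      => 'ou=People,dc=example,dc=com',
    filter    => '(objectCategory=User)',
    d_filter  => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
    # Attribute that attr_map assigns to 'Name' (sAMAccountName on AD).
    name_attr => 'sAMAccountName',
);

# Login name and password as typed into the RT login form (placeholders).
my ( $login, $password ) = ( 'jdoe', 'user-password-here' );

my $ldap = Net::LDAP->new( $cfg{server}, version => 3 )
    or die "connect to $cfg{server} failed: $@\n";

# Inconsistent TLS settings fail here, before any bind is attempted.
if ( $cfg{tls} ) {
    my $m = $ldap->start_tls();
    die 'start_tls failed: ' . $m->error . "\n" if $m->code;
}

# Step 1: bind with the service account (anonymously if 'user' is empty).
my $bind = $cfg{user}
    ? $ldap->bind( $cfg{user}, password => $cfg{pass} )
    : $ldap->bind();
die 'service bind failed (' . $bind->code . '): ' . $bind->error . "\n"
    if $bind->code;
print "service bind OK\n";

# Step 2: find the user's DN: configured filter ANDed with the login name.
# escape_filter_value keeps a crafted login name from altering the filter.
my $filter = sprintf '(&%s(%s=%s))',
    $cfg{filter}, $cfg{name_attr}, escape_filter_value($login);
print "search filter: $filter\n";

# attrs '1.1' asks for no attributes; only the DN is needed.
my $srch = $ldap->search(
    base => $cfg{base}, scope => 'sub', filter => $filter, attrs => ['1.1'] );
die 'search failed (' . $srch->code . '): ' . $srch->error . "\n" if $srch->code;

my @entries = $srch->entries;
die "no entry matched $login under $cfg{base}: check base, filter and attr_map\n"
    unless @entries;
die scalar(@entries) . " entries matched $login: the filter must pick exactly one\n"
    if @entries > 1;
my $user_dn = $entries[0]->dn;
print "found user DN: $user_dn\n";

# Step 3: a d_filter hit on the user's own entry means the account is disabled.
if ( $cfg{d_filter} ) {
    my $d = $ldap->search(
        base => $user_dn, scope => 'base', filter => $cfg{d_filter}, attrs => ['1.1'] );
    die 'd_filter search failed: ' . $d->error . "\n" if $d->code;
    die "$user_dn matches d_filter, so the directory marks it disabled\n" if $d->count;
}

# Step 4: bind as the user's DN with the password from the login form.
my $auth = $ldap->bind( $user_dn, password => $password );
if ( $auth->code ) {
    print 'user bind FAILED (' . $auth->code . '): ' . $auth->error . "\n";
    exit 1;
}
print "user bind OK: $login authenticates\n";
$ldap->unbind;
```

Run it as the same system user and from the same host as the RT web server so it sees the same network path and CA bundle. Whichever step dies first is the one to fix in `RT_SiteConfig.pm`; if all four pass, the remaining suspects are the plugin's own settings (`$ExternalAuthPriority`, `Plugins`, `$WebExternalAuto`), not the directory.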