[rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP

Mike Johnson mike.johnson at nosm.ca
Fri Jul 23 10:03:21 EDT 2010


I found another guide that outlines how to set up ExternalAuth for AD on the
wiki

http://wiki.bestpractical.com/view/CentOS5InstallPlusSome

Others following this thread might find it useful...

I did learn that you're looking for the full cn/ou path for your user, not
just a username...(I forgot that's how LDAP finds users)....

Haris, you might want to check that in your config... it didn't help me *shrug*
but it might help you.

Thanks!
Mike.




On Fri, Jul 23, 2010 at 9:18 AM, Mike Johnson <mike.johnson at nosm.ca> wrote:

> Hi Haris,
>
> No go yet.
>
> Kenneth did send some info for me to check out, perhaps it may help you...
>
> **Kenneth's email cut/pasted**
>   Mike,
> First off, check to see how you've set $WebExternalAuto. I'm not sure how
> that would affect LDAP if it was turned on.
> Second, I'll assume you've set your "Plugins" appropriately to include
> "RT::Authen::ExternalAuth".
> Thirdly, you have to make sure certain LDAP parameters are consistent (ie.
> if you're using TLS, etc.).
> Below is what we use for our list of parameters:
>
> Set($ExternalAuthPriority,  [ 'My_LDAP' ] );
> Set($ExternalInfoPriority,  [ 'My_LDAP' ] );
> Set($ExternalServiceUsesSSLorTLS, 1);
> Set($AutoCreateNonExternalUsers, 0);
>
> Set(
>     $ExternalSettings,
>     {
>         'My_LDAP' => {
>             'type'            => 'ldap',
>             'server'          => 'ldap.lbl.gov',
>             'user'            => '',
>             'pass'            => '',
>             'base'            => 'ou=People,o=name of our company,c=US',
>             'filter'          => '(&(status that equals active)(|(division code)))',
>             'd_filter'        => '(!(|(lblEmpStat=Staff)(lblEmpStat=Guest)))',
>             'tls'             => 1,
>             'net_ldap_args'   => [ version => 3 ],
>             'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName', 'uid' ],
>             'attr_map'        => {
>                 'Name'           => 'uid',
>                 'EmailAddress'   => 'mail',
>                 'Organization'   => 'o',
>                 'RealName'       => 'cn',
>                 'ExternalAuthId' => 'uid',
>                 'Gecos'          => 'uid',
>                 'WorkPhone'      => 'telephonenumber',
>                 'Address1'       => 'lblmailstop',
>                 'Address2'       => 'postaladdress',
>             },
>         },
>     },
> );
> 1;
>
> I don't think the attr_map would affect this, but your match list could.
> Anyway, check it all out because if there are any inconsistencies (like TLS
> being used and on), it will fail.
> Hope this helps.
> Kenn
> LBNL
>
> *** end cut/paste**
>
>   On Thu, Jul 22, 2010 at 7:23 PM, M.F.Haris <mfharis at gmail.com> wrote:
>
>> hi Mike,
>> I am also facing the same problem and I have checked my configuration over
>> and over, also compared with some available on the internet.
>> In my case I didn't enter any attribute with a blank value like the 'group'
>> attribute in your case, but the rest of the things are similar to what I have
>> entered.
>>
>> I get a message 'Failed to Login with user (myuser) ... '
>>
>> do you get the same error message? please share your experience if you are
>> able to solve this crap.
>>
>> thanks
>> Haris
>>
>>
>> On Thu, Jul 22, 2010 at 3:59 PM, Mike Johnson <mike.johnson at nosm.ca> wrote:
>>
>>>   Hi everyone,
>>>
>>> Where do I start debugging my setup??
>>>
>>> I have CentOS 5.5, RT 3.8.8, ExternalAuth 0.8 attempting to connect to an
>>> Active Directory LDAP.
>>>
>>> Everything loads fine (I get no errors from my config files). I've loaded
>>> the ExternalAuth plugin, but when I attempt to log in to the UI with an LDAP
>>> user, I get an invalid user/pass. The only error/logging I can find
>>> anywhere is in syslog and that just tells me the same thing...
>>>
>>> I'm connecting to an Active Directory server, and with some
>>> googling/rt-users searching I found the following settings to use.
>>>
>>> 'filter'   => '(objectCategory=User)',
>>> 'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>>
>>>
>>> I've left group and group_attr blank (is that allowed?) as I want all
>>> users found under my base DN to be able to use RT.
>>>
>>> In the attr_match_list I have name and email address only
>>> In attr_map I have the sAMAccountName mail and cn mapped to their
>>> respective places in RT.
>>>
>>> I've tested the user/pass I'm using (our LDAP is set up to not allow
>>> anonymous, unfortunately, so I have to use an account to bind).
>>>
>>> I can't seem to find where ExternalAuth would toss an error out for me to
>>> read if it's failing because of the arguments I've set...
>>>
>>> Any help would be appreciated.
>>> --
>>> Mike Johnson
>>> Datatel Programmer/Analyst
>>> Northern Ontario School of Medicine
>>> 955 Oliver Road
>>> Thunder Bay, ON   P7B 5E1
>>> Phone: (807) 766-7331
>>> Email: mike.johnson at nosm.ca
>>>
>>>
>>> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
>>> Buy a copy at http://rtbook.bestpractical.com
>>>
>>
>>
>
>
> --
> Mike Johnson
> Datatel Programmer/Analyst
> Northern Ontario School of Medicine
> 955 Oliver Road
> Thunder Bay, ON   P7B 5E1
> Phone: (807) 766-7331
> Email: mike.johnson at nosm.ca
>



-- 
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON   P7B 5E1
Phone: (807) 766-7331
Email: mike.johnson at nosm.ca