[rt-users] RT & mysql / LDAP Auth

Mike Peachey mike.peachey at jennic.com
Fri May 14 05:32:32 EDT 2010


Julian Grunnell wrote:

> Right, thanks - that makes sense now. I misunderstood the use of this
> and thought you had to define ALL the authentication methods you wanted
> to use. So I have removed the MySQL section completely from the config
> and tried again with different results. Using my LDAP credentials I
> still get "Your username or password is incorrect" BUT RT has created me
> as a user, the "Let this user be granted rights" box is unchecked and
> I'm NOT a member of any Groups. The logs created when this was done are:

1. It found you and loaded your information from LDAP just as it should.
2. ExternalAuth cannot currently add you to any internal RT groups based
on LDAP information, this must be done in the RT administration panels.
3. If you want LDAP users to be automatically assigned "Let this user be
granted rights" then you may do so with this config setting:
  Set($AutoCreate, {Privileged => 1});
Otherwise it will need setting manually along with group membership.


The only thing that is now failing for you is authentication and the
reason is now obvious:

Your config
#######################################################################
# Does authentication depend on group membership? What group name?
'group'  =>  'GROUP_NAME',
# What is the attribute for the group object that determines membership?
'group_attr'  =>  'GROUP_ATTR',
#######################################################################

Your log
#######################################################################
[Fri May 14 08:22:42 2010] [critical]: Search for (GROUP_ATTR=CN=Julian Grunnell,OU=Technical,OU=Users,OU=Leeds,OU=Webfusion,OU=Hosting,OU=Corp,DC=internal,DC=hosteurope,DC=com) failed: LDAP_INVALID_DN_SYNTAX 34

#######################################################################

You have told ExternalAuth that all ldap users must be in an ldap group
named GROUP_NAME and that in order to confirm that the users are a
member of that group, the members should be in the GROUP_ATTR attribute
of that group.

If you simply comment out group and group_attr it should work fine. If
in future you wish to restrict access by group, ensure the group name is
specified in full ldap dn form.
-- 
Kind Regards,

__________________________________________________

Mike Peachey, IT Systems Administrator
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__________________________________________________
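
An added configuration sketch, not part of the original message and not taken from the RT::Authen::ExternalAuth distribution, showing the unedited placeholders from this thread beside a group restriction written in full DN form. The service name, server, bind account, base, filter, group DN and the `member` attribute are constructed placeholder values for a hypothetical Active Directory.

```perl
# RT_SiteConfig.pm fragment (added example; every value is a constructed placeholder).
Set($ExternalAuthPriority, [ 'My_LDAP' ]);
Set($ExternalInfoPriority, [ 'My_LDAP' ]);

# From the message above: mark auto-created LDAP users as privileged.
# Group membership inside RT still has to be assigned in the admin panels.
Set($AutoCreate, { Privileged => 1 });

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'     => 'ldap',
        'server'   => 'ldap.example.com',                       # placeholder host
        'user'     => 'CN=rt-bind,OU=Service,DC=example,DC=com', # placeholder bind DN
        'pass'     => 'CHANGE_ME',                              # placeholder secret
        'base'     => 'OU=Users,DC=example,DC=com',
        'filter'   => '(objectClass=user)',
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

        # BROKEN: the sample placeholders left as-is. The membership check
        # becomes a search for (GROUP_ATTR=<user DN>) against "GROUP_NAME",
        # which is not a DN, so the server answers LDAP_INVALID_DN_SYNTAX (34)
        # and every login is rejected even though the user lookup succeeded.
        # 'group'      => 'GROUP_NAME',
        # 'group_attr' => 'GROUP_ATTR',

        # OPTION 1: no group restriction. Leave both keys out (or commented),
        # and any account matching 'base' + 'filter' may authenticate.

        # OPTION 2: restrict logins to one directory group. 'group' is the
        # group's full DN; 'group_attr' is the attribute on that group object
        # that holds member DNs ('member' is assumed here, as used by AD).
        'group'      => 'CN=RT Users,OU=Groups,DC=example,DC=com',
        'group_attr' => 'member',

        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map'        => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
        },
    },
});
```

With option 2 in place, a rejected login for a user outside the group is the intended outcome; a `[critical]` search failure like the one quoted above still points at a malformed `group` or `group_attr` value.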


