[rt-users] RT+ExternalAuth+LDAP+AD windows 2003
Bouzite, Radouan
radbou at ipexna.com
Wed May 19 16:19:27 EDT 2010
I am testing RT, and I Installed RT from :
http://wiki.bestpractical.com/view/CentOS5InstallGuide
No I am trying to setup RT+ExternalAuth+LDAP+AD windows 2003, I complete
all steps in the following instructions :
http://wiki.bestpractical.com/view/ExternalAuth
When I connect to http://rt <http://rt/> I still have to Enter my
username and password , if you can help me to check my config and show
me which log files where I can see what is wrong ?
Thanks
My RT_SiteConfig.pm file :
# The order in which the services defined in ExternalSettings # should
be used to authenticate users. User is authenticated # if successfully
confirmed by any service - no more services # are checked.
Set($ExternalAuthPriority, [ 'My_LDAP',
'My_MySQL',
'My_SSO_Cookie'
]
);
# The order in which the services defined in ExternalSettings # should
be used to get information about users. This includes # RealName, Tel
numbers etc, but also whether or not the user # should be considered
disabled.
#
# Once user info is found, no more services are checked.
#
# You CANNOT use a SSO cookie for authentication.
Set($ExternalInfoPriority, [ 'My_MySQL',
'My_LDAP'
]
);
# If this is set to true, then the relevant packages will # be loaded to
use SSL/TLS connections. At the moment, # this just means "use
Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS, 0);
# If this is set to 1, then users should be autocreated by RT # as
internal users if they fail to authenticate from an # external service.
Set($AutoCreateNonExternalUsers, 0);
# These are the full settings for each external service as a
HashOfHashes # Note that you may have as many external services as you
wish. They will # be checked in the order specified in the Priority
directives above.
# e.g.
#
Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDA
P','Other-DB']);
#
Set($ExternalSettings, { # AN EXAMPLE DB SERVICE
'My_MySQL' => { ## GENERIC
SECTION
# The type of
service (db/ldap/cookie)
'type'
=> 'db',
# The server
hosting the service
'server'
=> 'server.domain.tld',
##
SERVICE-SPECIFIC SECTION
# The database
name
'database'
=> 'DB_NAME',
# The database
table
'table'
=> 'USERS_TABLE',
# The user to
connect to the database as
'user'
=> 'DB_USER',
# The password
to use to connect with
'pass'
=> 'DB_PASS',
# The port to
use to connect with (e.g. 3306)
'port'
=> 'DB_PORT',
# The name of
the Perl DBI driver to use (e.g. mysql)
'dbi_driver'
=> 'DBI_DRIVER',
# The field in
the table that holds usernames
'u_field'
=> 'username',
# The field in
the table that holds passwords
'p_field'
=> 'password',
# The Perl
package & subroutine used to encrypt passwords
# e.g. if the
passwords are stored using the MySQL v3.23 "PASSWORD"
# function, then
you will need Crypt::MySQL::password, but for the
# MySQL4+
password function you will need Crypt::MySQL::password41
# Alternatively,
you could use Digest::MD5::md5_hex or any other
# encryption
subroutine you can load in your perl installation
'p_enc_pkg'
=> 'Crypt::MySQL',
'p_enc_sub'
=> 'password',
# If your
p_enc_sub takes a salt as a second parameter,
# uncomment this
line to add your salt
#'p_salt'
=> 'SALT',
#
# The field and
values in the table that determines if a user should
# be disabled.
For example, if the field is 'user_status' and the values
# are
['0','1','2','disabled'] then the user will be disabled if their
# user_status is
set to '0','1','2' or the string 'disabled'.
# Otherwise,
they will be considered enabled.
'd_field'
=> 'disabled',
'd_values'
=> ['0'],
## RT ATTRIBUTE
MATCHING SECTION
# The list of RT
attributes that uniquely identify a user
'attr_match_list' => [ 'Gecos',
'Name'
],
# The mapping of
RT attributes on to field names
'attr_map'
=> { 'Name' => 'username',
'EmailAddress' => 'email',
'ExternalAuthId' => 'username',
'Gecos' => 'userID'
}
},
# AN EXAMPLE LDAP SERVICE
'My_LDAP' => { ## GENERIC
SECTION
# The type of
service (db/ldap/cookie)
'type'
=> 'ldap',
# The server
hosting the service
'server'
=> 'adc1ids.our.domain',
##
SERVICE-SPECIFIC SECTION
# If you can
bind to your LDAP server anonymously you should
# remove the
user and pass config lines, otherwise specify them here:
#
# The username
RT should use to connect to the LDAP server
'user'
=> 'RTLDAP',
# The password
RT should use to connect to the LDAP server
'pass'
=> 'xxxxxxxx',
#
# The LDAP
search base
'base'
=> 'ou=UserAccounts,ou=Ipex,dc=ipex,dc=network',
#
# ALL FILTERS
MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
# YOU **MUST**
SPECIFY A filter AND A d_filter!!
#
# The filter to
use to match RT-Users
'filter'
=> '(objectClass=*)',
# A catch-all
example filter: '(objectClass=*)'
#
# The filter
that will only match disabled users
'd_filter'
=> '(objectClass=FooBarBaz)',
# A catch-none
example d_filter: '(objectClass=FooBarBaz)'
#
# Should we try
to use TLS to encrypt connections?
'tls'
=> 0,
# SSL Version to
provide to Net::SSLeay *if* using SSL
'ssl_version'
=> 3,
# What other
args should I pass to Net::LDAP->new($host, at args)?
'net_ldap_args'
=> [ version => 3 ],
# Does
authentication depend on group membership? What group name?
### 'group'
=> 'Domain Users',
# What is the
attribute for the group object that determines membership?
### 'group_attr'
=> 'GROUP_ATTR',
'group_attr'
=> 'GROUP_ATTR',
## RT ATTRIBUTE
MATCHING SECTION
# The list of RT
attributes that uniquely identify a user
# This example shows what you
*can* specify.. I recommend reducing this
# to just the
Name and EmailAddress to save encountering problems later.
'attr_match_list' => [ 'Name',
'EmailAddress',
'RealName',
'WorkPhone',
'Address2'
],
# The mapping of
RT attributes on to LDAP attributes
'attr_map'
=> { 'Name' => 'sAMAccountName',
'EmailAddress' => 'mail',
'Organization' => 'physicalDeliveryOfficeName',
'RealName' => 'cn',
'ExternalAuthId' => 'sAMAccountName',
'Gecos' => 'sAMAccountName',
'WorkPhone' => 'telephoneNumber',
'Address1' => 'streetAddress',
'City' => 'l',
'State' => 'st',
'Zip' => 'postalCode',
'Country' => 'co'
}
},
# An example SSO cookie service
'My_SSO_Cookie' => { # # The type of
service (db/ldap/cookie)
'type'
=> 'cookie',
# The name of
the cookie to be used
'name'
=> 'loginCookieValue',
# The users
table
'u_table'
=> 'users',
# The username
field in the users table
'u_field'
=> 'username',
# The field in
the users table that uniquely identifies a user
# and also
exists in the cookies table
'u_match_key'
=> 'userID',
# The cookies
table
'c_table'
=> 'login_cookie',
# The field that
stores cookie values
'c_field'
=> 'loginCookieValue',
# The field in
the cookies table that uniquely identifies a user
# and also
exists in the users table
'c_match_key'
=> 'loginCookieUserID',
# The DB service
in this configuration to use to lookup the cookie information
'db_service_name' => 'My_MySQL'
}
}
);
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
1;
---------------------------------------------
Radouan Bouzite
Unix/SAN Admin.
Ipex Management Inc.
Tel : (514) 769 3445 ext 291
Fax :(514) 769-1672
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20100519/2cf77cd6/attachment.htm>
More information about the rt-users
mailing list