[rt-users] rt4 and External Auth to AD 2008 non-ssl

Brian Murphy blmurphy at eiu.edu
Wed Aug 24 14:09:15 EDT 2011

I am trying desparately to get this goingnd am not seeing that my externalauth is even being called.  I am attaching my RT_SiteConfig.pm for review.  I am a newbie and don't know much about anything RT as yet.  I see very little in my /var/log/messages other tham LOGIN failed for xxxxx from web.pm, so I don't really think my externalauth is really in play as of yet.  Any assistance in getting this going would be greatly appreciated.


Brian Murphy
Eastern Illinois University

# Any configuration directives you include  here will override 
# RT's default configuration file, RT_Config.pm
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
# This file is actually a perl module, so you can include valid
# perl code, as well.
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this comamnd:
#   perl -c /path/to/your/etc/RT_SiteConfig.pm
# You must restart your webserver after making changes to this file.

# You must install Plugins on your own, this is only an example
# of the correct syntax to use when activating them.
# There should only be one @Plugins declaration in your config file.
#Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail  RT::Extension::ActivityReports)));
Set(@Plugins,(qw(RT::Extension::ActivityReports RT::Authen::ExternalAuth)));

Set( $CorrespondAddress, '' );
Set( $rtname, 'EIU ITS Campus Technology' );
Set( $DatabaseRequireSSL, '' );
Set( $WebPort, '8080' );

Set( $DatabaseType, 'mysql' );

Set( $SendmailPath, '/usr/sbin/sendmail' );
Set( $WebDomain, 'localhost' );

Set( $CommentAddress, '' );
Set($Timezone, "US/Central");
Set($UnsafeEmailCommands, 1);
Set($ParseNewMessageForTicketCcs, 1);
Set($NotifyActor, 1);

Set( $OwnerEmail, '' );
Set( $DatabaseUser, 'rt_user' );
Set( $DatabasePort, '' );
Set( $DatabasePassword, 'RT_pass1-' );
Set( $DatabaseAdmin, 'root' );
Set( $DatabaseAdminPassword, 'Mtfbwu+1' );
Set( $DatabaseHost, 'localhost' );
Set( $DatabaseName, 'rt4' );
Set( $Organization, 'ITS' );
# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority,  [   'EIUAD'

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled. 
# Once user info is found, no more services are checked.
# You CANNOT use a SSO cookie for authentication.
Set($ExternalInfoPriority,  [   'EIUAD'

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS,    0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers,    0);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g. 
#   Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
Set($ExternalSettings,      {   
                                # EIUAD Active Directory
                                'EIUAD'       =>  {   ## GENERIC SECTION
                                                        # The type of service (db/ldap/cookie) 
                                                        'type'                      =>  'ldap',
                                                        # The server hosting the service
                                                        'server'                    =>  'xxxxx.xxx.edu',
                                                        ## SERVICE-SPECIFIC SECTION
                                                        # If you can bind to your LDAP server anonymously you should 
                                                        # remove the user and pass config lines, otherwise specify them here:
                                                        # The username RT should use to connect to the LDAP server 
                                                        'user'                      =>  'rtauth',
                                                        # The password RT should use to connect to the LDAP server
                                                        'pass'                    =>  'xxxxxxx,
                                                        # The LDAP search base
                                                        'base'                      =>  'dc=xxxxx,dc=xxx,dc=edu',
                                                        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
                                                        # YOU **MUST** SPECIFY A filter AND A d_filter!!
                                                        # The filter to use to match RT-Users
                                                        'filter'                    =>  '(objectclass=person)',
                                                        # A catch-all example filter: '(objectClass=*)'
                                                        # The filter that will only match disabled users
                                                        'd_filter'                  =>  '(objectclass=Foo)',
                                                        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
                                                        # Should we try to use TLS to encrypt connections?
                                                        'tls'                       =>  0,
                                                        # SSL Version to provide to Net::SSLeay *if* using SSL
                                                        'ssl_version'               =>  3,
                                                        # What other args should I pass to Net::LDAP->new($host, at args)?
                                                        'net_ldap_args'             => [    version =>  3   ],
                                                        # Does authentication depend on group membership? What group name?
                                                        'group'                     =>  'rt_access',
                                                        # What is the attribute for the group object that determines membership?
                                                        'group_attr'                =>  'memberOf',
                                                        ## RT ATTRIBUTE MATCHING SECTION
                                                        # The list of RT attributes that uniquely identify a user
							# This example shows what you *can* specify.. I recommend reducing this
                                                        # to just the Name and EmailAddress to save encountering problems later.
                                                        'attr_match_list'           => [    'Name'
                                                        # The mapping of RT attributes on to LDAP attributes
                                                        'attr_map'                  =>  {   'Name' => 'sAMAccountName'


More information about the rt-users mailing list