[rt-users] Has anyone successfully configured LDAP to authenticate against AD with version 4.0.1?
Andrew Wagner
aawagner at wisc.edu
Mon Aug 29 12:34:23 EDT 2011
1. For group_attr, you want the term to be 'member'. That checks for
membership in the group.
2. For your base, you need to choose the next highest level of Active
Directory beyond where your users are stored. This means you need to
specify the OU where your users are, not just a random "Users" OU.
Andrew Wagner
Assistant Network Administrator
aawagner at wisc.edu
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu
On 8/29/2011 11:26 AM, josh.cole wrote:
> I am trying to make this work. I installed the latest version of
> ExternalAuth. I am working with Request Tracker for the first time, just
> upgraded from 3.8.7 to 4.0.1. There are a few things that I think are off
> but I am not sure what the correct solution is.
>
> 1. I am not sure what to use for the group_attr I want to have users in the
> group Request-Tracker inside of AD be able to authenticate with their
> credentials when logging into RT and I believe the filter is set correctly
> other than what needs to be added for the group_attribute. I am not sure
> what that should be.
>
> 2. For my base statement. I am specifying the Users OU but none of my users
> are in that OU. I am not sure exactly what it's looking for there.
>
> Any help is appreciated!
> ExternalAuth config:
>
> I have added the following to my RT_SiteConfig.pm:
>
> @RT::MailPlugins = ("RT::Authen::ExternalAuth");
> Set(@Plugins, qw(RT::Authen::ExternalAuth) );
> Set($ExternalAuthPriority, [ 'Active_Directory' ] );
> Set($ExternalInfoPriority, [ 'Active_Directory' ] );
> Set($AutoCreateNonExternalUsers, 0);
>
> Set($ExternalSettings, {
>     'Active_Directory' => {
>         'type'   => 'ldap',
>         'auth'   => 1,
>         'info'   => 1,
>         'server' => 'rt.mydomain.local',
>         'base'   => 'OU=Users,DC=mydomain,DC=local',
>         # The filter to use to match RT-Users
>         'filter' => '(objectclass=person)',
>         # The filter that will only match disabled users
>         'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>         # Should we try to use TLS to encrypt connections?
>         'tls' => 0,
>         # What other args should I pass to Net::LDAP->new($host, @args)?
>         'net_ldap_args' => [ version => 3 ],
>         # Does authentication depend on group membership? What group name?
>         'group' => 'Request-Tracker',
>         # What is the attribute for the group object that determines membership?
>         #'group_attr' => 'GROUP_ATTR',
>         ## RT ATTRIBUTE MATCHING SECTION
>         # The list of RT attributes that uniquely identify a user
>         'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
>         # The mapping of RT attributes on to LDAP attributes
>         'attr_map' => {
>             'Name'           => 'sAMAccountName',
>             'EmailAddress'   => 'mail',
>             'Organization'   => 'physicalDeliveryOfficeName',
>             'RealName'       => 'displayName',
>             'ExternalAuthId' => 'sAMAccountName',
>             'Gecos'          => 'sAMAccountName',
>             'WorkPhone'      => 'telephoneNumber',
>             'Address1'       => 'streetAddress',
>             'City'           => 'l',
>             'State'          => 'st',
>             'Zip'            => 'postalCode',
>             'Country'        => 'co'
>         }
>     }
> }
> );
>
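
Added example, not part of the original thread and not ExternalAuth's own code: a small Python model of the two checks the reply describes, showing why a base of `OU=Users` finds nobody when the accounts live elsewhere and why the group lookup only succeeds with `member`. `OU=Staff`, `OU=Groups`, the two accounts and the group's full DN are constructed for illustration.

```python
import re

# Constructed sample directory (not a real AD export). OU=Staff, OU=Groups and
# the two accounts are assumptions made for this example.
GROUP_DN = "CN=Request-Tracker,OU=Groups,DC=mydomain,DC=local"
DIRECTORY = {
    "CN=Jane Doe,OU=Staff,DC=mydomain,DC=local": {"sAMAccountName": "jdoe"},
    "CN=Bob Roe,OU=Staff,DC=mydomain,DC=local": {"sAMAccountName": "broe"},
    # AD stores group membership on the group object, as full member DNs.
    GROUP_DN: {"member": ["cn=jane doe,ou=staff,dc=mydomain,dc=local"]},
}

def split_dn(dn):
    """Split a DN into lower-cased RDNs; a backslash-escaped comma does not split."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]

def under_base(dn, base):
    """True when dn sits at or below base, i.e. a subtree search from base sees it."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b

def can_authenticate(username, base, group_attr, directory=DIRECTORY, group_dn=GROUP_DN):
    """Model of the two checks in the reply: find the user under base, then
    look for the user's DN in the group's membership attribute."""
    found = [dn for dn, entry in directory.items()
             if under_base(dn, base) and entry.get("sAMAccountName") == username]
    if len(found) != 1:
        return (False, "user not found under base")
    members = [split_dn(m) for m in directory[group_dn].get(group_attr, [])]
    if split_dn(found[0]) not in members:
        return (False, "user not in group")
    return (True, "ok")

if __name__ == "__main__":
    for base, attr in [("OU=Users,DC=mydomain,DC=local", "member"),
                       ("OU=Staff,DC=mydomain,DC=local", "GROUP_ATTR"),
                       ("OU=Staff,DC=mydomain,DC=local", "member")]:
        print(base, attr, can_authenticate("jdoe", base, attr))
```
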