[rt-users] Has anyone successfully configured LDAP to authenticate against AD with version 4.0.1?

josh.cole josh.cole at fresno.edu
Mon Aug 29 12:54:31 EDT 2011


Thank you very much for your feedback. I really appreciate it. 

Andrew Wagner-4 wrote:
> 
> Yes, Josh.  That is correct.  The ExternalAuthen checks all locations 
> for users under the base OU.  Either change your specified base in 
> RT_SiteConfig.pm or move the users to the OU that you want RT to search.
> 
> Andrew Wagner
> Assistant Network Administrator
> aawagner at wisc.edu
> 265-5710
> Room 370B
> Wisconsin Center for Education Research (WCER)
> www.wcer.wisc.edu
> 
> 
> On 8/29/2011 11:39 AM, josh.cole wrote:
>> Thank you for your response. So just to make sure I understand, if the users
>> I want to be able to authenticate in RT are not in the OU specified it will
>> not work? So I should move those users to whatever the OU is that I specify
>> in the base?
>>
>> Andrew Wagner-4 wrote:
>>> 1.  For group_attr, you want the term to be 'member'.  That checks for
>>> membership in the group.
>>>
>>> 2.  For your base, you need to choose the next highest level of Active
>>> Directory beyond where your users are stored.  This means you need to
>>> specify the OU where your users are, not just a random "Users" OU.
>>>
>>> Andrew Wagner
>>> Assistant Network Administrator
>>> aawagner at wisc.edu
>>> 265-5710
>>> Room 370B
>>> Wisconsin Center for Education Research (WCER)
>>> www.wcer.wisc.edu
>>>
>>>
>>> On 8/29/2011 11:26 AM, josh.cole wrote:
>>>> I am trying to make this work. I installed the latest version of
>>>> ExternalAuth. I am working with Request Tracker for the first time, just
>>>> upgraded from 3.8.7 to 4.0.1. There are a few things that I think are off
>>>> but I am not sure what the correct solution is.
>>>>
>>>> 1. I am not sure what to use for the group_attr. I want to have users in the
>>>> group Request-Tracker inside of AD be able to authenticate with their
>>>> credentials when logging into RT and I believe the filter is set correctly
>>>> other than what needs to be added for the group_attribute. I am not sure
>>>> what that should be.
>>>>
>>>> 2. For my base statement. I am specifying the Users OU but none of my users
>>>> are in that OU. I am not sure exactly what it's looking for there.
>>>>
>>>> Any help is appreciated!
>>>> ExternalAuth config:
>>>>
>>>> I have added the following to my RT_SiteConfig.pm:
>>>>
>>>> @RT::MailPlugins = ("RT::Authen::ExternalAuth");
>>>> Set(@Plugins, qw(RT::Authen::ExternalAuth) );
>>>> Set($ExternalAuthPriority,  [ 'Active_Directory' ] );
>>>> Set($ExternalInfoPriority,  [ 'Active_Directory' ] );
>>>> Set($AutoCreateNonExternalUsers,    0);
>>>>
>>>> Set($ExternalSettings, {
>>>>     'Active_Directory' => {
>>>>         'type'   => 'ldap',
>>>>         'auth'   => 1,
>>>>         'info'   => 1,
>>>>         'server' => 'rt.mydomain.local',
>>>>         'base'   => 'OU=Users,DC=mydomain,DC=local',
>>>>         # The filter to use to match RT-Users
>>>>         'filter' => '(objectclass=person)',
>>>>         # The filter that will only match disabled users
>>>>         'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>>>         # Should we try to use TLS to encrypt connections?
>>>>         'tls' => 0,
>>>>         # What other args should I pass to Net::LDAP->new($host,@args)?
>>>>         'net_ldap_args' => [ version => 3 ],
>>>>         # Does authentication depend on group membership? What group name?
>>>>         'group' => 'Request-Tracker',
>>>>         # What is the attribute for the group object that determines membership?
>>>>         #'group_attr' => 'GROUP_ATTR',
>>>>         ## RT ATTRIBUTE MATCHING SECTION
>>>>         # The list of RT attributes that uniquely identify a user
>>>>         'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
>>>>         # The mapping of RT attributes on to LDAP attributes
>>>>         'attr_map' => {
>>>>             'Name'           => 'sAMAccountName',
>>>>             'EmailAddress'   => 'mail',
>>>>             'Organization'   => 'physicalDeliveryOfficeName',
>>>>             'RealName'       => 'displayName',
>>>>             'ExternalAuthId' => 'sAMAccountName',
>>>>             'Gecos'          => 'sAMAccountName',
>>>>             'WorkPhone'      => 'telephoneNumber',
>>>>             'Address1'       => 'streetAddress',
>>>>             'City'           => 'l',
>>>>             'State'          => 'st',
>>>>             'Zip'            => 'postalCode',
>>>>             'Country'        => 'co'
>>>>         }
>>>>     }
>>>> } );
>>>>
>>>
>>>
>>> --------
>>> RT Training Sessions (http://bestpractical.com/services/training.html)
>>> *  Chicago, IL, USA — September 26 & 27, 2011
>>> *  San Francisco, CA, USA — October 18 & 19, 2011
>>> *  Washington DC, USA — October 31 & November 1, 2011
>>> *  Melbourne VIC, Australia — November 28 & 29, 2011
>>> *  Barcelona, Spain — November 28 & 29, 2011
>>>
> 
> 

-- 
View this message in context: http://old.nabble.com/Has-anyone-sucessfully-configured-LDAP-to-authenticate-against-AD-with-version-4.0.1--tp32358024p32358398.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.
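
Added example (not part of the original thread, and not RT or ExternalAuth code): an offline model of the two points in Andrew's replies, that a subtree search only returns entries whose DN sits at or below the configured base, and that group membership is read from the group's `member` attribute, which in Active Directory holds the members' DNs. The users, OUs other than the thread's `OU=Users`, and group contents are constructed.

```python
# Added illustration; the directory contents below are constructed sample data.

def split_rdns(dn):
    """Split a DN into normalized (attr, value) RDNs, honouring escaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep an escaped pair together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":                        # an unescaped comma ends an RDN
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().lower(), value.strip().lower()))  # AD DNs are case-insensitive
    return out

def under_base(dn, base):
    """True if dn is the base entry or anywhere below it (LDAP 'sub' scope)."""
    d, b = split_rdns(dn), split_rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def report(base, users, group_members):
    """Model: a login works only if the search finds the user AND the group lists its DN."""
    members = {tuple(split_rdns(m)) for m in group_members}
    return {name: under_base(dn, base) and tuple(split_rdns(dn)) in members
            for name, dn in users.items()}

USERS = {  # constructed accounts, none of them in OU=Users (as in the question)
    "jdoe":   "CN=Doe\\, Jane,OU=Staff,DC=mydomain,DC=local",
    "asmith": "CN=Alice Smith,OU=Faculty,DC=mydomain,DC=local",
    "svc":    "CN=svc-backup,OU=Service Accounts,DC=mydomain,DC=local",
}
GROUP_MEMBERS = [  # constructed 'member' values of the Request-Tracker group
    "cn=Doe\\, Jane,ou=Staff,dc=mydomain,dc=local",
    "CN=svc-backup,OU=Service Accounts,DC=mydomain,DC=local",
]

if __name__ == "__main__":
    for base in ("OU=Users,DC=mydomain,DC=local",   # base from the posted config
                 "OU=Staff,DC=mydomain,DC=local",
                 "DC=mydomain,DC=local"):
        print(base, report(base, USERS, GROUP_MEMBERS))
```

Note that the widest base also admits the service account because it is a group member; keeping the base at the OU that actually holds the intended users limits who the search can match.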



