[rt-users] Has anyone successfully configured LDAP to authenticate against AD with version 4.0.1?

josh.cole josh.cole at fresno.edu
Mon Aug 29 15:18:08 EDT 2011


The user is within the base. The user exists in a sub-OU inside of ITS. I
have the correct DC, I have the ip entered for the DC/LDAP Server. 

Yes sir that is correct, I am using placeholders. I do not believe that SSL
is being used based on the config I provided. All of the information is
correct. I have used an ldap browser to verify connectivity on port 389 and
to verify the information I've placed into the config. 


Andrew Wagner-4 wrote:
> 
> I believe that if you specify SSL, Authen-External will automatically 
> uses port 636 (LDAPS).  TLS encryption uses 389.  We used TLS as LDAPS 
> is no longer officially supported.
> 
> Is the user you are trying to authenticate with inside your base?  Do 
> you have the correct domain controller specified under server?  Do you 
> have the right domain specified and formatted under base?  I assume 
> you're replacing your domain information with placeholders in your 
> config and are not actually using rt.mydomain.local.
> 
> Andrew Wagner
> Assistant Network Administrator
> aawagner at wisc.edu
> 265-5710
> Room 370B
> Wisconsin Center for Education Research (WCER)
> www.wcer.wisc.edu
> 
> 
> On 8/29/2011 12:55 PM, josh.cole wrote:
>> I think I am close now. I made those changes to the config. I am receiving an
>> error when I try to login with my AD credentials. The error is:
>> [Mon Aug 29 17:35:31 2011] [critical]:
>> RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to
>> rt.mydomain.local
>> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)
>>
>> Do I need to specify an ldap port? I did add a username and password to authenticate.
>>
>>
>> josh.cole wrote:
>>> Thank you very much for your feedback. I really appreciate it.
>>>
>>> Andrew Wagner-4 wrote:
>>>> Yes, Josh.  That is correct.  The ExternalAuthen checks all locations
>>>> for users under the base OU.  Either change your specified base in
>>>> RT_SiteConfig.pm or move the users to the OU that you want RT to
>>>> search.
>>>>
>>>> Andrew Wagner
>>>> Assistant Network Administrator
>>>> aawagner at wisc.edu
>>>> 265-5710
>>>> Room 370B
>>>> Wisconsin Center for Education Research (WCER)
>>>> www.wcer.wisc.edu
>>>>
>>>>
>>>> On 8/29/2011 11:39 AM, josh.cole wrote:
>>>>> Thank you for your response. So just to make sure I understand, if the
>>>>> users I want to be able to authenticate in RT are not in the OU specified
>>>>> it will not work? So I should move those users to whatever the OU is that
>>>>> I specify in the base?
>>>>>
>>>>> Andrew Wagner-4 wrote:
>>>>>> 1.  For group_attr, you want the term to be 'member'.  That checks for
>>>>>> membership in the group.
>>>>>>
>>>>>> 2.  For your base, you need to choose the next highest level of Active
>>>>>> Directory beyond where your users are stored.  This means you need to
>>>>>> specify the OU where your users are, not just a random "Users" OU.
>>>>>>
>>>>>> Andrew Wagner
>>>>>> Assistant Network Administrator
>>>>>> aawagner at wisc.edu
>>>>>> 265-5710
>>>>>> Room 370B
>>>>>> Wisconsin Center for Education Research (WCER)
>>>>>> www.wcer.wisc.edu
>>>>>>
>>>>>>
>>>>>> On 8/29/2011 11:26 AM, josh.cole wrote:
>>>>>>> I am trying to make this work. I installed the latest version of
>>>>>>> ExternalAuth. I am working with Request Tracker for the first time,
>>>>>>> just upgraded from 3.8.7 to 4.0.1. There are a few things that I think
>>>>>>> are off but I am not sure what the correct solution is.
>>>>>>>
>>>>>>> 1. I am not sure what to use for the group_attr. I want to have users
>>>>>>> in the group Request-Tracker inside of AD be able to authenticate with
>>>>>>> their credentials when logging into RT, and I believe the filter is set
>>>>>>> correctly other than what needs to be added for the group_attribute. I
>>>>>>> am not sure what that should be.
>>>>>>>
>>>>>>> 2. For my base statement. I am specifying the Users OU but none of my
>>>>>>> users are in that OU. I am not sure exactly what it's looking for there.
>>>>>>>
>>>>>>> Any help is appreciated!
>>>>>>> ExternalAuth config:
>>>>>>>
>>>>>>> I have added the following to my RT_SiteConfig.pm:
>>>>>>>
>>>>>>> @RT::MailPlugins = ("RT::Authen::ExternalAuth");
>>>>>>> Set(@Plugins, qw(RT::Authen::ExternalAuth) );
>>>>>>> Set($ExternalAuthPriority, [ 'Active_Directory' ] );
>>>>>>> Set($ExternalInfoPriority, [ 'Active_Directory' ] );
>>>>>>> Set($AutoCreateNonExternalUsers, 0);
>>>>>>>
>>>>>>> Set($ExternalSettings, {
>>>>>>>     'Active_Directory' => {
>>>>>>>         'type'   => 'ldap',
>>>>>>>         'auth'   => 1,
>>>>>>>         'info'   => 1,
>>>>>>>         'server' => 'rt.mydomain.local',
>>>>>>>         'base'   => 'OU=Users,DC=mydomain,DC=local',
>>>>>>>         # The filter to use to match RT-Users
>>>>>>>         'filter' => '(objectclass=person)',
>>>>>>>         # The filter that will only match disabled users
>>>>>>>         'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>>>>>>         # Should we try to use TLS to encrypt connections?
>>>>>>>         'tls' => 0,
>>>>>>>         # What other args should I pass to Net::LDAP->new($host, @args)?
>>>>>>>         'net_ldap_args' => [ version => 3 ],
>>>>>>>         # Does authentication depend on group membership? What group name?
>>>>>>>         'group' => 'Request-Tracker',
>>>>>>>         # What is the attribute for the group object that determines membership?
>>>>>>>         #'group_attr' => 'GROUP_ATTR',
>>>>>>>         ## RT ATTRIBUTE MATCHING SECTION
>>>>>>>         # The list of RT attributes that uniquely identify a user
>>>>>>>         'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
>>>>>>>         # The mapping of RT attributes on to LDAP attributes
>>>>>>>         'attr_map' => {
>>>>>>>             'Name'           => 'sAMAccountName',
>>>>>>>             'EmailAddress'   => 'mail',
>>>>>>>             'Organization'   => 'physicalDeliveryOfficeName',
>>>>>>>             'RealName'       => 'displayName',
>>>>>>>             'ExternalAuthId' => 'sAMAccountName',
>>>>>>>             'Gecos'          => 'sAMAccountName',
>>>>>>>             'WorkPhone'      => 'telephoneNumber',
>>>>>>>             'Address1'       => 'streetAddress',
>>>>>>>             'City'           => 'l',
>>>>>>>             'State'          => 'st',
>>>>>>>             'Zip'            => 'postalCode',
>>>>>>>             'Country'        => 'co'
>>>>>>>         }
>>>>>>>     }
>>>>>>> });
>>>>>>>
>>>>>>
>>>>>> --------
>>>>>> RT Training Sessions
>>>>>> (http://bestpractical.com/services/training.html)
>>>>>> *  Chicago, IL, USA — September 26 & 27, 2011
>>>>>> *  San Francisco, CA, USA — October 18 & 19, 2011
>>>>>> *  Washington DC, USA — October 31 & November 1, 2011
>>>>>> *  Melbourne VIC, Australia — November 28 & 29, 2011
>>>>>> *  Barcelona, Spain — November 28 & 29, 2011
>>>>>>
>>>>
>>>>
>>>
> 
> 

-- 
View this message in context: http://old.nabble.com/Has-anyone-sucessfully-configured-LDAP-to-authenticate-against-AD-with-version-4.0.1--tp32358024p32359422.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.
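An added example, not code from the thread or from RT-Authen-ExternalAuth: an offline Python model of the checks the plugin's LDAP lookup applies (subtree scope under 'base', the d_filter disabled bit, group membership via the 'member' attribute) and why the posted base of OU=Users never finds a user who lives under OU=ITS. The directory entries, DNs and function names are constructed for illustration.

```python
# Added example, not the plugin's code: an offline model of the checks
# RT::Authen::ExternalAuth applies to an AD entry before accepting a login.
ACCOUNTDISABLE = 0x2  # bit tested by the posted d_filter (1.2.840.113556.1.4.803 rule)

def dn_components(dn):
    """Split a DN into normalised RDNs: 'CN=a,OU=b' -> ['cn=a', 'ou=b']."""
    return [part.strip().lower() for part in dn.split(",")]

def under_base(dn, base):
    """Subtree scope: the entry's DN must end with every RDN of the base DN."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) >= len(b) and d[-len(b):] == b

def check_user(directory, settings, username):
    """Return 'ok', or the first reason the lookup would reject the login."""
    people = [(dn, a) for dn, a in directory.items()
              if a.get("objectClass") == "person"
              and a.get("sAMAccountName", "").lower() == username.lower()]
    if not people:
        return "no such user"
    dn, attrs = people[0]
    if not under_base(dn, settings["base"]):
        return "outside base"  # the thread's first problem: user not under 'base'
    if attrs.get("userAccountControl", 0) & ACCOUNTDISABLE:
        return "disabled"      # would be matched by d_filter and refused
    want = "cn=" + settings["group"].lower()
    members = [m.lower() for gdn, g in directory.items()
               if g.get("objectClass") == "group" and dn_components(gdn)[0] == want
               for m in g.get(settings["group_attr"], [])]
    if dn.lower() not in members:
        return "not in group"  # group_attr must be 'member' for AD groups
    return "ok"

# Constructed sample directory (hypothetical DNs): the user lives under OU=ITS.
DIRECTORY = {
    "CN=Request-Tracker,OU=Groups,DC=mydomain,DC=local": {
        "objectClass": "group",
        "member": ["CN=Josh,OU=Helpdesk,OU=ITS,DC=mydomain,DC=local"]},
    "CN=Josh,OU=Helpdesk,OU=ITS,DC=mydomain,DC=local": {
        "objectClass": "person", "sAMAccountName": "josh", "userAccountControl": 512},
    "CN=Old,OU=ITS,DC=mydomain,DC=local": {
        "objectClass": "person", "sAMAccountName": "old", "userAccountControl": 514},
}
SETTINGS = {"base": "OU=Users,DC=mydomain,DC=local",  # base as posted
            "group": "Request-Tracker", "group_attr": "member"}
FIXED = dict(SETTINGS, base="OU=ITS,DC=mydomain,DC=local")  # base covering OU=ITS

if __name__ == "__main__":
    print(check_user(DIRECTORY, SETTINGS, "josh"), check_user(DIRECTORY, FIXED, "josh"))
```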



