[rt-users] Has anyone successfully configured LDAP to authenticate against AD with version 4.0.1?

Andrew Wagner aawagner at wisc.edu
Mon Aug 29 15:49:09 EDT 2011


I should have noticed this sooner - try specifying the full DN of your 
rtauth user.  That is, 
CN=rtauth,OU=someOU,OU=anotherOU,DC=mine,DC=his,DC=hers,DC=com.

Andrew Wagner
Assistant Network Administrator
aawagner at wisc.edu
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu


On 8/29/2011 2:18 PM, josh.cole wrote:
> The user is within the base. The user exists in a sub-OU inside of ITS. I
> have the correct DC, I have the ip entered for the DC/LDAP Server.
>
> Yes sir that is correct, I am using placeholders. I do not believe that SSL
> is being used based on the config I provided. All of the information is
> correct. I have used an ldap browser to verify connectivity on port 389 and
> to verify the information I've placed into the config.
>
>
> Andrew Wagner-4 wrote:
>> I believe that if you specify SSL, Authen-External will automatically
>> use port 636 (LDAPS).  TLS encryption uses 389.  We used TLS as LDAPS
>> is no longer officially supported.
>>
>> Is the user you are trying to authenticate with inside your base?  Do
>> you have the correct domain controller specified under server?  Do you
>> have the right domain specified and formatted under base?  I assume
>> you're replacing your domain information with placeholders in your
>> config and are not actually using rt.mydomain.local.
>>
>>
>> On 8/29/2011 12:55 PM, josh.cole wrote:
>>> I think I am close now. I made those changes to the config. I am
>>> receiving an error when I try to login with my AD credentials. The error is:
>>> [Mon Aug 29 17:35:31 2011] [critical]:
>>> RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to
>>> rt.mydomain.local
>>> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)
>>>
>>> Do I need to specify an ldap port? I did add a username and password to
>>> authenticate.
>>>
>>>
>>> josh.cole wrote:
>>>> Thank you very much for your feedback. I really appreciate it.
>>>>
>>>> Andrew Wagner-4 wrote:
>>>>> Yes, Josh.  That is correct.  The ExternalAuthen checks all locations
>>>>> for users under the base OU.  Either change your specified base in
>>>>> RT_SiteConfig.pm or move the users to the OU that you want RT to
>>>>> search.
>>>>>
>>>>>
>>>>> On 8/29/2011 11:39 AM, josh.cole wrote:
>>>>>> Thank you for your response. So just to make sure I understand, if the
>>>>>> users I want to be able to authenticate in RT are not in the OU specified
>>>>>> it will not work? So I should move those users to whatever the OU is that
>>>>>> I specify in the base?
>>>>>>
>>>>>> Andrew Wagner-4 wrote:
>>>>>>> 1.  For group_attr, you want the term to be 'member'.  That checks for
>>>>>>> membership in the group.
>>>>>>>
>>>>>>> 2.  For your base, you need to choose the next highest level of Active
>>>>>>> Directory beyond where your users are stored.  This means you need to
>>>>>>> specify the OU where your users are, not just a random "Users" OU.
>>>>>>>
>>>>>>>
>>>>>>> On 8/29/2011 11:26 AM, josh.cole wrote:
>>>>>>>> I am trying to make this work. I installed the latest version of
>>>>>>>> ExternalAuth. I am working with Request Tracker for the first time, just
>>>>>>>> upgraded from 3.8.7 to 4.0.1. There are a few things that I think are off
>>>>>>>> but I am not sure what the correct solution is.
>>>>>>>>
>>>>>>>> 1. I am not sure what to use for the group_attr. I want to have users in
>>>>>>>> the group Request-Tracker inside of AD be able to authenticate with their
>>>>>>>> credentials when logging into RT and I believe the filter is set correctly
>>>>>>>> other than what needs to be added for the group_attribute. I am not sure
>>>>>>>> what that should be.
>>>>>>>>
>>>>>>>> 2. For my base statement, I am specifying the Users OU but none of my
>>>>>>>> users are in that OU. I am not sure exactly what it's looking for there.
>>>>>>>>
>>>>>>>> Any help is appreciated!
>>>>>>>> ExternalAuth config:
>>>>>>>>
>>>>>>>> I have added the following to my RT_SiteConfig.pm:
>>>>>>>>
>>>>>>>> @RT::MailPlugins = ("RT::Authen::ExternalAuth");
>>>>>>>> Set(@Plugins, qw(RT::Authen::ExternalAuth) );
>>>>>>>> Set($ExternalAuthPriority, [ 'Active_Directory' ]);
>>>>>>>> Set($ExternalInfoPriority, [ 'Active_Directory' ]);
>>>>>>>> Set($AutoCreateNonExternalUsers, 0);
>>>>>>>>
>>>>>>>> Set($ExternalSettings, {
>>>>>>>>     'Active_Directory' => {
>>>>>>>>         'type'   => 'ldap',
>>>>>>>>         'auth'   => 1,
>>>>>>>>         'info'   => 1,
>>>>>>>>         'server' => 'rt.mydomain.local',
>>>>>>>>         'base'   => 'OU=Users,DC=mydomain,DC=local',
>>>>>>>>         # The filter to use to match RT-Users
>>>>>>>>         'filter' => '(objectclass=person)',
>>>>>>>>         # The filter that will only match disabled users
>>>>>>>>         'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>>>>>>>         # Should we try to use TLS to encrypt connections?
>>>>>>>>         'tls' => 0,
>>>>>>>>         # What other args should I pass to Net::LDAP->new($host,@args)?
>>>>>>>>         'net_ldap_args' => [ version => 3 ],
>>>>>>>>         # Does authentication depend on group membership? What group name?
>>>>>>>>         'group' => 'Request-Tracker',
>>>>>>>>         # What is the attribute for the group object that determines membership?
>>>>>>>>         #'group_attr' => 'GROUP_ATTR',
>>>>>>>>         ## RT ATTRIBUTE MATCHING SECTION
>>>>>>>>         # The list of RT attributes that uniquely identify a user
>>>>>>>>         'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
>>>>>>>>         # The mapping of RT attributes on to LDAP attributes
>>>>>>>>         'attr_map' => {
>>>>>>>>             'Name'           => 'sAMAccountName',
>>>>>>>>             'EmailAddress'   => 'mail',
>>>>>>>>             'Organization'   => 'physicalDeliveryOfficeName',
>>>>>>>>             'RealName'       => 'displayName',
>>>>>>>>             'ExternalAuthId' => 'sAMAccountName',
>>>>>>>>             'Gecos'          => 'sAMAccountName',
>>>>>>>>             'WorkPhone'      => 'telephoneNumber',
>>>>>>>>             'Address1'       => 'streetAddress',
>>>>>>>>             'City'           => 'l',
>>>>>>>>             'State'          => 'st',
>>>>>>>>             'Zip'            => 'postalCode',
>>>>>>>>             'Country'        => 'co',
>>>>>>>>         },
>>>>>>>>     },
>>>>>>>> });
>>>>>>>>
>>>>>>> --------
>>>>>>> RT Training Sessions (http://bestpractical.com/services/training.html)
>>>>>>> *  Chicago, IL, USA — September 26 & 27, 2011
>>>>>>> *  San Francisco, CA, USA — October 18 & 19, 2011
>>>>>>> *  Washington DC, USA — October 31 & November 1, 2011
>>>>>>> *  Melbourne VIC, Australia — November 28 & 29, 2011
>>>>>>> *  Barcelona, Spain — November 28 & 29, 2011
>>>>>>>
>>>>>
>>

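The thread's advice comes down to four checks the LDAP lookup applies before a login succeeds: the user's entry must sit somewhere under `base` (so `OU=Users` fails when the accounts live in a sub-OU of ITS), it must match `filter`, it must not match `d_filter` (the `1.2.840.113556.1.4.803` bit-AND rule on `userAccountControl`), and its full DN must appear in the group's `member` attribute, which is also why `group_attr` has to be `'member'` and why the bind user is given as a full DN. The following is an added example, not code from RT::Authen::ExternalAuth or from anyone in the thread: a small offline model of those checks run against a constructed directory, so the failure modes discussed above can be reproduced without a domain controller. The user names, OUs and group DN are invented; the base, filters and group name are taken from the config quoted above (with the base widened to the domain root, as suggested). DN handling is simplified (no escaped commas) and only the filter syntax the config uses is supported.

```python
import re
from dataclasses import dataclass

# Constructed model (not RT::Authen::ExternalAuth's own code) of the checks the
# plugin's LDAP lookup performs: subtree scope under 'base', the user 'filter',
# the 'd_filter' disabled-account test, and 'group'/'group_attr' membership.
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND (used by d_filter)


@dataclass
class Entry:
    dn: str
    attrs: dict   # lowercase attribute name -> list of values


def dn_parts(dn):
    """Split a DN into lowercase RDNs. Simplification: no escaped commas."""
    return [p.strip().lower() for p in dn.split(",")]


def in_scope(dn, base):
    """Subtree search semantics: the entry's DN must end with the base's RDNs."""
    d, b = dn_parts(dn), dn_parts(base)
    return len(d) >= len(b) and d[-len(b):] == b


def split_items(s):
    """Split '(a=b)(c=d)' into ['(a=b)', '(c=d)'] at nesting depth 0."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                items.append(s[start:i + 1])
    return items


def matches(entry, filt):
    """Evaluate a small RFC 4515 subset: (&..), (|..), (attr=value), (attr:rule:=value)."""
    body = filt.strip()[1:-1]
    if body[0] in "&|":
        results = [matches(entry, item) for item in split_items(body[1:])]
        return all(results) if body[0] == "&" else any(results)
    m = re.fullmatch(r"(\w+)(?::([\d.]+):)?=(.*)", body)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, rule, value = m.group(1).lower(), m.group(2), m.group(3)
    values = entry.attrs.get(attr, [])
    if rule == BIT_AND_RULE:
        # AD extensible match: true if any bit of 'value' is set in the attribute
        return any(int(v) & int(value) != 0 for v in values)
    if rule:
        raise ValueError("unsupported matching rule: " + rule)
    return any(str(v).lower() == value.lower() for v in values)


def lookup(directory, settings, username):
    """Return 'ok', or the reason a login would be refused, in the order the checks apply."""
    name_attr = settings["attr_map"]["Name"].lower()
    users = [e for e in directory
             if in_scope(e.dn, settings["base"]) and matches(e, settings["filter"])
             and username.lower() in [str(v).lower() for v in e.attrs.get(name_attr, [])]]
    if not users:
        return "no user under base matches filter"
    user = users[0]
    if matches(user, settings["d_filter"]):
        return "account disabled"
    # Group membership: the group's 'member' attribute holds full DNs, so the
    # comparison is against the user's DN, not the sAMAccountName.
    group_attr = settings["group_attr"].lower()
    members = [m.lower() for g in directory
               if settings["group"].lower() in [v.lower() for v in g.attrs.get("cn", [])]
               for m in g.attrs.get(group_attr, [])]
    if user.dn.lower() not in members:
        return "not a member of " + settings["group"]
    return "ok"


# Constructed sample directory: the accounts live in a sub-OU of ITS, not in OU=Users.
STAFF = "OU=Staff,OU=ITS,DC=mydomain,DC=local"
DIRECTORY = [
    Entry("CN=Jane Doe," + STAFF,
          {"objectclass": ["top", "person"], "samaccountname": ["jdoe"], "useraccountcontrol": [512]}),
    Entry("CN=Dan Smith," + STAFF,   # 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE
          {"objectclass": ["top", "person"], "samaccountname": ["dsmith"], "useraccountcontrol": [514]}),
    Entry("CN=Bob Jones," + STAFF,
          {"objectclass": ["top", "person"], "samaccountname": ["bjones"], "useraccountcontrol": [512]}),
    Entry("CN=Request-Tracker,OU=Groups,DC=mydomain,DC=local",
          {"objectclass": ["top", "group"], "cn": ["Request-Tracker"],
           "member": ["CN=Jane Doe," + STAFF, "CN=Dan Smith," + STAFF]}),
]

# Settings taken from the quoted config, with base widened to the domain root
# and group_attr set to 'member' as recommended in the thread.
SETTINGS = {
    "base": "DC=mydomain,DC=local",
    "filter": "(objectclass=person)",
    "d_filter": "(userAccountControl:1.2.840.113556.1.4.803:=2)",
    "group": "Request-Tracker",
    "group_attr": "member",
    "attr_map": {"Name": "sAMAccountName"},
}

if __name__ == "__main__":
    for name in ("jdoe", "dsmith", "bjones"):
        print(name, "->", lookup(DIRECTORY, SETTINGS, name))
    narrow = dict(SETTINGS, base="OU=Users,DC=mydomain,DC=local")
    print("jdoe with base OU=Users ->", lookup(DIRECTORY, narrow, "jdoe"))
```

Running it shows `jdoe` accepted, `dsmith` refused by the `d_filter`, `bjones` refused for not being in the group, and `jdoe` refused again as soon as `base` is narrowed back to `OU=Users`, which is the symptom the original post describes.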