[rt-users] Has anyone sucessfully configured LDAP to authenticate against AD with version 4.0.1?
Andrew Wagner
aawagner at wisc.edu
Mon Aug 29 15:49:09 EDT 2011
I should have noticed this sooner - try specifying the full DN of your
rtauth user. That is,
CN=rtauth,OU=someOU,OU=anotherOU,DC=mine,DC=his,DC=hers,DC=com.
Andrew Wagner
Assistant Network Administrator
aawagner at wisc.edu
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu
On 8/29/2011 2:18 PM, josh.cole wrote:
> The user is within the base. The user exists in a sub-OU inside of ITS. I
> have the correct DC, I have the ip entered for the DC/LDAP Server.
>
> Yes sir that is correct, I am using placeholders. I do not believe that SSL
> is being used based on the config I provided. All of the information is
> correct. I have used an ldap browser to verify connectivity on port 389 and
> to verify the information I've placed into the config.
>
>
> Andrew Wagner-4 wrote:
>> I believe that if you specify SSL, Authen-External will automatically
>> uses port 636 (LDAPS). TLS encryption uses 389. We used TLS as LDAPS
>> is no longer officially supported.
>>
>> Is the user you are trying to authenticate with inside your base? Do
>> you have the correct domain controller specified under server? Do you
>> have the right domain specified and formatted under base? I assume
>> you're replacing your domain information with placeholders in your
>> config and are not actually using rt.mydomain.local.
>>
>> Andrew Wagner
>> Assistant Network Administrator
>> aawagner at wisc.edu
>> 265-5710
>> Room 370B
>> Wisconsin Center for Education Research (WCER)
>> www.wcer.wisc.edu
>>
>>
>> On 8/29/2011 12:55 PM, josh.cole wrote:
>>> I think I am close now. I made those changes to the config. I am
>>> receiving an
>>> error when I try to login with my AD credentials. The error is:
>>> [Mon Aug 29 17:35:31 2011] [critical]:
>>> RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to
>>> rt.mydomain.local
>>> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)
>>>
>>> Do I need to specify an ldap port? I did add a username and password to
>>> authenticate.
>>>
>>>
>>> josh.cole wrote:
>>>> Thank you very much for your feedback. I really appreciate it.
>>>>
>>>> Andrew Wagner-4 wrote:
>>>>> Yes, Josh. That is correct. The ExternalAuthen checks all locations
>>>>> for users under the base OU. Either change your specified base in
>>>>> RT_SiteConfig.pm or move the users to the OU that you want RT to
>>>>> search.
>>>>>
>>>>> Andrew Wagner
>>>>> Assistant Network Administrator
>>>>> aawagner at wisc.edu
>>>>> 265-5710
>>>>> Room 370B
>>>>> Wisconsin Center for Education Research (WCER)
>>>>> www.wcer.wisc.edu
>>>>>
>>>>>
>>>>> On 8/29/2011 11:39 AM, josh.cole wrote:
>>>>>> Thank you for your response. So just to make sure I understand, if the
>>>>>> users
>>>>>> I want to be able to authenticate in RT are not in the OU specified it
>>>>>> will
>>>>>> not work? So I should move those users to whatever the OU is that I
>>>>>> specify
>>>>>> in the base?
>>>>>>
>>>>>> Andrew Wagner-4 wrote:
>>>>>>> 1. For group_attr, you want the term to be 'member'. That checks
>>>>>>> for
>>>>>>> membership in the group.
>>>>>>>
>>>>>>> 2. For your base, you need to choose the next highest level of
>>>>>>> Active
>>>>>>> Directory beyond where your users are stored. This means you need to
>>>>>>> specify the OU where your users are, not just a random "Users" OU.
>>>>>>>
>>>>>>> Andrew Wagner
>>>>>>> Assistant Network Administrator
>>>>>>> aawagner at wisc.edu
>>>>>>> 265-5710
>>>>>>> Room 370B
>>>>>>> Wisconsin Center for Education Research (WCER)
>>>>>>> www.wcer.wisc.edu
>>>>>>>
>>>>>>>
>>>>>>> On 8/29/2011 11:26 AM, josh.cole wrote:
>>>>>>>> I am trying to make this work. I installed the latest version of
>>>>>>>> ExternalAuth. I am working with Request Tracker for the first time,
>>>>>>>> just
>>>>>>>> upgraded from 3.8.7 to 4.0.1. There are a few things that I think
>>>>>>>> are
>>>>>>>> off
>>>>>>>> but I am not sure what the correct solution is.
>>>>>>>>
>>>>>>>> 1. I am not sure what to use for the group_attr I want to have users
>>>>>>>> in
>>>>>>>> the
>>>>>>>> group Request-Tracker inside of AD be able to authenticate with
>>>>>>>> their
>>>>>>>> credentials when logging into RT and I believe the filter is set
>>>>>>>> correctly
>>>>>>>> other than what needs to be added for the group_attribute. I am not
>>>>>>>> sure
>>>>>>>> what that should be.
>>>>>>>>
>>>>>>>> 2. For my base statement. I am specifying the Users OU but none of
>>>>>>>> my
>>>>>>>> users
>>>>>>>> are in that OU. I am not sure exactly what it's looking for there.
>>>>>>>>
>>>>>>>> Any help is appreciated!
>>>>>>>> ExternalAuth config:
>>>>>>>>
>>>>>>>> I have added the following to my RT_SiteConfig.pm:
>>>>>>>>
>>>>>>>> @RT::MailPlugins = ("RT::Authen::ExternalAuth");
>>>>>>>> Set(@Plugins, qw(RT::Authen::ExternalAuth) );
>>>>>>>> Set($ExternalAuthPriority, [ 'Active_Directory'
>>>>>>>> ]
>>>>>>>> );
>>>>>>>> Set($ExternalInfoPriority, [ 'Active_Directory'
>>>>>>>> ]
>>>>>>>> );
>>>>>>>> Set($AutoCreateNonExternalUsers, 0);
>>>>>>>>
>>>>>>>> Set($ExternalSettings, { 'Active_Directory' => {
>>>>>>>> 'type'
>>>>>>>> => 'ldap',
>>>>>>>> 'auth'
>>>>>>>> => 1,
>>>>>>>> 'info'
>>>>>>>> => 1,
>>>>>>>> 'server'
>>>>>>>> => 'rt.mydomain.local',
>>>>>>>> 'base'
>>>>>>>> => 'OU=Users,DC=mydomain,DC=local',
>>>>>>>> # The
>>>>>>>> filter
>>>>>>>> to
>>>>>>>> use
>>>>>>>> to match RT-Users
>>>>>>>> 'filter'
>>>>>>>> => '(objectclass=person)',
>>>>>>>> # The
>>>>>>>> filter
>>>>>>>> that
>>>>>>>> will only match disabled users
>>>>>>>>
>>>>>>>> 'd_filter'
>>>>>>>> => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>>>>>>> # Should
>>>>>>>> we
>>>>>>>> try
>>>>>>>> to
>>>>>>>> use TLS to encrypt connections?
>>>>>>>> 'tls'
>>>>>>>> => 0,
>>>>>>>> # What
>>>>>>>> other
>>>>>>>> args
>>>>>>>> should I pass to Net::LDAP->new($host, at args)?
>>>>>>>>
>>>>>>>> 'net_ldap_args'
>>>>>>>> => [ version => 3 ],
>>>>>>>> # Does
>>>>>>>> authentication depend on group membership? What group name?
>>>>>>>> 'group'
>>>>>>>> => 'Request-Tracker',
>>>>>>>> # What is
>>>>>>>> the
>>>>>>>> attribute for the group object that determines membership?
>>>>>>>>
>>>>>>>> #'group_attr'
>>>>>>>> => 'GROUP_ATTR',
>>>>>>>> ## RT
>>>>>>>> ATTRIBUTE
>>>>>>>> MATCHING SECTION
>>>>>>>> # The
>>>>>>>> list
>>>>>>>> of RT
>>>>>>>> attributes that uniquely identify a user
>>>>>>>>
>>>>>>>> 'attr_match_list'
>>>>>>>> => [ 'ExternalAuthId','EmailAddress' ],
>>>>>>>> # The
>>>>>>>> mapping of
>>>>>>>> RT
>>>>>>>> attributes on to LDAP attributes
>>>>>>>>
>>>>>>>> 'attr_map'
>>>>>>>> => { 'Name' => 'sAMAccountName',
>>>>>>>>
>>>>>>>> 'EmailAddress' => 'mail',
>>>>>>>>
>>>>>>>> 'Organization' => 'physicalDeliveryOfficeName',
>>>>>>>>
>>>>>>>> 'RealName' => 'displayName',
>>>>>>>>
>>>>>>>> 'ExternalAuthId' => 'sAMAccountName',
>>>>>>>>
>>>>>>>> 'Gecos' => 'sAMAccountName',
>>>>>>>>
>>>>>>>> 'WorkPhone' => 'telephoneNumber',
>>>>>>>>
>>>>>>>> 'Address1' => 'streetAddress',
>>>>>>>>
>>>>>>>> 'City' => 'l',
>>>>>>>>
>>>>>>>> 'State' => 'st',
>>>>>>>>
>>>>>>>> 'Zip' => 'postalCode',
>>>>>>>>
>>>>>>>> 'Country' => 'co'
>>>>>>>>
>>>>>>>> }
>>>>>>>> }
>>>>>>>> }
>>>>>>>> );
>>>>>>>>
>>>>>>> --------
>>>>>>> RT Training Sessions
>>>>>>> (http://bestpractical.com/services/training.html)
>>>>>>> * Chicago, IL, USA — September 26& 27, 2011
>>>>>>> * San Francisco, CA, USA — October 18& 19, 2011
>>>>>>> * Washington DC, USA — October 31& November 1, 2011
>>>>>>> * Melbourne VIC, Australia — November 28& 29, 2011
>>>>>>> * Barcelona, Spain — November 28& 29, 2011
>>>>>>>
>>>>>
>>>>> --------
>>>>> RT Training Sessions (http://bestpractical.com/services/training.html)
>>>>> * Chicago, IL, USA — September 26& 27, 2011
>>>>> * San Francisco, CA, USA — October 18& 19, 2011
>>>>> * Washington DC, USA — October 31& November 1, 2011
>>>>> * Melbourne VIC, Australia — November 28& 29, 2011
>>>>> * Barcelona, Spain — November 28& 29, 2011
>>>>>
>>
>>
>> --------
>> RT Training Sessions (http://bestpractical.com/services/training.html)
>> * Chicago, IL, USA — September 26& 27, 2011
>> * San Francisco, CA, USA — October 18& 19, 2011
>> * Washington DC, USA — October 31& November 1, 2011
>> * Melbourne VIC, Australia — November 28& 29, 2011
>> * Barcelona, Spain — November 28& 29, 2011
>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7410 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20110829/fef47eda/attachment.bin>
More information about the rt-users
mailing list