[rt-users] Has anyone successfully configured LDAP to authenticate against AD with version 4.0.1?

josh.cole josh.cole at fresno.edu
Mon Aug 29 16:09:09 EDT 2011


Below is the result:

[Mon Aug 29 20:04:21 2011] [critical]:
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
LDAP_INVALID_CREDENTIALS 49
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:467)


Andrew Wagner-4 wrote:
> 
> I should have noticed this sooner - try specifying the full DN of your 
> rtauth user.  That is, 
> CN=rtauth,OU=someOU,OU=anotherOU,DC=mine,DC=his,DC=hers,DC=com.
> 
> Andrew Wagner
> Assistant Network Administrator
> aawagner at wisc.edu
> 265-5710
> Room 370B
> Wisconsin Center for Education Research (WCER)
> www.wcer.wisc.edu
> 
> 
> On 8/29/2011 2:18 PM, josh.cole wrote:
>> The user is within the base. The user exists in a sub-OU inside of ITS. I
>> have the correct DC, I have the ip entered for the DC/LDAP Server.
>>
>> Yes sir that is correct, I am using placeholders. I do not believe that SSL
>> is being used based on the config I provided. All of the information is
>> correct. I have used an ldap browser to verify connectivity on port 389 and
>> to verify the information I've placed into the config.
>>
>>
>> Andrew Wagner-4 wrote:
>>> I believe that if you specify SSL, Authen-External will automatically
>>> use port 636 (LDAPS).  TLS encryption uses 389.  We used TLS as LDAPS
>>> is no longer officially supported.
>>>
>>> Is the user you are trying to authenticate with inside your base?  Do
>>> you have the correct domain controller specified under server?  Do you
>>> have the right domain specified and formatted under base?  I assume
>>> you're replacing your domain information with placeholders in your
>>> config and are not actually using rt.mydomain.local.
>>>
>>>
>>> On 8/29/2011 12:55 PM, josh.cole wrote:
>>>> I think I am close now. I made those changes to the config. I am
>>>> receiving an error when I try to login with my AD credentials. The error is:
>>>> [Mon Aug 29 17:35:31 2011] [critical]:
>>>> RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to
>>>> rt.mydomain.local
>>>> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)
>>>>
>>>> Do I need to specify an ldap port? I did add a username and password to
>>>> authenticate.
>>>>
>>>>
>>>> josh.cole wrote:
>>>>> Thank you very much for your feedback. I really appreciate it.
>>>>>
>>>>> Andrew Wagner-4 wrote:
>>>>>> Yes, Josh.  That is correct.  The ExternalAuthen checks all locations
>>>>>> for users under the base OU.  Either change your specified base in
>>>>>> RT_SiteConfig.pm or move the users to the OU that you want RT to
>>>>>> search.
>>>>>>
>>>>>>
>>>>>> On 8/29/2011 11:39 AM, josh.cole wrote:
>>>>>>> Thank you for your response. So just to make sure I understand, if the
>>>>>>> users I want to be able to authenticate in RT are not in the OU specified
>>>>>>> it will not work? So I should move those users to whatever the OU is that
>>>>>>> I specify in the base?
>>>>>>>
>>>>>>> Andrew Wagner-4 wrote:
>>>>>>>> 1.  For group_attr, you want the term to be 'member'.  That checks for
>>>>>>>> membership in the group.
>>>>>>>>
>>>>>>>> 2.  For your base, you need to choose the next highest level of Active
>>>>>>>> Directory beyond where your users are stored.  This means you need to
>>>>>>>> specify the OU where your users are, not just a random "Users" OU.
>>>>>>>>
>>>>>>>>
>>>>>>>> On 8/29/2011 11:26 AM, josh.cole wrote:
>>>>>>>>> I am trying to make this work. I installed the latest version of
>>>>>>>>> ExternalAuth. I am working with Request Tracker for the first time,
>>>>>>>>> just upgraded from 3.8.7 to 4.0.1. There are a few things that I think
>>>>>>>>> are off but I am not sure what the correct solution is.
>>>>>>>>>
>>>>>>>>> 1. I am not sure what to use for the group_attr. I want to have users
>>>>>>>>> in the group Request-Tracker inside of AD be able to authenticate with
>>>>>>>>> their credentials when logging into RT, and I believe the filter is set
>>>>>>>>> correctly other than what needs to be added for the group_attribute. I
>>>>>>>>> am not sure what that should be.
>>>>>>>>>
>>>>>>>>> 2. For my base statement. I am specifying the Users OU but none of my
>>>>>>>>> users are in that OU. I am not sure exactly what it's looking for there.
>>>>>>>>>
>>>>>>>>> Any help is appreciated!
>>>>>>>>> ExternalAuth config:
>>>>>>>>>
>>>>>>>>> I have added the following to my RT_SiteConfig.pm:
>>>>>>>>>
>>>>>>>>> @RT::MailPlugins = ("RT::Authen::ExternalAuth");
>>>>>>>>> Set(@Plugins, qw(RT::Authen::ExternalAuth) );
>>>>>>>>> Set($ExternalAuthPriority, [ 'Active_Directory' ]);
>>>>>>>>> Set($ExternalInfoPriority, [ 'Active_Directory' ]);
>>>>>>>>> Set($AutoCreateNonExternalUsers, 0);
>>>>>>>>>
>>>>>>>>> Set($ExternalSettings, {
>>>>>>>>>     'Active_Directory' => {
>>>>>>>>>         'type'   => 'ldap',
>>>>>>>>>         'auth'   => 1,
>>>>>>>>>         'info'   => 1,
>>>>>>>>>         'server' => 'rt.mydomain.local',
>>>>>>>>>         'base'   => 'OU=Users,DC=mydomain,DC=local',
>>>>>>>>>         # The filter to use to match RT-Users
>>>>>>>>>         'filter' => '(objectclass=person)',
>>>>>>>>>         # The filter that will only match disabled users
>>>>>>>>>         'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>>>>>>>>         # Should we try to use TLS to encrypt connections?
>>>>>>>>>         'tls' => 0,
>>>>>>>>>         # What other args should I pass to Net::LDAP->new($host,@args)?
>>>>>>>>>         'net_ldap_args' => [ version => 3 ],
>>>>>>>>>         # Does authentication depend on group membership? What group name?
>>>>>>>>>         'group' => 'Request-Tracker',
>>>>>>>>>         # What is the attribute for the group object that determines membership?
>>>>>>>>>         #'group_attr' => 'GROUP_ATTR',
>>>>>>>>>         ## RT ATTRIBUTE MATCHING SECTION
>>>>>>>>>         # The list of RT attributes that uniquely identify a user
>>>>>>>>>         'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
>>>>>>>>>         # The mapping of RT attributes on to LDAP attributes
>>>>>>>>>         'attr_map' => {
>>>>>>>>>             'Name'           => 'sAMAccountName',
>>>>>>>>>             'EmailAddress'   => 'mail',
>>>>>>>>>             'Organization'   => 'physicalDeliveryOfficeName',
>>>>>>>>>             'RealName'       => 'displayName',
>>>>>>>>>             'ExternalAuthId' => 'sAMAccountName',
>>>>>>>>>             'Gecos'          => 'sAMAccountName',
>>>>>>>>>             'WorkPhone'      => 'telephoneNumber',
>>>>>>>>>             'Address1'       => 'streetAddress',
>>>>>>>>>             'City'           => 'l',
>>>>>>>>>             'State'          => 'st',
>>>>>>>>>             'Zip'            => 'postalCode',
>>>>>>>>>             'Country'        => 'co'
>>>>>>>>>         }
>>>>>>>>>     }
>>>>>>>>> });
>>>>>>>>>
>>>>>>>>>
>>>>>>>> --------
>>>>>>>> RT Training Sessions
>>>>>>>> (http://bestpractical.com/services/training.html)
>>>>>>>> *  Chicago, IL, USA — September 26 & 27, 2011
>>>>>>>> *  San Francisco, CA, USA — October 18 & 19, 2011
>>>>>>>> *  Washington DC, USA — October 31 & November 1, 2011
>>>>>>>> *  Melbourne VIC, Australia — November 28 & 29, 2011
>>>>>>>> *  Barcelona, Spain — November 28 & 29, 2011
>>>>>>>>
>>>>>>
>>>
> 
> 

-- 
View this message in context: http://old.nabble.com/Has-anyone-sucessfully-configured-LDAP-to-authenticate-against-AD-with-version-4.0.1--tp32358024p32359783.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.
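Editor's added example, not a config posted by Josh or Andrew: the RT_SiteConfig.pm fragment from the thread with the advice given in it applied, namely a full DN for the bind user, the base moved up to the OU that contains the users, group_attr set to 'member', and TLS switched on. The posted 'tls' => 0 is the security problem worth fixing first: with it, the service-account password and every user's password at login cross the wire to port 389 in the clear. The host name, OU names and DNs below are placeholders I assume for illustration; the group DN form and the 'user'/'pass' keys follow the plugin's documented settings, but check the docs for the ExternalAuth version you installed.

```perl
# Added example (editor's, not from the thread). Placeholders: the DC host name,
# the OU layout under ITS, the rtauth and Request-Tracker DNs, and the password.
Set(@Plugins, qw(RT::Authen::ExternalAuth));
Set($ExternalAuthPriority, [ 'Active_Directory' ]);
Set($ExternalInfoPriority, [ 'Active_Directory' ]);
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'Active_Directory' => {
        'type'   => 'ldap',
        'auth'   => 1,
        'info'   => 1,
        # A domain controller, not the RT host itself.
        'server' => 'dc1.mydomain.local',

        # Bind identity: the full DN of the service account, as suggested in
        # the thread. AD also accepts the UPN form 'rtauth@mydomain.local' for
        # a simple bind, which avoids hard-coding the OU path.
        'user'   => 'CN=rtauth,OU=Service Accounts,OU=ITS,DC=mydomain,DC=local',
        'pass'   => 'change-me',

        # Search base: the OU *above* the users, not the default Users
        # container. Accounts in sub-OUs of ITS are found; accounts elsewhere
        # in the domain are not, so they cannot log in even with a valid password.
        'base'   => 'OU=ITS,DC=mydomain,DC=local',

        # Match real user accounts only (objectClass=user alone also matches
        # computer accounts; objectCategory=person excludes them).
        'filter'   => '(&(objectClass=user)(objectCategory=person))',
        # 1.2.840.113556.1.4.803 is AD's bitwise-AND matching rule and bit 2
        # of userAccountControl is ACCOUNTDISABLE, so this matches disabled
        # accounts, which the plugin then refuses.
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

        # Weak, as posted: plaintext binds on 389.
        # 'tls' => 0,
        # Corrected: STARTTLS on 389. For LDAPS on 636 instead, Net::LDAP
        # accepts a URI as the host, e.g. 'server' => 'ldaps://dc1.mydomain.local'.
        'tls' => 1,
        'net_ldap_args' => [ version => 3 ],

        # Restrict logins to members of one AD group. The group's 'member'
        # attribute holds member DNs, so the plugin checks whether the DN it
        # found for the user appears there. Assumed: 'group' is the group's DN.
        'group'      => 'CN=Request-Tracker,OU=Groups,OU=ITS,DC=mydomain,DC=local',
        'group_attr' => 'member',

        'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'displayName',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
});
```

To reproduce the plugin's bind outside RT and see AD's own error text, test the same DN and password with OpenLDAP's ldapsearch before touching RT_SiteConfig.pm: `ldapsearch -H ldap://dc1.mydomain.local -ZZ -D 'CN=rtauth,OU=Service Accounts,OU=ITS,DC=mydomain,DC=local' -W -b 'OU=ITS,DC=mydomain,DC=local' '(sAMAccountName=jcole)' memberOf`. Result code 49 (LDAP_INVALID_CREDENTIALS), the error in Josh's last message, is what AD returns whenever the DN/password pair is rejected; a DN that is subtly wrong (a renamed OU, a CN that differs from the sAMAccountName) yields the same code as a bad password, so first search for the service account with a bind you know works and copy its DN from the result rather than typing it. `-ZZ` makes ldapsearch fail rather than fall back to plaintext if STARTTLS is not offered, which is the behaviour you want in RT as well.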
