[rt-users] ExternalAuth help needed
Wes Modes
wmodes at ucsc.edu
Tue Jan 11 13:33:02 EST 2011
As suggested in a thread in this forum, I connected with ldapsearch with
no problem:
[root@rt2]# ldapsearch -x -LLL -D "cn=admin,dc=ucsc,dc=edu" -W -h dir1.library.ucsc.edu -b "ou=people,dc=ucsc,dc=edu" uid=wmodes cn telephoneNumber
Enter LDAP Password:
dn: uid=wmodes,ou=people,dc=ucsc,dc=edu
cn: Wes Modes
telephoneNumber: 831-459-5208
This was run from the server running RT. The DN and password I'm using
to connect are the same here and in the config file. Now what?
Wes
On 1/11/2011 7:43 AM, Kevin Falcone wrote:
> On Mon, Jan 10, 2011 at 06:03:37PM -0800, Wes Modes wrote:
>> I am using ExternalAuth to connect RT3.8.8 to LDAP.
>>
>> Detailed documentation seems to be woefully absent, and I've scoured the web and tried the
>> dozens of conflicting suggestions, so I'm turning to y'all.
>>
>> Here's the error I get:
>>
>> [Tue Jan 11 01:41:56 2011] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj
>> Can't bind: LDAP_INVALID_DN_SYNTAX 34
>> (/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:467)
> The error seems clear, something in your username or password isn't
> valid DN syntax according to your server.
>
> Try connecting using the ldapsearch command line client.
>
> -kevin
>
>> Here's the LDAP section from my RT_Authen-ExternalAuth.pm
>>
>> 'My_LDAP' => {
>> ## GENERIC SECTION
>> # The type of service (db/ldap/cookie)
>> 'type' => 'ldap',
>> # The server hosting the service
>> 'server' => 'dir1.library.ucsc.edu',
>> ## SERVICE-SPECIFIC SECTION
>> # If you can bind to your LDAP server anonymously you should
>> # remove the user and pass config lines, otherwise specify them here:
>> #
>> # The username RT should use to connect to the LDAP server
>> 'user' => 'cn=admin,dc=ucsc,dc=edu',
>> # The password RT should use to connect to the LDAP server
>> 'pass' => 'PASSWORD',
>> #
>> # The LDAP search base
>> 'base' => 'ou=people,dc=ucsc,dc=edu',
>> #
>> # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
>> # YOU **MUST** SPECIFY A filter AND A d_filter!!
>> #
>> # The filter to use to match RT-Users
>> 'filter' => '(objectClass=person)',
>> # A catch-all example filter: '(objectClass=*)'
>> #
>> # The filter that will only match disabled users
>> 'd_filter' => '(objectClass=FooBarBaz)',
>> # A catch-none example d_filter: '(objectClass=FooBarBaz)'
>> #
>> # Should we try to use TLS to encrypt connections?
>> 'tls' => 0,
>> # SSL Version to provide to Net::SSLeay *if* using SSL
>> 'ssl_version' => 3,
>> # What other args should I pass to Net::LDAP->new($host, @args)?
>> 'net_ldap_args' => [ version => 3 ],
>> # Does authentication depend on group membership? What group name?
>> 'group' => 'staff',
>> # What is the attribute for the group object that determines membership?
>> 'group_attr' => 'ou=group,dc=ucsc,dc=edu',
>> ## RT ATTRIBUTE MATCHING SECTION
>> # The list of RT attributes that uniquely identify a user
>> # This example shows what you *can* specify.. I recommend reducing this
>> # to just the Name and EmailAddress to save encountering problems later.
>> 'attr_match_list' => [ 'Name',
>> 'EmailAddress',
>> ],
>> # The mapping of RT attributes on to LDAP attributes
>> 'attr_map' => { 'Name' => 'uid',
>> 'EmailAddress' => 'mail',
>> 'RealName' => 'cn',
>> 'ExternalAuthId' => 'uid',
>> 'Gecos' => 'gecos',
>> 'WorkPhone' => 'telephoneNumber',
>> }
>>
>> },
>>
>> What more do you need to know to help me get this working?
>>
>> Wes
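
An offline check for the LDAP_INVALID_DN_SYNTAX error discussed in this thread, added here as an example (not code from the post, from RT, or from RT-Authen-ExternalAuth): it parses each setting against the RFC 4514 string form of a DN and reports the first component that fails. Treating user, base and group as the DN-valued settings is an assumption of the example, and dn_problem, split_unescaped and check_settings are hypothetical names.

```python
import re

# Attribute type: a short name or a dotted numeric OID (RFC 4514).
ATTR_TYPE = re.compile(r'[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+')
# Value: '#' plus hex pairs, or text whose special characters are escaped.
ATTR_VALUE = re.compile(
    r'#(?:[0-9A-Fa-f]{2})+'
    r'|(?!#)(?:[^\\",+;<>\x00]|\\[ "#+,;<=>\\]|\\[0-9A-Fa-f]{2})*')

def split_unescaped(text, sep):
    """Split on sep, ignoring any sep that follows a backslash."""
    parts, current, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current += text[i:i + 2]      # keep the escape pair together
            i += 2
        elif text[i] == sep:
            parts.append(current)
            current, i = "", i + 1
        else:
            current += text[i]
            i += 1
    parts.append(current)
    return parts

def dn_problem(dn):
    """Return None if dn parses as a DN, else a short reason string."""
    if dn == "":
        return None                       # the empty DN is valid
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):
            attr, eq, value = ava.partition("=")
            if not eq:
                return f"no '=' in component {ava!r}"
            # Spaces around the type are tolerated (a choice of this example).
            if not ATTR_TYPE.fullmatch(attr.strip()):
                return f"bad attribute type {attr!r}"
            if not ATTR_VALUE.fullmatch(value):
                return f"bad value {value!r}"
    return None

# Values copied from the config quoted in the post above.
SETTINGS = {
    "user": "cn=admin,dc=ucsc,dc=edu",
    "base": "ou=people,dc=ucsc,dc=edu",
    "group": "staff",
}

def check_settings(settings):
    """Map each setting name to None (parses as a DN) or a reason."""
    return {name: dn_problem(value) for name, value in settings.items()}
```

A value that passes here can still be rejected by a particular server, so the ldapsearch bind shown at the top of the message remains the authoritative test.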