[rt-users] ExternalAuth help needed

Wes Modes wmodes at ucsc.edu
Tue Jan 11 13:33:02 EST 2011


As suggested in a thread in this forum, I connected with ldapsearch with 
no problem:

    [root@rt2]# ldapsearch -x -LLL -D "cn=admin,dc=ucsc,dc=edu" -W -h dir1.library.ucsc.edu -b "ou=people,dc=ucsc,dc=edu" uid=wmodes cn telephoneNumber
    Enter LDAP Password:
    dn: uid=wmodes,ou=people,dc=ucsc,dc=edu
    cn: Wes Modes
    telephoneNumber: 831-459-5208

This was run from the server running RT.  The DN and password I'm using 
to connect are the same here and in the config file.  Now what?

Wes


On 1/11/2011 7:43 AM, Kevin Falcone wrote:
> On Mon, Jan 10, 2011 at 06:03:37PM -0800, Wes Modes wrote:
>>     I am using ExternalAuth to connect RT3.8.8 to LDAP.
>>
>>     Detailed documentation seems to be woefully absent, and I've scoured the web and tried the
>>     dozens of conflicting suggestions, so I'm turning to y'all.
>>
>>     Here's the error I get:
>>
>>       [Tue Jan 11 01:41:56 2011] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj
>>       Can't bind: LDAP_INVALID_DN_SYNTAX 34
>>       (/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:467)
> The error seems clear, something in your username or password isn't
> valid DN syntax according to your server.
>
> Try connecting using the ldapsearch command line client.
>
> -kevin
>
>>     Here's the LDAP section from my RT_Authen-ExternalAuth.pm
>>
>>           'My_LDAP'       =>   {
>>               ## GENERIC SECTION
>>               # The type of service (db/ldap/cookie)
>>               'type'                      =>   'ldap',
>>               # The server hosting the service
>>               'server'                    =>   'dir1.library.ucsc.edu',
>>               ## SERVICE-SPECIFIC SECTION
>>               # If you can bind to your LDAP server anonymously you should
>>               # remove the user and pass config lines, otherwise specify them here:
>>               #
>>               # The username RT should use to connect to the LDAP server
>>               'user'                      =>   'cn=admin,dc=ucsc,dc=edu',
>>               # The password RT should use to connect to the LDAP server
>>               'pass'                    =>   'PASSWORD',
>>               #
>>               # The LDAP search base
>>               'base'                      =>   'ou=people,dc=ucsc,dc=edu',
>>               #
>>               # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
>>               # YOU **MUST** SPECIFY A filter AND A d_filter!!
>>               #
>>               # The filter to use to match RT-Users
>>               'filter'                    =>   '(objectClass=person)',
>>               # A catch-all example filter: '(objectClass=*)'
>>               #
>>               # The filter that will only match disabled users
>>               'd_filter'                  =>   '(objectClass=FooBarBaz)',
>>               # A catch-none example d_filter: '(objectClass=FooBarBaz)'
>>               #
>>               # Should we try to use TLS to encrypt connections?
>>               'tls'                       =>   0,
>>               # SSL Version to provide to Net::SSLeay *if* using SSL
>>               'ssl_version'               =>   3,
>>               # What other args should I pass to Net::LDAP->new($host, @args)?
>>               'net_ldap_args'             =>  [    version =>   3   ],
>>               # Does authentication depend on group membership? What group name?
>>               'group'                     =>   'staff',
>>               # What is the attribute for the group object that determines membership?
>>               'group_attr'                =>   'ou=group,dc=ucsc,dc=edu',
>>               ## RT ATTRIBUTE MATCHING SECTION
>>               # The list of RT attributes that uniquely identify a user
>>               # This example shows what you *can* specify.. I recommend reducing this
>>               # to just the Name and EmailAddress to save encountering problems later.
>>               'attr_match_list'           =>  [    'Name',
>>                                                   'EmailAddress',
>>                                               ],
>>               # The mapping of RT attributes on to LDAP attributes
>>               'attr_map'                  =>   {   'Name' =>  'uid',
>>                                                   'EmailAddress' =>  'mail',
>>                                                   'RealName' =>  'cn',
>>                                                   'ExternalAuthId' =>  'uid',
>>                                                   'Gecos' =>  'gecos',
>>                                                   'WorkPhone' =>  'telephoneNumber',
>>                                               }
>>
>>           },
>>
>>     What more do you need to know to help me get this working?
>>
>>     Wes