[rt-users] ExternalAuth help needed

Lamers, Dan dlamers at elcan.com
Tue Jan 11 13:48:48 EST 2011


My config file for LDAP uses this format

'user' => 'username@domain',
'pass' => 'password',


Regards, 
Dan

________________________________

From: rt-users-bounces at lists.bestpractical.com
[mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Wes Modes
Sent: January-11-11 1:33 PM
To: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] ExternalAuth help needed

 

As suggested in a thread in this forum, I connected with ldapsearch with
no problem:

[root@rt2]# ldapsearch -x -LLL -D "cn=admin,dc=ucsc,dc=edu" -W -h dir1.library.ucsc.edu -b "ou=people,dc=ucsc,dc=edu" uid=wmodes cn telephoneNumber
Enter LDAP Password: 
dn: uid=wmodes,ou=people,dc=ucsc,dc=edu
cn: Wes Modes
telephoneNumber: 831-459-5208

This was run from the server running RT.  The DN and password I'm using
to connect is the same here and in the config file.  Now what?

Wes


On 1/11/2011 7:43 AM, Kevin Falcone wrote: 

On Mon, Jan 10, 2011 at 06:03:37PM -0800, Wes Modes wrote:

	   I am using ExternalAuth to connect RT3.8.8 to LDAP.
	 
	   Detailed documentation seems to be woefully absent, and I've scoured the web and tried the
	   dozens of conflicting suggestions, so I'm turning to y'all.
	 
	   Here's the error I get:
	 
	     [Tue Jan 11 01:41:56 2011] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj
	     Can't bind: LDAP_INVALID_DN_SYNTAX 34
	     (/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:467)

 
The error seems clear, something in your username or password isn't
valid DN syntax according to your server.
 
Try connecting using the ldapsearch command line client.
 
-kevin
 

	   Here's the LDAP section from my RT_Authen-ExternalAuth.pm
	 
	         'My_LDAP'       =>  {
	             ## GENERIC SECTION
	             # The type of service (db/ldap/cookie)
	             'type'                      =>  'ldap',
	             # The server hosting the service
	             'server'                    =>  'dir1.library.ucsc.edu',
	             ## SERVICE-SPECIFIC SECTION
	             # If you can bind to your LDAP server anonymously you should
	             # remove the user and pass config lines, otherwise specify them here:
	             #
	             # The username RT should use to connect to the LDAP server
	             'user'                      =>  'cn=admin,dc=ucsc,dc=edu',
	             # The password RT should use to connect to the LDAP server
	             'pass'                      =>  'PASSWORD',
	             #
	             # The LDAP search base
	             'base'                      =>  'ou=people,dc=ucsc,dc=edu',
	             #
	             # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
	             # YOU **MUST** SPECIFY A filter AND A d_filter!!
	             #
	             # The filter to use to match RT-Users
	             'filter'                    =>  '(objectClass=person)',
	             # A catch-all example filter: '(objectClass=*)'
	             #
	             # The filter that will only match disabled users
	             'd_filter'                  =>  '(objectClass=FooBarBaz)',
	             # A catch-none example d_filter: '(objectClass=FooBarBaz)'
	             #
	             # Should we try to use TLS to encrypt connections?
	             'tls'                       =>  0,
	             # SSL Version to provide to Net::SSLeay *if* using SSL
	             'ssl_version'               =>  3,
	             # What other args should I pass to Net::LDAP->new($host,@args)?
	             'net_ldap_args'             => [    version =>  3   ],
	             # Does authentication depend on group membership? What group name?
	             'group'                     =>  'staff',
	             # What is the attribute for the group object that determines membership?
	             'group_attr'                =>  'ou=group,dc=ucsc,dc=edu',
	             ## RT ATTRIBUTE MATCHING SECTION
	             # The list of RT attributes that uniquely identify a user
	             # This example shows what you *can* specify.. I recommend reducing this
	             # to just the Name and EmailAddress to save encountering problems later.
	             'attr_match_list'           => [    'Name',
	                                                 'EmailAddress',
	                                             ],
	             # The mapping of RT attributes on to LDAP attributes
	             'attr_map'                  =>  {   'Name' => 'uid',
	                                                 'EmailAddress' => 'mail',
	                                                 'RealName' => 'cn',
	                                                 'ExternalAuthId' => 'uid',
	                                                 'Gecos' => 'gecos',
	                                                 'WorkPhone' => 'telephoneNumber',
	                                             }
	 
	         },
	 
	   What more do you need to know to help me get this working?
	 
	   Wes
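
Since ldapsearch binds cleanly while RT logs LDAP_INVALID_DN_SYNTAX, one further check is to repeat the bind and search through Net::LDAP, the library named in the config comments. The Perl script below is an added example, not part of the thread and not code from RT or RT::Authen::ExternalAuth; the RT_LDAP_PASS environment variable and the three-step layout are assumptions made here.

```perl
#!/usr/bin/perl
# Added example (not RT or RT::Authen::ExternalAuth code): repeat the bind
# and search from a standalone Net::LDAP client on the RT host.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_explode_dn ldap_error_name escape_filter_value);

# Values copied from the 'My_LDAP' block quoted in this thread.
my %cfg = (
    server => 'dir1.library.ucsc.edu',
    user   => 'cn=admin,dc=ucsc,dc=edu',
    base   => 'ou=people,dc=ucsc,dc=edu',
    filter => '(objectClass=person)',
);

# Step 1 (offline): check that the values used as DNs parse as DNs.
# ldap_explode_dn returns undef for a string that is not a valid DN.
for my $key (qw(user base)) {
    my $state = defined ldap_explode_dn($cfg{$key}) ? 'parses as a DN' : 'NOT a valid DN';
    printf "%-5s %-28s %s\n", $key, $cfg{$key}, $state;
}

# Assumption: the bind password is passed in RT_LDAP_PASS rather than
# written into the script. Without it, stop after the syntax check.
my $pass = $ENV{RT_LDAP_PASS};
exit 0 unless defined $pass && length $pass;

# Step 2: connect and bind. 'tls' is 0 in the quoted config, so this is a
# plain simple bind, like the ldapsearch -x run in this thread.
my $ldap = Net::LDAP->new($cfg{server}, version => 3)
    or die "connect to $cfg{server} failed: $@\n";
my $mesg = $ldap->bind($cfg{user}, password => $pass);
die sprintf("bind failed: %s (%d) %s\n",
    ldap_error_name($mesg->code), $mesg->code, $mesg->error) if $mesg->code;
print "bind OK as $cfg{user}\n";

# Step 3: search with the configured base and filter, narrowed to one uid
# (first argument; 'wmodes' is the uid used in the thread).
my $uid = escape_filter_value(@ARGV ? $ARGV[0] : 'wmodes');
$mesg = $ldap->search(
    base   => $cfg{base},
    filter => "(&$cfg{filter}(uid=$uid))",
    attrs  => [qw(uid mail cn telephoneNumber)],
);
die sprintf("search failed: %s\n", ldap_error_name($mesg->code)) if $mesg->code;
printf "%s: %s\n", $_->dn, $_->get_value('cn') // '(no cn)' for $mesg->entries;
$ldap->unbind;
```

If this script binds with the same values that fail inside RT, the strings RT actually sends differ from the ones in the file, so the place to look is which configuration RT has loaded rather than the directory server.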


 

