[rt-users] ExternalAuth help needed

Alberto Vazquez betovaz at gmail.com
Wed Jan 12 18:57:47 EST 2011


Guys,

I am new to RT, and I've encountered the following issue:

I have changed the domain on the email address for some of our users, but
now when they send a request to our queue, they get the following response.

Could not load a valid user

What do I need to change so that it does not happen again?

Thank you so much.

Alberto

On Wed, Jan 12, 2011 at 3:05 PM, Kevin Falcone <falcone at bestpractical.com> wrote:

> On Wed, Jan 12, 2011 at 03:00:30PM -0800, Wes Modes wrote:
> > Kevin, you said the error is clear, but it seems less than clear to
> > me.  Especially since I have no problem connecting to ldap with
> > ldapsearch using the same DN.
> >
> > Are we stalled out here, then?  If this forum can not offer help, any
> > suggestions where to turn to for help?
> >
> > In my experience with other software, LDAP is one of the simplest
> > integrations possible.  In total one has to configure maybe three, maybe
> > four things.  The server FQDN, maybe the port, the base DN, and maybe
> > the root DN.  Voila!  That's it!  LDAP integration.
> >
> > I have a difficult time believing that RT is so difficult to integrate
> > with LDAP, that there is so little step-by-step documentation, and that
> > the user forums offer so little help.  This has been a surprisingly
> > difficult process, but I'd still like to be proved completely wrong.
>
> Wes, plenty of folks have this working and I've set it up more times
> than I can count.  You've cherry picked an error that tells me that
> your LDAP server is rejecting the connection attempt.  What do your
> LDAP logs say?
>
> As someone observed, your group settings look interestingly wrong, but
> since I'm staring at one log line it's kind of hard to tell if this is
> the initial bind or a later bind failure.
>
> -kevin
>
> > On 1/11/2011 7:43 AM, Kevin Falcone wrote:
> > > On Mon, Jan 10, 2011 at 06:03:37PM -0800, Wes Modes wrote:
> > >>    I am using ExternalAuth to connect RT3.8.8 to LDAP.
> > >>
> > >>    Detailed documentation seems to be woefully absent, and I've scoured the web and tried the
> > >>    dozens of conflicting suggestions, so I'm turning to y'all.
> > >>
> > >>    Here's the error I get:
> > >>
> > >>      [Tue Jan 11 01:41:56 2011] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj
> > >>      Can't bind: LDAP_INVALID_DN_SYNTAX 34
> > >>      (/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:467)
> > > The error seems clear, something in your username or password isn't
> > > valid DN syntax according to your server.
> > >
> > > Try connecting using the ldapsearch command line client.
> > >
> > > -kevin
> > >
> > >>    Here's the LDAP section from my RT_Authen-ExternalAuth.pm
> > >>
> > >>          'My_LDAP'       =>  {
> > >>              ## GENERIC SECTION
> > >>              # The type of service (db/ldap/cookie)
> > >>              'type'                      =>  'ldap',
> > >>              # The server hosting the service
> > >>              'server'                    =>  'dir1.library.ucsc.edu',
> > >>              ## SERVICE-SPECIFIC SECTION
> > >>              # If you can bind to your LDAP server anonymously you should
> > >>              # remove the user and pass config lines, otherwise specify them here:
> > >>              #
> > >>              # The username RT should use to connect to the LDAP server
> > >>              'user'                      =>  'cn=admin,dc=ucsc,dc=edu',
> > >>              # The password RT should use to connect to the LDAP server
> > >>              'pass'                    =>  'PASSWORD',
> > >>              #
> > >>              # The LDAP search base
> > >>              'base'                      =>  'ou=people,dc=ucsc,dc=edu',
> > >>              #
> > >>              # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
> > >>              # YOU **MUST** SPECIFY A filter AND A d_filter!!
> > >>              #
> > >>              # The filter to use to match RT-Users
> > >>              'filter'                    =>  '(objectClass=person)',
> > >>              # A catch-all example filter: '(objectClass=*)'
> > >>              #
> > >>              # The filter that will only match disabled users
> > >>              'd_filter'                  =>  '(objectClass=FooBarBaz)',
> > >>              # A catch-none example d_filter: '(objectClass=FooBarBaz)'
> > >>              #
> > >>              # Should we try to use TLS to encrypt connections?
> > >>              'tls'                       =>  0,
> > >>              # SSL Version to provide to Net::SSLeay *if* using SSL
> > >>              'ssl_version'               =>  3,
> > >>              # What other args should I pass to Net::LDAP->new($host,@args)?
> > >>              'net_ldap_args'             => [    version =>  3   ],
> > >>              # Does authentication depend on group membership? What group name?
> > >>              'group'                     =>  'staff',
> > >>              # What is the attribute for the group object that determines membership?
> > >>              'group_attr'                =>  'ou=group,dc=ucsc,dc=edu',
> > >>              ## RT ATTRIBUTE MATCHING SECTION
> > >>              # The list of RT attributes that uniquely identify a user
> > >>              # This example shows what you *can* specify.. I recommend reducing this
> > >>              # to just the Name and EmailAddress to save encountering problems later.
> > >>              'attr_match_list'           => [    'Name',
> > >>                                                  'EmailAddress',
> > >>                                              ],
> > >>              # The mapping of RT attributes on to LDAP attributes
> > >>              'attr_map'                  =>  {   'Name' => 'uid',
> > >>                                                  'EmailAddress' => 'mail',
> > >>                                                  'RealName' => 'cn',
> > >>                                                  'ExternalAuthId' => 'uid',
> > >>                                                  'Gecos' => 'gecos',
> > >>                                                  'WorkPhone' => 'telephoneNumber',
> > >>                                              }
> > >>
> > >>          },
> > >>
> > >>    What more do you need to know to help me get this working?
> > >>
> > >>    Wes
>



-- 
Alberto Vazquez-Dzul
Email:  betovaz at gmail.com
Mobile:  (805) 444-0835
GVoice: (805) 768-4798
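
An added example, not part of the original thread and not RT or ExternalAuth code: a small offline check of which values in the quoted `My_LDAP` block are DN-shaped and which are attribute-name-shaped, the kind of mismatch a server reports as `LDAP_INVALID_DN_SYNTAX`. The names `is_dn`, `audit`, `EXPECTED` and `SAMPLE` are hypothetical, and treating `group` as a DN is an assumption the thread does not confirm.

```python
import re

# Attribute type: short name (cn, uid, member) or dotted numeric OID.
ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")

# Kind of value each setting is checked against. 'user' and 'base' are DNs and
# 'group_attr' is an attribute name per the config comments quoted above;
# treating 'group' as a DN is an assumption of this sketch.
EXPECTED = {"user": "dn", "base": "dn", "group": "dn", "group_attr": "attr"}

# Constructed sample: the four values from the config quoted in the thread.
SAMPLE = {
    "user": "cn=admin,dc=ucsc,dc=edu",
    "base": "ou=people,dc=ucsc,dc=edu",
    "group": "staff",
    "group_attr": "ou=group,dc=ucsc,dc=edu",
}


def is_dn(value):
    """True if value is a non-empty, comma-separated list of type=value RDNs."""
    # Mask backslash-escaped characters so an escaped ',' '+' or '=' is not
    # mistaken for a separator; '_' can never appear in an attribute type.
    masked = re.sub(r"\\.", "__", value, flags=re.S)
    if not masked.strip() or "\\" in masked:  # empty, or dangling backslash
        return False
    avas = [ava for rdn in masked.split(",") for ava in rdn.split("+")]
    return all(
        "=" in ava and ATTR_TYPE.match(ava.partition("=")[0].strip())
        for ava in avas
    )


def audit(settings):
    """Return {setting: problem} for values that are not the expected kind."""
    findings = {}
    for key, kind in EXPECTED.items():
        value = settings.get(key)
        if value is None:
            continue
        ok = is_dn(value) if kind == "dn" else bool(ATTR_TYPE.match(value))
        if not ok:
            findings[key] = f"expected {kind}, got {value!r}"
    return findings


if __name__ == "__main__":
    for setting, problem in audit(SAMPLE).items():
        print(f"{setting}: {problem}")
```

A check like this only narrows down which setting is malformed; whether the failure is the initial bind or a later one still has to come from the LDAP server's logs, as asked in the thread.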