[rt-users] ExternalAuth help needed
Alberto Vazquez
betovaz at gmail.com
Wed Jan 12 18:57:47 EST 2011
Guys,
I am new to RT, and I've encountered the following issue:
I have changed the domain on the email address for some of our users, but
now when they send a request to our queue, they get the following response.
Could not load a valid user
What do I need to change so that it does not happen again?
Thank you so much.
Alberto
On Wed, Jan 12, 2011 at 3:05 PM, Kevin Falcone <falcone at bestpractical.com> wrote:
> On Wed, Jan 12, 2011 at 03:00:30PM -0800, Wes Modes wrote:
> > Kevin, you said the error is clear, but it seems less than clear to
> > me. Especially since I have no problem connecting to ldap with
> > ldapsearch using the same DN.
> >
> > Are we stalled out here, then? If this forum can not offer help, any
> > suggestions where to turn to for help?
> >
> > In my experience with other software, LDAP is one of the simplest
> > integrations possible. In total one has to configure maybe three, maybe
> > four things. The server FQDN, maybe the port, the base DN, and maybe
> > the root DN. Voila! That's it! LDAP integration.
> >
> > I have a difficult time believing that RT is so difficult to integrate
> > with LDAP, that there is so little step-by-step documentation, and that
> > the user forums offer so little help. This has been a surprisingly
> > difficult process, but I'd still like to be proved completely wrong.
>
> Wes, plenty of folks have this working and I've set it up more times
> than I can count. You've cherry picked an error that tells me that
> your LDAP server is rejecting the connection attempt. What do your
> LDAP logs say?
>
> As someone observed, your group settings look interestingly wrong, but
> since I'm staring at one log line it's kind of hard to tell if this is
> the initial bind or a later bind failure.
>
> -kevin
>
> > On 1/11/2011 7:43 AM, Kevin Falcone wrote:
> > > On Mon, Jan 10, 2011 at 06:03:37PM -0800, Wes Modes wrote:
> > >> I am using ExternalAuth to connect RT3.8.8 to LDAP.
> > >>
> > >> Detailed documentation seems to be woefully absent, and I've scoured
> > >> the web and tried the dozens of conflicting suggestions, so I'm
> > >> turning to y'all.
> > >>
> > >> Here's the error I get:
> > >>
> > >> [Tue Jan 11 01:41:56 2011] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj
> > >> Can't bind: LDAP_INVALID_DN_SYNTAX 34
> > >> (/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:467)
> > > The error seems clear, something in your username or password isn't
> > > valid DN syntax according to your server.
> > >
> > > Try connecting using the ldapsearch command line client.
> > >
> > > -kevin
> > >
> > >> Here's the LDAP section from my RT_Authen-ExternalAuth.pm
> > >>
> > >> 'My_LDAP' => {
> > >>     ## GENERIC SECTION
> > >>     # The type of service (db/ldap/cookie)
> > >>     'type' => 'ldap',
> > >>     # The server hosting the service
> > >>     'server' => 'dir1.library.ucsc.edu',
> > >>     ## SERVICE-SPECIFIC SECTION
> > >>     # If you can bind to your LDAP server anonymously you should
> > >>     # remove the user and pass config lines, otherwise specify them here:
> > >>     #
> > >>     # The username RT should use to connect to the LDAP server
> > >>     'user' => 'cn=admin,dc=ucsc,dc=edu',
> > >>     # The password RT should use to connect to the LDAP server
> > >>     'pass' => 'PASSWORD',
> > >>     #
> > >>     # The LDAP search base
> > >>     'base' => 'ou=people,dc=ucsc,dc=edu',
> > >>     #
> > >>     # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
> > >>     # YOU **MUST** SPECIFY A filter AND A d_filter!!
> > >>     #
> > >>     # The filter to use to match RT-Users
> > >>     'filter' => '(objectClass=person)',
> > >>     # A catch-all example filter: '(objectClass=*)'
> > >>     #
> > >>     # The filter that will only match disabled users
> > >>     'd_filter' => '(objectClass=FooBarBaz)',
> > >>     # A catch-none example d_filter: '(objectClass=FooBarBaz)'
> > >>     #
> > >>     # Should we try to use TLS to encrypt connections?
> > >>     'tls' => 0,
> > >>     # SSL Version to provide to Net::SSLeay *if* using SSL
> > >>     'ssl_version' => 3,
> > >>     # What other args should I pass to Net::LDAP->new($host,@args)?
> > >>     'net_ldap_args' => [ version => 3 ],
> > >>     # Does authentication depend on group membership? What group name?
> > >>     'group' => 'staff',
> > >>     # What is the attribute for the group object that determines membership?
> > >>     'group_attr' => 'ou=group,dc=ucsc,dc=edu',
> > >>     ## RT ATTRIBUTE MATCHING SECTION
> > >>     # The list of RT attributes that uniquely identify a user
> > >>     # This example shows what you *can* specify.. I recommend reducing this
> > >>     # to just the Name and EmailAddress to save encountering problems later.
> > >>     'attr_match_list' => [ 'Name',
> > >>                            'EmailAddress',
> > >>                          ],
> > >>     # The mapping of RT attributes on to LDAP attributes
> > >>     'attr_map' => { 'Name' => 'uid',
> > >>                     'EmailAddress' => 'mail',
> > >>                     'RealName' => 'cn',
> > >>                     'ExternalAuthId' => 'uid',
> > >>                     'Gecos' => 'gecos',
> > >>                     'WorkPhone' => 'telephoneNumber',
> > >>                   }
> > >>
> > >> },
> > >>
> > >> What more do you need to know to help me get this working?
> > >>
> > >> Wes
>
--
Alberto Vazquez-Dzul
Email: betovaz at gmail.com
Mobile: (805) 444-0835
GVoice: (805) 768-4798
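
The ExternalAuth LDAP settings quoted in this thread can be sanity-checked offline before RT attempts a bind. The script below is an added example, not code from any poster or from RT itself; it parses values with ldap_explode_dn from Net::LDAP::Util. It assumes that 'user', 'base' and 'group' are the values the server parses as DNs, that 'group_attr' is a bare attribute name as its config comment says, and that the connection is only encrypted when 'tls' is set or 'server' is an ldaps:// URI.

```perl
#!/usr/bin/perl
# Added example: offline sanity check of ExternalAuth LDAP settings.
use strict;
use warnings;
use Net::LDAP::Util qw(ldap_explode_dn);

# Values copied from the configuration quoted in this thread.
my %cfg = (
    server     => 'dir1.library.ucsc.edu',
    user       => 'cn=admin,dc=ucsc,dc=edu',
    pass       => 'PASSWORD',
    base       => 'ou=people,dc=ucsc,dc=edu',
    tls        => 0,
    group      => 'staff',
    group_attr => 'ou=group,dc=ucsc,dc=edu',
);

sub check_settings {
    my (%c) = @_;
    my @findings;

    # Assumption: these keys reach the server as DNs
    # (bind DN, search base, group object).
    for my $key (qw(user base group)) {
        my $val = $c{$key};
        next unless defined $val && length $val;
        my $rdns = ldap_explode_dn($val);   # undef if not a valid DN
        push @findings, "$key: '$val' does not parse as a DN"
            unless $rdns && @$rdns;
    }

    # The config comment describes group_attr as an attribute of the
    # group object, so a DN-shaped value here is suspect.
    if (defined $c{group_attr}
        && $c{group_attr} !~ /^[A-Za-z][A-Za-z0-9-]*$/) {
        push @findings,
            "group_attr: '$c{group_attr}' is not a bare attribute name";
    }

    # A bind password without TLS or ldaps:// crosses the network in clear.
    my $encrypted = $c{tls} || ($c{server} // '') =~ m{^ldaps://}i;
    push @findings, "tls: bind password configured but connection not encrypted"
        if defined $c{pass} && length $c{pass} && !$encrypted;

    return @findings;
}

my @findings = check_settings(%cfg);
print @findings ? map { "$_\n" } @findings : "no findings\n";
```

A clean result only means the values are well-formed; whether the directory accepts the bind still has to be confirmed against the LDAP server's own logs.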