[rt-users] LDAP external auth
Tim Dunphy
bluethundr at jokefire.com
Tue Nov 8 18:55:51 EST 2011
hello list!
I am attempting to use ExternalAuth to have RT authenticate against an LDAP database.
Our RT users have a separate common name under our Group ou.
cn=RTUsers,ou=Groups,dc=example,dc=com
I have devised an LDAP query that successfully retrieves information that could be used to log into RT.
ldapsearch -x -p 389 -h ldap01.example.com -b dc=example,dc=com -D "uid=dunphy,ou=People,dc=example,dc=com" -w 'secret' "(&(objectClass=top)(|(cn=RTUsers)))" "uniqueMember"
I am a little new at LDAP but from what I can see above I am performing a 'simple' bind with my ldap account and searching for the RTUsers group with a filter.
This is an example of what it finds:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (&(objectClass=top)(|(cn=RTUsers)))
# requesting: uniqueMember
#
# RTUsers, Groups, example.com
dn: cn=RTUsers,ou=Groups,dc=example,dc=com
uniqueMember: uid=user1,ou=People,dc=example,dc=com
uniqueMember: uid=user2,ou=People,dc=example,dc=com
uniqueMember: uid=user3,ou=People,dc=example,dc=com
uniqueMember: uid=user4t,ou=People,dc=example,dc=com
...
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
In the ldap server logs everything is looking good at this point:
[08/Nov/2011:18:30:54 -0500] conn=1735740 op=1 msgId=2 - SRCH base="dc=example,dc=com" scope=2 filter="(uid=jvazquez)" attrs=ALL
[08/Nov/2011:18:30:54 -0500] conn=1735740 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[08/Nov/2011:18:30:54 -0500] conn=1735740 op=2 msgId=3 - UNBIND
However, as you might have guessed I'm having a little difficulty translating this success on the command line into an RT config. :)
This is what I have, currently, as my LDAP service:
# AN EXAMPLE LDAP SERVICE
'My_LDAP' => { ## GENERIC SECTION
    # The type of service (db/ldap/cookie)
    'type' => 'ldap',
    # The server hosting the service
    'server' => 'ldap01.example.com',
    ## SERVICE-SPECIFIC SECTION
    # If you can bind to your LDAP server anonymously you should
    # remove the user and pass config lines, otherwise specify them here:
    #
    # The username RT should use to connect to the LDAP server
    'user' => 'uid=myuser,ou=People,cn=example,cn=com',
    # The password RT should use to connect to the LDAP server
    'pass' => 'secret',
    #
    # The LDAP search base
    'base' => 'ou=Groups,dc=example,dc=com',
    #
    # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
    # YOU **MUST** SPECIFY A filter AND A d_filter!!
    #
    # The filter to use to match RT-Users
    'filter' => '"(&(objectClass=top)(|(cn=RTUsers))) uniqueMember"',
    # A catch-all example filter: '(objectClass=*)'
    #
    # The filter that will only match disabled users
    'd_filter' => '(objectClass=FooBarBaz)',
    # A catch-none example d_filter: '(objectClass=FooBarBaz)'
    #
    # Should we try to use TLS to encrypt connections?
    'tls' => 0,
    # SSL Version to provide to Net::SSLeay *if* using SSL
    'ssl_version' => 3,
    # What other args should I pass to Net::LDAP->new($host, at args)?
    'net_ldap_args' => [ version => 3 ],
    # Does authentication depend on group membership? What group name?
    'group' => 'RTUsers',
    # What is the attribute for the group object that determines membership?
    'group_attr' => 'cn',
    ## RT ATTRIBUTE MATCHING SECTION
    # The list of RT attributes that uniquely identify a user
    # This example shows what you *can* specify.. I recommend reducing this
    # to just the Name and EmailAddress to save encountering problems later.
    'attr_match_list' => [ 'Name',
                           'EmailAddress',
                         ],
    # The mapping of RT attributes on to LDAP attributes
    'attr_map' => { 'Name' => 'uid',
                    'EmailAddress' => 'mail',
                  }
},
But for some reason (which I am still trying to determine), when I attempt to log in from the RT interface, this is what results in the LDAP logs:
[08/Nov/2011:18:36:04 -0500] conn=1735759 op=0 msgId=1 - BIND dn="uid=myuser,ou=People,cn=example,cn=com" method=128 version=3
[08/Nov/2011:18:36:04 -0500] conn=1735759 op=0 msgId=1 - RESULT err=32 tag=97 nentries=0 etime=0
[08/Nov/2011:18:36:04 -0500] conn=1735759 op=1 msgId=0 - RESULT err=80 tag=120 nentries=0 etime=0
Now error 32 is what constitutes a 'no such object' error. And error 80 indicates a password error. My theory is that because the object is not found password authentication is failing. I was hoping that someone with a knowledge of LDAP may be willing to assist.
Thank you and best regards,
tim
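Added example, not from Tim's post or from RT's ExternalAuth code: a small Python sanity check of the quoted config values, assuming RT hands them to Net::LDAP unchanged. It compares the bind DN and search base against the base the ldapsearch above succeeded with, and checks that each filter is a single parenthesised expression; run on the values in this post it reports the 'user' DN (its suffix is cn=example,cn=com rather than dc=example,dc=com) and the 'filter' value.

```python
import re

# Constructed sample: the values quoted in the post above (assumption: RT passes them to Net::LDAP unchanged).
CONFIG = {
    "user": "uid=myuser,ou=People,cn=example,cn=com",
    "base": "ou=Groups,dc=example,dc=com",
    "filter": '"(&(objectClass=top)(|(cn=RTUsers))) uniqueMember"',
    "d_filter": "(objectClass=FooBarBaz)",
}
WORKING_BASE = "dc=example,dc=com"  # the base the ldapsearch succeeded with
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")

def parse_dn(dn):
    """Split a DN into (type, value) pairs, lower-casing the attribute type.
    Simplified: no escaped commas or multi-valued RDNs (enough for these DNs)."""
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not RDN_RE.match(part):
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.lower(), value))
    return rdns

def is_bare_filter(value):
    """True if value is one parenthesised RFC 4515 expression and nothing
    else: no surrounding quotes, no second group, no trailing attribute list."""
    if not (value.startswith("(") and value.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(value):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0 and i != len(value) - 1:
                return False  # outer group closed before the end of the string
    return depth == 0

def check_config(cfg, working_base):
    """Return a list of findings (empty when both checks pass)."""
    findings = []
    root = parse_dn(working_base)
    for key in ("user", "base"):  # bind DN and search base must sit under the known root
        if parse_dn(cfg[key])[-len(root):] != root:
            findings.append(f"{key}: {cfg[key]!r} is not under {working_base!r}")
    for key in ("filter", "d_filter"):
        if not is_bare_filter(cfg[key]):
            findings.append(f"{key}: not a single parenthesised LDAP filter: {cfg[key]!r}")
    return findings
```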