[rt-users] LDAP external auth

Joachim Thuau Joachim.Thuau at spacex.com
Tue Nov 8 19:26:03 EST 2011

On 11/8/11 3:55 PM, "Tim Dunphy" <bluethundr at jokefire.com> wrote:

>   I have devised an LDAP query that successfully retrieves information
>that could be used to log into RT.
>   ldapsearch -x -p 389 -h ldap01.example.com -b dc=example,dc=com -D
>"uid=dunphy,ou=People,dc=example,dc=com" -w 'secret'
>"(&(objectClass=top)(|(cn=RTUsers)))" "uniqueMember"

> This is an example of what it finds:
> # extended LDIF
># LDAPv3
># base <dc=example,dc=com> with scope subtree
># filter: (&(objectClass=top)(|(cn=RTUsers)))
># requesting: uniqueMember
># RTUsers, Groups, example.com
>dn: cn=RTUsers,ou=Groups,dc=example,dc=com
>uniqueMember: uid=user1,ou=People,dc=example,dc=com
>uniqueMember: uid=user2,ou=People,dc=example,dc=com
>uniqueMember: uid=user3,ou=People,dc=example,dc=com
>uniqueMember: uid=user4t,ou=People,dc=example,dc=com
># search result
>search: 2
>result: 0 Success
># numResponses: 2
># numEntries: 1

So your query is returning a single object (numEntries: 1) that references
all the objects you want to use (you get a single group object).

With that in mind, you need to craft your query to return user objects.
You should look at the properties of
"uid=user1,ou=People,dc=example,dc=com" and use those to identify how to
filter your users. (I expect that there might be some entries in there to
reference the group the user is a member of, and you should build your
filter on that, and drop the "cn=RTUsers" in your filter, that is almost
certainly not what you want)

I hope this puts you in the right direction...

More information about the rt-users mailing list