[rt-users] [SOLVED] Problem configuring AD integration

Bruno Martins bmartins at galileu.pt
Sat Feb 4 17:21:07 EST 2012


From: rt-users-bounces at lists.bestpractical.com [rt-users-bounces at lists.bestpractical.com] on behalf of Kevin Falcone [falcone at bestpractical.com]
Sent: Thursday, February 02, 2012 5:15 PM
To: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] Problem configuring AD integration

On Thu, Feb 02, 2012 at 04:21:48PM +0000, Bruno Martins wrote:
> Can't call method "as_string" on an undefined value at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm line 304.
>
> I've followed instructions at http://requesttracker.wikia.com/wiki/ExternalAuth to set this up.

I suggest the docs in the config and with the module over anything on
the wiki.

> Set($ExternalAuthPriority,  [   'My_LDAP',
>                                 'My_MySQL',
>                                 'My_SSO_Cookie'
>                             ]
> );
>
> Set($ExternalInfoPriority,  [   'My_MySQL',
>                                 'My_LDAP'
>                             ]
> );

Why do you have all of these turned on? You've only configured
My_LDAP. Telling RT to look into a misconfigured My_MySQL will only
cause other errors.

The config as shipped is an example and you should remove the pieces
you aren't using.

>                                 'My_LDAP'       =>  {   ## GENERIC SECTION
>                                                         # The type of service (db/ldap/cookie)
>                                                         'type'                      =>  'ldap',
>                                                         # The server hosting the service
>                                                         'server'                    =>  'jupiter.galileu-f.galileu.pt',
>                                                         ## SERVICE-SPECIFIC SECTION
>                                                         # If you can bind to your LDAP server anonymously you should
>                                                         # remove the user and pass config lines, otherwise specify them here:
>                                                         #
>                                                         # The username RT should use to connect to the LDAP server
>                                                         'user'                      =>  'ldap_domainadmin',
>                                                         # The password RT should use to connect to the LDAP server
>                                                         'pass'                    =>  'ldap_password',
>                                                         #
>                                                         # The LDAP search base
>                                                         'base'                      =>  'dc=galileu-f,dc=galileu,dc=pt',
>                                                         #
>                                                         # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!

See this doc ^

>                                                         # YOU **MUST** SPECIFY A filter AND A d_filter!!
>                                                         #
>                                                         # The filter to use to match RT-Users
>                                                         'filter'                    =>  'objectClass=*',

You're missing parens on this filter which I believe is causing your
problem.

>                                                         # A catch-all example filter: '(objectClass=*)'
>                                                         #
>                                                         # The filter that will only match disabled users
>                                                         'd_filter'                  =>  'UserAccountControl:1.2.840.113556.1.4.803:=2',
>                                                         # A catch-none example d_filter: '(objectClass=FooBarBaz)'
>                                                         #
>                                                         # Should we try to use TLS to encrypt connections?
>                                                         'tls'                       =>  0,
>                                                         # SSL Version to provide to Net::SSLeay *if* using SSL
>                                                         'ssl_version'               =>  3,
>                                                         # What other args should I pass to Net::LDAP->new($host, @args)?
>                                                         'net_ldap_args'             => [    version =>  3 , port => 3268  ],
>                                                         # Does authentication depend on group membership? What group name?
>                                                         #'group'                     =>  'GROUP_NAME',
>                                                         # What is the attribute for the group object that determines membership?
>                                                         #'group_attr'                =>  'GROUP_ATTR',
>                                                         ## RT ATTRIBUTE MATCHING SECTION
>                                                         # The list of RT attributes that uniquely identify a user
>                                                         # This example shows what you *can* specify.. I recommend reducing this
>                                                         # to just the Name and EmailAddress to save encountering problems later.
>                                                         'attr_match_list'           => [    'Name',
>                                                                                             'EmailAddress',
>                                                                                             'RealName',
>                                                                                             'WorkPhone',
>                                                                                             'Address2'
>                                                                                         ],

You also want to read the doc above attr_match_list.  As configured, you
cannot have two Bob Smiths in your RT.

-kevin

>                                                         # The mapping of RT attributes on to LDAP attributes
>                                                         'attr_map'                  =>  {   'Name' => 'sAMAccountName',
>                                                                                             'EmailAddress' => 'mail',
>                                                                                             'Organization' => 'physicalDeliveryOfficeName',
>                                                                                             'RealName' => 'cn',
>                                                                                             'ExternalAuthId' => 'sAMAccountName',
>                                                                                             'Gecos' => 'sAMAccountName',
>                                                                                             'WorkPhone' => 'telephoneNumber',
>                                                                                             'Address1' => 'streetAddress',
>                                                                                             'City' => 'l',
>                                                                                             'State' => 'st',
>                                                                                             'Zip' => 'postalCode',
>                                                                                             'Country' => 'co'
>                                                                                         }
>                                                     },

Good night,

After some struggles, it's working now. Here's the configuration that worked:

joe at debian:~$ su -c 'cat /opt/rt4/etc/RT_SiteConfig.pm'
Password: 
# Any configuration directives you include  here will override 
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
#   perl -c /path/to/your/etc/RT_SiteConfig.pm
#
# You must restart your webserver after making changes to this file.


# You must install Plugins on your own, this is only an example
# of the correct syntax to use when activating them.
# There should only be one @Plugins declaration in your config file.
#Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail)));

Set( $DatabaseUser, 'rt_user' );
Set( $CorrespondAddress, '' );
Set( $rtname, 'galileu.pt' );
Set( $DatabaseRequireSSL, '' );
Set( $WebPort, '8080' );
Set( $Organization, 'galileu.pt' );
Set( $DatabaseType, 'mysql' );
Set( $DatabasePort, '' );
Set( $DatabasePassword, 'Pa$$w0rd' );
Set( $DatabaseAdmin, 'root' );
Set( $SendmailPath, '/usr/sbin/sendmail' );
Set( $WebDomain, 'debian' );
Set( $DatabaseAdminPassword, 'Pa$$w0rd' );
Set( $CommentAddress, '' );
Set( $DatabaseHost, 'localhost' );
Set( $DatabaseName, 'rt4' );
Set( $OwnerEmail, 'root@localhost' );
Set( @Plugins, qw(RT::Authen::ExternalAuth) );

### Configuration for Active Directory ###

# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority,  [   'My_LDAP'   ]
);

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled. 
#
# Once user info is found, no more services are checked.
#
# You CANNOT use a SSO cookie for authentication.
Set($ExternalInfoPriority,  [   'My_LDAP'   ]
);

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS,    0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers,    0);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g. 
#   Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
#
Set($ExternalSettings,      {  
                                'My_LDAP'       =>  {   ## GENERIC SECTION
                                                        # The type of service (db/ldap/cookie) 
                                                        'type'                      =>  'ldap',
                                                        # The server hosting the service
                                                        'server'                    =>  'jupiter.galileu-f.galileu.pt',
                                                        ## SERVICE-SPECIFIC SECTION
                                                        # If you can bind to your LDAP server anonymously you should 
                                                        # remove the user and pass config lines, otherwise specify them here:
                                                        # 
                                                        # The username RT should use to connect to the LDAP server 
                                                        'user'                      =>  'ghelpdesk',
                                                        # The password RT should use to connect to the LDAP server
                                                        'pass'                    =>  'N3s9uik34',
                                                        #
                                                        # The LDAP search base
                                                        'base'                      =>  'dc=galileu-f,dc=galileu,dc=pt',
                                                        #
                                                        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
                                                        # YOU **MUST** SPECIFY A filter AND A d_filter!!
                                                        #
                                                        # The filter to use to match RT-Users
                                                        'filter'                    =>  '(objectClass=*)',
                                                        # A catch-all example filter: '(objectClass=*)'
                                                        #
                                                        # The filter that will only match disabled users
                                                        'd_filter'                  =>  '(objectClass=FooBarBaz)',
                                                        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
                                                        #
                                                        # Should we try to use TLS to encrypt connections?
                                                        'tls'                       =>  0,
                                                        # SSL Version to provide to Net::SSLeay *if* using SSL
                                                        'ssl_version'               =>  3,
                                                        # What other args should I pass to Net::LDAP->new($host, @args)?
                                                        'net_ldap_args'             => [    version =>  3 , port => 3268  ],
                                                        # Does authentication depend on group membership? What group name?
                                                        #'group'                     =>  'GROUP_NAME',
                                                        # What is the attribute for the group object that determines membership?
                                                        #'group_attr'                =>  'GROUP_ATTR',
                                                        ## RT ATTRIBUTE MATCHING SECTION
                                                        # The list of RT attributes that uniquely identify a user
                                                        # This example shows what you *can* specify.. I recommend reducing this
                                                        # to just the Name and EmailAddress to save encountering problems later.
                                                        'attr_match_list'           => [    'Name',
                                                                                            'EmailAddress', 
                                                                                            'RealName',
                                                                                            'WorkPhone', 
                                                                                            'Address2'
                                                                                        ],
                                                        # The mapping of RT attributes on to LDAP attributes
                                                        'attr_map'                  =>  {   'Name' => 'sAMAccountName',
                                                                                            'EmailAddress' => 'mail',
                                                                                            'Organization' => 'physicalDeliveryOfficeName',
                                                                                            'RealName' => 'cn',
                                                                                            'ExternalAuthId' => 'sAMAccountName',
                                                                                            'Gecos' => 'sAMAccountName',
                                                                                            'WorkPhone' => 'telephoneNumber',
                                                                                            'Address1' => 'streetAddress',
                                                                                            'City' => 'l',
                                                                                            'State' => 'st',
                                                                                            'Zip' => 'postalCode',
                                                                                            'Country' => 'co'
                                                                                        }
                                                    },
                                }
);

1;

Hope this helps anyone in the world.

Thanks for your help. RT community support seems awesome.

Best regards,

Bruno Martins
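An added example, not from the thread or from RT-Authen-ExternalAuth itself: a small Python linter that applies the checks Kevin raised (services listed in a priority list but never defined, filters without enclosing parentheses, attr_match_list entries that are not in attr_map or that are not unique per user, and a bind password sent with tls off) to dicts that mirror the broken and the working Perl hashes above. Server, base and credentials are constructed placeholders; the set of attributes treated as unique is an assumption.

```python
# Added example (not from the thread): lint an ExternalAuth-style config.
UNIQUE_ATTRS = {'Name', 'EmailAddress', 'ExternalAuthId'}  # assumption: the only per-user unique RT fields

def ldap_service(filter_, d_filter, match_list, tls=0):
    """Build one LDAP service entry; server, base and credentials are constructed placeholders."""
    return {
        'type': 'ldap', 'server': 'dc.example.invalid',
        'user': 'bind_user', 'pass': 'PLACEHOLDER', 'base': 'dc=example,dc=invalid',
        'filter': filter_, 'd_filter': d_filter, 'tls': tls,
        'attr_match_list': match_list,
        'attr_map': {'Name': 'sAMAccountName', 'EmailAddress': 'mail',
                     'RealName': 'cn', 'WorkPhone': 'telephoneNumber'},
    }

# Mirrors the first config in the thread: bare filters, unused services, wide match list.
BROKEN = {
    'auth': ['My_LDAP', 'My_MySQL', 'My_SSO_Cookie'], 'info': ['My_MySQL', 'My_LDAP'],
    'settings': {'My_LDAP': ldap_service(
        'objectClass=*', 'UserAccountControl:1.2.840.113556.1.4.803:=2',
        ['Name', 'EmailAddress', 'RealName', 'WorkPhone', 'Address2'])},
}
# Mirrors the working config, with the match list trimmed as Kevin recommends.
FIXED = {
    'auth': ['My_LDAP'], 'info': ['My_LDAP'],
    'settings': {'My_LDAP': ldap_service(
        '(objectClass=*)', '(objectClass=FooBarBaz)', ['Name', 'EmailAddress'])},
}

def lint(cfg):
    """Return [(severity, message)] findings for one configuration."""
    out = []
    for svc in dict.fromkeys(cfg['auth'] + cfg['info']):  # de-duplicate, keep order
        if svc not in cfg['settings']:
            out.append(('error', f'{svc}: in a priority list but not in ExternalSettings'))
    for name, svc in cfg['settings'].items():
        if svc.get('type') != 'ldap':
            continue
        for key in ('filter', 'd_filter'):
            val = svc.get(key)
            if val is None:
                out.append(('error', f'{name}: {key} is required'))
            elif not (val.startswith('(') and val.endswith(')')):
                out.append(('error', f'{name}: {key} must be wrapped in parentheses: {val!r}'))
        amap = svc.get('attr_map', {})
        for attr in svc.get('attr_match_list', []):
            if attr not in amap:
                out.append(('error', f'{name}: {attr} in attr_match_list has no attr_map entry'))
            elif attr not in UNIQUE_ATTRS:
                out.append(('warn', f'{name}: matching on {attr} rejects two users who share it'))
        if 'pass' in svc and not svc.get('tls'):
            out.append(('warn', f'{name}: bind password would be sent without TLS'))
    return out

def errors(cfg):
    """Only the findings that would stop authentication from working."""
    return [msg for sev, msg in lint(cfg) if sev == 'error']
```

Running lint(BROKEN) reports the two undefined services, both unparenthesised filters and the unmapped Address2 as errors; lint(FIXED) leaves only the cleartext-bind warning.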

