[rt-users] [SOLVED] Problem configuring AD integration
Bruno Martins
bmartins at galileu.pt
Sat Feb 4 17:21:07 EST 2012
From: rt-users-bounces at lists.bestpractical.com [rt-users-bounces at lists.bestpractical.com] on behalf of Kevin Falcone [falcone at bestpractical.com]
Sent: Thursday, February 02, 2012 5:15 PM
To: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] Problem configuring AD integration
On Thu, Feb 02, 2012 at 04:21:48PM +0000, Bruno Martins wrote:
> Can't call method "as_string" on an undefined value at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm line 304.
>
> I've followed instructions at http://requesttracker.wikia.com/wiki/ExternalAuth to set this up.
I suggest the docs in the config and with the module over anything on
the wiki.
> Set($ExternalAuthPriority, [ 'My_LDAP',
> 'My_MySQL',
> 'My_SSO_Cookie'
> ]
> );
>
> Set($ExternalInfoPriority, [ 'My_MySQL',
> 'My_LDAP'
> ]
> );
Why do you have all of these turned on? You've only configured
My_LDAP. Telling RT to look into a misconfigured My_MySQL will only
cause other errors.
The config as shipped is an example and you should remove the pieces
you aren't using.
> 'My_LDAP' => { ## GENERIC SECTION
> # The type of service (db/ldap/cookie)
> 'type' => 'ldap',
> # The server hosting the service
> 'server' => 'jupiter.galileu-f.galileu.pt',
> ## SERVICE-SPECIFIC SECTION
> # If you can bind to your LDAP server anonymously you should
> # remove the user and pass config lines, otherwise specify them here:
> #
> # The username RT should use to connect to the LDAP server
> 'user' => 'ldap_domainadmin',
> # The password RT should use to connect to the LDAP server
> 'pass' => 'ldap_password',
> #
> # The LDAP search base
> 'base' => 'dc=galileu-f,dc=galileu,dc=pt',
> #
> # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
See this doc ^
> # YOU **MUST** SPECIFY A filter AND A d_filter!!
> #
> # The filter to use to match RT-Users
> 'filter' => 'objectClass=*',
You're missing parens on this filter which I believe is causing your
problem.
> # A catch-all example filter: '(objectClass=*)'
> #
> # The filter that will only match disabled users
> 'd_filter' => 'UserAccountControl:1.2.840.113556.1.4.803:=2',
> # A catch-none example d_filter: '(objectClass=FooBarBaz)'
> #
> # Should we try to use TLS to encrypt connections?
> 'tls' => 0,
> # SSL Version to provide to Net::SSLeay *if* using SSL
> 'ssl_version' => 3,
> # What other args should I pass to Net::LDAP->new($host, at args)?
> 'net_ldap_args' => [ version => 3 , port => 3268 ],
> # Does authentication depend on group membership? What group name?
> #'group' => 'GROUP_NAME',
> # What is the attribute for the group object that determines membership?
> #'group_attr' => 'GROUP_ATTR',
> ## RT ATTRIBUTE MATCHING SECTION
> # The list of RT attributes that uniquely identify a user
> # This example shows what you *can* specify.. I recommend reducing this
> # to just the Name and EmailAddress to save encountering problems later.
> 'attr_match_list' => [ 'Name',
> 'EmailAddress',
> 'RealName',
> 'WorkPhone',
> 'Address2'
> ],
You also want to read the doc above attr_match_list. As configured, you
cannot have two Bob Smiths in your RT.
-kevin
> # The mapping of RT attributes on to LDAP attributes
> 'attr_map' => { 'Name' => 'sAMAccountName',
> 'EmailAddress' => 'mail',
> 'Organization' => 'physicalDeliveryOfficeName',
> 'RealName' => 'cn',
> 'ExternalAuthId' => 'sAMAccountName',
> 'Gecos' => 'sAMAccountName',
> 'WorkPhone' => 'telephoneNumber',
> 'Address1' => 'streetAddress',
> 'City' => 'l',
> 'State' => 'st',
> 'Zip' => 'postalCode',
> 'Country' => 'co'
> }
> },
Good night,
After some struggles, it's working now. Here's the configuration that worked:
joe at debian:~$ su -c 'cat /opt/rt4/etc/RT_SiteConfig.pm'
Password:
# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this comamnd:
#
# perl -c /path/to/your/etc/RT_SiteConfig.pm
#
# You must restart your webserver after making changes to this file.
# You must install Plugins on your own, this is only an example
# of the correct syntax to use when activating them.
# There should only be one @Plugins declaration in your config file.
#Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail)));
Set( $DatabaseUser, 'rt_user' );
Set( $CorrespondAddress, '' );
Set( $rtname, 'galileu.pt' );
Set( $DatabaseRequireSSL, '' );
Set( $WebPort, '8080' );
Set( $Organization, 'galileu.pt' );
Set( $DatabaseType, 'mysql' );
Set( $DatabasePort, '' );
Set( $DatabasePassword, 'Pa$$w0rd' );
Set( $DatabaseAdmin, 'root' );
Set( $SendmailPath, '/usr/sbin/sendmail' );
Set( $WebDomain, 'debian' );
Set( $DatabaseAdminPassword, 'Pa$$w0rd' );
Set( $CommentAddress, '' );
Set( $DatabaseHost, 'localhost' );
Set( $DatabaseName, 'rt4' );
Set( $OwnerEmail, 'root at localhost' );
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
### Configuration for Active Directory ###
# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority, [ 'My_LDAP' ]
);
# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
#
# Once user info is found, no more services are checked.
#
# You CANNOT use a SSO cookie for authentication.
Set($ExternalInfoPriority, [ 'My_LDAP' ]
);
# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS, 0);
# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 0);
# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
# Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
#
Set($ExternalSettings, {
'My_LDAP' => { ## GENERIC SECTION
# The type of service (db/ldap/cookie)
'type' => 'ldap',
# The server hosting the service
'server' => 'jupiter.galileu-f.galileu.pt',
## SERVICE-SPECIFIC SECTION
# If you can bind to your LDAP server anonymously you should
# remove the user and pass config lines, otherwise specify them here:
#
# The username RT should use to connect to the LDAP server
'user' => 'ghelpdesk',
# The password RT should use to connect to the LDAP server
'pass' => 'N3s9uik34',
#
# The LDAP search base
'base' => 'dc=galileu-f,dc=galileu,dc=pt',
#
# ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
# YOU **MUST** SPECIFY A filter AND A d_filter!!
#
# The filter to use to match RT-Users
'filter' => '(objectClass=*)',
# A catch-all example filter: '(objectClass=*)'
#
# The filter that will only match disabled users
'd_filter' => '(objectClass=FooBarBaz)',
# A catch-none example d_filter: '(objectClass=FooBarBaz)'
#
# Should we try to use TLS to encrypt connections?
'tls' => 0,
# SSL Version to provide to Net::SSLeay *if* using SSL
'ssl_version' => 3,
# What other args should I pass to Net::LDAP->new($host, at args)?
'net_ldap_args' => [ version => 3 , port => 3268 ],
# Does authentication depend on group membership? What group name?
#'group' => 'GROUP_NAME',
# What is the attribute for the group object that determines membership?
#'group_attr' => 'GROUP_ATTR',
## RT ATTRIBUTE MATCHING SECTION
# The list of RT attributes that uniquely identify a user
# This example shows what you *can* specify.. I recommend reducing this
# to just the Name and EmailAddress to save encountering problems later.
'attr_match_list' => [ 'Name',
'EmailAddress',
'RealName',
'WorkPhone',
'Address2'
],
# The mapping of RT attributes on to LDAP attributes
'attr_map' => { 'Name' => 'sAMAccountName',
'EmailAddress' => 'mail',
'Organization' => 'physicalDeliveryOfficeName',
'RealName' => 'cn',
'ExternalAuthId' => 'sAMAccountName',
'Gecos' => 'sAMAccountName',
'WorkPhone' => 'telephoneNumber',
'Address1' => 'streetAddress',
'City' => 'l',
'State' => 'st',
'Zip' => 'postalCode',
'Country' => 'co'
}
},
}
);
1;
Hope this helps anyone in the world.
Thanks for your help. RT community support seems awesome.
Best regards,
Bruno Martins
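The three things Kevin's reply flagged (filters not wrapped in parentheses, priority lists naming services that were never configured, and an attr_match_list containing attributes that are not unique per user) can all be caught before restarting the web server. The checker below is an added example, not code from this thread or from RT::Authen::ExternalAuth; it assumes that only Name and EmailAddress are safe uniqueness keys (Kevin's recommendation), and its filter grammar is a subset of RFC 4515 that covers the and/or/not forms and the AD extensible match used for the disabled-user filter.

```python
import re
UNIQUE_ATTRS = {"Name", "EmailAddress"}   # safe for attr_match_list; RealName etc. are not
# Leaf assertion attr[:rule]:?=value; covers objectClass=* and AD's extensible
# match UserAccountControl:1.2.840.113556.1.4.803:=2 used for disabled accounts.
_ITEM = re.compile(r"^[A-Za-z][\w.;-]*(:[\w.]+)*[~<>:]?=[^()]*$")

def _parse(s, pos):  # parse one "(...)" filter at s[pos]; return index after it or raise
    if s[pos:pos + 1] != "(": raise ValueError("expected '(' at %d in %r" % (pos, s))
    pos += 1
    if s[pos:pos + 1] in ("&", "|"):      # and/or: any number of subfilters
        pos += 1
        while s[pos:pos + 1] == "(":
            pos = _parse(s, pos)
    elif s[pos:pos + 1] == "!":           # not: exactly one subfilter
        pos = _parse(s, pos + 1)
    else:                                 # leaf assertion up to the next ')'
        end = s.find(")", pos)
        if end < 0 or not _ITEM.match(s[pos:end]):
            raise ValueError("bad assertion in %r" % s)
        pos = end
    if s[pos:pos + 1] != ")": raise ValueError("expected ')' at %d in %r" % (pos, s))
    return pos + 1

def is_valid_filter(s):  # True only for a fully parenthesised, well-formed filter
    try:
        return _parse(s, 0) == len(s)
    except ValueError:
        return False

def validate(cfg):  # return the problems found in an ExternalAuth-style config dict
    problems, services = [], cfg["ExternalSettings"]
    for key in ("ExternalAuthPriority", "ExternalInfoPriority"):
        problems += ["%s names unconfigured service %r" % (key, n)
                     for n in cfg.get(key, []) if n not in services]
    for name, svc in services.items():
        problems += ["%s: %s must be a parenthesised LDAP filter" % (name, k)
                     for k in ("filter", "d_filter") if not is_valid_filter(svc.get(k, ""))]
        problems += ["%s: %r in attr_match_list is not unique per user" % (name, a)
                     for a in svc.get("attr_match_list", []) if a not in UNIQUE_ATTRS]
    return problems

# Constructed from the thread: the original post's values, then the working
# config with attr_match_list trimmed as Kevin recommended (credentials omitted).
BROKEN = {"ExternalAuthPriority": ["My_LDAP", "My_MySQL", "My_SSO_Cookie"],
          "ExternalSettings": {"My_LDAP": {"filter": "objectClass=*",
              "d_filter": "UserAccountControl:1.2.840.113556.1.4.803:=2",
              "attr_match_list": ["Name", "EmailAddress", "RealName", "WorkPhone", "Address2"]}}}
FIXED = {"ExternalAuthPriority": ["My_LDAP"], "ExternalInfoPriority": ["My_LDAP"],
         "ExternalSettings": {"My_LDAP": {"filter": "(objectClass=*)",
             "d_filter": "(objectClass=FooBarBaz)", "attr_match_list": ["Name", "EmailAddress"]}}}
```

Running `validate(BROKEN)` reports seven problems (two unconfigured services, both bare filters, three non-unique match attributes), while `validate(FIXED)` returns an empty list.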