[rt-users] RT4/ExternalAuth/AD issues:
Duncan Carter
duncan.carter at trustonic.com
Thu May 16 11:37:03 EDT 2013
Hello,
I've been staring at this for hours now and I'm not getting anywhere.
CentOS 5.9, RT 4.0.10, RT-Authen-ExternalAuth 0.13
RT is installed and I can connect to it from a browser and log in as root, but when I try to log in as a domain user it says my password is wrong.
I've got logging enabled (as best I can find out how to...), but I can't see any LDAP messages, just failed logins.
RT_SiteConfig.pm:
# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
# perl -c /path/to/your/etc/RT_SiteConfig.pm
#
# You must restart your webserver after making changes to this file.
# You must install Plugins on your own, this is only an example
# of the correct syntax to use when activating them.
# There should only be one @Plugins declaration in your config file.
#Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail RT::Authen::ExternalAuth)));
Set($LogToFile, 'debug');
Set($LogDir, '/var/log/rt');
Set( $CommentAddress, 'rt-comment@domain.com' );
Set( $CorrespondAddress, 'rt-correspond@domain.com' );
Set( $DatabaseHost, 'localhost' );
Set( $DatabaseName, 'rt4' );
Set( $DatabasePassword, 'password' );
Set( $DatabasePort, '' );
Set( $DatabaseRequireSSL, '' );
Set( $DatabaseType, 'mysql' );
Set( $DatabaseUser, 'rt_user' );
Set( $Organization, 'domain.com' );
Set( $OwnerEmail, 'it-support@domain.com' );
Set( $SendmailPath, '/usr/sbin/sendmail' );
Set( $WebDomain, '10.x.x.x' );
Set( $WebPort, '80' );
Set( $rtname, 'domain.com' );
#ExtAuth:
Set($ExternalAuthPriority, [ 'My_LDAP' ]);
Set($ExternalInfoPriority, [ 'My_LDAP' ]);
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 1);
Set($ExternalSettings, { # AN EXAMPLE LDAP SERVICE
    'My_LDAP' => { ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        # The server hosting the service
        'server' => 'ad01.domain.local',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user' => 'ad-rt-user',
        # The password RT should use to connect to the LDAP server
        'pass' => 'password',
        #
        # The LDAP search base
        'base' => 'ou=OrgUnit,dc=domain,dc=local',
        #
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        #
        # The filter to use to match RT-Users
        'filter' => '(sAMAccountType=805306368)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter' => '(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2))',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host, @args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'RTusers',
        # What is the scope of the group search? (base, one, sub)
        # Optional; defaults to 'base', which is good enough for most cases. 'sub' is appropriate when you have nested groups
        'group_scope' => 'base',
        # What is the attribute for the group object that determines membership?
        'group_attr' => 'member',
        # What is the attribute of the user entry that should be matched against group_attr above? (Optional; defaults to 'dn')
        #'group_attr_value' => 'GROUP_ATTR_VALUE',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name' => 'sAMAccountName',
                        'EmailAddress' => 'mail',
                        'RealName' => 'cn',
                        'ExternalAuthId' => 'sAMAccountName',
                        'Gecos' => 'sAMAccountName'
                      }
    },
}
);
1;
Can someone please point me in the right direction, whether it's more detailed documentation on how to configure AD authentication, or hints as to where I may be going wrong?
Many thanks in advance,
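One detail worth checking in the config above: the only @Plugins line is commented out, and RT 4.0 loads RT::Authen::ExternalAuth only when it is listed there, so without it the $External* settings are never read, which fits seeing failed logins but no LDAP messages. The script below is an added example, not code from RT or the extension: it compiles an RT_SiteConfig.pm offline, records every Set() call, and reports the mistakes that keep this kind of AD setup from working (plugin not enabled, priority lists naming undefined services, unparenthesised filters, attr_match_list entries missing from attr_map, and 'group' given as a bare name although the extension uses it as the DN to search under). The default path /opt/rt4/etc/RT_SiteConfig.pm is an assumption; pass the real file as the first argument.

```perl
#!/usr/bin/perl
# Offline lint for an RT 4.0 site config using RT::Authen::ExternalAuth (added example, not RT's code; default path is a placeholder)
use strict;
use warnings;
my %cfg;    # option name => array ref of the values handed to Set()
sub Set { my ( $name, @vals ) = @_; $cfg{$name} = \@vals; }
# Compile the config as Perl after rewriting Set($Name, ...) into Set('Name', ...), so our Set() sees the option name
sub load_config {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot read $path: $!";
    my $src = do { local $/; <$fh> };
    $src =~ s/\bSet\s*\(\s*[\$\@%](\w+)\s*,/Set('$1',/g;
    eval "no strict; no warnings; $src\n1;" or die "$path does not compile: $@";
    return \%cfg;
}
# Return the list of problems that would stop external authentication from working at all.
sub check_config {
    my ($cfg) = @_;
    my @problems;
    push @problems, 'RT::Authen::ExternalAuth is not in @Plugins: RT 4.0 never loads it, so every $External* setting is ignored'
      unless grep { $_ eq 'RT::Authen::ExternalAuth' } @{ $cfg->{Plugins} || [] };
    my $services = $cfg->{ExternalSettings}[0] || {};
    for my $list (qw(ExternalAuthPriority ExternalInfoPriority)) {
        for my $svc ( @{ $cfg->{$list}[0] || [] } ) {
            push @problems, "$list names '$svc', which \$ExternalSettings does not define"
              unless $services->{$svc};
        }
    }
    for my $name ( sort keys %$services ) {
        my $s = $services->{$name};
        next unless ( $s->{type} || '' ) eq 'ldap';
        for my $f (qw(filter d_filter)) {    # both are required and both must be wrapped in (...)
            push @problems, "$name: '$f' is missing or not a parenthesised LDAP filter"
              unless defined $s->{$f} && $s->{$f} =~ /^\(.*\)\z/s;
        }
        for my $attr ( @{ $s->{attr_match_list} || [] } ) {
            push @problems, "$name: attr_match_list entry '$attr' has no attr_map mapping"
              unless exists $s->{attr_map}{$attr};
        }
        # The extension searches with 'group' as the LDAP base, so a bare CN like 'RTusers' never matches
        push @problems, "$name: 'group' must be the group's full DN, not a bare name"
          if defined $s->{group} && $s->{group} !~ /=/;
    }
    return @problems;
}
my @problems = check_config( load_config( $ARGV[0] || '/opt/rt4/etc/RT_SiteConfig.pm' ) );
print "PROBLEM: $_\n" for @problems;
exit( @problems ? 1 : 0 );
```

Run it as `perl check_siteconfig.pl /path/to/RT_SiteConfig.pm`; a non-zero exit means at least one problem was printed.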