[rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

Jeff Solberg jsolberg at intrepidls.com
Thu Oct 17 16:50:29 EDT 2013


You shouldn’t need to preface the domain in your username string. Also, to enter an OU with 2 words, just enter it as “OU=Special Accounts”.

To verify the CN name for your Bind account in AD, do a find/search on your bind user account, right-click on the object and select Properties. Choose the Attribute Editor tab and scroll down to “distinguishedName”. This will give you the exact name.

Jeff
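The advice above amounts to: bind with the account's full distinguishedName, not DOMAIN\user, and an OU whose name contains a space needs no special quoting inside a DN. The following is an added example (not code from the thread or from RT-Authen-ExternalAuth) that turns an Active Directory canonical name of the form Mathew was given ("example.com/Special Accounts") into the DN form the 'user' setting expects, applying RFC 4514 escaping, and classifies an identity string so a DOMAIN\user or user@domain value is caught before it is used as a bind DN. It assumes that intermediate containers are OUs except for AD's default CN containers (Users, Computers, Builtin, ForeignSecurityPrincipals) and that the leaf object is a CN.

```python
"""Build an LDAP bind DN from an Active Directory canonical name.

Added example, not from the rt-users thread. AD displays object locations as
canonical names ("example.com/Special Accounts/rtuser"); the bind DN that an
LDAP client such as Net::LDAP expects lists the same components leaf-first
with RFC 4514 attribute types ("CN=rtuser,OU=Special Accounts,DC=example,DC=com").
"""
import re

# Assumption: these default AD containers are CN objects, everything else
# between the domain and the leaf is treated as an OU.
CN_CONTAINERS = {"users", "computers", "builtin", "foreignsecurityprincipals"}

# RFC 4514 section 2.4: characters that must always be escaped in an RDN value.
_ESCAPE_CHARS = {",", "+", '"', "\\", "<", ">", ";"}


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514).

    An embedded space, as in "Special Accounts", needs no escaping; only a
    leading or trailing space, a leading '#', NUL and the special characters do.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _ESCAPE_CHARS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "\0":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def canonical_to_dn(canonical: str) -> str:
    """Convert "domain.tld/Container/.../Leaf" to "CN=Leaf,OU=...,DC=domain,DC=tld"."""
    parts = canonical.strip("/").split("/")
    if len(parts) < 2:
        raise ValueError("canonical name needs at least a domain and a leaf object")
    domain, containers, leaf = parts[0], parts[1:-1], parts[-1]
    rdns = ["CN=" + escape_rdn_value(leaf)]
    # Canonical names list containers root-first; a DN lists them leaf-first.
    for container in reversed(containers):
        attr = "CN" if container.lower() in CN_CONTAINERS else "OU"
        rdns.append(f"{attr}={escape_rdn_value(container)}")
    rdns.extend("DC=" + escape_rdn_value(label) for label in domain.split("."))
    return ",".join(rdns)


_DN_RE = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*=")


def classify_bind_identity(identity: str) -> str:
    """Say which form a bind identity string is in.

    Returns "dn" for "CN=...,DC=..." style strings, "domain_backslash_user" for
    DOMAIN\\user, "upn" for user@domain, and "bare" for a plain account name.
    Only "dn" is suitable for a simple LDAP bind against AD over Net::LDAP.
    """
    if _DN_RE.match(identity):
        return "dn"
    if "\\" in identity:
        return "domain_backslash_user"
    if "@" in identity:
        return "upn"
    return "bare"


if __name__ == "__main__":
    # Constructed inputs mirroring the values discussed in the thread.
    for ident in ("rtuser", "example\\rtuser", "rtuser@example.com",
                  canonical_to_dn("example.com/Special Accounts/rtuser")):
        print(f"{ident!r}: {classify_bind_identity(ident)}")
```

Pasting the DN that canonical_to_dn returns into the 'user' key of $ExternalSettings is the form Jeff describes; the Attribute Editor's distinguishedName value is still authoritative, because a container named like one of the default CN containers but created as an OU would be misclassified by the assumption above.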

From: Mathew Snyder [mailto:mathew.snyder at gmail.com]
Sent: Thursday, October 17, 2013 1:40 PM
To: Jeff Solberg
Cc: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

I didn't know the OU until a few moments ago so I only entered "cn=user,dc=example,dc=com". That did seem to make a difference. However, I'm still not able to log in. Perhaps for other reasons, though:

Oct 17 16:33:11 zen-rt RT: [24525] RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49
Oct 17 16:33:11 zen-rt RT: [24525] FAILED LOGIN for example\user from 192.168.236.102

I know I'm entering my username and password correctly and have again tried just the username, example\username, and example.com\username. I'm wondering if the LDAP_INVALID_CREDENTIALS error is because of the missing OU. I do know it now, but how do I enter an OU that has two words? I was told it is example.com/Special Accounts.

-Mathew

"When you do things right, people won't be sure you've done anything at all." - God; Futurama

"We'll get along much better once you accept that you're wrong and neither am I." - Me

On Thu, Oct 17, 2013 at 4:27 PM, Jeff Solberg <jsolberg at intrepidls.com> wrote:
For your ‘server’ try using IP rather than hostname.
Second, for the ‘user’ field try using the DN name for your AD Binding user… cn=some_user,ou=some_ou,dc=some_domain,dc=com

Hope this helps.

Jeff



From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Mathew Snyder
Sent: Thursday, October 17, 2013 1:19 PM
To: rt-users at lists.bestpractical.com
Subject: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

These are the settings I've started with:

Set($ExternalSettings, {
    'AD'       =>  {
        'type'                      =>  'ldap',
        'server'                    =>  'domain_controller.example.com',
        'base'                      =>  'dc=example,dc=com',
        'user'                      =>  'rtuser',
        'pass'                      =>  '********',
        'filter'                    =>  '(ObjectClass=*)',
        'tls'                       =>  0,
        'ssl_version'               =>  3,
        'net_ldap_args'             => [    version =>  3   ],
        'attr_match_list' => [
            'EmailAddress',
        ],
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName' => 'cn',
        },
    },   # end of the 'AD' service definition
});

They aren't working. Whenever someone attempts an initial login with just their username (which should create their RT account) the following error is logged:
Oct 17 15:02:29 zen-rt RT: [23131] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
Oct 17 15:02:29 zen-rt RT: [23131] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
Oct 17 16:14:01 zen-rt RT: [24382] Couldn't create user user: Could not set user info
Oct 17 16:14:01 zen-rt RT: [24382] FAILED LOGIN for user from 192.168.236.102

When initial logins are attempted with either example\username or example.com\username only the FAILED LOGIN line is displayed.

We also have our Openfire Jabber server authenticating successfully. Those settings are:
ldap.autoFollowAliasReferrals = true
ldap.autoFollowReferrals = false
ldap.baseDN = dc=example,dc=com
ldap.connectionPoolEnabled = true
ldap.debugEnabled = false
ldap.emailField = mail
ldap.encloseDNs = true
ldap.groupDescriptionField = description
ldap.groupMemberField = member
ldap.groupNameField = cn
ldap.groupSearchFilter = (objectClass=group)
ldap.host = domain_controller.example.com
ldap.ldapDebugEnabled = false
ldap.nameField = cn
ldap.port = 389
ldap.searchFilter = (objectClass=*)
ldap.usernameField = sAMAccountName


I know they don't match up exactly in terms of what Openfire calls the settings vs. what RT does, but I'm hoping someone can help me sort out what should be plugged in where on the RT side. For example, I don't know what the group_attr or group_attr_value setting should contain (if anything) in the RT_SiteConfig.pm file. Basically, anything from the "group" settings.

-Mathew

"When you do things right, people won't be sure you've done anything at all." - God; Futurama

"We'll get along much better once you accept that you're wrong and neither am I." - Me
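The thread shows two different failures that both end in the same "FAILED LOGIN" line: one where RT could not provision the user after CanonicalizeUserInfo came back without an email address, and one where RT's own service account could not bind (LDAP_INVALID_CREDENTIALS 49). For monitoring, these should not be lumped together, since the second is a configuration fault on the RT side rather than a user typing a bad password. The following is an added example, not code from the thread or from RT, that parses the log lines quoted above (embedded as a constructed sample) and classifies each login attempt by its pid; the syslog format and the message wording are taken from the lines on the page, and the grouping of lines by pid is an assumption about how RT logs one request.

```python
"""Classify RT-Authen-ExternalAuth login failures from syslog lines.

Added example, not from the rt-users thread. Groups RT log lines by pid (one
pid per request in the sample) and separates a service-account bind failure
from a user-provisioning failure and a plain user authentication failure.
"""
import re
from collections import Counter

# Constructed sample: the lines quoted in the thread.
SAMPLE_LOG = """\
Oct 17 15:02:29 zen-rt RT: [23131] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
Oct 17 15:02:29 zen-rt RT: [23131] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
Oct 17 16:14:01 zen-rt RT: [24382] Couldn't create user user: Could not set user info
Oct 17 16:14:01 zen-rt RT: [24382] FAILED LOGIN for user from 192.168.236.102
Oct 17 16:33:11 zen-rt RT: [24525] RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49
Oct 17 16:33:11 zen-rt RT: [24525] FAILED LOGIN for example\\user from 192.168.236.102
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) RT: \[(?P<pid>\d+)\] (?P<msg>.*)$"
)
BIND_RE = re.compile(r"Can't bind: (?P<name>[A-Z_]+) (?P<code>\d+)")
CREATE_RE = re.compile(r"Couldn't create user (?P<user>\S+): (?P<reason>.*)")
FAILED_RE = re.compile(r"FAILED LOGIN for (?P<user>\S+) from (?P<ip>[\d.]+)")
CANON_RE = re.compile(r"CanonicalizeUserInfo returning (?P<fields>.*)$")


def parse_events(text):
    """Return {pid: event dict}; every log line of a pid lands in one event."""
    events = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an RT line, ignore
        ev = events.setdefault(m["pid"], {
            "pid": m["pid"], "ts": m["ts"], "host": m["host"],
            "bind_error": None, "bind_code": None,
            "create_error": None, "user": None, "ip": None,
            "canonical": None,
        })
        msg = m["msg"]
        if (b := BIND_RE.search(msg)):
            ev["bind_error"] = b["name"]
            ev["bind_code"] = int(b["code"])
        elif (c := CREATE_RE.search(msg)):
            ev["create_error"] = c["reason"]
            ev["user"] = ev["user"] or c["user"]
        elif (f := FAILED_RE.search(msg)):
            ev["user"], ev["ip"] = f["user"], f["ip"]
        elif (k := CANON_RE.search(msg)):
            # "Disabled: , EmailAddress: , Gecos: user, ..." -> dict of fields
            fields = {}
            for item in k["fields"].split(", "):
                key, _, val = item.partition(": ")
                fields[key.strip()] = val.strip()
            ev["canonical"] = fields
    return events


def classify(ev):
    """Label one login attempt. Bind failures are checked first: when RT's own
    service account cannot bind, the FAILED LOGIN that follows says nothing
    about the end user's password."""
    if ev["bind_error"]:
        return "service_account_bind_failure"
    if ev["create_error"]:
        return "user_provisioning_failure"
    if ev["canonical"] is not None and not ev["canonical"].get("EmailAddress"):
        return "canonicalize_missing_email"
    if ev["user"]:
        return "user_auth_failure"
    return "info_only"


def summarize(text):
    """Counts per class and failed logins per source IP for the whole log."""
    events = parse_events(text)
    by_class = Counter(classify(ev) for ev in events.values())
    by_ip = Counter(ev["ip"] for ev in events.values() if ev["ip"])
    return by_class, by_ip


if __name__ == "__main__":
    classes, ips = summarize(SAMPLE_LOG)
    print(dict(classes))
    print(dict(ips))
```

A per-IP count of user_auth_failure events is the usual brute-force signal; service_account_bind_failure events should instead alert the RT administrators, because every login attempt will fail for as long as the 'user' and 'pass' settings are wrong.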
