[rt-users] Issue Trying To Get AD Integration Working

Chris Davies chris at roaima.co.uk
Thu Apr 3 11:45:41 EDT 2014


On 02/04/14 20:44, Jason Batchelor wrote:
> I have been trying for sometime to get AD auth working correctly on my 
> server. I've managed to get most of the way there I think but am 
> consistently getting hung up on an error.

> Set($ExternalSettings, {
>     'My_LDAP'       =>  {
>         'type'                      =>  'ldap',
>         'server'                    =>  'ldaps://example.company.org',
>         'base'                      =>  'dc=xxxxx,dc=org',
>         'filter'                    =>  '(objectClass=*)',
>         'd_filter'                  =>  '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>         'tls'                       =>  0,
>         'ssl_version'               =>  3,
>         'net_ldap_args'             => [ version =>  3 ]
>         },
> } );
>

Some questions:
- Do you have SSL configured on port tcp/636 for your AD? (It's not an 
out-of-the-box option.) We've dropped back to using mandatory TLS on 
tcp/389.
- Have you tried using something like ldapsearch to confirm that your 
connection parameters are correct?
- IME, AD requires authentication to bind to anything other than the 
base scope. Have you omitted this just for the email, or in its entirety?


The following is a configuration that "works for me"

     'type' => 'ldap',
     'server' => 'dc.example.org',
     'user' => 'user@example.org',
     'pass' => 'secretpassword',
     'base' => 'dc=example,dc=org',
     'filter' => '(ObjectClass=User)',
     'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
     'attr_match_list' => [ 'Name', 'EmailAddress', 'displayName' ],
     'attr_map' => {
             'Name' => 'sAMAccountName',
             'EmailAddress' => 'mail',
             'Organization' => 'physicalDeliveryOfficeName',
             'RealName' => 'cn',
             'ExternalAuthId' => 'sAMAccountName',
             'Gecos' => 'sAMAccountName',
             'WorkPhone' => 'telephoneNumber',
             'Address1' => 'streetAddress',
             'City' => 'l',
             'State' => 'st',
             'Zip' => 'postalCode',
             'Country' => 'co',
     },
     # Permit domain prefix on username ("EXAMPLE\user")
     # 'ad_domain_prefix' => 'EXAMPLE',      # case insensitive
     # 'ad_domain_required' => 'no',         # { 'yes' | 'no' }
     # 'ad_domain_separator' => '\\',        # split here


Here are some URLs of configurations that according to my notes were 
useful at the time
- http://www.gossamer-threads.com/lists/rt/users/109309
- http://requesttracker.wikia.com/wiki/ExternalAuth
- /opt/rt4/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
- /root/.cpan/build/RT-Authen-ExternalAuth-0.12-9Em3TJ/README

Regards,
Chris
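The following is an added example, not part of Chris's mail or of RT-Authen-ExternalAuth itself, that turns the advice above (confirm the parameters with ldapsearch before blaming RT; bind with credentials; test the disabled-account bit filter) into a script. Hostname, bind identity and base DN are placeholders taken from the thread; the LDIF record in the offline part is constructed. `-ZZ` is the ldapsearch equivalent of the "mandatory TLS on tcp/389" (StartTLS) that Chris describes, and `1.2.840.113556.1.4.803` is AD's bitwise-AND matching rule, so `d_filter` matches any account whose userAccountControl has bit 2 (ACCOUNTDISABLE) set.

```bash
#!/usr/bin/env bash
# Added example: sanity-check AD parameters from the shell before putting
# them into RT's $ExternalSettings. Not code from the original mail or from
# RT-Authen-ExternalAuth. Host, bind identity and base DN are assumptions.
set -u

LDAP_URI="${LDAP_URI:-ldap://dc.example.org}"   # 389 + StartTLS via -ZZ; ldaps://host:636 only if AD has a cert
BIND_DN="${BIND_DN:-user@example.org}"          # AD accepts a UPN as the simple-bind identity
BASE_DN="${BASE_DN:-dc=example,dc=org}"
ACCOUNTDISABLE=2                                # userAccountControl bit tested by d_filter
BIT_AND_OID="1.2.840.113556.1.4.803"            # LDAP_MATCHING_RULE_BIT_AND

# Filter that finds the candidate user: the 'filter' condition plus the login attribute.
user_filter() {  # $1 = login typed into RT
  printf '(&(objectClass=user)(sAMAccountName=%s))' "$1"
}

# Filter that matches only disabled accounts, i.e. what RT's 'd_filter' expresses.
disabled_filter() {
  printf '(userAccountControl:%s:=%s)' "$BIT_AND_OID" "$ACCOUNTDISABLE"
}

# Decide locally from a raw userAccountControl value: exit 0 = disabled, 1 = enabled.
uac_is_disabled() {  # $1 = decimal userAccountControl
  [ $(( $1 & ACCOUNTDISABLE )) -ne 0 ]
}

# Pull userAccountControl out of ldapsearch LDIF output read from stdin.
uac_from_ldif() {
  sed -n 's/^userAccountControl: //p' | head -n 1
}

# Live checks (need network and ldap-utils); -W prompts for the bind password.
check_live() {
  local login="$1"
  echo "# 1. authenticated bind + lookup, StartTLS enforced by -ZZ:"
  ldapsearch -ZZ -x -H "$LDAP_URI" -D "$BIND_DN" -W -b "$BASE_DN" \
      -LLL "$(user_filter "$login")" sAMAccountName mail userAccountControl
  echo "# 2. same user restricted to disabled accounts; a hit means RT will refuse the login:"
  ldapsearch -ZZ -x -H "$LDAP_URI" -D "$BIND_DN" -W -b "$BASE_DN" \
      -LLL "(&$(user_filter "$login")$(disabled_filter))" dn
}

# Offline demonstration on a constructed LDIF record, shaped like ldapsearch -LLL output.
# 66050 = 65536 (DONT_EXPIRE_PASSWD) + 512 (NORMAL_ACCOUNT) + 2 (ACCOUNTDISABLE).
demo_offline() {
  local ldif uac
  ldif='dn: CN=J Doe,OU=Staff,DC=example,DC=org
sAMAccountName: jdoe
mail: jdoe@example.org
userAccountControl: 66050'
  uac=$(printf '%s\n' "$ldif" | uac_from_ldif)
  if uac_is_disabled "$uac"; then
    echo "jdoe: disabled (userAccountControl=$uac), d_filter would match"
  else
    echo "jdoe: enabled (userAccountControl=$uac)"
  fi
}

if [ "${1:-}" = "--live" ]; then check_live "${2:?login}"; else demo_offline; fi
```

Run it with no arguments for the offline demonstration, or `./check-ad.sh --live jdoe` against a real domain controller. If step 1 fails at the bind rather than at the search, the credentials or the TLS setup are wrong, not RT's filters; if step 1 returns the user but step 2 also returns a dn, the account is disabled and RT is right to reject it.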