[rt-users] Issue Trying To Get AD Integration Working
Chris Davies
chris at roaima.co.uk
Thu Apr 3 11:45:41 EDT 2014
On 02/04/14 20:44, Jason Batchelor wrote:
> I have been trying for some time to get AD auth working correctly on my
> server. I've managed to get most of the way there I think but am
> consistently getting hung up on an error.
> Set($ExternalSettings, {
>     'My_LDAP' => {
>         'type' => 'ldap',
>         'server' => 'ldaps://example.company.org',
>         'base' => 'dc=xxxxx,dc=org',
>         'filter' => '(objectClass=*)',
>         'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>         'tls' => 0,
>         'ssl_version' => 3,
>         'net_ldap_args' => [ version => 3 ]
>     },
> } );
>
Some questions:
- Do you have SSL configured on port tcp/636 for your AD? (It's not an
out-of-the-box option.) We've dropped back to using mandatory TLS on
tcp/389.
- Have you tried using something like ldapsearch to confirm that your
connection parameters are correct?
- IME, AD requires authentication to bind to anything other than the
base scope. Have you omitted this just for the email, or in its entirety?
The following is a configuration that "works for me":

    'type' => 'ldap',
    'server' => 'dc.example.org',
    'user' => 'user@example.org',
    'pass' => 'secretpassword',
    'base' => 'dc=example,dc=org',
    'filter' => '(ObjectClass=User)',
    'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
    'attr_match_list' => [ 'Name', 'EmailAddress', 'displayName' ],
    'attr_map' => {
        'Name' => 'sAMAccountName',
        'EmailAddress' => 'mail',
        'Organization' => 'physicalDeliveryOfficeName',
        'RealName' => 'cn',
        'ExternalAuthId' => 'sAMAccountName',
        'Gecos' => 'sAMAccountName',
        'WorkPhone' => 'telephoneNumber',
        'Address1' => 'streetAddress',
        'City' => 'l',
        'State' => 'st',
        'Zip' => 'postalCode',
        'Country' => 'co',
    },
    # Permit domain prefix on username ("EXAMPLE\user")
    # 'ad_domain_prefix' => 'EXAMPLE', # case insensitive
    # 'ad_domain_required' => 'no', # { 'yes' | 'no' }
    # 'ad_domain_separator' => '\\', # split here

Here are some URLs of configurations that according to my notes were
useful at the time
- http://www.gossamer-threads.com/lists/rt/users/109309
- http://requesttracker.wikia.com/wiki/ExternalAuth
- /opt/rt4/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
- /root/.cpan/build/RT-Authen-ExternalAuth-0.12-9Em3TJ/README
Regards,
Chris
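
The ldapsearch check suggested in the reply above, as an added example that is not part of the original message: it does an authenticated bind over StartTLS on tcp/389 and over LDAPS on tcp/636 and looks up one account with the reply's filter and d_filter. Host, bind user, base and filters are the placeholders from that configuration; the function names, the login name passed on the command line and the way the filters are combined per account are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message): check the connection
# parameters with OpenLDAP's ldapsearch before relying on them in RT.
# Values are the placeholders from the configuration above.
LDAP_HOST='dc.example.org'
BIND_USER='user@example.org'
BASE='dc=example,dc=org'
FILTER='(ObjectClass=User)'
D_FILTER='(userAccountControl:1.2.840.113556.1.4.803:=2)'

# Escape the characters RFC 4515 reserves in filter values, so a login
# name cannot change the structure of the search filter.
escape_filter_value() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter for one account (assumption: lookup by sAMAccountName, as in attr_map).
user_filter() {
    printf '(&%s(sAMAccountName=%s))' "$FILTER" "$(escape_filter_value "$1")"
}

# Same account, matched only if d_filter (bit 2, ACCOUNTDISABLE) applies.
disabled_filter() {
    printf '(&%s%s(sAMAccountName=%s))' "$FILTER" "$D_FILTER" \
        "$(escape_filter_value "$1")"
}

# $1 = URI, $2 = '' or -ZZ (require StartTLS), $3 = filter.
# -x simple bind, -W prompts for the bind password.
run_search() {
    ldapsearch -x -H "$1" $2 -D "$BIND_USER" -W -b "$BASE" -s sub \
        "$3" sAMAccountName mail userAccountControl
}

# check_account LOGIN: try both transports, then the disabled-account filter.
check_account() {
    echo "== StartTLS on tcp/389 =="
    run_search "ldap://$LDAP_HOST" -ZZ "$(user_filter "$1")"
    echo "== LDAPS on tcp/636 =="
    run_search "ldaps://$LDAP_HOST" '' "$(user_filter "$1")"
    echo "== d_filter (an entry returned means the account is disabled) =="
    run_search "ldap://$LDAP_HOST" -ZZ "$(disabled_filter "$1")"
}

# Run only when a login name is given, e.g.: sh check_ad.sh jdoe
if [ $# -ge 1 ]; then check_account "$1"; fi
```

If either TLS handshake fails on certificate validation, ldapsearch needs the CA that signed the domain controller's certificate (TLS_CACERT in ldap.conf).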