[rt-users] AD integration for external auth

Yan Seiner yan at seiner.com
Tue Jul 7 13:24:06 EDT 2015


What format do you use for the username?

When I try hpm\yans which should, in theory, work, I get:

[5367] [Tue Jul  7 17:07:28 2015] [debug]: LDAP Search ===  Base: 
dc=hpm,dc=net == Filter: (&(objectClass=*)(sAMAccountName=hpm\5cyans)) 
== Attrs: sAMAccountName,mail 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)

Notice the mangled sAMAccountName=hpm\5cyans .  If this is what it is 
searching for, then we have a problem.   :)

--Yan

On 7/7/2015 11:57 AM, Trev wrote:
> This may help:
>
> http://trevthorpe.blogspot.com/2015/01/request-tracker-424-ldap-authentication.html
>
>
>
> On Tue, Jul 7, 2015 at 11:24 AM, Yan Seiner <yan at seiner.com 
> <mailto:yan at seiner.com>> wrote:
>
>     I'm coming back to RT after a few years.  I am trying to set up
>     external auth against our AD server.
>
>     I have a working implementation for mediawiki, so I know that it's
>     possible on our system.  As far as possible I've duplicated the
>     options from mediawiki/php to rt/perl, but I am still missing
>     something important as all login attempts get rejected with a NoUser.
>
>     The only thing that I find different (and I'm searching my memory
>     from a few years ago when I set up mediawiki) there is a line
>     where the user name is pre-pended with the domain for AD:
>
>     $wgLDAPSearchStrings = array( 'HPM' => "HPM\\USER-NAME" );
>
>     And I can't find anything like that in the RT config.
>
>     Does anyone have a working AD external auth they can share?
>
>     Thanks.
>
>     Here's the logfile snippet:
>
>     [4835] [Tue Jul  7 15:17:14 2015] [debug]: Attempting to use
>     external auth service: My_LDAP
>     (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:424)
>     [4835] [Tue Jul  7 15:17:14 2015] [debug]: Calling UserExists with
>     $username (yans) and $service (My_LDAP)
>     (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:465)
>     [4835] [Tue Jul  7 15:17:14 2015] [debug]: UserExists params:
>     username: yans , service: My_LDAP
>     (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)
>     [4835] [Tue Jul  7 15:17:14 2015] [debug]: LDAP Search === Base:
>     ou=Staff,dc=hpm,dc=net == Filter:
>     (&(objectClass=inetOrgPerson)(sAMAccountName=yans)) == Attrs:
>     cn,co,telephoneNumber,l,postalCode,streetAddress,st,sAMAccountName,mail
>     (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
>     [4835] [Tue Jul  7 15:17:14 2015] [debug]: User Check Failed :: (
>     My_LDAP ) yans User not found
>     (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:483)
>     [4835] [Tue Jul  7 15:17:14 2015] [debug]: Autohandler called
>     ExternalAuth. Response: (0, No User)
>     (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
>     [4835] [Tue Jul  7 15:17:14 2015] [error]: FAILED LOGIN for yans
>     from 10.10.30.51 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:810)
>
>     And here's the setup in RTSiteConfig.pm:
>
>     Plugin('RT::Authen::ExternalAuth');
>     Set($ExternalAuthPriority,  [ 'My_LDAP' ]);
>     Set($ExternalInfoPriority,  [ 'My_LDAP' ]);
>     Set($ExternalSettings, {
>          'My_LDAP'       =>  {
>          'type'             =>  'ldap',
>          'server'           =>  'file_print.hpm.net
>     <http://file_print.hpm.net>',
>                     # By not passing 'user' and 'pass' we are using an
>     anonymous
>                     # bind, which some servers to not allow
>          'base'             =>  'dc=hpm,dc=net',
>          'filter'           => '(objectClass=inetOrgPerson)',
>                     # Users are allowed to log in via email address or
>     account
>                     # name
>          'attr_match_list'  => [
>                'Name',
>     #           'EmailAddress',
>                ],
>                     # Import the following properties of the user from
>     LDAP upon
>                     # login
>                     'attr_map' => {
>                         'Name'         => 'sAMAccountName',
>                         'EmailAddress' => 'mail',
>                         'RealName'     => 'cn',
>                         'WorkPhone'    => 'telephoneNumber',
>                         'Address1'     => 'streetAddress',
>                         'City'         => 'l',
>                         'State'        => 'st',
>                         'Zip'          => 'postalCode',
>                         'Country'      => 'co',
>                     },
>                 },
>             } );
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20150707/e2275161/attachment.htm>


More information about the rt-users mailing list