[rt-users] AD integration for external auth
Yan Seiner
yan at seiner.com
Tue Jul 7 13:24:06 EDT 2015
What format do you use for the username?
When I try hpm\yans, which should, in theory, work, I get:
[5367] [Tue Jul 7 17:07:28 2015] [debug]: LDAP Search === Base: dc=hpm,dc=net == Filter: (&(objectClass=*)(sAMAccountName=hpm\5cyans)) == Attrs: sAMAccountName,mail (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
Notice the mangled sAMAccountName=hpm\5cyans. If this is what it is
searching for, then we have a problem. :)
--Yan
On 7/7/2015 11:57 AM, Trev wrote:
> This may help:
>
> http://trevthorpe.blogspot.com/2015/01/request-tracker-424-ldap-authentication.html
>
> On Tue, Jul 7, 2015 at 11:24 AM, Yan Seiner <yan at seiner.com> wrote:
>
> I'm coming back to RT after a few years. I am trying to set up
> external auth against our AD server.
>
> I have a working implementation for mediawiki, so I know that it's
> possible on our system. As far as possible I've duplicated the
> options from mediawiki/php to rt/perl, but I am still missing
> something important as all login attempts get rejected with a NoUser.
>
> The only thing that I find different (and I'm searching my memory
> from a few years ago when I set up mediawiki) is that there is a line
> where the user name is prepended with the domain for AD:
>
> $wgLDAPSearchStrings = array( 'HPM' => "HPM\\USER-NAME" );
>
> And I can't find anything like that in the RT config.
>
> Does anyone have a working AD external auth they can share?
>
> Thanks.
>
> Here's the logfile snippet:
>
> [4835] [Tue Jul 7 15:17:14 2015] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:424)
> [4835] [Tue Jul 7 15:17:14 2015] [debug]: Calling UserExists with $username (yans) and $service (My_LDAP) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:465)
> [4835] [Tue Jul 7 15:17:14 2015] [debug]: UserExists params: username: yans , service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)
> [4835] [Tue Jul 7 15:17:14 2015] [debug]: LDAP Search === Base: ou=Staff,dc=hpm,dc=net == Filter: (&(objectClass=inetOrgPerson)(sAMAccountName=yans)) == Attrs: cn,co,telephoneNumber,l,postalCode,streetAddress,st,sAMAccountName,mail (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
> [4835] [Tue Jul 7 15:17:14 2015] [debug]: User Check Failed :: ( My_LDAP ) yans User not found (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:483)
> [4835] [Tue Jul 7 15:17:14 2015] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
> [4835] [Tue Jul 7 15:17:14 2015] [error]: FAILED LOGIN for yans from 10.10.30.51 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:810)
>
> And here's the setup in RTSiteConfig.pm:
>
> Plugin('RT::Authen::ExternalAuth');
> Set($ExternalAuthPriority, [ 'My_LDAP' ]);
> Set($ExternalInfoPriority, [ 'My_LDAP' ]);
> Set($ExternalSettings, {
>     'My_LDAP' => {
>         'type'   => 'ldap',
>         'server' => 'file_print.hpm.net',
>         # By not passing 'user' and 'pass' we are using an anonymous
>         # bind, which some servers do not allow
>         'base'   => 'dc=hpm,dc=net',
>         'filter' => '(objectClass=inetOrgPerson)',
>         # Users are allowed to log in via email address or account
>         # name
>         'attr_match_list' => [
>             'Name',
>             # 'EmailAddress',
>         ],
>         # Import the following properties of the user from LDAP upon
>         # login
>         'attr_map' => {
>             'Name'         => 'sAMAccountName',
>             'EmailAddress' => 'mail',
>             'RealName'     => 'cn',
>             'WorkPhone'    => 'telephoneNumber',
>             'Address1'     => 'streetAddress',
>             'City'         => 'l',
>             'State'        => 'st',
>             'Zip'          => 'postalCode',
>             'Country'      => 'co',
>         },
>     },
> } );
>
>
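As an added illustration (not code from this thread or from RT-Authen-ExternalAuth): the `\5c` in the debug line above is standard RFC 4515 filter escaping of the backslash, which is what keeps a typed login name from changing the structure of the search filter, so the server really is asked for a sAMAccountName containing a literal backslash. The Python below reproduces that escaping against the thread's own log line and adds a hypothetical normalisation step that strips a `DOMAIN\` prefix or `@domain` suffix before the filter is built; the function names and that normalisation are assumptions, not RT behaviour.

```python
# Added example, not part of the thread or of RT's LDAP.pm.
# Reproduces how an LDAP search filter is built from a login name and
# why "hpm\yans" appears as "hpm\5cyans" in the RT debug log.

# RFC 4515 section 3: characters that must be escaped inside an
# assertion value so the value can only ever match literally.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 (hex escape of metacharacters)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def bare_account_name(login: str) -> str:
    """Hypothetical normalisation step (assumption, not RT code): strip a
    DOMAIN\\ prefix or @domain suffix so only the logon name is matched
    against sAMAccountName, which holds the bare account name."""
    if "\\" in login:
        return login.rsplit("\\", 1)[1]
    if "@" in login:
        return login.split("@", 1)[0]
    return login


def build_search_filter(login: str, base_filter: str,
                        attr: str = "sAMAccountName") -> str:
    """AND the configured base filter with an escaped attribute match,
    the same shape as the 'Filter:' part of RT's LDAP Search debug line."""
    return f"(&{base_filter}({attr}={escape_filter_value(login)}))"


if __name__ == "__main__":
    # Constructed inputs: the login from the thread and the config filter.
    print(build_search_filter("hpm\\yans", "(objectClass=*)"))
    print(build_search_filter(bare_account_name("hpm\\yans"),
                              "(objectClass=inetOrgPerson)"))
```

The first print reproduces the filter from the debug log exactly; the second shows what the same login yields once the domain prefix is removed before the search.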