[rt-users] AD integration for external auth

Trev trevor at onepost.net
Tue Jul 7 13:30:30 EDT 2015


Use -->   Plugin( "RT::Extension::LDAPImport" );

Note the configuration I linked to you prior.

I had some issues with limited functionality using
Plugin('RT::Authen::ExternalAuth'). It's been a while actually, I may
not even have had that extension working.



On Tue, Jul 7, 2015 at 1:28 PM, Trev <trevor at onepost.net> wrote:

> If you mean during the login via RT Gui --  username is, sAMAccountName.
> There shouldn't be any need to prefix with the domain as the domain is
> already being queried.
>
>
>
> On Tue, Jul 7, 2015 at 1:24 PM, Yan Seiner <yan at seiner.com> wrote:
>
>> What format do you use for the username?
>>
>> When I try hpm\yans which should, in theory, work, I get:
>>
>> [5367] [Tue Jul  7 17:07:28 2015] [debug]: LDAP Search ===  Base: dc=hpm,dc=net == Filter: (&(objectClass=*)(sAMAccountName=hpm\5cyans)) == Attrs: sAMAccountName,mail (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
>>
>> Notice the mangled sAMAccountName=hpm\5cyans .  If this is what it is
>> searching for, then we have a problem.   :)
>>
>> --Yan
>>
>>
>> On 7/7/2015 11:57 AM, Trev wrote:
>>
>> This may help:
>>
>>
>> http://trevthorpe.blogspot.com/2015/01/request-tracker-424-ldap-authentication.html
>>
>>
>>
>> On Tue, Jul 7, 2015 at 11:24 AM, Yan Seiner <yan at seiner.com> wrote:
>>
>>> I'm coming back to RT after a few years.  I am trying to set up external
>>> auth against our AD server.
>>>
>>> I have a working implementation for mediawiki, so I know that it's
>>> possible on our system.  As far as possible I've duplicated the options
>>> from mediawiki/php to rt/perl, but I am still missing something important
>>> as all login attempts get rejected with a NoUser.
>>>
>>> The only thing that I find different (and I'm searching my memory from a
>>> few years ago when I set up mediawiki) is that there is a line where the user name
>>> is prepended with the domain for AD:
>>>
>>> $wgLDAPSearchStrings = array( 'HPM' => "HPM\\USER-NAME" );
>>>
>>> And I can't find anything like that in the RT config.
>>>
>>> Does anyone have a working AD external auth they can share?
>>>
>>> Thanks.
>>>
>>> Here's the logfile snippet:
>>>
>>> [4835] [Tue Jul  7 15:17:14 2015] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:424)
>>> [4835] [Tue Jul  7 15:17:14 2015] [debug]: Calling UserExists with $username (yans) and $service (My_LDAP) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:465)
>>> [4835] [Tue Jul  7 15:17:14 2015] [debug]: UserExists params: username: yans , service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)
>>> [4835] [Tue Jul  7 15:17:14 2015] [debug]: LDAP Search ===  Base: ou=Staff,dc=hpm,dc=net == Filter: (&(objectClass=inetOrgPerson)(sAMAccountName=yans)) == Attrs: cn,co,telephoneNumber,l,postalCode,streetAddress,st,sAMAccountName,mail (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
>>> [4835] [Tue Jul  7 15:17:14 2015] [debug]: User Check Failed :: ( My_LDAP ) yans User not found (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:483)
>>> [4835] [Tue Jul  7 15:17:14 2015] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
>>> [4835] [Tue Jul  7 15:17:14 2015] [error]: FAILED LOGIN for yans from 10.10.30.51 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:810)
>>>
>>> And here's the setup in RTSiteConfig.pm:
>>>
>>> Plugin('RT::Authen::ExternalAuth');
>>> Set($ExternalAuthPriority,  [ 'My_LDAP' ]);
>>> Set($ExternalInfoPriority,  [ 'My_LDAP' ]);
>>> Set($ExternalSettings, {
>>>     'My_LDAP' => {
>>>         'type'   => 'ldap',
>>>         'server' => 'file_print.hpm.net',
>>>         # By not passing 'user' and 'pass' we are using an anonymous
>>>         # bind, which some servers do not allow
>>>         'base'   => 'dc=hpm,dc=net',
>>>         'filter' => '(objectClass=inetOrgPerson)',
>>>         # Users are allowed to log in via email address or account
>>>         # name
>>>         'attr_match_list' => [
>>>             'Name',
>>> #           'EmailAddress',
>>>         ],
>>>         # Import the following properties of the user from LDAP upon
>>>         # login
>>>         'attr_map' => {
>>>             'Name'         => 'sAMAccountName',
>>>             'EmailAddress' => 'mail',
>>>             'RealName'     => 'cn',
>>>             'WorkPhone'    => 'telephoneNumber',
>>>             'Address1'     => 'streetAddress',
>>>             'City'         => 'l',
>>>             'State'        => 'st',
>>>             'Zip'          => 'postalCode',
>>>             'Country'      => 'co',
>>>         },
>>>     },
>>> } );
>>>
>>>
>>
>>
>
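The second debug line quoted in this thread shows the login `hpm\yans` arriving in the filter as `sAMAccountName=hpm\5cyans`. That is not mangling: RFC 4515 requires a backslash inside a filter assertion value to be written as `\5c` (and `*`, `(`, `)` and NUL as `\2a`, `\28`, `\29`, `\00`), which is what keeps whatever a user types at the login form from changing the structure of the search filter. RT escaped the whole string it was given and then looked for an account literally named `hpm\yans`, which does not exist, hence "User not found". The Python below is an added example, not RT's Perl code or anything from the thread: it implements that escaping, rebuilds the filter in the shape the RT debug log prints, parses an RT "LDAP Search" debug line (the sample is constructed by re-joining the thread's wrapped log line) and checks that the logged filter is exactly what correct escaping of the typed login produces. The `split_domain_login` helper is hypothetical; RT does no such splitting, which is why the bare sAMAccountName is what to type, as Trev says.

```python
"""Added example (not code from RT or from this thread): reconstruct the LDAP
filter that RT::Authen::ExternalAuth prints in its debug log and show why a
login of 'hpm\\yans' is logged as 'sAMAccountName=hpm\\5cyans'.

Escaping rules follow RFC 4515; the log-line layout is copied from the
thread. Everything else here is an assumption made for illustration.
"""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an
# assertion value so that user-supplied text cannot alter filter structure.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}
_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value, for reading a logged filter back (ASCII only)."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def build_user_filter(base_filter: str, attr: str, login: str) -> str:
    """Combine the configured 'filter' with the attribute lookup the way the
    RT debug log shows it: (&<filter>(<attr>=<escaped login>))."""
    return f"(&{base_filter}({attr}={escape_filter_value(login)}))"


def split_domain_login(login: str):
    """Hypothetical helper: split 'DOMAIN\\account' into (domain, account).

    RT's ExternalAuth does not do this (the log shows the whole string being
    escaped into the filter), so for AD the bare sAMAccountName is typed."""
    domain, sep, account = login.partition("\\")
    if not sep:
        return None, login
    return domain, account


# Layout of RT's "LDAP Search" debug line as it appears in the thread.
_SEARCH_LOG = re.compile(
    r"LDAP Search ===\s*Base:\s*(?P<base>.*?)\s*==\s*Filter:\s*"
    r"(?P<filter>.*?)\s*==\s*Attrs:\s*(?P<attrs>\S+)"
)


def parse_search_log(line: str) -> dict:
    """Pull base, filter and attribute list out of an RT 'LDAP Search' debug line."""
    m = _SEARCH_LOG.search(line)
    if m is None:
        raise ValueError("not an RT LDAP Search debug line")
    return {
        "base": m.group("base"),
        "filter": m.group("filter"),
        "attrs": m.group("attrs").split(","),
    }


# Constructed sample: the second debug line from the thread, re-joined onto one line.
SAMPLE_LOG_LINE = (
    "[5367] [Tue Jul  7 17:07:28 2015] [debug]: LDAP Search ===  Base: "
    "dc=hpm,dc=net == Filter: (&(objectClass=*)(sAMAccountName=hpm\\5cyans)) == "
    "Attrs: sAMAccountName,mail "
    "(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)"
)


def logged_filter_matches_login(line: str, base_filter: str, attr: str, login: str) -> bool:
    """True if the filter RT logged is exactly what correct escaping of `login` yields."""
    return parse_search_log(line)["filter"] == build_user_filter(base_filter, attr, login)


if __name__ == "__main__":
    parsed = parse_search_log(SAMPLE_LOG_LINE)
    print("logged filter:", parsed["filter"])
    print("same as escaping 'hpm\\yans'?",
          logged_filter_matches_login(SAMPLE_LOG_LINE, "(objectClass=*)", "sAMAccountName", "hpm\\yans"))
    print("bare account name:", split_domain_login("hpm\\yans")[1])
    print("filter for bare name:", build_user_filter("(objectClass=*)", "sAMAccountName", "yans"))
```

Run it as a script to see the logged filter reproduced from the typed login; `logged_filter_matches_login` returning True is the check that nothing was mangled on RT's side, and the last line is the filter the directory would see once the bare account name is used instead.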

