[rt-users] Issue With ExternalAuth
Martin Wheldon
martin.wheldon at greenhills-it.co.uk
Mon Dec 5 17:35:44 EST 2016
Hi Claude,
Your English is much better than my French :)
I've cc'd the RT users list as they may have additional suggestions.
The short answer is no, I don't believe your problem is caused by TLS
bugs.
You seem to be mixing up the new RT 4.4 LDAP configuration syntax with
the older RT::Authen::ExternalAuth syntax.
If you are using RT 4.4.x then you don't need the following, because it
is the old style syntax:
> Set($LDAPBase,'MYLDAPSERVER');
> Set($LDAPFilter, '(&(objectClass=person))');
> Set($LDAPMapping, {
> Name => 'uid',
> EmailAddress => 'mail',
> RealName => 'cn'
> });
The following option should also be removed when using RT 4.4.x:
> 'ssl_version' => 3,
Is RT able to read your CAcert file? Please could you check the file
permissions.
Do you see any errors in the logs?
Best Regards
Martin
On 2016-12-05 13:22, claudeduma at gmail.com wrote:
> Hi Martin,
>
> I am trying to configure LDAP authentication but it doesn't work.
> I'm sure all my config is correct (see below). I tried with
> ldapsearch and everything is OK. I looked at my LDAP server's logs and I bind
> users correctly. Do you think it's TLS bugs?
>
> (sorry for my English, I'm French)
> Thank you.
>
> --------------
> Set($LDAPBase,'MYLDAPSERVER');
> Set($LDAPFilter, '(&(objectClass=person))');
> Set($LDAPMapping, {
> Name => 'uid',
> EmailAddress => 'mail',
> RealName => 'cn'
> });
>
>
> # Use the below LDAP source for both authentication, as well as user
> # information
> Set( $ExternalAuthPriority, ["My_LDAP"] );
> Set( $ExternalInfoPriority, ["My_LDAP"] );
> Set($ExternalServiceUsesSSLorTLS, 1);
>
> # Make users created from LDAP Privileged
> Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
>
> # Users should still be autocreated by RT as internal users if they
> # fail to exist in an external service; this is so requestors (who
> # are not in LDAP) can still be created when they email in.
> Set($AutoCreateNonExternalUsers, 0);
>
> # Minimal LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
> # further details and examples
> Set($ExternalSettings, {
> 'My_LDAP' => {
> 'type' => 'ldap',
> 'server' => 'ldaps://MYLDAPSERVER',
> 'user' => 'MYUSER',
> 'pass' => 'MYPASS',
> 'base' => 'MYBASE',
> 'filter' => '(objectClass=privperson)',
> 'tls' => { verify => "require", cafile => "/etc/CA.crt" },
> 'ssl_version' => 3,
> 'net_ldap_args' => [ version => 3, debug => 8 ],
> 'attr_match_list' => [
> 'Name',
> 'EmailAddress',
> ],
>
> 'attr_map' => {
> 'Name' => 'uid',
> 'EmailAddress' => 'mail',
> 'RealName' => 'cn',
> 'Gecos' => 'uid',
> 'Country' => 'co',
> }
> },
> }
> );
>
> 1;
>
>
>
> _____________________________________
> Sent from http://requesttracker.8502.n7.nabble.com
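
The three points in Martin's reply (the old-style LDAP settings, the `ssl_version` key, and whether RT can read the CA file), as an added example that is not part of the original thread or RT's own tooling: a POSIX shell lint for an RT 4.4.x `RT_SiteConfig.pm`. The function names, finding labels and sample config are constructed for illustration, and the readability check assumes the script runs as the account RT runs under.

```shell
#!/bin/sh
# Added example (not RT's own tooling): lint an RT 4.4.x RT_SiteConfig.pm for
# the three points raised in this thread. Finding labels are made up here.

# Print one finding per line for the config file $1; print nothing if clean.
lint_rt_ldap_config() {
    lint_cfg=$1
    # 1. Settings the reply identifies as old-style syntax. Only live
    #    Set($Name, ...) lines count, so commented-out lines are ignored.
    for lint_name in LDAPBase LDAPFilter LDAPMapping; do
        if grep -Eq "^[[:space:]]*Set\([[:space:]]*\\\$${lint_name}[[:space:]]*," "$lint_cfg"; then
            echo "legacy-setting: \$${lint_name}"
        fi
    done
    # 2. The 'ssl_version' key the reply says to remove.
    if grep -Eq "^[[:space:]]*'ssl_version'[[:space:]]*=>" "$lint_cfg"; then
        echo "remove-option: ssl_version"
    fi
    # 3. The CA file named in the tls block must be readable by this user.
    #    Assumption: the script runs as the account RT runs under.
    lint_ca=$(sed -nE "s/.*cafile[[:space:]]*=>[[:space:]]*[\"']([^\"']+)[\"'].*/\1/p" "$lint_cfg" | head -n 1)
    if [ -n "$lint_ca" ] && [ ! -r "$lint_ca" ]; then
        echo "cafile-unreadable: $lint_ca"
    fi
    return 0
}

# Write a constructed sample config to $1, modelled on the one quoted in the
# thread, with the tls cafile set to $2.
make_sample_config() {
    cat > "$1" <<EOF
Set(\$LDAPBase,'MYLDAPSERVER');
Set(\$LDAPFilter, '(&(objectClass=person))');
Set(\$LDAPMapping, { Name => 'uid' });
# Set(\$LDAPBase,'commented out, must not be reported');
Set(\$ExternalSettings, {
    'My_LDAP' => {
        'type'        => 'ldap',
        'server'      => 'ldaps://MYLDAPSERVER',
        'tls'         => { verify => "require", cafile => "$2" },
        'ssl_version' => 3,
    },
});
1;
EOF
}

# Lint the file given on the command line, if any.
if [ "$#" -gt 0 ]; then lint_rt_ldap_config "$1"; fi
```

Run it with the path to the site config as its only argument; no output means none of the three issues were found.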