[rt-users] RT 4.4.1 on Debian with RT::Authen::ExternalAuth?
Martin Wheldon
martin.wheldon at greenhills-it.co.uk
Wed Oct 19 10:34:49 EDT 2016
Hi Malcolm,
Are you able to get any results from the LDAP server when you try the
same search using ldapsearch from the command line on the Debian box?
Something like (note -W prompts for the bind password; a bare -w would
swallow the following -ZZ as the password):
ldapsearch -D LDAP_ACCOUNT -x -W -ZZ -H ldap://ggdc1.domain.int/ -b ou=Production,dc=domain,dc=int "(objectClass=inetOrgPerson)"
I'm guessing your LDAP server is MS AD so you will probably need to
configure TLS.
The following items come from my configuration.
> Set( $ExternalAuthPriority, ["My_LDAP"] );
> Set( $ExternalInfoPriority, ["My_LDAP"] );
> Set($ExternalAuth, 1);
> Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
> Set($AutoCreateNonExternalUsers, 1);
# Use TLS
Set($ExternalServiceUsesSSLorTLS,1);
> Set($ExternalSettings, {
> 'My_LDAP' => {
> 'type' => 'ldap',
> 'server' => 'ggdc1.domain.int',
# Configure TLS settings
'tls' => {
    'verify' => 'require',
    'cafile' => '/etc/ssl/certs/CACert.pem', # Path to CA file
},
> 'user' => 'LDAP_ACCOUNT',
> 'pass' => 'LDAP_ACCOUNT_PASS',
> 'base' => 'ou=Production,dc=domain,dc=int',
> 'filter' => '(objectClass=inetOrgPerson)',
> 'attr_match_list' => [
> 'Name',
> 'EmailAddress',
> ],
> 'attr_map' => {
> 'Name' => 'sAMAccountName',
> 'EmailAddress' => 'mail',
> 'RealName' => 'cn',
> 'WorkPhone' => 'telephoneNumber',
> 'Address1' => 'streetAddress',
> 'City' => 'l',
> 'State' => 'st',
> 'Zip' => 'postalCode',
> 'Country' => 'co',
> },
> },
> } );
Best Regards
Martin
On 2016-10-19 13:37, Malcolm Galland wrote:
> I've set up RT, and am testing it with rt-server. Everything seems to
> be going smoothly except LDAP with RT::Authen::ExternalAuth. I read
> the docs and have implemented the suggested changes in
> /opt/rt4/etc/RT_SiteConfig.pm like so:
>
> Set( $ExternalAuthPriority, ["My_LDAP"] );
> Set( $ExternalInfoPriority, ["My_LDAP"] );
> Set($ExternalAuth, 1);
> Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
> Set($AutoCreateNonExternalUsers, 1);
> Set($ExternalSettings, {
> 'My_LDAP' => {
> 'type' => 'ldap',
> 'server' => 'ggdc1.domain.int',
> 'user' => 'LDAP_ACCOUNT',
> 'pass' => 'LDAP_ACCOUNT_PASS',
> 'base' => 'ou=Production,dc=domain,dc=int',
> 'filter' => '(objectClass=inetOrgPerson)',
> 'attr_match_list' => [
> 'Name',
> 'EmailAddress',
> ],
> 'attr_map' => {
> 'Name' => 'sAMAccountName',
> 'EmailAddress' => 'mail',
> 'RealName' => 'cn',
> 'WorkPhone' => 'telephoneNumber',
> 'Address1' => 'streetAddress',
> 'City' => 'l',
> 'State' => 'st',
> 'Zip' => 'postalCode',
> 'Country' => 'co',
> },
> },
> } );
>
> The issue is when I try to login the users aren't allowed access, and I
> get the following error from rt-server:
>
> [error]: FAILED LOGIN for username_redacted from IP_REDACTED
> (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:826)
>
> Just for kicks, if I run /opt/rt4/sbin/rt-ldapimport --debug
> I get:
> [critical]: Expected 'PeerHost' at
> /usr/local/share/perl/5.20.2/Net/LDAP.pm line 164.
> (/opt/rt4/sbin/../lib/RT.pm:390)
>
> Any ideas? I read every document I could find, but it's hard to know
> which non-official ones you can trust since RT has been around so long
> and ExternalAuth was just added to the core. Also, the official docs
> are a bit terse.
> ---------
> RT 4.4 and RTIR training sessions, and a new workshop day!
> https://bestpractical.com/training
> * Boston - October 24-26
> * Los Angeles - Q1 2017
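Added example (not code from either poster or from RT itself): a short Perl
script that walks through the same LDAP flow ExternalAuth performs, using
Net::LDAP as RT does, so a failure can be pinned to the connection, STARTTLS
certificate check, service bind, search, or the final bind as the user.
Server, service account, base, filter and CA path are the placeholders from
the thread; the test username "jdoe" and its password are assumptions.

```perl
#!/usr/bin/perl
# Added example: reproduce the ExternalAuth LDAP flow step by step with
# Net::LDAP.  Placeholders are taken from the thread; $test_user/$test_pass
# are assumed values for the account you are trying to log in as.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my %cfg = (
    server => 'ggdc1.domain.int',
    user   => 'LDAP_ACCOUNT',        # service account DN or UPN
    pass   => 'LDAP_ACCOUNT_PASS',
    base   => 'ou=Production,dc=domain,dc=int',
    filter => '(objectClass=inetOrgPerson)',
    cafile => '/etc/ssl/certs/CACert.pem',
);
my ($test_user, $test_pass) = ('jdoe', 'USER_PASSWORD');   # assumed

# Stop at the first failing step and show the server's own diagnostic text
# (AD returns the useful detail, e.g. "data 52e", in the error string).
sub check {
    my ($step, $mesg) = @_;
    die sprintf("%s failed: %s (code %d)\n", $step, $mesg->error, $mesg->code)
        if $mesg->code;
    print "$step: ok\n";
}

my $ldap = Net::LDAP->new($cfg{server}, port => 389, timeout => 10)
    or die "connect to $cfg{server}: $@\n";

# STARTTLS with verify => 'require': the directory's certificate must chain
# to cafile, otherwise every password sent on this session is exposed to
# anyone who can sit between the RT host and the DC.
check('start_tls', $ldap->start_tls(verify => 'require', cafile => $cfg{cafile}));

# Step 1: bind with the service account RT uses for lookups.
check('service bind', $ldap->bind($cfg{user}, password => $cfg{pass}));

# Step 2: look the user up with the configured base/filter, matched on
# sAMAccountName as in the attr_map.  The username is escaped so a
# crafted login name cannot alter the filter.
my $search = $ldap->search(
    base   => $cfg{base},
    scope  => 'sub',
    filter => "(&$cfg{filter}(sAMAccountName="
              . escape_filter_value($test_user) . "))",
    attrs  => [qw(sAMAccountName mail cn)],
);
check('search', $search);
die "no unique entry for $test_user under $cfg{base}; check base/filter\n"
    unless $search->count == 1;

my $entry = $search->entry(0);
printf "found %s (sAMAccountName=%s, mail=%s)\n", $entry->dn,
    $entry->get_value('sAMAccountName') // '', $entry->get_value('mail') // '';

# Step 3: bind as the found DN with the user's own password; this is the
# check that decides between FAILED LOGIN and a successful login.
check('user bind', $ldap->bind($entry->dn, password => $test_pass));
$ldap->unbind;
```

Run it on the RT host as the user RT runs as, so the same Perl, Net::LDAP and
CA file are exercised. If the STARTTLS step fails, fix the certificate chain
rather than relaxing 'verify'. If the search step returns nothing against
Active Directory, bear in mind that AD user objects carry objectClass=user by
default and only include inetOrgPerson when they were created with that
class, so the filter may need adjusting to match what the directory holds.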