I have installed the ExternalAuth extension (thanks Mike!) to try and validate against my Active Directory server, but I am failing with the following message in my apache error_log:
[Wed Apr 9 22:20:09 2008] [critical]: RT::User::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49 (/usr/local/rt3/lib/RT/User_Vendor.pm:1056)

This looked to me (and other messages on this list seemed to indicate) that my problem was one of not providing a correct username/password pair with which to connect to the AD server. This seemed strange to me because I was able to validate, on the same machine that is running RT, against AD using the same username/password pair using ldapsearch. So I had our AD admin configure AD to allow "Anonymous Binding". Now I am still getting the same error message as above, even though the following use of ldapsearch binds against AD just fine with no usercode/password provided:

ldapsearch -b dc=comalc,dc=com -H ldap://redacted.comalc.com "(objectclass=*)" -x

I suspect that I must have misconfigured ExternalAuth, so I have pasted in my RT_SiteConfig.pm below. Thanks in advance for any help.

James

---/etc/rt3/RT_SiteConfig.pm---
# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
# perl -c /path/to/your/etc/RT_SiteConfig.pm

Set( $rtname, 'greenfieldethanol.com');
# Set( $Organization , "example.com");

# Look into the zoneinfo database for valid values (/usr/share/zoneinfo/)
Set( $Timezone , 'US/Eastern');

# Set( $WebBaseURL , "http://localhost");
Set( $WebPath , "/rt3");

Set($LogToSyslog, '');
Set($LogToFile, 'debug');
Set($LogDir, '/var/log/rt');
Set($LogToFileNamed , "rt.log");

# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority, ['My_LDAP']);

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
# Once user info is found, no more services are checked.
Set($ExternalInfoPriority, ['My_LDAP']);

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS, 0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    # AN EXAMPLE LDAP SERVICE
    'My_LDAP' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        # Should the service be used for authentication?
        'auth' => 1,
        # Should the service be used for information?
        'info' => 1,
        # The server hosting the service
        'server' => 'redacted.comalc.com',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user' => 'redacted',
        # The password RT should use to connect to the LDAP server
        'pass' => 'redacted',
        #
        # The LDAP search base
        'base' => 'ou=Organisational Unit,dc=domain,dc=TLD',
        # The filter to use to match RT-Users
        'filter' => '(objectclass=*)',
        # The filter that will only match disabled users
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        #'group' => 'GROUP_NAME',
        # What is the attribute for the group object that determines membership?
        #'group_attr' => 'GROUP_ATTR',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName', 'WorkPhone', 'Address2' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co'
        }
    }
} );

1;

_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: [EMAIL PROTECTED]
Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
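As an added example (not part of James's post, and not code from the ExternalAuth extension), the following Python script does two things a responder would do before replying: it parses the bind-failure line from the apache error_log into its LDAP result code, and it runs consistency checks over the 'My_LDAP' service as posted, transcribed into a dict. The checks are the ones the post itself supports: bind credentials still set while an anonymous bind is intended (the config's own comment says to remove `user` and `pass` in that case), a search base whose domain components differ from the `dc=comalc,dc=com` base the working ldapsearch used, a bind password that would cross the network in cleartext with `tls` at 0 and `$ExternalServiceUsesSSLorTLS` at 0, and a user filter of `(objectclass=*)` that matches every directory object rather than just users. The function names and the parameters `anonymous_bind_intended`, `known_good_base` and `uses_ssl` are my own, and all sample values are constructed from the post.

```python
import re

# Constructed sample input: the apache error_log line quoted in the post.
SAMPLE_LOG_LINE = ("[Wed Apr 9 22:20:09 2008] [critical]: RT::User::_GetBoundLdapObj "
                   "Can't bind: LDAP_INVALID_CREDENTIALS 49 "
                   "(/usr/local/rt3/lib/RT/User_Vendor.pm:1056)")

# Constructed sample: the 'My_LDAP' service from the posted RT_SiteConfig.pm,
# transcribed into a dict (only the keys the checks below look at).
SAMPLE_SERVICE = {
    "type": "ldap",
    "server": "redacted.comalc.com",
    "user": "redacted",
    "pass": "redacted",
    "base": "ou=Organisational Unit,dc=domain,dc=TLD",
    "filter": "(objectclass=*)",
    "d_filter": "(userAccountControl:1.2.840.113556.1.4.803:=2)",
    "tls": 0,
}

# LDAP result codes (RFC 4511) that commonly appear on a failed bind.
LDAP_RESULT_CODES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

# Matches the message RT::User::_GetBoundLdapObj logs when Net::LDAP bind fails.
BIND_ERROR_RE = re.compile(
    r"RT::User::_GetBoundLdapObj Can't bind: (?P<name>\w+) (?P<code>\d+) "
    r"\((?P<file>[^:()]+):(?P<line>\d+)\)")


def parse_bind_error(line):
    """Return the LDAP error name, numeric code and source location from an
    ExternalAuth bind-failure log line, or None if the line is something else."""
    m = BIND_ERROR_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    return {"name": m.group("name"), "code": code,
            "meaning": LDAP_RESULT_CODES.get(code, "unknown"),
            "file": m.group("file"), "line": int(m.group("line"))}


def domain_components(dn):
    """Lower-cased dc= values of a DN in order: 'dc=comalc,dc=com' -> ['comalc', 'com']."""
    return [part.split("=", 1)[1].strip().lower()
            for part in dn.split(",")
            if part.strip().lower().startswith("dc=")]


def check_ldap_service(service, anonymous_bind_intended, known_good_base, uses_ssl=False):
    """Return a list of (code, message) findings for one ExternalSettings LDAP service.
    known_good_base is a base DN known to work (e.g. the one passed to ldapsearch)."""
    findings = []
    has_creds = "user" in service or "pass" in service
    if anonymous_bind_intended and has_creds:
        findings.append(("CREDS_PRESENT",
                         "user/pass are set, so RT performs a simple bind with them; "
                         "anonymous access on the server never comes into play"))
    if not anonymous_bind_intended and not ("user" in service and "pass" in service):
        findings.append(("CREDS_MISSING", "authenticated bind intended but user/pass not both set"))
    if domain_components(service.get("base", "")) != domain_components(known_good_base):
        findings.append(("BASE_MISMATCH",
                         "base %r does not share domain components with working base %r"
                         % (service.get("base"), known_good_base)))
    if "pass" in service and not service.get("tls") and not uses_ssl:
        findings.append(("CLEARTEXT_BIND",
                         "bind password would be sent unencrypted: tls is off and SSL is not enabled"))
    if service.get("filter", "").replace(" ", "").lower() == "(objectclass=*)":
        findings.append(("BROAD_FILTER",
                         "filter matches every object, not only user accounts"))
    return findings


if __name__ == "__main__":
    err = parse_bind_error(SAMPLE_LOG_LINE)
    print("bind failed with %s (%d, %s) at %s:%d"
          % (err["name"], err["code"], err["meaning"], err["file"], err["line"]))
    for code, msg in check_ldap_service(SAMPLE_SERVICE, anonymous_bind_intended=True,
                                        known_good_base="dc=comalc,dc=com"):
        print("%-15s %s" % (code, msg))
```

Run as-is it reports the result code 49 and the four findings above for the posted service; re-running it on the same dict with `user` and `pass` removed and `base` set to the domain the ldapsearch used returns only the cleartext and filter notes, which is the sensible next step before asking the AD admin to keep anonymous binding enabled.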
