No bites on this, so here is additional/updated information.
Using RT 3.8.2
Using the plugin RT-Authen-ExternalAuth to connect to Windows Active Directory for authentication.
I cannot get the group & group_attr figured out to allow login by group only.
What changes to my configuration do I need to make?
My RT_SiteConfig.pm:
Set( $rtname, 'XXXXXX');
Set($LogToFileNamed, "/var/tmp/rt3.error");
Set($LogToFile, 'debug');
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);
Set(@Plugins, qw(RT::Authen::ExternalAuth));
Set($ExternalSettings, {
    'My_LDAP' => {  ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'   => 'ldap',
        'auth'   => 1,
        'info'   => 1,
        # The server hosting the service
        'server' => 'XXX.XXX.XXX.XXX',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user'   => 'XXXXX',
        # The password RT should use to connect to the LDAP server
        'pass'   => 'XXXXX',
        #
        # The LDAP search base
        'base'   => 'ou=Campus,dc=ad,dc=cnc,dc=bc,dc=ca',
        #
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        #
        # The filter to use to match RT-Users
        'filter' => '(objectClass=User)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        # (attribute name is userAccountControl; the original had a typo here)
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        'tls'    => 0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group'  => 'CSER',
        # What is the attribute for the group object that determines membership?
        'group_attr' => 'member',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name'         => 'sAMAccountName',
                        'EmailAddress' => 'mail',
                      },
    },
});
1;
Debug output:
[debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[debug]: RT's GnuPG libraries couldn't successfully read your configured GnuPG home directory (/opt/rt3/var/data/gpg). PGP support has been disabled (/opt/rt3/bin/../lib/RT/Config.pm:339)
[debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[debug]: Calling UserExists with $username (XXXXX) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[debug]: UserExists params: username: XXXXX , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[debug]: LDAP Search === Base: ou=Campus,dc=ad,dc=cnc,dc=bc,dc=ca == Filter: (&(objectClass=User)(sAMAccountName=XXXXX)) == Attrs: mail,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[debug]: Password validation required for service - Executing... (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[debug]: Trying external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[debug]: LDAP Search === Base: ou=Campus,dc=ad,dc=cnc,dc=bc,dc=ca == Filter: (&(sAMAccountName=XXXXX)(objectClass=User)) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[debug]: Found LDAP DN: CN=XXXXX,OU=CompServices,OU=Users,OU=PG,OU=Campus,DC=ad,DC=cnc,DC=bc,DC=ca (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[debug]: LDAP Search === Base: ou=Campus,dc=ad,dc=cnc,dc=bc,dc=ca == Filter: (member=CN=XXXXX,OU=CompServices,OU=Users,OU=PG,OU=Campus,DC=ad,DC=cnc,DC=bc,DC=ca) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[critical]: Search for (member=CN=XXXXX,OU=CompServices,OU=Users,OU=PG,OU=Campus,DC=ad,DC=cnc,DC=bc,DC=ca) failed: LDAP_INVALID_DN_SYNTAX 34 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:116)
[debug]: LDAP password validation result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[debug]: Password Validation Check Result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[error]: FAILED LOGIN for XXXXX from 142.27.70.153 (/opt/rt3/share/html/autohandler:268)
I can see that the group_attr seems to be incorrect, so what group attribute am I supposed to be using? I've tried various ones with no success. I'm using ADSIEdit to pick attributes to try but haven't been able to find the correct one. I've spent days researching the net with LDAP and trying to figure it out. Could someone please help me or at least point me to the right resource? I can't find any more information on how to integrate this plugin to use my LDAP source.
Kevin W. Gagel
Network Administrator
Local 5448
My blog:
http://mail.cnc.bc.ca/blogs/gagel
My shared files:
http://mail.cnc.bc.ca/users/gagel
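A stand-alone Perl diagnostic, added here and not part of the original post or of the RT-Authen-ExternalAuth plugin, that re-creates with Net::LDAP the user lookup and the group-membership search that appear in the debug log above, so candidate 'group' and 'group_attr' values can be tried outside RT. The server, bind credentials and group DN are placeholders; it assumes the plugin uses the configured 'group' value as the base of the membership search, which is why that value is written as a full DN here.

```perl
#!/usr/bin/perl
# Re-creates the plugin's LDAP searches so 'group'/'group_attr' can be tested
# directly against AD. All values below are placeholders (assumptions).
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_error_name escape_filter_value);

my %cfg = (
    server     => 'XXX.XXX.XXX.XXX',
    user       => 'XXXXX',            # bind DN or user@domain for AD
    pass       => 'XXXXX',
    base       => 'ou=Campus,dc=ad,dc=cnc,dc=bc,dc=ca',
    filter     => '(objectClass=User)',
    # Assumption: the membership check searches *under* the 'group' value, so it
    # must be the group's full DN rather than a short name such as 'CSER'.
    group      => 'CN=CSER,OU=Groups,OU=Campus,DC=ad,DC=cnc,DC=bc,DC=ca',  # placeholder
    group_attr => 'member',
);
my $login = shift @ARGV or die "usage: $0 <sAMAccountName>\n";

my $ldap = Net::LDAP->new($cfg{server}, version => 3)
    or die "connect to $cfg{server} failed: $@\n";
my $msg = $ldap->bind($cfg{user}, password => $cfg{pass});
die "bind failed: " . ldap_error_name($msg) . " " . $msg->error . "\n" if $msg->code;

# Step 1: find the user the way the log shows it: (&(filter)(sAMAccountName=login))
my $uf = "(&$cfg{filter}(sAMAccountName=" . escape_filter_value($login) . "))";
$msg = $ldap->search(base => $cfg{base}, filter => $uf, attrs => ['dn']);
die "user search failed: " . ldap_error_name($msg) . "\n" if $msg->code;
die "expected exactly one user for $uf, got " . $msg->count . "\n" unless $msg->count == 1;
my $user_dn = $msg->entry(0)->dn;
print "user DN: $user_dn\n";

# Step 2: membership check: search under the group DN for group_attr=<user DN>
my $gf = "($cfg{group_attr}=" . escape_filter_value($user_dn) . ")";
$msg = $ldap->search(base => $cfg{group}, filter => $gf, attrs => ['dn']);
if ($msg->code) {
    # A code of 34 (LDAP_INVALID_DN_SYNTAX) here means the search base, i.e.
    # the 'group' value, is not a syntactically valid DN.
    die "group search failed: " . ldap_error_name($msg) . " (" . $msg->code . ")\n";
}
print $msg->count ? "$login IS a member of $cfg{group}\n"
                  : "$login is NOT a member of $cfg{group}\n";
$ldap->unbind;
```

Run it as `perl check_group.pl <sAMAccountName>` with the placeholders filled in; a successful step 2 shows the exact group DN and attribute to put into RT_SiteConfig.pm.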
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users