The user is within the base. The user exists in a sub-OU inside of ITS. I have the correct DC, I have the ip entered for the DC/LDAP Server.
Yes sir that is correct, I am using placeholders. I do not believe that SSL is being used based on the config I provided. All of the information is correct. I have used an ldap browser to verify connectivity on port 389 and to verify the information I've placed into the config.

Andrew Wagner-4 wrote:
>
> I believe that if you specify SSL, Authen-External will automatically
> use port 636 (LDAPS). TLS encryption uses 389. We used TLS as LDAPS
> is no longer officially supported.
>
> Is the user you are trying to authenticate with inside your base? Do
> you have the correct domain controller specified under server? Do you
> have the right domain specified and formatted under base? I assume
> you're replacing your domain information with placeholders in your
> config and are not actually using rt.mydomain.local.
>
> Andrew Wagner
> Assistant Network Administrator
> [email protected]
> 265-5710
> Room 370B
> Wisconsin Center for Education Research (WCER)
> www.wcer.wisc.edu
>
>
> On 8/29/2011 12:55 PM, josh.cole wrote:
>> I think I am close now. I made those changes to the config. I am
>> receiving an error when I try to login with my AD credentials. The
>> error is:
>> [Mon Aug 29 17:35:31 2011] [critical]:
>> RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to
>> rt.mydomain.local
>> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)
>>
>> Do I need to specify an ldap port? I did add a username and password to
>> authenticate.
>>
>>
>> josh.cole wrote:
>>> Thank you very much for your feedback. I really appreciate it.
>>>
>>> Andrew Wagner-4 wrote:
>>>> Yes, Josh. That is correct. The ExternalAuthen checks all locations
>>>> for users under the base OU. Either change your specified base in
>>>> RT_SiteConfig.pm or move the users to the OU that you want RT to
>>>> search.
>>>>
>>>> Andrew Wagner
>>>> Assistant Network Administrator
>>>> [email protected]
>>>> 265-5710
>>>> Room 370B
>>>> Wisconsin Center for Education Research (WCER)
>>>> www.wcer.wisc.edu
>>>>
>>>>
>>>> On 8/29/2011 11:39 AM, josh.cole wrote:
>>>>> Thank you for your response. So just to make sure I understand, if
>>>>> the users I want to be able to authenticate in RT are not in the OU
>>>>> specified it will not work? So I should move those users to whatever
>>>>> the OU is that I specify in the base?
>>>>>
>>>>> Andrew Wagner-4 wrote:
>>>>>> 1. For group_attr, you want the term to be 'member'. That checks
>>>>>> for membership in the group.
>>>>>>
>>>>>> 2. For your base, you need to choose the next highest level of
>>>>>> Active Directory beyond where your users are stored. This means you
>>>>>> need to specify the OU where your users are, not just a random
>>>>>> "Users" OU.
>>>>>>
>>>>>> Andrew Wagner
>>>>>> Assistant Network Administrator
>>>>>> [email protected]
>>>>>> 265-5710
>>>>>> Room 370B
>>>>>> Wisconsin Center for Education Research (WCER)
>>>>>> www.wcer.wisc.edu
>>>>>>
>>>>>>
>>>>>> On 8/29/2011 11:26 AM, josh.cole wrote:
>>>>>>> I am trying to make this work. I installed the latest version of
>>>>>>> ExternalAuth. I am working with Request Tracker for the first time,
>>>>>>> just upgraded from 3.8.7 to 4.0.1. There are a few things that I
>>>>>>> think are off but I am not sure what the correct solution is.
>>>>>>>
>>>>>>> 1. I am not sure what to use for the group_attr. I want to have
>>>>>>> users in the group Request-Tracker inside of AD be able to
>>>>>>> authenticate with their credentials when logging into RT and I
>>>>>>> believe the filter is set correctly other than what needs to be
>>>>>>> added for the group_attribute. I am not sure what that should be.
>>>>>>>
>>>>>>> 2. For my base statement. I am specifying the Users OU but none of
>>>>>>> my users are in that OU. I am not sure exactly what it's looking
>>>>>>> for there.
>>>>>>>
>>>>>>> Any help is appreciated!
>>>>>>> ExternalAuth config:
>>>>>>>
>>>>>>> I have added the following to my RT_SiteConfig.pm:
>>>>>>>
>>>>>>> @RT::MailPlugins = ("RT::Authen::ExternalAuth");
>>>>>>> Set(@Plugins, qw(RT::Authen::ExternalAuth) );
>>>>>>> Set($ExternalAuthPriority, [ 'Active_Directory' ] );
>>>>>>> Set($ExternalInfoPriority, [ 'Active_Directory' ] );
>>>>>>> Set($AutoCreateNonExternalUsers, 0);
>>>>>>>
>>>>>>> Set($ExternalSettings, {
>>>>>>>     'Active_Directory' => {
>>>>>>>         'type'   => 'ldap',
>>>>>>>         'auth'   => 1,
>>>>>>>         'info'   => 1,
>>>>>>>         'server' => 'rt.mydomain.local',
>>>>>>>         'base'   => 'OU=Users,DC=mydomain,DC=local',
>>>>>>>         # The filter to use to match RT-Users
>>>>>>>         'filter' => '(objectclass=person)',
>>>>>>>         # The filter that will only match disabled users
>>>>>>>         'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>>>>>>         # Should we try to use TLS to encrypt connections?
>>>>>>>         'tls' => 0,
>>>>>>>         # What other args should I pass to Net::LDAP->new($host,@args)?
>>>>>>>         'net_ldap_args' => [ version => 3 ],
>>>>>>>         # Does authentication depend on group membership? What group name?
>>>>>>>         'group' => 'Request-Tracker',
>>>>>>>         # What is the attribute for the group object that determines membership?
>>>>>>>         #'group_attr' => 'GROUP_ATTR',
>>>>>>>         ## RT ATTRIBUTE MATCHING SECTION
>>>>>>>         # The list of RT attributes that uniquely identify a user
>>>>>>>         'attr_match_list' => [ 'ExternalAuthId','EmailAddress' ],
>>>>>>>         # The mapping of RT attributes on to LDAP attributes
>>>>>>>         'attr_map' => {
>>>>>>>             'Name'           => 'sAMAccountName',
>>>>>>>             'EmailAddress'   => 'mail',
>>>>>>>             'Organization'   => 'physicalDeliveryOfficeName',
>>>>>>>             'RealName'       => 'displayName',
>>>>>>>             'ExternalAuthId' => 'sAMAccountName',
>>>>>>>             'Gecos'          => 'sAMAccountName',
>>>>>>>             'WorkPhone'      => 'telephoneNumber',
>>>>>>>             'Address1'       => 'streetAddress',
>>>>>>>             'City'           => 'l',
>>>>>>>             'State'          => 'st',
>>>>>>>             'Zip'            => 'postalCode',
>>>>>>>             'Country'        => 'co'
>>>>>>>         }
>>>>>>>     }
>>>>>>> } );
>>>>>>>
>>>>>>
>>>>>> --------
>>>>>> RT Training Sessions
>>>>>> (http://bestpractical.com/services/training.html)
>>>>>> * Chicago, IL, USA September 26 & 27, 2011
>>>>>> * San Francisco, CA, USA October 18 & 19, 2011
>>>>>> * Washington DC, USA October 31 & November 1, 2011
>>>>>> * Melbourne VIC, Australia November 28 & 29, 2011
>>>>>> * Barcelona, Spain November 28 & 29, 2011

--
View this message in context: http://old.nabble.com/Has-anyone-sucessfully-configured-LDAP-to-authenticate-against-AD-with-version-4.0.1--tp32358024p32359422.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.
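
The three settings this thread turns on (`base`, `tls`, `group_attr`) can be checked offline before RT is restarted. The Python sketch below is an added example, not part of the thread or of RT::Authen::ExternalAuth; the dict mirrors the keys of the posted `$ExternalSettings`, and the user DN and the `OU=ITS` base are constructed from the thread's placeholders.

```python
# Added example: offline review of the ExternalAuth settings discussed in the thread.

def split_rdns(dn):
    """Split a DN into normalised (attr, value) pairs, honouring backslash escapes."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep an escaped character with its backslash
            i += 2
            continue
        if dn[i] == ",":                # an unescaped comma ends the current RDN
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur)
    out = []
    for part in parts:
        if part.strip():
            attr, _, value = part.partition("=")
            out.append((attr.strip().casefold(), value.strip().casefold()))
    return out

def dn_in_base(entry_dn, base_dn):
    """True when entry_dn sits at or below base_dn (what a subtree search can reach)."""
    entry, base = split_rdns(entry_dn), split_rdns(base_dn)
    return bool(base) and len(entry) >= len(base) and entry[-len(base):] == base

def review_settings(cfg, user_dn):
    """Return a list of findings for one ExternalAuth-style settings dict."""
    findings = []
    if not dn_in_base(user_dn, cfg.get("base", "")):
        findings.append("base: user DN is outside the search base, the user will not be found")
    if not cfg.get("tls") and not str(cfg.get("server", "")).startswith("ldaps://"):
        findings.append("tls: bind on port 389 without TLS sends the password in cleartext")
    if cfg.get("group") and not cfg.get("group_attr"):
        findings.append("group_attr: 'group' is set but no membership attribute is configured")
    return findings

# Constructed inputs: a user in a sub-OU of ITS, the settings as posted, and a revised copy.
USER_DN = "CN=Josh Cole,OU=Helpdesk,OU=ITS,DC=mydomain,DC=local"
POSTED = {"server": "rt.mydomain.local", "base": "OU=Users,DC=mydomain,DC=local",
          "tls": 0, "group": "Request-Tracker", "group_attr": None}
REVISED = dict(POSTED, base="OU=ITS,DC=mydomain,DC=local", tls=1, group_attr="member")

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("revised", REVISED)):
        print(name, review_settings(cfg, USER_DN) or "no findings")
```

The base check compares whole RDNs rather than string suffixes, so `OU=NotITS` is not mistaken for `OU=ITS`.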
