I should have noticed this sooner - try specifying the full DN of your rtauth user. That is, CN=rtauth,OU=someOU,OU=anotherOU,DC=mine,DC=his,DC=hers,DC=com.

Andrew Wagner
Assistant Network Administrator
[email protected]
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu


On 8/29/2011 2:18 PM, josh.cole wrote:
The user is within the base. The user exists in a sub-OU inside of ITS. I
have the correct DC, I have the ip entered for the DC/LDAP Server.

Yes sir that is correct, I am using placeholders. I do not believe that SSL
is being used based on the config I provided. All of the information is
correct. I have used an ldap browser to verify connectivity on port 389 and
to verify the information I've placed into the config.


Andrew Wagner-4 wrote:
I believe that if you specify SSL, Authen-External will automatically
use port 636 (LDAPS).  TLS encryption uses 389.  We used TLS as LDAPS
is no longer officially supported.

Is the user you are trying to authenticate with inside your base?  Do
you have the correct domain controller specified under server?  Do you
have the right domain specified and formatted under base?  I assume
you're replacing your domain information with placeholders in your
config and are not actually using rt.mydomain.local.

Andrew Wagner
Assistant Network Administrator
[email protected]
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu


On 8/29/2011 12:55 PM, josh.cole wrote:
I think I am close now. I made those changes to the config. I am
receiving an error when I try to log in with my AD credentials. The
error is:
[Mon Aug 29 17:35:31 2011] [critical]:
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to
rt.mydomain.local
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)

Do I need to specify an ldap port? I did add a username and password to
authenticate.


josh.cole wrote:
Thank you very much for your feedback. I really appreciate it.

Andrew Wagner-4 wrote:
Yes, Josh.  That is correct.  The ExternalAuthen checks all locations
for users under the base OU.  Either change your specified base in
RT_SiteConfig.pm or move the users to the OU that you want RT to
search.

Andrew Wagner
Assistant Network Administrator
[email protected]
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu


On 8/29/2011 11:39 AM, josh.cole wrote:
Thank you for your response. So just to make sure I understand, if the
users I want to be able to authenticate in RT are not in the OU specified
it will not work? So I should move those users to whatever the OU is that
I specify in the base?

Andrew Wagner-4 wrote:
1.  For group_attr, you want the term to be 'member'.  That checks for
membership in the group.

2.  For your base, you need to choose the next highest level of Active
Directory beyond where your users are stored.  This means you need to
specify the OU where your users are, not just a random "Users" OU.

Andrew Wagner
Assistant Network Administrator
[email protected]
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu


On 8/29/2011 11:26 AM, josh.cole wrote:
I am trying to make this work. I installed the latest version of
ExternalAuth. I am working with Request Tracker for the first time, just
upgraded from 3.8.7 to 4.0.1. There are a few things that I think are off
but I am not sure what the correct solution is.

1. I am not sure what to use for the group_attr. I want to have users in
the group Request-Tracker inside of AD be able to authenticate with their
credentials when logging into RT, and I believe the filter is set
correctly other than what needs to be added for the group_attribute. I am
not sure what that should be.

2. For my base statement, I am specifying the Users OU but none of my
users are in that OU. I am not sure exactly what it's looking for there.

Any help is appreciated!
ExternalAuth config:

I have added the following to my RT_SiteConfig.pm:

@RT::MailPlugins = ("RT::Authen::ExternalAuth");
Set(@Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalAuthPriority,  [ 'Active_Directory' ] );
Set($ExternalInfoPriority,  [ 'Active_Directory' ] );
Set($AutoCreateNonExternalUsers,    0);

Set($ExternalSettings, {
    'Active_Directory' => {
        'type'            => 'ldap',
        'auth'            => 1,
        'info'            => 1,
        'server'          => 'rt.mydomain.local',
        'base'            => 'OU=Users,DC=mydomain,DC=local',
        # The filter to use to match RT-Users
        'filter'          => '(objectclass=person)',
        # The filter that will only match disabled users
        'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Should we try to use TLS to encrypt connections?
        'tls'             => 0,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args'   => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group'           => 'Request-Tracker',
        # What is the attribute for the group object that determines membership?
        #'group_attr'     => 'GROUP_ATTR',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map'        => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'displayName',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co'
        }
    }
});

--------
RT Training Sessions (http://bestpractical.com/services/training.html)
*  Chicago, IL, USA — September 26 & 27, 2011
*  San Francisco, CA, USA — October 18 & 19, 2011
*  Washington DC, USA — October 31 & November 1, 2011
*  Melbourne VIC, Australia — November 28 & 29, 2011
*  Barcelona, Spain — November 28 & 29, 2011
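
Added example (not part of the original messages, and not code from RT or RT::Authen::ExternalAuth): the three points this thread arrives at, namely the bind user given as a full DN, the user located under the configured base, and group_attr set to 'member', checked offline in Python. The dict keys bind_user/base/group_attr and every DN below are constructed for the example, and DN comparison is assumed to be case-insensitive.

```python
import re

# Added example: key names and all DNs here are constructed, not taken from a real directory.

def split_rdns(dn):
    """Split a DN on unescaped commas (a backslash escapes the next character)."""
    return re.findall(r"(?:\\.|[^,\\])+", dn)

def normalize(dn):
    """Return the DN as a tuple of lower-cased (attribute, value) pairs, leaf first."""
    rdns = []
    for rdn in split_rdns(dn) or [dn]:
        attr, sep, value = rdn.partition("=")
        if not (sep and attr.strip() and value.strip()):
            raise ValueError(f"not a distinguished name: {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)

def in_subtree(entry_dn, base_dn):
    """True if entry_dn is the base itself or lies anywhere beneath it."""
    entry, base = normalize(entry_dn), normalize(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def check(cfg, user_dn, group_members):
    """List which of the thread's three points this configuration fails."""
    problems = []
    try:
        normalize(cfg["bind_user"])
    except ValueError:
        problems.append("bind user is not a full DN")
    if not in_subtree(user_dn, cfg["base"]):
        problems.append("user is outside the search base")
    if cfg["group_attr"] != "member":
        problems.append("group_attr is not 'member'")
    elif normalize(user_dn) not in {normalize(m) for m in group_members}:
        problems.append("user DN is not in the group's member values")
    return problems

# Constructed sample data: a user in a sub-OU of ITS, with an escaped comma in the CN.
USER = "CN=Doe\\, Jane,OU=Helpdesk,OU=ITS,DC=mydomain,DC=local"
MEMBERS = ["cn=doe\\, jane,ou=helpdesk,ou=its,dc=mydomain,dc=local"]
BEFORE = {"bind_user": "rtauth", "base": "OU=Users,DC=mydomain,DC=local",
          "group_attr": "GROUP_ATTR"}
AFTER = {"bind_user": "CN=rtauth,OU=Service,OU=ITS,DC=mydomain,DC=local",
         "base": "OU=ITS,DC=mydomain,DC=local", "group_attr": "member"}
```

check(BEFORE, USER, MEMBERS) reports all three problems; check(AFTER, USER, MEMBERS) returns an empty list.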

