Below is the result:

[Mon Aug 29 20:04:21 2011] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:467)

Andrew Wagner-4 wrote:
>
> I should have noticed this sooner - try specifying the full DN of your
> rtauth user. That is,
> CN=rtauth,OU=someOU,OU=anotherOU,DC=mine,DC=his,DC=hers,DC=com.
>
> Andrew Wagner
> Assistant Network Administrator
> 265-5710
> Room 370B
> Wisconsin Center for Education Research (WCER)
> www.wcer.wisc.edu
>
> On 8/29/2011 2:18 PM, josh.cole wrote:
>> The user is within the base. The user exists in a sub-OU inside of ITS.
>> I have the correct DC, I have the IP entered for the DC/LDAP Server.
>>
>> Yes sir that is correct, I am using placeholders. I do not believe that
>> SSL is being used based on the config I provided. All of the information
>> is correct. I have used an ldap browser to verify connectivity on port
>> 389 and to verify the information I've placed into the config.
>>
>> Andrew Wagner-4 wrote:
>>> I believe that if you specify SSL, Authen-External will automatically
>>> use port 636 (LDAPS). TLS encryption uses 389. We used TLS as LDAPS
>>> is no longer officially supported.
>>>
>>> Is the user you are trying to authenticate with inside your base? Do
>>> you have the correct domain controller specified under server? Do you
>>> have the right domain specified and formatted under base? I assume
>>> you're replacing your domain information with placeholders in your
>>> config and are not actually using rt.mydomain.local.
>>>
>>> Andrew Wagner
>>> Assistant Network Administrator
>>> 265-5710
>>> Room 370B
>>> Wisconsin Center for Education Research (WCER)
>>> www.wcer.wisc.edu
>>>
>>> On 8/29/2011 12:55 PM, josh.cole wrote:
>>>> I think I am close now. I made those changes to the config. I am
>>>> receiving an error when I try to login with my AD credentials.
>>>> The error is:
>>>>
>>>> [Mon Aug 29 17:35:31 2011] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to rt.mydomain.local (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)
>>>>
>>>> Do I need to specify an ldap port? I did add a username and password to
>>>> authenticate.
>>>>
>>>> josh.cole wrote:
>>>>> Thank you very much for your feedback. I really appreciate it.
>>>>>
>>>>> Andrew Wagner-4 wrote:
>>>>>> Yes, Josh. That is correct. The ExternalAuthen checks all locations
>>>>>> for users under the base OU. Either change your specified base in
>>>>>> RT_SiteConfig.pm or move the users to the OU that you want RT to
>>>>>> search.
>>>>>>
>>>>>> Andrew Wagner
>>>>>> Assistant Network Administrator
>>>>>> 265-5710
>>>>>> Room 370B
>>>>>> Wisconsin Center for Education Research (WCER)
>>>>>> www.wcer.wisc.edu
>>>>>>
>>>>>> On 8/29/2011 11:39 AM, josh.cole wrote:
>>>>>>> Thank you for your response. So just to make sure I understand, if
>>>>>>> the users I want to be able to authenticate in RT are not in the OU
>>>>>>> specified it will not work? So I should move those users to whatever
>>>>>>> the OU is that I specify in the base?
>>>>>>>
>>>>>>> Andrew Wagner-4 wrote:
>>>>>>>> 1. For group_attr, you want the term to be 'member'. That checks
>>>>>>>> for membership in the group.
>>>>>>>>
>>>>>>>> 2. For your base, you need to choose the next highest level of
>>>>>>>> Active Directory beyond where your users are stored. This means you
>>>>>>>> need to specify the OU where your users are, not just a random
>>>>>>>> "Users" OU.
>>>>>>>>
>>>>>>>> Andrew Wagner
>>>>>>>> Assistant Network Administrator
>>>>>>>> 265-5710
>>>>>>>> Room 370B
>>>>>>>> Wisconsin Center for Education Research (WCER)
>>>>>>>> www.wcer.wisc.edu
>>>>>>>>
>>>>>>>> On 8/29/2011 11:26 AM, josh.cole wrote:
>>>>>>>>> I am trying to make this work. I installed the latest version of
>>>>>>>>> ExternalAuth. I am working with Request Tracker for the first
>>>>>>>>> time, just upgraded from 3.8.7 to 4.0.1. There are a few things
>>>>>>>>> that I think are off but I am not sure what the correct solution
>>>>>>>>> is.
>>>>>>>>>
>>>>>>>>> 1. I am not sure what to use for the group_attr. I want to have
>>>>>>>>> users in the group Request-Tracker inside of AD be able to
>>>>>>>>> authenticate with their credentials when logging into RT and I
>>>>>>>>> believe the filter is set correctly other than what needs to be
>>>>>>>>> added for the group_attribute. I am not sure what that should be.
>>>>>>>>>
>>>>>>>>> 2. For my base statement, I am specifying the Users OU but none of
>>>>>>>>> my users are in that OU. I am not sure exactly what it's looking
>>>>>>>>> for there.
>>>>>>>>>
>>>>>>>>> Any help is appreciated!
>>>>>>>>>
>>>>>>>>> ExternalAuth config:
>>>>>>>>>
>>>>>>>>> I have added the following to my RT_SiteConfig.pm:
>>>>>>>>>
>>>>>>>>> @RT::MailPlugins = ("RT::Authen::ExternalAuth");
>>>>>>>>> Set(@Plugins, qw(RT::Authen::ExternalAuth) );
>>>>>>>>> Set($ExternalAuthPriority, [ 'Active_Directory' ] );
>>>>>>>>> Set($ExternalInfoPriority, [ 'Active_Directory' ] );
>>>>>>>>> Set($AutoCreateNonExternalUsers, 0);
>>>>>>>>>
>>>>>>>>> Set($ExternalSettings, {
>>>>>>>>>     'Active_Directory' => {
>>>>>>>>>         'type'   => 'ldap',
>>>>>>>>>         'auth'   => 1,
>>>>>>>>>         'info'   => 1,
>>>>>>>>>         'server' => 'rt.mydomain.local',
>>>>>>>>>         'base'   => 'OU=Users,DC=mydomain,DC=local',
>>>>>>>>>         # The filter to use to match RT-Users
>>>>>>>>>         'filter' => '(objectclass=person)',
>>>>>>>>>         # The filter that will only match disabled users
>>>>>>>>>         'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>>>>>>>>         # Should we try to use TLS to encrypt connections?
>>>>>>>>>         'tls' => 0,
>>>>>>>>>         # What other args should I pass to Net::LDAP->new($host,@args)?
>>>>>>>>>         'net_ldap_args' => [ version => 3 ],
>>>>>>>>>         # Does authentication depend on group membership? What group name?
>>>>>>>>>         'group' => 'Request-Tracker',
>>>>>>>>>         # What is the attribute for the group object that determines membership?
>>>>>>>>>         #'group_attr' => 'GROUP_ATTR',
>>>>>>>>>         ## RT ATTRIBUTE MATCHING SECTION
>>>>>>>>>         # The list of RT attributes that uniquely identify a user
>>>>>>>>>         'attr_match_list' => [ 'ExternalAuthId','EmailAddress' ],
>>>>>>>>>         # The mapping of RT attributes on to LDAP attributes
>>>>>>>>>         'attr_map' => { 'Name' => 'sAMAccountName',
>>>>>>>>>                         'EmailAddress' => 'mail',
>>>>>>>>>                         'Organization' => 'physicalDeliveryOfficeName',
>>>>>>>>>                         'RealName' => 'displayName',
>>>>>>>>>                         'ExternalAuthId' => 'sAMAccountName',
>>>>>>>>>                         'Gecos' => 'sAMAccountName',
>>>>>>>>>                         'WorkPhone' => 'telephoneNumber',
>>>>>>>>>                         'Address1' => 'streetAddress',
>>>>>>>>>                         'City' => 'l',
>>>>>>>>>                         'State' => 'st',
>>>>>>>>>                         'Zip' => 'postalCode',
>>>>>>>>>                         'Country' => 'co'
>>>>>>>>>         }
>>>>>>>>>     }
>>>>>>>>> }
>>>>>>>>> );
>>>>>>>>>
>>>>>>>> --------
>>>>>>>> RT Training Sessions (http://bestpractical.com/services/training.html)
>>>>>>>> * Chicago, IL, USA September 26 & 27, 2011
>>>>>>>> * San Francisco, CA, USA October 18 & 19, 2011
>>>>>>>> * Washington DC, USA October 31 & November 1, 2011
>>>>>>>> * Melbourne VIC, Australia November 28 & 29, 2011
>>>>>>>> * Barcelona, Spain November 28 & 29, 2011

--
View this message in context: http://old.nabble.com/Has-anyone-sucessfully-configured-LDAP-to-authenticate-against-AD-with-version-4.0.1--tp32358024p32359783.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.
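
The ExternalSettings stanza with the thread's suggestions applied (full DN for the bind account, 'member' as group_attr, a base that contains the users), as an added example that is not part of any message in the thread. Host names, OUs and the password are placeholders; 'user' and 'pass' are the plugin's bind-account keys, which the thread mentions but does not show, and giving the group as a DN is an assumption.

```perl
# Added example for RT_SiteConfig.pm; every name below is a placeholder.
Set($ExternalSettings, {
    'Active_Directory' => {
        'type'   => 'ldap',
        'auth'   => 1,
        'info'   => 1,
        # The domain controller / LDAP server RT should contact.
        'server' => 'dc01.mydomain.local',
        # Service account RT binds as before it searches. The thread's
        # suggestion for "Can't bind: LDAP_INVALID_CREDENTIALS 49" is to
        # give the full DN here rather than a short account name.
        'user'   => 'CN=rtauth,OU=someOU,OU=anotherOU,DC=mydomain,DC=local',
        # This file now holds a directory password: keep it readable only
        # by the account RT runs as.
        'pass'   => 'CHANGE_ME',
        # A container that actually holds the users who must log in
        # (users in sub-OUs below it are found as well).
        'base'   => 'OU=ITS,DC=mydomain,DC=local',
        'filter'   => '(objectclass=person)',
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # StartTLS on port 389. With 'tls' => 0 the bind DN, the service
        # password and each user's password cross the network unencrypted.
        'tls'           => 1,
        'net_ldap_args' => [ version => 3 ],
        # Restrict logins to one AD group. Assumption: the group is given
        # as its DN so the plugin can read that object's 'member' values.
        'group'      => 'CN=Request-Tracker,OU=Groups,DC=mydomain,DC=local',
        'group_attr' => 'member',
        'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'displayName',
            'ExternalAuthId' => 'sAMAccountName',
        },
    },
});
```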
