I think I have made some progress. Still receiving an error. The error is:

[Mon Aug 29 23:15:41 2011] [debug]: Attempting to use external auth service: Active_Directory (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Aug 29 23:15:41 2011] [debug]: Calling UserExists with $username (josh cole) and $service (Active_Directory) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Aug 29 23:15:41 2011] [debug]: UserExists params: username: josh cole , service: Active_Directory (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Aug 29 23:15:41 2011] [debug]: LDAP Search === Base: DC=fpu,DC=local == Filter: (&(objectclass=person)(sAMAccountName=josh cole)) == Attrs: mail,sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Aug 29 23:15:41 2011] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::Authen::ExternalAuth /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm 553 with: Disabled: 0, EmailAddress: , Gecos: josh cole, Name: josh cole, Privileged: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)
[Mon Aug 29 23:15:41 2011] [debug]: Attempting to get user info using this external service: Active_Directory (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
[Mon Aug 29 23:15:41 2011] [debug]: Attempting to use this canonicalization key: ExternalAuthId (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Mon Aug 29 23:15:41 2011] [debug]: This attribute ( ExternalAuthId ) is null or incorrectly defined in the attr_map for this service ( Active_Directory ) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:474)
[Mon Aug 29 23:15:41 2011] [debug]: Attempting to use this canonicalization key: EmailAddress (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Mon Aug 29 23:15:41 2011] [debug]: LDAP Search === Base: DC=mydomain,DC=local == Filter: (&(objectclass=person)) == Attrs: mail,sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Mon Aug 29 23:15:51 2011] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: 0, EmailAddress: , Gecos: josh cole, Name: josh cole, Privileged: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
[Mon Aug 29 23:15:51 2011] [error]: Couldn't create user josh cole: Could not set user info (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129)
[Mon Aug 29 23:15:51 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Mon Aug 29 23:15:51 2011] [error]: FAILED LOGIN for josh cole from 172.18.10.65 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:655)

josh.cole wrote:
>
> Below is the result:
>
> [Mon Aug 29 20:04:21 2011] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:467)
>
>
> Andrew Wagner-4 wrote:
>>
>> I should have noticed this sooner - try specifying the full DN of your rtauth user. That is, CN=rtauth,OU=someOU,OU=anotherOU,DC=mine,DC=his,DC=hers,DC=com.
>>
>> Andrew Wagner
>> Assistant Network Administrator
>> [email protected]
>> 265-5710
>> Room 370B
>> Wisconsin Center for Education Research (WCER)
>> www.wcer.wisc.edu
>>
>>
>> On 8/29/2011 2:18 PM, josh.cole wrote:
>>> The user is within the base. The user exists in a sub-OU inside of ITS. I have the correct DC, I have the IP entered for the DC/LDAP server.
>>>
>>> Yes sir, that is correct, I am using placeholders. I do not believe that SSL is being used based on the config I provided. All of the information is correct. I have used an LDAP browser to verify connectivity on port 389 and to verify the information I've placed into the config.
>>>
>>>
>>> Andrew Wagner-4 wrote:
>>>> I believe that if you specify SSL, Authen-External will automatically use port 636 (LDAPS). TLS encryption uses 389. We used TLS as LDAPS is no longer officially supported.
>>>>
>>>> Is the user you are trying to authenticate with inside your base? Do you have the correct domain controller specified under server? Do you have the right domain specified and formatted under base? I assume you're replacing your domain information with placeholders in your config and are not actually using rt.mydomain.local.
>>>>
>>>>
>>>> On 8/29/2011 12:55 PM, josh.cole wrote:
>>>>> I think I am close now. I made those changes to the config. I am receiving an error when I try to log in with my AD credentials. The error is:
>>>>> [Mon Aug 29 17:35:31 2011] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to rt.mydomain.local (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)
>>>>>
>>>>> Do I need to specify an LDAP port? I did add a username and password to authenticate.
>>>>>
>>>>>
>>>>> josh.cole wrote:
>>>>>> Thank you very much for your feedback. I really appreciate it.
>>>>>>
>>>>>> Andrew Wagner-4 wrote:
>>>>>>> Yes, Josh. That is correct. The ExternalAuthen checks all locations for users under the base OU. Either change your specified base in RT_SiteConfig.pm or move the users to the OU that you want RT to search.
>>>>>>>
>>>>>>>
>>>>>>> On 8/29/2011 11:39 AM, josh.cole wrote:
>>>>>>>> Thank you for your response. So just to make sure I understand, if the users I want to be able to authenticate in RT are not in the OU specified it will not work? So I should move those users to whatever the OU is that I specify in the base?
>>>>>>>>
>>>>>>>> Andrew Wagner-4 wrote:
>>>>>>>>> 1. For group_attr, you want the term to be 'member'. That checks for membership in the group.
>>>>>>>>>
>>>>>>>>> 2. For your base, you need to choose the next highest level of Active Directory beyond where your users are stored. This means you need to specify the OU where your users are, not just a random "Users" OU.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 8/29/2011 11:26 AM, josh.cole wrote:
>>>>>>>>>> I am trying to make this work. I installed the latest version of ExternalAuth. I am working with Request Tracker for the first time, just upgraded from 3.8.7 to 4.0.1. There are a few things that I think are off but I am not sure what the correct solution is.
>>>>>>>>>>
>>>>>>>>>> 1. I am not sure what to use for the group_attr. I want to have users in the group Request-Tracker inside of AD be able to authenticate with their credentials when logging into RT, and I believe the filter is set correctly other than what needs to be added for the group_attribute. I am not sure what that should be.
>>>>>>>>>>
>>>>>>>>>> 2. For my base statement, I am specifying the Users OU but none of my users are in that OU. I am not sure exactly what it's looking for there.
>>>>>>>>>>
>>>>>>>>>> Any help is appreciated!
>>>>>>>>>>
>>>>>>>>>> ExternalAuth config:
>>>>>>>>>>
>>>>>>>>>> I have added the following to my RT_SiteConfig.pm:
>>>>>>>>>>
>>>>>>>>>> @RT::MailPlugins = ("RT::Authen::ExternalAuth");
>>>>>>>>>> Set(@Plugins, qw(RT::Authen::ExternalAuth) );
>>>>>>>>>> Set($ExternalAuthPriority, [ 'Active_Directory' ] );
>>>>>>>>>> Set($ExternalInfoPriority, [ 'Active_Directory' ] );
>>>>>>>>>> Set($AutoCreateNonExternalUsers, 0);
>>>>>>>>>>
>>>>>>>>>> Set($ExternalSettings, {
>>>>>>>>>>     'Active_Directory' => {
>>>>>>>>>>         'type'   => 'ldap',
>>>>>>>>>>         'auth'   => 1,
>>>>>>>>>>         'info'   => 1,
>>>>>>>>>>         'server' => 'rt.mydomain.local',
>>>>>>>>>>         'base'   => 'OU=Users,DC=mydomain,DC=local',
>>>>>>>>>>         # The filter to use to match RT-Users
>>>>>>>>>>         'filter' => '(objectclass=person)',
>>>>>>>>>>         # The filter that will only match disabled users
>>>>>>>>>>         'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>>>>>>>>>         # Should we try to use TLS to encrypt connections?
>>>>>>>>>>         'tls' => 0,
>>>>>>>>>>         # What other args should I pass to Net::LDAP->new($host,@args)?
>>>>>>>>>>         'net_ldap_args' => [ version => 3 ],
>>>>>>>>>>         # Does authentication depend on group membership? What group name?
>>>>>>>>>>         'group' => 'Request-Tracker',
>>>>>>>>>>         # What is the attribute for the group object that determines membership?
>>>>>>>>>>         #'group_attr' => 'GROUP_ATTR',
>>>>>>>>>>         ## RT ATTRIBUTE MATCHING SECTION
>>>>>>>>>>         # The list of RT attributes that uniquely identify a user
>>>>>>>>>>         'attr_match_list' => [ 'ExternalAuthId','EmailAddress' ],
>>>>>>>>>>         # The mapping of RT attributes on to LDAP attributes
>>>>>>>>>>         'attr_map' => {
>>>>>>>>>>             'Name'           => 'sAMAccountName',
>>>>>>>>>>             'EmailAddress'   => 'mail',
>>>>>>>>>>             'Organization'   => 'physicalDeliveryOfficeName',
>>>>>>>>>>             'RealName'       => 'displayName',
>>>>>>>>>>             'ExternalAuthId' => 'sAMAccountName',
>>>>>>>>>>             'Gecos'          => 'sAMAccountName',
>>>>>>>>>>             'WorkPhone'      => 'telephoneNumber',
>>>>>>>>>>             'Address1'       => 'streetAddress',
>>>>>>>>>>             'City'           => 'l',
>>>>>>>>>>             'State'          => 'st',
>>>>>>>>>>             'Zip'            => 'postalCode',
>>>>>>>>>>             'Country'        => 'co'
>>>>>>>>>>         }
>>>>>>>>>>     }
>>>>>>>>>> } );
>>>>>>>>>>

--
View this message in context: http://old.nabble.com/Has-anyone-sucessfully-configured-LDAP-to-authenticate-against-AD-with-version-4.0.1--tp32358024p32360916.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.

--------
RT Training Sessions (http://bestpractical.com/services/training.html)
* Chicago, IL, USA September 26 & 27, 2011
* San Francisco, CA, USA October 18 & 19, 2011
* Washington DC, USA October 31 & November 1, 2011
* Melbourne VIC, Australia November 28 & 29, 2011
* Barcelona, Spain November 28 & 29, 2011
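The two LDAP searches in the debug log at the top of this message, rebuilt as an added Python example (not the plugin's code and not from anyone in the thread) to show why the second search ran with no user constraint once EmailAddress came back empty. It reuses the base filter and a subset of the attr_map from the posted config, and adds RFC 4515 escaping of the value that is placed into the filter.

```python
from typing import Optional

# Pieces copied from the posted config and the debug log in the thread.
BASE_FILTER = "(objectclass=person)"
ATTR_MAP = {  # subset of the posted attr_map
    "Name": "sAMAccountName",
    "EmailAddress": "mail",
    "ExternalAuthId": "sAMAccountName",
    "Gecos": "sAMAccountName",
}

# RFC 4515 escapes for the characters that change a filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is matched literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(ldap_attr: str, value: str) -> Optional[str]:
    """AND the service's base filter with one attribute test; a blank value
    yields None, since an empty assertion would collapse to the unconstrained
    '(&(objectclass=person))' search the log shows for the empty EmailAddress.
    """
    if not value.strip():
        return None
    return f"(&{BASE_FILTER}({ldap_attr}={escape_filter_value(value)}))"


def user_exists_filter(username: str) -> Optional[str]:
    """First search in the log: look the login name up via the Name mapping."""
    return build_filter(ATTR_MAP["Name"], username)


def canonicalize_filter(rt_attr: str, value: str) -> Optional[str]:
    """Second search in the log: look the user up by one attr_match_list key;
    a key missing from attr_map is skipped (the plugin's 'null or incorrectly
    defined in the attr_map' case)."""
    ldap_attr = ATTR_MAP.get(rt_attr)
    return None if ldap_attr is None else build_filter(ldap_attr, value)


if __name__ == "__main__":
    print(user_exists_filter("josh cole"))          # same filter as the log
    print(canonicalize_filter("EmailAddress", ""))  # None, no blanket search
    print(user_exists_filter("cole (josh)"))        # parentheses escaped
```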
