hello list!
I am attempting to use ExternalAuth to have RT authenticate against an LDAP
database.
Our RT users have a separate common name under our Group ou.
cn=RTUsers,ou=Groups,dc=example,dc=com
I have devised an LDAP query that successfully retrieves information that
could be used to log into RT.
ldapsearch -x -p 389 -h ldap01.example.com -b dc=example,dc=com \
    -D "uid=dunphy,ou=People,dc=example,dc=com" -w 'secret' \
    "(&(objectClass=top)(|(cn=RTUsers)))" "uniqueMember"
I am a little new at LDAP but from what I can see above I am performing a
'simple' bind with my ldap account and searching for the RTUsers group with a
filter.
This is an example of what it finds:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (&(objectClass=top)(|(cn=RTUsers)))
# requesting: uniqueMember
#
# RTUsers, Groups, example.com
dn: cn=RTUsers,ou=Groups,dc=example,dc=com
uniqueMember: uid=user1,ou=People,dc=example,dc=com
uniqueMember: uid=user2,ou=People,dc=example,dc=com
uniqueMember: uid=user3,ou=People,dc=example,dc=com
uniqueMember: uid=user4t,ou=People,dc=example,dc=com
...
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
In the ldap server logs everything is looking good at this point:
[08/Nov/2011:18:30:54 -0500] conn=1735740 op=1 msgId=2 - SRCH base="dc=example,dc=com" scope=2 filter="(uid=jvazquez)" attrs=ALL
[08/Nov/2011:18:30:54 -0500] conn=1735740 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[08/Nov/2011:18:30:54 -0500] conn=1735740 op=2 msgId=3 - UNBIND
However, as you might have guessed I'm having a little difficulty translating
this success on the command line into an RT config. :)
This is what I have, currently, as my LDAP service:
    # AN EXAMPLE LDAP SERVICE
    'My_LDAP' => {                                  ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'          => 'ldap',
        # The server hosting the service
        'server'        => 'ldap01.example.com',
                                                    ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user'          => 'uid=myuser,ou=People,cn=example,cn=com',
        # The password RT should use to connect to the LDAP server
        'pass'          => 'secret',
        #
        # The LDAP search base
        'base'          => 'ou=Groups,dc=example,dc=com',
        #
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        #
        # The filter to use to match RT-Users
        'filter'        => '"(&(objectClass=top)(|(cn=RTUsers))) uniqueMember"',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter'      => '(objectClass=FooBarBaz)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        'tls'           => 0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version'   => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group'         => 'RTUsers',
        # What is the attribute for the group object that determines membership?
        'group_attr'    => 'cn',
                                                    ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name',
                               'EmailAddress',
                             ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map'      => { 'Name'         => 'uid',
                             'EmailAddress' => 'mail',
                           }
    },
But for some reason that I am still trying to determine, when I attempt to log in
from the RT interface this is what results in the LDAP logs:
[08/Nov/2011:18:36:04 -0500] conn=1735759 op=0 msgId=1 - BIND dn="uid=myuser,ou=People,cn=example,cn=com" method=128 version=3
[08/Nov/2011:18:36:04 -0500] conn=1735759 op=0 msgId=1 - RESULT err=32 tag=97 nentries=0 etime=0
[08/Nov/2011:18:36:04 -0500] conn=1735759 op=1 msgId=0 - RESULT err=80 tag=120 nentries=0 etime=0
Now error 32 is what constitutes a 'no such object' error. And error 80
indicates a password error. My theory is that because the object is not found,
password authentication is failing. I was hoping that someone with knowledge
of LDAP may be willing to assist.
Thank you and best regards,
tim
--------
RT Training Sessions (http://bestpractical.com/services/training.html)
* Barcelona, Spain November 28 & 29, 2011
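Added example (not from the original post, and not part of RT or RT::Authen::ExternalAuth): a small Python triage script for exactly the kind of directory-server access log quoted above. It parses the Netscape/389/Sun DS style lines, pairs each BIND request with the RESULT carrying the same conn/op (tag=97 is the bindResponse), names the result code per RFC 4511, and checks whether a bind DN actually sits under a given naming context. The embedded log lines are constructed copies of the ones in the post, plus an assumed successful BIND line for the first connection that the post does not show; the naming context passed to `triage()` and the function names are my choices, and the DN comparison is a simplified case-insensitive suffix match on RDNs (enough for dc/ou/cn/uid triage), not full RFC 4517 matching.

```python
import re
from typing import Dict, List, Tuple

# Subset of RFC 4511 section 4.1.9 resultCode values that matter when triaging binds.
RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    80: "other",
}

BIND_RESPONSE_TAG = 97  # LDAP APPLICATION 1 (bindResponse) as logged by 389/Sun DS

# Constructed sample log: the post's lines plus an assumed successful BIND for conn=1735740.
SAMPLE_LOG = """\
[08/Nov/2011:18:30:54 -0500] conn=1735740 op=0 msgId=1 - BIND dn="uid=dunphy,ou=People,dc=example,dc=com" method=128 version=3
[08/Nov/2011:18:30:54 -0500] conn=1735740 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[08/Nov/2011:18:30:54 -0500] conn=1735740 op=1 msgId=2 - SRCH base="dc=example,dc=com" scope=2 filter="(uid=jvazquez)" attrs=ALL
[08/Nov/2011:18:30:54 -0500] conn=1735740 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[08/Nov/2011:18:30:54 -0500] conn=1735740 op=2 msgId=3 - UNBIND
[08/Nov/2011:18:36:04 -0500] conn=1735759 op=0 msgId=1 - BIND dn="uid=myuser,ou=People,cn=example,cn=com" method=128 version=3
[08/Nov/2011:18:36:04 -0500] conn=1735759 op=0 msgId=1 - RESULT err=32 tag=97 nentries=0 etime=0
[08/Nov/2011:18:36:04 -0500] conn=1735759 op=1 msgId=0 - RESULT err=80 tag=120 nentries=0 etime=0
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) msgId=(?P<msg>-?\d+) - (?P<rest>.*)$'
)


def parse_access_log(text: str) -> List[Dict]:
    """Turn each access-log line into a dict with conn/op/kind and kind-specific fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped continuation or unrelated line
        rest = m["rest"]
        ev = {"ts": m["ts"], "conn": int(m["conn"]), "op": int(m["op"]),
              "kind": rest.split(" ", 1)[0]}
        if ev["kind"] == "BIND":
            dn = re.search(r'dn="([^"]*)"', rest)
            ev["dn"] = dn.group(1) if dn else ""
        elif ev["kind"] == "SRCH":
            for field in ("base", "filter"):
                fm = re.search(rf'{field}="([^"]*)"', rest)
                ev[field] = fm.group(1) if fm else ""
        elif ev["kind"] == "RESULT":
            err = re.search(r"err=(\d+)", rest)
            tag = re.search(r"tag=(\d+)", rest)
            ev["err"] = int(err.group(1)) if err else -1
            ev["tag"] = int(tag.group(1)) if tag else -1
        events.append(ev)
    return events


def failed_binds(events: List[Dict]) -> List[Tuple[int, str, int, str]]:
    """Pair each BIND with the bindResponse RESULT on the same (conn, op); return failures."""
    pending = {}
    failures = []
    for ev in events:
        key = (ev["conn"], ev["op"])
        if ev["kind"] == "BIND":
            pending[key] = ev["dn"]
        elif (ev["kind"] == "RESULT" and key in pending
              and ev["tag"] == BIND_RESPONSE_TAG and ev["err"] != 0):
            failures.append((ev["conn"], pending[key], ev["err"],
                             RESULT_CODES.get(ev["err"], "unknown")))
    return failures


def split_dn(dn: str) -> List[str]:
    """Split a DN on unescaped commas and lower-case type and value of each RDN.
    Simplified comparison semantics (assumption): values are treated as case-insensitive
    strings, which is adequate for dc/ou/cn/uid but is not a full RFC 4517 match."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep escaped char with its backslash
            buf += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    rdns.append(buf)
    out = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        out.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
    return out


def dn_under_base(dn: str, base: str) -> bool:
    """True if every RDN of base matches the tail of dn (i.e. dn lives under base)."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def triage(log_text: str, naming_context: str) -> List[str]:
    """Findings for failed binds, flagging bind DNs that fall outside the naming context."""
    findings = []
    for conn, dn, err, name in failed_binds(parse_access_log(log_text)):
        msg = f"conn={conn}: bind as {dn!r} failed with err={err} ({name})"
        if not dn_under_base(dn, naming_context):
            msg += f"; DN is not under naming context {naming_context!r}"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, "dc=example,dc=com"):
        print(finding)
```

Run it as-is to see the triage of the constructed sample; on a real server, feed it the access log and the suffix of the directory's naming context, since a BIND DN that is not under any suffix the server hosts cannot resolve regardless of what password is supplied.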