On 02/04/14 20:44, Jason Batchelor wrote:
I have been trying for some time to get AD auth working correctly on my server. I've managed to get most of the way there I think but am consistently getting hung up on an error.

Set($ExternalSettings, {
    'My_LDAP'       =>  {
        'type'                      =>  'ldap',
        'server'                    =>  'ldaps://example.company.org',
        'base'                      =>  'dc=xxxxx,dc=org',
        'filter'                    =>  '(objectClass=*)',
        'd_filter'                  =>  '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'                       =>  0,
        'ssl_version'               =>  3,
        'net_ldap_args'             =>  [ version =>  3 ],
    },
} );


Some questions:
- Do you have SSL configured on port tcp/636 for your AD? (It's not an out-of-the-box option.) We've dropped back to using mandatory TLS on tcp/389.
- Have you tried using something like ldapsearch to confirm that your connection parameters are correct?
- IME, AD requires authentication to bind to anything other than the base scope. Have you omitted this just for the email, or in its entirety?


The following is a configuration that "works for me":

Set($ExternalSettings, {
    'My_LDAP' => {
        'type' => 'ldap',
        'server' => 'dc.example.org',
        'user' => '[email protected]',
        'pass' => 'secretpassword',
        'base' => 'dc=example,dc=org',
        'filter' => '(ObjectClass=User)',
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'attr_match_list' => [ 'Name', 'EmailAddress', 'displayName' ],
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'Organization' => 'physicalDeliveryOfficeName',
            'RealName' => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos' => 'sAMAccountName',
            'WorkPhone' => 'telephoneNumber',
            'Address1' => 'streetAddress',
            'City' => 'l',
            'State' => 'st',
            'Zip' => 'postalCode',
            'Country' => 'co',
        },
        # Permit domain prefix on username ("EXAMPLE\user")
        # 'ad_domain_prefix' => 'EXAMPLE',      # case insensitive
        # 'ad_domain_required' => 'no',         # { 'yes' | 'no' }
        # 'ad_domain_separator' => '\\',        # split here
    },
} );


Here are some URLs of configurations that according to my notes were useful at the time
- http://www.gossamer-threads.com/lists/rt/users/109309
- http://requesttracker.wikia.com/wiki/ExternalAuth
- /opt/rt4/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
- /root/.cpan/build/RT-Authen-ExternalAuth-0.12-9Em3TJ/README

Regards,
Chris
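Two of the points in the reply above (check the parameters with ldapsearch before blaming RT, and understand what the d_filter's userAccountControl bit test actually selects) can be exercised offline. The script below is an added example and is not code from the thread or from RT::Authen::ExternalAuth. It assumes the keys used in the "works for me" hash ('server', 'user', 'pass', 'base', 'filter', 'd_filter', 'attr_map'), assumes that 'filter' selects the accounts allowed to log in while 'd_filter' marks the disabled ones, evaluates both against a few constructed directory entries, and prints the ldapsearch commands that reproduce the same two lookups against a real domain controller.

```python
"""Offline check of RT ExternalAuth-style LDAP settings (added example, not RT code).
Assumes: 'filter' selects accounts that may log in, 'd_filter' marks disabled ones,
and the AD bit-AND matching rule used by d_filter; entries below are constructed."""
import re
import shlex

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND, as in d_filter

# Mirror of the "works for me" hash as a Python dict (constructed values).
SETTINGS = {
    "server": "ldaps://dc.example.org",
    "user": "rt-bind@example.org", "pass": "secretpassword",
    "base": "dc=example,dc=org",
    "filter": "(ObjectClass=User)",
    "d_filter": "(userAccountControl:%s:=2)" % BIT_AND_RULE,  # bit 2 = ACCOUNTDISABLE
    "attr_map": {"Name": "sAMAccountName", "EmailAddress": "mail", "RealName": "cn"},
}

# Constructed sample entries: attribute names lower-cased, values as lists.
ENTRIES = [
    {"samaccountname": ["alice"], "objectclass": ["top", "person", "user"],
     "cn": ["Alice"], "mail": ["alice@example.org"], "useraccountcontrol": ["512"]},
    {"samaccountname": ["bob"], "objectclass": ["top", "person", "user"],
     "cn": ["Bob"], "mail": ["bob@example.org"], "useraccountcontrol": ["514"]},  # 512|2
    {"samaccountname": ["staff"], "objectclass": ["top", "group"], "cn": ["Staff"]},
]

_SIMPLE = re.compile(r"^([\w.;-]+?)(?::([\w.]+):)?=(.*)$")  # attr[:rule:]=value


def escape_filter_value(value):
    """RFC 4515 escaping, so a login name containing '*', '(' or ')' cannot
    change the meaning of the search it is interpolated into."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def parse_filter(text):
    """Parse a subset of RFC 4515 (=, presence, &, |, !, bit-AND) into tuples."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("bad filter %r at %d" % (text, i))
        i += 1
        if text[i] in "&|":
            op, kids, i = text[i], [], i + 1
            while text[i] == "(":
                node, i = parse(i)
                kids.append(node)
            node = (op, kids)
        elif text[i] == "!":
            node, i = parse(i + 1)
            node = ("!", node)
        else:
            end = text.index(")", i)
            m = _SIMPLE.match(text[i:end])
            if not m or m.group(2) not in (None, BIT_AND_RULE):
                raise ValueError("unsupported filter item %r" % text[i:end])
            attr, rule, value = m.groups()
            node, i = ("=", attr.lower(), rule, value), end
        if text[i] != ")":
            raise ValueError("bad filter %r at %d" % (text, i))
        return node, i + 1
    return parse(0)[0]


def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    kind = node[0]
    if kind in "&|":
        return (all if kind == "&" else any)(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, rule, value = node
    values = entry.get(attr, [])
    if rule == BIT_AND_RULE:  # true when every bit of the filter value is set
        return any((int(v) & int(value)) == int(value) for v in values)
    if value == "*":          # presence test, e.g. (objectClass=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)  # AD compares case-insensitively


def classify(settings, entries):
    """Apply 'filter' and then 'd_filter', the assumed two-step login check."""
    allowed, disabled = parse_filter(settings["filter"]), parse_filter(settings["d_filter"])
    name_attr = settings["attr_map"]["Name"].lower()
    verdict = {}
    for entry in entries:
        name = entry.get(name_attr, ["<no name>"])[0]
        verdict[name] = ("not-matched" if not matches(allowed, entry)
                         else "disabled" if matches(disabled, entry) else "ok")
    return verdict


def ldapsearch_commands(settings, username):
    """ldapsearch lines reproducing both lookups for one user; -W prompts for the
    bind password instead of exposing it in argv or shell history."""
    who = "(%s=%s)" % (settings["attr_map"]["Name"], escape_filter_value(username))
    common = ["ldapsearch", "-x", "-H", settings["server"], "-D", settings["user"],
              "-W", "-b", settings["base"]]
    if settings.get("tls") and settings["server"].startswith("ldap://"):
        common.insert(1, "-ZZ")  # require StartTLS when plain ldap:// on tcp/389 is used
    attrs = sorted(set(settings["attr_map"].values()))
    lookup = common + ["(&%s%s)" % (settings["filter"], who)] + attrs
    disabled = common + ["(&%s%s)" % (settings["d_filter"], who), "userAccountControl"]
    return tuple(" ".join(shlex.quote(a) for a in cmd) for cmd in (lookup, disabled))


if __name__ == "__main__":
    for name, state in classify(SETTINGS, ENTRIES).items():
        print("%-8s %s" % (name, state))
    print(*ldapsearch_commands(SETTINGS, "alice"), sep="\n")
```

Running it shows alice as ok, bob as disabled (userAccountControl 514 has the 0x2 bit set) and the group as not-matched; swapping in the quoted `(objectClass=*)` filter admits the group as well, which is why a narrower filter is the safer starting point. The printed ldapsearch lines use the same bind user, base and filters as the RT config, so a failure there points at the connection or bind parameters rather than at RT. The user name is RFC 4515-escaped before it is interpolated into the filter, which is the check any code building filters from login input needs.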


-- 
RT Training - Dallas May 20-21
http://bestpractical.com/training
