Hi Malcolm,
Are you able to get any results from the LDAP server when you try the same search using ldapsearch from the command line on the Debian box?
Something like:
ldapsearch -D LDAP_ACCOUNT -x -W -ZZ -H ldap://ggdc1.domain.int/ -b "ou=Production,dc=domain,dc=int" "(objectClass=inetOrgPerson)"
(-W prompts for the bind password; -w would take the next word as the password, so -w -ZZ does not do what you want. -ZZ requires StartTLS to succeed.)
I'm guessing your LDAP server is MS AD so you will probably need to
configure TLS.
The following items come from my configuration.
Set( $ExternalAuthPriority, ["My_LDAP"] );
Set( $ExternalInfoPriority, ["My_LDAP"] );
Set( $ExternalAuth, 1 );
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
Set( $AutoCreateNonExternalUsers, 1 );

# Use TLS
Set( $ExternalServiceUsesSSLorTLS, 1 );

Set( $ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ggdc1.domain.int',
        # Configure TLS settings
        'tls' => {
            'verify' => 'require',
            'cafile' => '/etc/ssl/certs/CACert.pem',   # Path to CA file
        },
        'user'   => 'LDAP_ACCOUNT',
        'pass'   => 'LDAP_ACCOUNT_PASS',
        'base'   => 'ou=Production,dc=domain,dc=int',
        'filter' => '(objectClass=inetOrgPerson)',
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
            'WorkPhone'    => 'telephoneNumber',
            'Address1'     => 'streetAddress',
            'City'         => 'l',
            'State'        => 'st',
            'Zip'          => 'postalCode',
            'Country'      => 'co',
        },
    },
} );
Best Regards
Martin
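Added example (not from Martin's or Malcolm's mails, and not RT's own code): a short Net::LDAP script that performs, step by step, the same connection RT::Authen::ExternalAuth makes with the configuration above (plain connect, StartTLS with certificate verification, service-account bind, search), so a failure can be pinned to one of those four steps instead of a generic "FAILED LOGIN". The host, bind account, base, filter and CA path are the placeholders used in this thread, not real values.

```perl
#!/usr/bin/perl
# Added example: reproduce the LDAP connection RT::Authen::ExternalAuth
# makes (StartTLS with verify => 'require', bind, search) outside RT.
# All values below are the placeholders from the mailing-list thread.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_error_text);

my %cfg = (
    server => 'ggdc1.domain.int',
    user   => 'LDAP_ACCOUNT',        # bind DN, or user@domain for AD
    pass   => 'LDAP_ACCOUNT_PASS',
    base   => 'ou=Production,dc=domain,dc=int',
    filter => '(objectClass=inetOrgPerson)',
    cafile => '/etc/ssl/certs/CACert.pem',
);

# Step 1: plain TCP connection on 389. Protocol version 3 is needed
# for StartTLS. On failure new() returns undef and $@ says why.
my $ldap = Net::LDAP->new($cfg{server}, port => 389, version => 3, timeout => 10)
    or die "step 1, connect to $cfg{server} failed: $@\n";

# Step 2: StartTLS with the same verify/cafile RT's 'tls' block uses.
# A hostname mismatch or an untrusted chain fails here, not at bind.
my $tls = $ldap->start_tls(verify => 'require', cafile => $cfg{cafile});
die "step 2, StartTLS failed: ", $tls->error, "\n" if $tls->code;
print "TLS established, cipher: ", $ldap->cipher, "\n";

# Step 3: bind as the service account RT uses for its lookups.
my $bind = $ldap->bind($cfg{user}, password => $cfg{pass});
die "step 3, bind failed (", $bind->code, "): ", ldap_error_text($bind->code), "\n"
    if $bind->code;

# Step 4: the same base and filter RT searches, fetching only the
# attributes the attr_map cares about.
my $res = $ldap->search(
    base   => $cfg{base},
    filter => $cfg{filter},
    attrs  => [qw(sAMAccountName mail cn)],
);
die "step 4, search failed: ", $res->error, "\n" if $res->code;

printf "%d entries matched\n", $res->count;
for my $e ($res->entries) {
    printf "%-20s %-30s %s\n",
        $e->get_value('sAMAccountName') // '-',
        $e->get_value('mail')           // '-',
        $e->get_value('cn')             // '-';
}
$ldap->unbind;
```

Run it on the same Debian box, as the same user RT runs as, so it sees the same CA file and network path. A certificate name or chain problem stops it at step 2, a wrong service account or DN at step 3, and a base or filter that matches nothing shows up as zero entries at step 4. Malcolm's rt-ldapimport error is raised inside Net/LDAP.pm rather than in RT code, so if this script also dies at step 1 the problem sits below RT's configuration.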
On 2016-10-19 13:37, Malcolm Galland wrote:
I've set up RT, and am testing it with rt-server. Everything seems to
be going smoothly except LDAP with RT::Authen::ExternalAuth. I read
the docs and have implemented the suggested changes in
/opt/rt4/etc/RT_SiteConfig.pm like so:
Set( $ExternalAuthPriority, ["My_LDAP"] );
Set( $ExternalInfoPriority, ["My_LDAP"] );
Set( $ExternalAuth, 1 );
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
Set( $AutoCreateNonExternalUsers, 1 );

Set( $ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ggdc1.domain.int',
        'user'   => 'LDAP_ACCOUNT',
        'pass'   => 'LDAP_ACCOUNT_PASS',
        'base'   => 'ou=Production,dc=domain,dc=int',
        'filter' => '(objectClass=inetOrgPerson)',
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
            'WorkPhone'    => 'telephoneNumber',
            'Address1'     => 'streetAddress',
            'City'         => 'l',
            'State'        => 'st',
            'Zip'          => 'postalCode',
            'Country'      => 'co',
        },
    },
} );
The issue is that when I try to log in, the users aren't allowed access, and I get the following error from rt-server:
[error]: FAILED LOGIN for username_redacted from IP_REDACTED
(/opt/rt4/sbin/../lib/RT/Interface/Web.pm:826)
Just for kicks, if I run /opt/rt4/sbin/rt-ldapimport --debug
I get:
[critical]: Expected 'PeerHost' at
/usr/local/share/perl/5.20.2/Net/LDAP.pm line 164.
(/opt/rt4/sbin/../lib/RT.pm:390)
Any ideas? I read every document I could find, but it's hard to know
which non-official ones you can trust since RT has been around so long
and ExternalAuth was just added to the core. Also, the official docs
are a bit terse.
---------
RT 4.4 and RTIR training sessions, and a new workshop day!
https://bestpractical.com/training
* Boston - October 24-26
* Los Angeles - Q1 2017