Re: [rt-users] RT 3.8 Active Directory integration and single sign-on
Mike,

Thank you very much for the advice. I am now able to authenticate using LDAP when I log a new user into the RT web interface. I followed your suggestion to use the full DN in the value for both the 'user' and 'group' attributes, e.g.

    'user'  => 'cn=John Doe,ou=Some_Ou,dc=example,dc=local',
    'group' => 'cn=Some_Group,ou=Some_Ou,dc=example,dc=local',

instead of

    'user'  => 'cn=jdoe,ou=Some_Ou,dc=example,dc=local',
    'group' => 'cn=Some_Group,ou=Some_Ou,dc=example,dc=local',

> Another question would be, did you attempt the telnet from the RT box?

Yes, I did and was able to.

Thanks again,
Gene Evans

RT Training in Washington DC, USA on Oct 25 & 26 2010
Last one this year -- Learn how to get the most out of RT!
Re: [rt-users] RT 3.8 Active Directory integration and single sign-on
Kevin,

Thank you for your suggestions.

> Try using the ldapsearch command line client, I find it is much closer to the way the perl ldap library is connecting. Once you make that connect, the same user should be fine. One thing about AD is that sometimes the AD server responds better to a user of samaccountn...@domain (email address style login) rather than a full DN, but I've never found an explanation for why.

Yes, I had been trying to use ldapsearch but was getting bogged down in getting it configured to work. First I had to install OpenLDAP, which also depended on BerkeleyDB, then ran out of HDD space and finally gave up. I was able to get it to run but never did get it to return anything at the command line. It ended up that I was able to get things working without that and without resorting to the samaccountn...@domain format (see my reply today to Mike Johnson), but I may try it as a test anyway just to have an alternative in case something down the road requires it.

I appreciate the help.

Sincerely,
Gene Evans
[rt-users] RT 3.8 Active Directory integration and single sign-on
Mike,

Thank you for the reply. Looks like I'll need to dive a bit deeper than I first anticipated. I'll post my results.

Sincerely,
Gene Evans
IT Administrator
Heapy Engineering
937-224-0861 x1404

-----Original Message-----
From: rt-users-boun...@lists.bestpractical.com On Behalf Of rt-users-requ...@lists.bestpractical.com
Sent: Thursday, August 05, 2010 8:49 AM
To: rt-users@lists.bestpractical.com
Subject: RT-Users Digest, Vol 77, Issue 20

> Message: 1
> Date: Wed, 4 Aug 2010 22:58:07 -0400
> From: Eugene M. Evans emev...@heapy.com
> To: rt-users@lists.bestpractical.com
> Subject: [rt-users] RT 3.8 Active Directory integration and single sign-on
[rt-users] RT 3.8 Active Directory integration and single sign-on
I am trying to accomplish two things:

First, to integrate RT with Active Directory such that an RT user account will automatically be created in either of the following cases:
a) when a user first submits a ticket request via email, and
b) when a user first logs in via the RT web interface.

Secondly, single sign-on, such that once an RT account has been created an MS-Windows user will not need to enter their password on subsequent visits to the RT web interface.

I've started by attempting to implement the Auth::ExternalAuth extension but have been unable to get it working. I cannot log into the RT web interface using any account except the root account that has already been created within RT. Once in RT as root, I am unable to create a new user. I get the error "User could not be created: Could not set user info". I've tried the solution mentioned in this thread -- http://www.gossamer-threads.com/lists/rt/users/94218 -- to get RT to auto-create users, but to no avail. Note that when I uncomment the statement Set($WebExternalAuto,1); and restart apache, the RT login screen provides no login box in which to enter a username or a password.

Any advice would be greatly appreciated. Below is my RT configuration.

#Begin /opt/rt3/etc/RT_SiteConfig.pm tail
...
# The following two statements support single sign-on,
# but I have commented them out for now since they are
# said to conflict with the ExternalAuth extension.
# See http://wiki.bestpractical.com/view/ExternalAuth .

# Tell RT to trust the webserver to handle authentication.
# Set($WebExternalAuth, 3);

# If the webserver hands RT a user RT is not
# familiar with, RT should just go ahead and
# create an account.
# Set($WebExternalAuto, 1);
...
# Include the configuration for the ExternalAuth extension.
require '/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm';
Set($AutoCreate, { Privileged => 0 });
1;
#End /opt/rt3/etc/RT_SiteConfig.pm

#Begin /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm in its entirety.
Set($ExternalAuthPriority, [ 'Heapy_AD_LDAP' ]);
Set($ExternalInfoPriority, [ 'Heapy_AD_LDAP' ]);
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
    'Heapy_AD_LDAP' => {
        'type'     => 'ldap',
        'server'   => 'serverxyz.domain.domainSuffix',
        'user'     => 'cn=ldap,ou=Services,dc=domain,dc=domainSuffix',
        'pass'     => 'the_ldap_password',
        'base'     => 'dc=domain,dc=domainSuffix',
        # AND of the two conditions; the leading '&' is required for a valid filter.
        'filter'   => '(&(ObjectCategory=User)(ObjectClass=Person))',
        # Matches accounts with the ACCOUNTDISABLE bit set in userAccountControl.
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # 'tls'         => 0,
        # 'ssl_version' => 3,
        'net_ldap_args'   => [ version => 3 ],
        'group'           => 'cn=group,ou=Services,dc=domain,dc=domainSuffix',
        'group_attr'      => 'member',
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map'        => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
});
Set(@Plugins, qw(RT::Authen::ExternalAuth));
1;
#End /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm

Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
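As an added diagnostic (not code from the thread or from RT::Authen::ExternalAuth), a Net::LDAP script that walks the same bind, user search, disabled-account (d_filter) and group checks the posted 'Heapy_AD_LDAP' settings describe, so each step can be tested from the RT box as Kevin's ldapsearch suggestion intends. The host and DNs are the placeholders from the posted config; the RT_LDAP_PASS variable, the exact way the extension composes its filter, and the memberOf-based group test are assumptions.

```perl
# Added diagnostic (not from the thread or from RT::Authen::ExternalAuth):
# repeats the bind, user search, d_filter and group checks that the posted
# 'Heapy_AD_LDAP' settings describe. Host/DNs are the posted placeholders;
# RT_LDAP_PASS, the filter composition and the memberOf test are assumptions.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $server   = 'serverxyz.domain.domainSuffix';
my $bind_dn  = 'cn=ldap,ou=Services,dc=domain,dc=domainSuffix';
my $base     = 'dc=domain,dc=domainSuffix';
my $filter   = '(&(ObjectCategory=User)(ObjectClass=Person))';
my $group_dn = 'cn=group,ou=Services,dc=domain,dc=domainSuffix';

my $login = shift @ARGV or die "usage: $0 <sAMAccountName>\n";
my $pass  = $ENV{RT_LDAP_PASS} // die "set RT_LDAP_PASS to the bind password\n";

# 1. LDAPv3 connection, as 'net_ldap_args' => [ version => 3 ] requests.
my $ldap = Net::LDAP->new($server, version => 3)
    or die "connect to $server failed: $@\n";

# 2. Bind as the service account ('user' / 'pass').
my $m = $ldap->bind($bind_dn, password => $pass);
die "service bind failed: " . $m->error . "\n" if $m->code;

# 3. Find the login under 'base': the configured 'filter' ANDed with the
#    attribute that 'Name' maps to. The login is escaped so a crafted
#    value cannot alter the filter.
my $safe = escape_filter_value($login);
$m = $ldap->search(
    base   => $base,
    filter => "(&$filter(sAMAccountName=$safe))",
    attrs  => [qw(sAMAccountName mail userAccountControl memberOf)],
);
die "search failed: " . $m->error . "\n" if $m->code;
die "no entry matched '$login' under $base\n" unless $m->count;
my $e = $m->entry(0);
printf "found %s (mail=%s)\n", $e->dn, $e->get_value('mail') // '-';

# 4. 'd_filter' test: bit 2 of userAccountControl is ACCOUNTDISABLE, which
#    the extension treats as a disabled account that must not log in.
my $uac = $e->get_value('userAccountControl') // 0;
print "account is DISABLED; RT would reject it\n" if $uac & 2;

# 5. 'group' / 'group_attr' => 'member': membership via AD's memberOf
#    back-link (direct members only, as the 'member' attribute is).
my $in = grep { lc $_ eq lc $group_dn } $e->get_value('memberOf');
print "member of $group_dn: ", ($in ? "yes" : "NO, RT would reject it"), "\n";
$ldap->unbind;
```

Run it on the RT box with the service account's password in RT_LDAP_PASS and a test user's sAMAccountName as the argument; a failure at step 2 or 3 shows up before RT's "Could not set user info" message ever would.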