Re: [rt-users] RT 3.8 Active Directory integration and single

2010-08-10 Thread Eugene M. Evans
Mike,
 
Thank you very much for the advice.  I am now able to authenticate using
LDAP when I log a new user into the RT web interface.  I followed your
suggestion to use the full DN in the value for both the 'user' and
'group' attributes.
 
eg.

'user' => 'cn=John Doe,ou=Some_Ou,dc=example,dc=local',
'group' => 'cn=Some_Group,ou=Some_Ou,dc=example,dc=local',

 instead of

'user' => 'cn=jdoe,ou=Some_Ou,dc=example,dc=local',
'group' => 'cn=Some_Group,ou=Some_Ou,dc=example,dc=local',
 
Another question would be, did you attempt the telnet from the RT box?

Yes, I did and was able to.

Thanks again,

Gene Evans

 

RT Training in Washington DC, USA on Oct 25 & 26 2010
Last one this year -- Learn how to get the most out of RT!

Re: [rt-users] RT 3.8 Active Directory integration and single sign-on

2010-08-10 Thread Eugene M. Evans
Kevin,

Thank you for your suggestions.

Try using the ldapsearch command line client, I find it is much closer
to the way the perl ldap library is connecting. Once you make that 

connect, the same user should be fine. One thing about AD is that
sometimes the AD server responds better to a user of 

samaccountn...@domain (email address style login) rather than a full
DN, but I've never found an explanation for why.

Yes, I had been trying to use ldapsearch but was getting bogged down in
getting it configured to work.  First had to install OpenLdap which also
depended on BerkeleyDB, then ran out of HDD space and finally gave up. I
was able to get it to run but never did get it to return anything at the
command line.  Ended up I was able to get things working without that
and without resorting to the samaccountn...@domain format (see my reply
today to Mike Johnson), but may try it as a test anyway just to have an
alternative in case something down the road requires it.

I appreciate the help.

Sincerely,

Gene Evans


[rt-users] RT 3.8 Active Directory integration and single sign-on

2010-08-05 Thread Eugene M. Evans
Mike,

Thank you for the reply.  Looks like I'll need to dive a bit deeper than
I first anticipated.  I'll post my results.

Sincerely,

Gene Evans
IT Administrator
Heapy Engineering
937-224-0861 x1404

[rt-users] RT 3.8 Active Directory integration and single sign-on

2010-08-04 Thread Eugene M. Evans
I am trying to accomplish two things:
 
First, to integrate RT with Active Directory such that an RT user
account will automatically be created in either of the following cases.
   a) when a user first submits a ticket request via email, and
   b) when a user first logs in via the RT web interface
 
Secondly, Single sign-on, such that once an RT account has been created
an MS-Windows user will not need to enter their password on subsequent
visits to the RT web interface.
 
I've started by attempting to implement the Auth::ExternalAuth extension
but have been unable to get it working.  I cannot log into the RT web
interface using any account except the root account that has already
been created within RT.  Once in RT as root, I am unable to create a new
user.  I get the error User could not be created:  Could not set user
info.
 
I've tried the solution mentioned in this thread  --
http://www.gossamer-threads.com/lists/rt/users/94218 to get RT to
auto-create users, but to no avail.
Note that when I uncomment the statement Set($WebExternalAuto,1); and
restart apache the RT login screen provides no login box in which to
enter a username or a password.  
 
Any advice would be greatly appreciated.
 
Below is my RT configuration.
 
 
#Begin /opt/rt3/etc/RT_SiteConfig.pm tail
...
# The following two statements support single sign-on,
# but I have commented them out for now since they are
# said to conflict with the ExternalAuth extension.
# See http://wiki.bestpractical.com/view/ExternalAuth

# Tell RT to trust the webserver to handle authentication.
# Set($WebExternalAuth, 3);

# If the webserver hands RT a user RT is not
# familiar with, RT should just go ahead and
# create an account.
# Set($WebExternalAuto, 1);

...
# Include the configuration for the ExternalAuth extension.
require '/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm';
# Auto-created users get no privileges in RT.
Set($AutoCreate, { Privileged => 0 });

1;
#End /opt/rt3/etc/RT_SiteConfig.pm
 
 
 
 
#Begin /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm in
its entirety.

Set($ExternalAuthPriority,   [ 'Heapy_AD_LDAP' ] );
Set($ExternalInfoPriority,   [ 'Heapy_AD_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'Heapy_AD_LDAP' => {
        'type'     => 'ldap',
        'server'   => 'serverxyz.domain.domainSuffix',
        # Bind credentials: a full DN.  In AD the cn is the account's
        # display name, not its sAMAccountName (see the 2010-08-10 reply above).
        'user'     => 'cn=ldap,ou=Services,dc=domain,dc=domainSuffix',
        'pass'     => 'the_ldap_password',
        'base'     => 'dc=domain,dc=domainSuffix',

        # Only user objects may authenticate ...
        'filter'   => '(&(ObjectCategory=User)(ObjectClass=Person))',
        # ... and accounts with the ACCOUNTDISABLE bit (0x2) set are rejected
        # (1.2.840.113556.1.4.803 is the AD bitwise-AND matching rule).
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

        # 'tls'         => 0,
        # 'ssl_version' => 3,

        'net_ldap_args' => [ version => 3 ],
        'group'         => 'cn=group,ou=Services,dc=domain,dc=domainSuffix',
        'group_attr'    => 'member',

        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
});

Set(@Plugins, qw(RT::Authen::ExternalAuth));
1;
#End /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
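An added example, not part of this thread and not code from RT or RT::Authen::ExternalAuth: a small Python evaluator for the two AD filters in the configuration above ('filter' and 'd_filter'), run offline against constructed directory entries. It shows why the disabled-account filter uses the bitwise-AND matching rule rather than an equality test (a plain userAccountControl=514 comparison would miss a disabled account that also has other flag bits set, such as 66050), and it escapes the login name before interpolating it into a search filter so that a name containing filter metacharacters cannot widen the search. The sample entries, the filter parser and the check order in login_allowed are assumptions made for this example, not RT's own logic; it also serves as a stand-in for the ldapsearch test suggested earlier in the thread when no directory is reachable.

```python
import re

# Constructed sample entries (not real data). userAccountControl values:
# 512 normal, 514 normal+disabled, 66048 normal+DONT_EXPIRE_PASSWD, 66050 that plus disabled.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe",     "ObjectCategory": "User",     "ObjectClass": "Person",   "userAccountControl": 512},
    {"sAMAccountName": "asmith",   "ObjectCategory": "User",     "ObjectClass": "Person",   "userAccountControl": 514},
    {"sAMAccountName": "svc_ldap", "ObjectCategory": "User",     "ObjectClass": "Person",   "userAccountControl": 66048},
    {"sAMAccountName": "oldacct",  "ObjectCategory": "User",     "ObjectClass": "Person",   "userAccountControl": 66050},
    {"sAMAccountName": "printer1", "ObjectCategory": "Computer", "ObjectClass": "Computer", "userAccountControl": 4096},
]

# The two filters from the RT-Authen-ExternalAuth configuration in the thread.
FILTER = "(&(ObjectCategory=User)(ObjectClass=Person))"
D_FILTER = "(userAccountControl:1.2.840.113556.1.4.803:=2)"
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a filter, so a login name
    cannot introduce wildcards or extra clauses."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...),
    (attr=value) and the extensible form (attr:OID:=value)."""
    text = text.strip()
    try:
        node, end = _parse(text, 0)
    except IndexError:
        raise ValueError("truncated filter: %r" % text)
    if end != len(text):
        raise ValueError("trailing data after filter: %r" % text[end:])
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in ("&", "|"):
        op, items, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            items.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, items), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return ("!", [node]), i + 1
    end = s.index(")", i)           # escaped values never contain a raw ')'
    attr, value = s[i:end].split("=", 1)
    if attr.endswith(":"):          # attr:matchingRuleOID:=value
        attr, rule = attr[:-1].split(":", 1)
        return ("ext", attr, rule, value), end + 1
    return ("eq", attr, value), end + 1


def _lookup(entry, attr):
    for key, val in entry.items():  # AD attribute names are case-insensitive
        if key.lower() == attr.lower():
            return val
    return None


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attribute -> value)."""
    kind = node[0]
    if kind in ("&", "|"):
        combine = all if kind == "&" else any
        return combine(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    if kind == "ext":
        _, attr, rule, value = node
        if rule != BIT_AND_RULE:
            raise ValueError("unsupported matching rule %s" % rule)
        actual = _lookup(entry, attr)
        # BIT_AND: true when every bit of the asserted value is set in the attribute.
        return actual is not None and (int(actual) & int(value)) == int(value)
    _, attr, value = node
    actual = _lookup(entry, attr)
    if actual is None:
        return False
    if value == "*":                # presence test
        return True
    return str(actual).lower() == _unescape(value).lower()


def user_search_filter(base_filter, name_attr, login):
    """Filter locating the entry for one login; the login is escaped, not pasted raw."""
    return "(&%s(%s=%s))" % (base_filter, name_attr, escape_filter_value(login))


def eligible_logins(entries, base_filter=FILTER, d_filter=D_FILTER, name_attr="sAMAccountName"):
    """Logins that satisfy 'filter' and are not caught by 'd_filter'."""
    want, disabled = parse_filter(base_filter), parse_filter(d_filter)
    return [e[name_attr] for e in entries if matches(want, e) and not matches(disabled, e)]


def login_allowed(entries, login, name_attr="sAMAccountName"):
    """Assumed check order (not RT's code): exactly one entry must match the
    user filter for this login and none may match the disabled filter for it."""
    want = parse_filter(user_search_filter(FILTER, name_attr, login))
    disabled = parse_filter(user_search_filter(D_FILTER, name_attr, login))
    found = [e for e in entries if matches(want, e)]
    blocked = [e for e in entries if matches(disabled, e)]
    return len(found) == 1 and not blocked


if __name__ == "__main__":
    print("eligible:", eligible_logins(SAMPLE_ENTRIES))
    for name in ("jdoe", "asmith", "oldacct", "printer1", "*"):
        print("%-9s -> %s" % (name, login_allowed(SAMPLE_ENTRIES, name)))
```

Running it lists jdoe and svc_ldap as eligible: asmith and oldacct are caught by the bit-AND disabled filter even though their userAccountControl values differ, and printer1 fails the user filter. The same two filter strings can be handed to ldapsearch against the real directory, as suggested earlier in the thread, once the bind DN works.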

Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com