Assistance w/ LDAP Logins

Think I’m close, but could use some help from some experts… I have $LogToScreen set to ‘debug’, but it doesn’t appear to be giving me any additional information than it was before…

Local login works fine, but the LDAP logins keep getting rejected with incorrect password. Here is the relevant portion of my config:

Set( $ExternalAuthPriority, ['My_LDAP'] );
Set( $ExternalInfoPriority, ['My_LDAP'] );
Set( $ExternalServiceUsesSSLorTLS, 0 );
Set( $AutoCreateNonExternalUsers, 0 );
Set( $ExternalSettings, {
    'My_LDAP' => {
        'type' => 'ldap',
        'server' => 'dc1.XXX.local',
        'rt_ldap_username' => 'cn=rt,ou=Users,dc=XXX,dc=local',
        'rt_ldap_password' => 'ldap',
        'base' => 'dc=XXX,dc=local',
        'filter' => '(&(ObjectCategory=User)(ObjectClass=Person))',
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls' => 0,
        'ssl_version' => 3,
        'net_ldap_args' => [ version => 3 ],
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName' => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos' => 'sAMAccountName',
        },
    },
});

And here is the tail of my Apache log:
[Fri Jul 6 18:59:26 2012] [info]: Successful login for root from 10.5.10.52 (/usr/local/libdata/perl5/site_perl/RT/Interface/Web.pm:660)
[Fri Jul 6 18:59:36 2012] [error]: FAILED LOGIN for testuser from 10.5.10.52 (/usr/local/libdata/perl5/site_perl/RT/Interface/Web.pm:655)

Any idea how else I could perhaps get more detailed logging of where the credentials are falling down, at least?

Thanks in advance,
-m

Hey Mario! I have just recently set up 4.0.x with LDAP, perhaps this will help?

Set( $ExternalAuthPriority, ['WORK_LDAP'] );
Set( $ExternalServiceUsesSSLorTLS, 0 );
Set( $AutoCreateNonExternalUsers, 1 );
Set( $ExternalInfoPriority, ['WORK_LDAP'] );
Set( $ExternalSettings, {
    'WORK_LDAP' => {
        'type' => 'ldap',
        'server' => 'dc01.work.com',
        'port' => '389',
        'user' => 'user@work.com',
        'pass' => 'pAs5w0Rdy3a4r1g4t',
        'base' => 'dc=work,dc=com',
        'filter' => '(objectClass=*)',
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'net_ldap_args' => [ version => 3 ],
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName' => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos' => 'sAMAccountName',
            'WorkPhone' => 'telephoneNumber',
        },
    },
});

Hope this helps you out…
Best,
–Glenn

Glenn E. Sieb
System Administrator
+1 201 809-4958

eFashionSolutions
80 Enterprise Avenue South
Secaucus, NJ 07094

Wow yeah, thanks Glenn! That actually helped out tremendously!
I just converted:

'rt_ldap_username' => 'cn=rt,ou=Users,dc=hamdenps,dc=local',
'rt_ldap_password' => 'ldap',

To

'user' => 'rt@hamdenps.local',
'pass' => 'ldap',

And that fixed it… which is strange because it looks like the newest
documentation/examples given seem to want to use rt_ldap prefixes
for some reason… but all is well, it's working perfectly.
Thanks again gentlemen
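An added example, not from the thread or from RT itself: a small Python check for the mistake Mario hit. RT::Authen::ExternalAuth reads the keys 'user' and 'pass'; the rt_ldap_username / rt_ldap_password strings in the docs sample are placeholder values, so with those as keys RT sees no bind credentials and (as the quoted docs comment describes) binds anonymously. The set of known keys is assembled from the two configs in this thread, the required-key list is an assumption, and the sample config is constructed; the second function evaluates the thread's Active Directory d_filter offline.

```python
# Keys RT::Authen::ExternalAuth reads for a 'type' => 'ldap' service,
# collected from the two configs in the thread (assumed complete enough here).
KNOWN_LDAP_KEYS = {
    "type", "server", "port", "user", "pass", "base", "filter", "d_filter",
    "tls", "ssl_version", "net_ldap_args", "attr_match_list", "attr_map",
}
# Placeholder values from the docs sample that get mistaken for key names.
MISNAMED = {"rt_ldap_username": "user", "rt_ldap_password": "pass"}
# The thread's d_filter '(userAccountControl:1.2.840.113556.1.4.803:=2)':
# the OID is Active Directory's bitwise-AND matching rule, 2 is ACCOUNTDISABLE.
ACCOUNTDISABLE = 0x2


def lint_service(name, svc):
    """Return problems in one $ExternalSettings entry; an empty list means it looks sane."""
    problems = []
    for bad, good in MISNAMED.items():
        if bad in svc:
            problems.append(f"{name}: '{bad}' is a sample value, not a key; "
                            f"use '{good}' (otherwise RT binds anonymously)")
    if ("user" in svc) != ("pass" in svc):
        problems.append(f"{name}: set 'user' and 'pass' together, "
                        f"or omit both for an anonymous bind")
    for key in sorted(set(svc) - KNOWN_LDAP_KEYS - set(MISNAMED)):
        problems.append(f"{name}: unknown key '{key}' will be ignored")
    for req in ("server", "base", "filter", "attr_map"):  # assumed minimum
        if req not in svc:
            problems.append(f"{name}: missing required key '{req}'")
    return problems


def is_disabled(user_account_control):
    """Evaluate the d_filter offline: True when the ACCOUNTDISABLE bit is set."""
    return bool(user_account_control & ACCOUNTDISABLE)


# Constructed sample: the thread's failing block with the docs placeholders as keys.
MARIO_BEFORE = {
    "type": "ldap", "server": "dc1.XXX.local",
    "rt_ldap_username": "cn=rt,ou=Users,dc=XXX,dc=local", "rt_ldap_password": "ldap",
    "base": "dc=XXX,dc=local", "filter": "(objectClass=*)", "attr_map": {"Name": "sAMAccountName"},
}
# The fix from the thread: rename the two keys, keep the values.
MARIO_AFTER = dict(MARIO_BEFORE)
for old_key, new_key in MISNAMED.items():
    MARIO_AFTER[new_key] = MARIO_AFTER.pop(old_key)

if __name__ == "__main__":
    for label, cfg in (("before", MARIO_BEFORE), ("after", MARIO_AFTER)):
        print(label, lint_service("My_LDAP", cfg) or "ok")
    print(is_disabled(0x200), is_disabled(0x202))  # NORMAL_ACCOUNT, then disabled
```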

w00T! Glad to hear it, Mario!

Best,
–Glenn

Glenn E. Sieb
System Administrator
+1 201 809-4958

eFashionSolutions
80 Enterprise Avenue South
Secaucus, NJ 07094

I’d love to know the docs/examples that show rt_ldap_username so we
can fix them. Would you point us at them Mario?

Thanks

-kevin

My apologies, Kevin,
vi's word wrapping joined forces with my dyslexia and forced me
to read this backwards…
thanks again,
-m

" ## SERVICE-SPECIFIC SECTION
# If you can bind to your LDAP server anonymously you should
# remove the user and pass config lines, otherwise specify them here:
# The username RT should use to connect to the LDAP server
'user' => 'rt_ldap_username',
# The password RT should use to connect to the LDAP server
'pass' => 'rt_ldap_password', "

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Monday, July 09, 2012 10:41 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Assistance w/ LDAP Logins

On Mon, Jul 09, 2012 at 02:22:38PM -0400, Glenn E. Sieb wrote:

On 07/09/2012 01:15 PM, Mario DiNatale wrote: