CALLING EXTERNALAUTH TESTERS - v0.07_01 now available

Hello,

V0.07_01 is working for us for authentication with MSFT AD, after
installing it on top of 0.06. New users can log in and get "autocreated"
properly.

Thanks a lot to all developers for the quick solution.

This is what we added to RT_SiteConfig.pm, in case it may help someone
else:

# Config for LDAP authentication
Set( @Plugins, qw(RT::Authen::ExternalAuth) );

# LDAP Settings
Set($WebExternalAuth , 1);
Set($WebFallbackToInternalAuth , 1);
Set($ExternalAuthPriority, [ 'AD_LDAP' ] );
Set($ExternalInfoPriority, [ 'AD_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 1);
Set($ExternalSettings, { # AN EXAMPLE LDAP SERVICE
    'AD_LDAP' => { ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        # Should the service be used for authentication?
        'auth' => 1,
        # Should the service be used for information?
        'info' => 0,
        # The server hosting the service
        'server' => '',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        # The username RT should use to connect to the LDAP server
        'user' => '<MyDomain\username>',
        # The password RT should use to connect to the LDAP server
        'pass' => '',
        # The LDAP search base
        'base' => 'ou=,dc=nervianoms,dc=com',
        # The filter to use to match RT-Users
        'filter' => '(&(objectCategory=person)(objectClass=user))',
        # The filter that will only match disabled users
        'd_filter' => '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))',
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        #GV#'group' => 'GROUP_NAME',
        # What is the attribute for the group object that determines membership?
        #GV#'group_attr' => 'GROUP_ATTR',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list' => [ 'Name',
                               'EmailAddress',
                               'RealName'
                             ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name' => 'sAMAccountName',
                        'EmailAddress' => 'mail',
                        'ExternalAuthId' => 'sAMAccountName',
                      }
    }
}
);
# End of config for LDAP authentication

Gabriele Franzini
ICT Applications Manager
Nerviano Medical Sciences SRL
PO Box 11 - Viale Pasteur 10
20014 Nerviano Italy
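As an added example, not code from this thread or from RT::Authen::ExternalAuth, the Python below applies the posted `filter` and `d_filter` to constructed Active Directory style entries: the OID in `d_filter` is AD's bitwise-AND matching rule and bit 2 of `userAccountControl` is ACCOUNTDISABLE, so the second filter is how RT tells an account the directory has disabled from an active one. The `objectCategory` values and the sample entries are assumptions for illustration.

```python
# Added example (not from the thread or RT::Authen::ExternalAuth): applies the
# posted 'filter' and 'd_filter' to constructed Active Directory entries.
# Bit 2 of userAccountControl is ACCOUNTDISABLE, the value the posted
# d_filter tests via the matching-rule OID 1.2.840.113556.1.4.803.
ACCOUNTDISABLE = 0x0002

def bit_and_match(value: int, mask: int) -> bool:
    """LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803): true when every
    bit of `mask` is set in `value`; this is what (attr:...803:=2) means."""
    return (value & mask) == mask

def is_rt_user(entry: dict) -> bool:
    """Mirrors 'filter' => '(&(objectCategory=person)(objectClass=user))'.
    Assumption: objectCategory is held as the plain word 'person' rather
    than the schema DN a real AD server returns."""
    return (entry.get("objectCategory") == "person"
            and "user" in entry.get("objectClass", []))

def is_disabled(entry: dict) -> bool:
    """Mirrors 'd_filter': the person/user test AND the ACCOUNTDISABLE bit."""
    uac = int(entry.get("userAccountControl", 0))
    return is_rt_user(entry) and bit_and_match(uac, ACCOUNTDISABLE)

def account_state(entry: dict) -> str:
    """Combined outcome: 'not_user' (filter fails), 'disabled' (d_filter
    matches, so RT must refuse the login) or 'active'."""
    if not is_rt_user(entry):
        return "not_user"
    if is_disabled(entry):
        return "disabled"
    return "active"

# Constructed sample entries (no real directory data). 512 = NORMAL_ACCOUNT,
# 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE, 4096 = WORKSTATION_TRUST_ACCOUNT.
# Computer objects carry objectClass 'user' too, which is why the filter
# also tests objectCategory.
SAMPLE_ENTRIES = {
    "alice": {"objectCategory": "person",
              "objectClass": ["top", "person", "user"],
              "userAccountControl": 512},
    "bob": {"objectCategory": "person",
            "objectClass": ["top", "person", "user"],
            "userAccountControl": 514},
    "ws01$": {"objectCategory": "computer",
              "objectClass": ["top", "person", "user", "computer"],
              "userAccountControl": 4096},
}
```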

Franzini, Gabriele [Nervianoms] wrote:

Hello,

V0.07_01 is working for us for authentication with MSFT AD, after
installing it on top of 0.06. New users can log in and get “autocreated”
properly.

Thanks a lot to all developers for the quick solution.

This is what we added to RT_SiteConfig.pm, in case it may help someone
else:

# Config for LDAP authentication
Set( @Plugins, qw(RT::Authen::ExternalAuth) );

# LDAP Settings
Set($WebExternalAuth , 1);
Set($WebFallbackToInternalAuth , 1);
Set($ExternalAuthPriority, [ 'AD_LDAP' ] );
Set($ExternalInfoPriority, [ 'AD_LDAP' ] );

You are using WebExternalAuth and ExternalAuth… is this intended? The
two are not designed to work together, it should be either/or.

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England

Mike Peachey wrote:

Franzini, Gabriele [Nervianoms] wrote:

Hello,

You are using WebExternalAuth and ExternalAuth… is this intended? The
two are not designed to work together, it should be either/or.

Unless you are using WebExternalAuth for a non-LDAP source…

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England

Franzini, Gabriele [Nervianoms] wrote:

Hello Mike,
This is intended; we kept it to enable non-LDAP users, e.g. root, to log
in. “Intended” does not mean “fully aware of consequences”, however –
we are still learning. Are there side effects?
Many thanks again,
Gabriele

WebExternalAuth doesn’t allow root to login.

RT::Authen::ExternalAuth allows external and internal users to login.
If the user already exists inside RT, then it doesn’t bother to look in
an external source for authentication, but will still look externally
and load user information if the user exists in an outside source.

WebExternalAuth is the system that checks to see if the web server has
authenticated a user, and logs the user in if it has. This is a
completely different system to Internal auth or “ExternalAuth” and
requires that your web server is configured to authenticate users trying
to access the RT directory.
Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England

Franzini, Gabriele [Nervianoms] wrote:

Got it.
We have now set WebExternalAuth to 0, and the system still behaves as it
should: both LDAP and non-LDAP users can log in.
Is it better to post the new line as an Errata Corrige to my previous
post?
Gabriele

Don’t think it matters much. Your config is pretty much as per the
examples provided anyway.

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England