eDirectory authentication and groups question

Hello:

I've been working on migrating my school district from an MS Access based work order system to RT. I have been able to get it up and running with Ubuntu 8.04, MySQL 5, RT 3.8.6, ExternalAuth 0.08 and RTFM 2.4.2. But I am having some problems.

What I would like to do is have general staff be able to log in and have an account created, then for a support staff to be able to manually (automatically would be better but I’ll take manual) add them to a custom group within RT if they need more permissions than to submit a trouble ticket to the support queue.

Currently I am able to authenticate to my eDirectory through LDAP and ExternalAuth as an unprivileged user, but I haven't been able to figure out the rest. Any help or suggestions would be appreciated. I am including my RT_SiteConfig (modified to protect some information) below.

# THE BASICS:

Set($rtname, 'server.name');
Set($Organization, 'LMUSD');

Set($CorrespondAddress , 'removed');
Set($CommentAddress , 'removed');

Set($Timezone , 'US/PACIFIC'); # obviously choose what suits you

# THE DATABASE:

Set($DatabaseType, 'mysql'); # e.g. Pg or mysql

# These are the settings we used above when creating the RT database,
# you MUST set these to what you chose in the section above.

Set($DatabaseUser , 'removed');
Set($DatabasePassword , 'removed');
Set($DatabaseName , 'removed');

# THE WEBSERVER:

Set($WebDomain, 'localhost' );
Set($WebPath , "");
Set($WebBaseURL , "http://removed");

# THE PLUGINS

Set(@Plugins, qw(
    RT::FM
    RT::Authen::ExternalAuth
));

# LDAP Authentication

Set($ExternalAuthPriority, [ 'My_LDAP' ]);

Set($ExternalInfoPriority, [ 'My_LDAP' ]);

Set($ExternalServiceUsesSSLorTLS, 0);

Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'          => 'ldap',
        'server'        => 'removed',
        'base'          => 'o=',
        'filter'        => '(objectClass=Person)',
        'd_filter'      => '(objectClass=Computer)',
        'tls'           => 0,
        'ssl_version'   => 3,
        'net_ldap_args' => [ version => 3 ],
        #'group'        => 'RT_Users',
        #'group_attr'   => 'groupmembersattribute',
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        'attr_map' => {
            'Name'         => 'uid',
            'EmailAddress' => 'mail',
        },
    },
});

1;

Scott Melot
Personal Computer Network Specialist III, Information Technology Services
Lucia Mar Unified School District
Phone: (805) 474-3000 ext 1016

said:

What I would like to do is have general staff be able to log in and have
an account created, then for a support staff to be able to manually
(automatically would be better but I’ll take manual) add them to a custom
group within RT if they need more permissions than to submit a trouble
ticket to the support queue.

All that needs to be done is for an admin to go to Configuration, Users,
and search for the username of the person you want to set up (be sure to
change the search type to Name, defaults to User ID). Click their user
and check the box that says “Let this person be granted rights” and make
them a member of the appropriate group.

You can also get a list of all privileged and non-privileged users in RT
by entering % in the search box.

This helped with part of my problem, and for that I am very grateful (it showed me the LDAP authenticated users were being created and I could convert them to privileged users). However, I am still having trouble getting LDAP to work based on a group. In my original mailing I may have been unclear, and for that I apologize. I can authenticate with the group attributes disabled but when I try to restrict logins to only members of an eDirectory group called “RT_Users” I cannot log in through LDAP. I am only told the user couldn’t authenticate. The only member of the group is my account (which works without the group attribute). Has anyone running a Novell eDirectory environment been able to get ExternalAuth to work with the groups attribute? If so I would appreciate any configuration guidance as I am a bit of a newbie when it comes to eDirectory and LDAP.

Thank you again for the advice on the % search, that was very helpful.

change+lists.rt@nightwind.net 12/4/2009 4:46 PM >>>


If you turn your logging up to debug, RT-Authen-ExternalAuth will log
the LDAP queries it is running and then you should be able to inspect
or run them manually against your server until you get the syntax
correct.

-kevin
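Added example for this thread (not code from the original posts, from RT, or from RT::Authen::ExternalAuth): a stand-alone Net::LDAP script that performs by hand the lookups a group-restricted login needs, so each step can be checked against the eDirectory server and compared with what RT logs once the log level is at debug (Set($LogToFile, 'debug') in RT_SiteConfig.pm). The server name, the search account, the group DN 'cn=RT_Users,ou=Groups,o=LMUSD' and the membership attribute 'member' are assumptions standing in for the redacted and placeholder values in the posted config; in particular it assumes the group is identified by its full DN and that group_attr is the attribute of the group entry that lists member DNs. It connects the way the posted config does ('tls' => 0), which means every password it sends crosses the wire in cleartext.

```perl
#!/usr/bin/perl
# Added example for this thread, not code from RT or RT::Authen::ExternalAuth.
# Reproduces by hand the LDAP lookups behind a group-restricted ExternalAuth
# login so each step can be checked against the server and the RT debug log.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# --- Settings mirroring the RT_SiteConfig keys; the values are assumptions ---
my $server     = 'ldap.example.org';              # 'server' (redacted in the thread)
my $base       = 'o=LMUSD';                        # 'base' (assumed organization container)
my $filter     = '(objectClass=Person)';           # 'filter', as in the posted config
my $name_attr  = 'uid';                            # 'attr_map' => { Name => 'uid' }
my $group_dn   = 'cn=RT_Users,ou=Groups,o=LMUSD';  # 'group': assumed to be the group's full DN
my $group_attr = 'member';                         # 'group_attr': assumed eDirectory membership attribute
my ($bind_dn, $bind_pw) = ('cn=rtsearch,o=LMUSD', 'secret');  # assumed read-only search account

my ($user, $password) = @ARGV;
die "usage: $0 <username> <password>\n" unless defined $user && defined $password;

# Plain LDAP on 389, protocol v3: the same transport as 'tls' => 0 in the
# posted config, so every password below is sent in cleartext.
my $ldap = Net::LDAP->new($server, version => 3)
    or die "connect to $server failed: $@\n";

# Step 1: bind as the search account and locate the user's DN under 'base'.
# The typed username is escaped so ( ) * \ cannot rewrite the filter.
my $msg = $ldap->bind($bind_dn, password => $bind_pw);
die "search bind failed: " . $msg->error . "\n" if $msg->code;

my $user_filter = sprintf '(&%s(%s=%s))', $filter, $name_attr, escape_filter_value($user);
# attrs '1.1' asks for no attributes; only the DN of the match is wanted.
$msg = $ldap->search(base => $base, scope => 'sub', filter => $user_filter, attrs => ['1.1']);
die "user search failed: " . $msg->error . "\n" if $msg->code;
die sprintf("expected exactly one entry for %s, got %d\n", $user_filter, $msg->count)
    unless $msg->count == 1;
my $user_dn = $msg->entry(0)->dn;
print "user DN   : $user_dn\n";

# Step 2: group check. Read the group entry itself (scope 'base') and ask
# whether its membership attribute carries this exact DN. A match returns
# the group entry; no match returns zero entries, which from the LDAP side
# is what a "could not authenticate" login looks like.
my $group_filter = sprintf '(%s=%s)', $group_attr, escape_filter_value($user_dn);
$msg = $ldap->search(base => $group_dn, scope => 'base', filter => $group_filter, attrs => ['1.1']);
die "group search failed (does '$group_dn' exist?): " . $msg->error . "\n" if $msg->code;
printf "group     : %s\n",
    $msg->count ? "listed in $group_attr of $group_dn" : "NOT listed in $group_attr of $group_dn";

# Step 3: the user's own password, bound against the DN found in step 1.
$msg = $ldap->bind($user_dn, password => $password);
printf "user bind : %s\n", $msg->code ? 'FAILED (' . $msg->error . ')' : 'OK';
$ldap->unbind;
```

Run it as `perl ldapcheck.pl smelot 'password'`. If step 1 finds the DN and step 3 binds but step 2 returns no entry, the failure is in the group settings rather than in authentication: either the group value is not the DN of an entry the search account can read, or the attribute named in group_attr is not the one eDirectory uses to list that group's members. The same group query can be issued with the OpenLDAP client for comparison with the filter RT logs, e.g. `ldapsearch -x -H ldap://ldap.example.org -D 'cn=rtsearch,o=LMUSD' -W -b 'cn=RT_Users,ou=Groups,o=LMUSD' -s base '(member=cn=smelot,ou=Users,o=LMUSD)' 1.1` (hypothetical DNs).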