ExternalAuth

Hi,

I am trying to get ExternalAuth against AD working on an existing RT
instance. I can successfully log in using AD credentials, however I would
like to limit access by group membership. When I try to do this it
simply won't work. Attached is my RT_SiteConfig.pm ("anonymized"). This
config works as I have commented out the sections relevant to group
membership. Can someone point out where I'm going wrong?

Regards

Jim Tambling

Network Services

Data Tote (England) Ltd.

Set($Timezone, "Europe/London");
Set($rtname, 'CGS ITC Department');
Set($Organization, 'xxxxxxxxx.xxxxxx.sch.uk');
Set($CorrespondAddress , 'rt-support@xxxxxxxxx.xxxxxx.sch.uk');
Set($CommentAddress , 'rt-support-c@xxxxxxxxx.xxxxxx.sch.uk');
Set( $rtname, 'My Organization');

# THE WEBSERVER:
Set($WebDomain, 'request.xxxxxxxx.com');
Set($WebPath , "/rt");
Set($WebBaseURL , "http://request.xxxxxxxx.com");

# The Database
Set($DatabasePassword, q{xxxxxxxx});

# MAIL CONFIG
#Set($MailCommand , 'smtp');

# You must install Plugins on your own, this is only an example
# of the correct syntax to use when activating them.
# There should only be one @Plugins declaration in your config file.
#Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail)));
Set(@Plugins,(qw(RTx::AssetTracker RT::Extension::MandatorySubject RT::Extension::ResetPassword RT::Authen::ExternalAuth)));

Set($ExternalAuthPriority, [ 'My_LDAP',
                        ]
);
Set($ExternalInfoPriority, [ 'My_LDAP'
                        ]
);

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS, 0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 0);

# These are the full settings for each external service as a
# HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
#   Set($ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
Set($ExternalAuthPriority,['My_LDAP']);

Set($ExternalSettings, {
    # First LDAP
    'My_LDAP'       =>  {   ## GENERIC SECTION
                            # The type of service (db/ldap/cookie)
                            'type'              =>  'ldap',
                            # The server hosting the service
                            'server'            =>  'dc1.xxxxxxxx.com',
                            ## SERVICE-SPECIFIC SECTION
                            # If you can bind to your LDAP server anonymously you should
                            # remove the user and pass config lines, otherwise specify them here:
                            # The username RT should use to connect to the LDAP server
                            'user'              =>  'rtbind@xxxxxxxx.com',
                            # The password RT should use to connect to the LDAP server
                            'pass'              =>  'xxxxxxxxxx',
                            # The LDAP search base
                            'base'              =>  'ou=XXX,dc=xxxxxxxx,dc=com',
                            # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
                            # YOU **MUST** SPECIFY A filter AND A d_filter!!
                            # The filter to use to match RT-Users
                            'filter'            =>  '(&(ObjectCategory=User)(ObjectClass=Person))',
                            # A catch-all example filter: '(objectClass=*)'
                            # The filter that will only match disabled users
                            'd_filter'          =>  '(userAccountControl:1.2.840.113556.1.4.803:=2)',
                            # A catch-none example d_filter: '(objectClass=FooBarBaz)'
                            # Should we try to use TLS to encrypt connections?
                            'tls'               =>  1,
                            # SSL Version to provide to Net::SSLeay if using SSL
                            'ssl_version'       =>  3,
                            # What other args should I pass to Net::LDAP->new($host,@args)?
                            'net_ldap_args'     =>  [ version => 3 ],
                            # Does authentication depend on group membership? What group name?
                            #'group'             =>  'cn=Request_Tracker,ou=Groups,ou=XXXXXXXXX,ou=XXX,dc=xxxxxxxx,dc=com',
                            # What is the attribute for the group object that determines membership?
                            #'group_attr'        =>  'memberOf',
                            # What is the attribute of the user entry that should be matched against group_attr
                            # above? (Optional; defaults to 'dn')
                            'group_attr_value'  =>  'GROUP_ATTR_VALUE',
                            ## RT ATTRIBUTE MATCHING SECTION
                            'attr_match_list'   =>  [ 'Name',
                                                      'EmailAddress'
                                                    ],
                            # The mapping of RT attributes on to LDAP attributes
                            'attr_map'          =>  { 'Name'         => 'sAMAccountName',
                                                      'EmailAddress' => 'mail'
                                                    }
                        },
}
);

1;
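An added illustration (not from the post above and not RT's own code): a small Python model of the order in which RT::Authen::ExternalAuth's LDAP backend applies the base/filter lookup, the d_filter and the group settings, as far as I understand that module. The directory entries and DNs are constructed, and the shape of the group check (search the group entry for group_attr equal to the user's group_attr_value, default 'dn') is my assumption about the module's behaviour, not something the post confirms.

```python
ACCOUNTDISABLE = 0x2  # bit tested by the d_filter's 1.2.840.113556.1.4.803 (bitwise AND) rule

# Constructed sample directory: DN -> multi-valued attributes, as LDAP returns them.
DIRECTORY = {
    "cn=jim,ou=XXX,dc=example,dc=com": {
        "objectClass": ["Person"], "sAMAccountName": ["jim"], "userAccountControl": ["512"],
        "memberOf": ["cn=Request_Tracker,ou=Groups,dc=example,dc=com"]},
    "cn=old,ou=XXX,dc=example,dc=com": {   # 514 = 512 | ACCOUNTDISABLE
        "objectClass": ["Person"], "sAMAccountName": ["old"], "userAccountControl": ["514"]},
    "cn=guest,ou=XXX,dc=example,dc=com": {
        "objectClass": ["Person"], "sAMAccountName": ["guest"], "userAccountControl": ["512"]},
    "cn=Request_Tracker,ou=Groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=jim,ou=XXX,dc=example,dc=com", "cn=old,ou=XXX,dc=example,dc=com"]},
}

def find_user(name, base):
    """Step 1: the Person entry under 'base' whose sAMAccountName is 'name'."""
    for dn, attrs in DIRECTORY.items():
        if dn.endswith(base) and "Person" in attrs.get("objectClass", []) \
                and attrs.get("sAMAccountName") == [name]:
            return dn, attrs
    return None, None

def check_login(name, cfg):
    """Return 'ok' or why the login is refused; cfg mirrors the My_LDAP keys."""
    dn, user = find_user(name, cfg["base"])
    if dn is None:
        return "no such user"
    # Step 2: d_filter '(userAccountControl:1.2.840.113556.1.4.803:=2)' is a
    # bitwise-AND test, so any account with the disable bit set is refused.
    if int(user["userAccountControl"][0]) & ACCOUNTDISABLE:
        return "account disabled"
    # Step 3 (assumed module behaviour): the search runs against the *group*
    # entry, so group_attr has to be an attribute that entry carries ('member'
    # in AD); 'memberOf' lives on the user entry and matches nothing here.
    if cfg.get("group"):
        group = DIRECTORY.get(cfg["group"], {})
        value_attr = cfg.get("group_attr_value", "dn")
        wanted = dn if value_attr == "dn" else user.get(value_attr, [None])[0]
        if wanted not in group.get(cfg["group_attr"], []):
            return "not in group"
    return "ok"
```

Call check_login() with a dict built from the My_LDAP keys to see which of the three steps rejects a given account.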