Has anyone successfully configured LDAP to authenticate against AD with version 4.0.1?

I am trying to make this work. I installed the latest version of
ExternalAuth. I am working with Request Tracker for the first time, just
upgraded from 3.8.7 to 4.0.1. There are a few things that I think are off
but I am not sure what the correct solution is.

  1. I am not sure what to use for the group_attr. I want to have users in the
    group Request-Tracker inside of AD be able to authenticate with their
    credentials when logging into RT, and I believe the filter is set correctly
    other than what needs to be added for the group_attribute. I am not sure
    what that should be.

  2. For my base statement, I am specifying the Users OU but none of my users
    are in that OU. I am not sure exactly what it’s looking for there.

Any help is appreciated!
ExternalAuth config:

I have added the following to my RT_SiteConfig.pm:

@RT::MailPlugins = ("RT::Authen::ExternalAuth");
Set(@Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalAuthPriority, [ 'Active_Directory' ] );
Set($ExternalInfoPriority, [ 'Active_Directory' ] );
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'Active_Directory' => {
        'type'   => 'ldap',
        'auth'   => 1,
        'info'   => 1,
        'server' => 'rt.mydomain.local',
        'base'   => 'OU=Users,DC=mydomain,DC=local',
        # The filter to use to match RT-Users
        'filter' => '(objectclass=person)',
        # The filter that will only match disabled users
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'Request-Tracker',
        # What is the attribute for the group object that determines membership?
        #'group_attr' => 'GROUP_ATTR',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'displayName',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co'
        }
    }
});

View this message in context: http://old.nabble.com/Has-anyone-sucessfully-configured-LDAP-to-authenticate-against-AD-with-version-4.0.1--tp32358024p32358024.html

  1. For group_attr, you want the term to be ‘member’. That checks for
    membership in the group.

  2. For your base, you need to choose the next highest level of Active
    Directory beyond where your users are stored. This means you need to
    specify the OU where your users are, not just a random “Users” OU.

Andrew Wagner
Assistant Network Administrator
aawagner@wisc.edu
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu

Thank you for your response. So just to make sure I understand, if the users
I want to be able to authenticate in RT are not in the OU specified it will
not work? So I should move those users to whatever the OU is that I specify
in the base?


RT Training Sessions (http://bestpractical.com/services/training.html)

  • Chicago, IL, USA — September 26 & 27, 2011
  • San Francisco, CA, USA — October 18 & 19, 2011
  • Washington DC, USA — October 31 & November 1, 2011
  • Melbourne VIC, Australia — November 28 & 29, 2011
  • Barcelona, Spain — November 28 & 29, 2011

View this message in context: http://old.nabble.com/Has-anyone-sucessfully-configured-LDAP-to-authenticate-against-AD-with-version-4.0.1--tp32358024p32358276.html

Yes, Josh. That is correct. The ExternalAuthen checks all locations
for users under the base OU. Either change your specified base in
RT_SiteConfig.pm or move the users to the OU that you want RT to search.

Andrew Wagner
Assistant Network Administrator
aawagner@wisc.edu
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu

Thank you very much for your feedback. I really appreciate it.


View this message in context: http://old.nabble.com/Has-anyone-sucessfully-configured-LDAP-to-authenticate-against-AD-with-version-4.0.1--tp32358024p32358398.html

I think I am close now. I made those changes to the config. I am receiving an
error when I try to log in with my AD credentials. The error is:

[Mon Aug 29 17:35:31 2011] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to rt.mydomain.local (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)

Do I need to specify an ldap port? I did add a username and password to
authenticate.


View this message in context: http://old.nabble.com/Has-anyone-sucessfully-configured-LDAP-to-authenticate-against-AD-with-version-4.0.1--tp32358024p32358824.html

Enabled debugging and here is the output. I know I exist, I must have missed
something somewhere when configuring the authentication method. I will also
post my current RT_SiteConfig underneath the error log.

[Mon Aug 29 18:57:19 2011] [debug]: Attempting to use external auth service: Active_Directory (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Aug 29 18:57:19 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Aug 29 18:57:19 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Mon Aug 29 18:57:23 2011] [debug]: Attempting to use external auth service: Active_Directory (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Aug 29 18:57:23 2011] [debug]: Calling UserExists with $username (josh cole) and $service (Active_Directory) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Aug 29 18:57:23 2011] [debug]: UserExists params: username: josh cole , service: Active_Directory (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Aug 29 18:57:23 2011] [debug]: LDAP Search === Base: OU=ITS,DC=mydomain,DC=local == Filter: (&(objectclass=person)(sAMAccountName=josh cole)) == Attrs: l,displayName,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Aug 29 18:57:23 2011] [debug]: User Check Failed :: ( Active_Directory ) josh cole User not found (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:318)

Current config:

# This file was generated by running "update-rt-siteconfig-3.8".
#
# While local modifications will not be overwritten without permission,
# it is recommended that they are instead placed in
# /etc/request-tracker3.8/RT_SiteConfig.d
#
# Note that modifications to the RT_SiteConfig.d directory won't
# take effect until the update command mentioned above is run again.

# start /etc/request-tracker3.8/RT_SiteConfig.d/40-timezone

# dynamically find out the current timezone
my $zone = "PST";
$zone = `/bin/cat /etc/timezone` if -f "/etc/timezone";
chomp $zone;
Set($Timezone, $zone);

# end /etc/request-tracker3.8/RT_SiteConfig.d/40-timezone

# start /etc/request-tracker3.8/RT_SiteConfig.d/50-debconf

# THE BASICS:

Set($WebDomain, 'rt.netman.mydomain.local');
Set($rtname, 'rt.netman.mydomain.local');
Set($Organization, 'netman.mydomain.local');

#Set($CorrespondAddress , 'rt@netman.mydomain.local');
#Set($CommentAddress , 'rt-comment@netman.mydomain.local');
Set($MaxAttachmentSize , 10000000);
Set($FriendlyFromLineFormat, "\"%s\" <%s>");
Set(@Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($ExternalAuthPriority, [ 'Active_Directory' ] );
Set($ExternalInfoPriority, [ 'Active_Directory' ] );
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'Active_Directory' => {
        'type'   => 'ldap',
        'auth'   => 1,
        'info'   => 1,
        'server' => '172.16.1.70',
        'base'   => 'OU=ITS,DC=fpu,DC=local',
        'user'   => 'rtauth',
        # The password RT should use to connect to the LDAP server
        'pass'   => 'xxxxxx',
        # The filter to use to match RT-Users
        'filter' => '(objectclass=person)',
        # The filter that will only match disabled users
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'Request-Tracker',
        # What is the attribute for the group object that determines membership?
        'group_attr' => 'member',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'displayName',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co'
        }
    }
});

# THE WEBSERVER:

Set($LogToFile, 'debug');
Set($LogDir, '/var/log/rt');

Set($WebPath , "/rt");
Set($WebBaseURL , "http://rt.netman.mydomain.local");

# end /etc/request-tracker3.8/RT_SiteConfig.d/50-debconf

# start /etc/request-tracker3.8/RT_SiteConfig.d/51-dbconfig-common

# THE DATABASE:

# generated by dbconfig-common

# map from dbconfig-common database types to their names as known by RT
my %typemap = (
    mysql   => 'mysql',
    pgsql   => 'Pg',
    sqlite3 => 'SQLite',
);

Set($DatabaseType, $typemap{mysql} || "UNKNOWN");

Set($DatabaseHost, 'localhost');
Set($DatabasePort, '');

Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , 'xxxxxx');

# SQLite needs a special case, since $DatabaseName must be a full pathname
my $dbc_dbname = 'rtdb';
if ( "mysql" eq "sqlite3" ) {
    Set ($DatabaseName, '' . '/' . $dbc_dbname);
} else {
    Set ($DatabaseName, $dbc_dbname);
}

# end /etc/request-tracker3.8/RT_SiteConfig.d/51-dbconfig-common

1;

josh.cole wrote:

I think I am close now. I made those changes to the config. I am receiving
an error when I try to log in with my AD credentials. The error is simply:

[Mon Aug 29 18:18:58 2011] [error]: FAILED LOGIN for josh cole from xxx.xxx.xxx.xxx (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:655)

Do I need to specify an ldap port? I did add a username and password to
authenticate.

josh.cole wrote:

Thank you very much for your feedback. I really appreciate it.

Andrew Wagner-4 wrote:

Yes, Josh. That is correct. The ExternalAuthen checks all locations
for users under the base OU. Either change your specified base in
RT_SiteConfig.pm or move the users to the OU that you want RT to search.

Andrew Wagner
Assistant Network Administrator
aawagner@wisc.edu
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu

Thank you for your response. So just to make sure I understand, if the
users
I want to be able to authenticate in RT are not in the OU specified it
will
not work? So I should move those users to whatever the OU is that I
specify
in the base?

Andrew Wagner-4 wrote:

  1. For group_attr, you want the term to be ‘member’. That checks for
    membership in the group.

  2. For your base, you need to choose the next highest level of Active
    Directory beyond where your users are stored. This means you need to
    specify the OU where your users are, not just a random “Users” OU.

Andrew Wagner
Assistant Network Administrator
aawagner@wisc.edu
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu

I am trying to make this work. I installed the latest version of
ExternalAuth. I am working with Request Tracker for the first time,
just
upgraded from 3.8.7 to 4.0.1. There are a few things that I think are
off
but I am not sure what the correct solution is.

  1. I am not sure what to use for the group_attr I want to have users
    in
    the
    group Request-Tracker inside of AD be able to authenticate with their
    credentials when logging into RT and I believe the filter is set
    correctly
    other than what needs to be added for the group_attribute. I am not
    sure
    what that should be.

  2. For my base statement. I am specifying the Users OU but none of my
    users
    are in that OU. I am not sure exactly what it’s looking for there.

Any help is appreciated!
ExternalAuth config:

I have added the following to my RT_SiteConfig.pm:

@RT::MailPlugins = (“RT::Authen::ExternalAuth”);
Set(@Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalAuthPriority, [ ‘Active_Directory’
]
);
Set($ExternalInfoPriority, [ ‘Active_Directory’
]
);
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, { ‘Active_Directory’ => {
‘type’
=> ‘ldap’,
‘auth’
=> 1,
‘info’
=> 1,
‘server’
=> ‘rt.mydomain.local’,
‘base’
=> ‘OU=Users,DC=mydomain,DC=local’,
# The
filter to
use
to match RT-Users
‘filter’
=> ‘(objectclass=person)’,
# The
filter
that
will only match disabled users
‘d_filter’
=> ‘(userAccountControl:1.2.840.113556.1.4.803:=2)’,
# Should we
try
to
use TLS to encrypt connections?
‘tls’
=> 0,
# What
other
args
should I pass to Net::LDAP->new($host,@args)?

‘net_ldap_args’
=> [ version => 3 ],
# Does
authentication depend on group membership? What group name?
‘group’
=> ‘Request-Tracker’,
# What is
the
attribute for the group object that determines membership?

#‘group_attr’
=> ‘GROUP_ATTR’,
## RT
ATTRIBUTE
MATCHING SECTION
# The list
of RT
attributes that uniquely identify a user

‘attr_match_list’
=> [ ‘ExternalAuthId’,‘EmailAddress’ ],
# The
mapping of
RT
attributes on to LDAP attributes
‘attr_map’
=> { ‘Name’ => ‘sAMAccountName’,

‘EmailAddress’ => ‘mail’,

‘Organization’ => ‘physicalDeliveryOfficeName’,

‘RealName’ => ‘displayName’,

‘ExternalAuthId’ => ‘sAMAccountName’,

‘Gecos’ => ‘sAMAccountName’,

‘WorkPhone’ => ‘telephoneNumber’,

‘Address1’ => ‘streetAddress’,

‘City’ => ‘l’,

‘State’ => ‘st’,

‘Zip’ => ‘postalCode’,

‘Country’ => ‘co’

}
}
}
);


RT Training Sessions (http://bestpractical.com/services/training.html)

  • Chicago, IL, USA — September 26& 27, 2011
  • San Francisco, CA, USA — October 18& 19, 2011
  • Washington DC, USA — October 31& November 1, 2011
  • Melbourne VIC, Australia — November 28& 29, 2011
  • Barcelona, Spain — November 28& 29, 2011


View this message in context: http://old.nabble.com/Has-anyone-sucessfully-configured-LDAP-to-authenticate-against-AD-with-version-4.0.1--tp32358024p32359355.html

I believe that if you specify SSL, Authen-External will automatically
use port 636 (LDAPS). TLS encryption uses 389. We used TLS as LDAPS
is no longer officially supported.

Is the user you are trying to authenticate with inside your base? Do
you have the correct domain controller specified under server? Do you
have the right domain specified and formatted under base? I assume
you’re replacing your domain information with placeholders in your
config and are not actually using rt.mydomain.local.

Andrew Wagner
Assistant Network Administrator
aawagner@wisc.edu
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu

The user is within the base. The user exists in a sub-OU inside of ITS. I
have the correct DC, I have the ip entered for the DC/LDAP Server.

Yes sir that is correct, I am using placeholders. I do not believe that SSL
is being used based on the config I provided. All of the information is
correct. I have used an ldap browser to verify connectivity on port 389 and
to verify the information I’ve placed into the config.


View this message in context: http://old.nabble.com/Has-anyone-sucessfully-configured-LDAP-to-authenticate-against-AD-with-version-4.0.1--tp32358024p32359422.html

I should have noticed this sooner - try specifying the full DN of your
rtauth user. That is,
CN=rtauth,OU=someOU,OU=anotherOU,DC=mine,DC=his,DC=hers,DC=com.

Andrew Wagner
Assistant Network Administrator
aawagner@wisc.edu
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu

Below is the result:

[Mon Aug 29 20:04:21 2011] [critical]:
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can’t bind:
LDAP_INVALID_CREDENTIALS 49
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:467)


View this message in context: http://old.nabble.com/Has-anyone-sucessfully-configured-LDAP-to-authenticate-against-AD-with-version-4.0.1--tp32358024p32359783.html
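Putting Andrew's advice from this thread in one place (LDAPS on 636 versus StartTLS on 389, the full DN of the bind account that cures the LDAP_INVALID_CREDENTIALS 49 above, 'member' as group_attr, and a base that actually contains the users), here is the ExternalSettings block as I would write it against AD. This is an added example, not Josh's posted config and not the plugin's own sample: dc1.mydomain.local, the OUs, the rtauth account and the CA file path are placeholders, the 'user' and 'pass' keys are the plugin's bind credentials under the names its sample config uses (check the README of the version you installed), and the attr_map is trimmed to the attributes that matter for login. The security-relevant point is the one the posted config gets wrong: with 'tls' => 0 on port 389, the simple bind sends the rtauth password, and then every user's password, across the network in cleartext.

```perl
# Added example (not the posted config and not the plugin's sample): an
# RT_SiteConfig.pm ExternalSettings block for AD that applies the advice in
# this thread. dc1.mydomain.local, the OUs, the rtauth account and the CA
# file are placeholders; 'user'/'pass' are the plugin's bind-credential keys
# under the names its sample config uses.
Set(@Plugins, qw(RT::Authen::ExternalAuth));
Set($ExternalAuthPriority, [ 'Active_Directory' ]);
Set($ExternalInfoPriority, [ 'Active_Directory' ]);
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'Active_Directory' => {
        'type' => 'ldap',
        'auth' => 1,
        'info' => 1,

        # A domain controller, not the RT host. Plain ldap:// on 389 plus
        # 'tls' => 1 upgrades the connection with StartTLS before the bind;
        # with 'tls' => 0 the rtauth password and every user's password go
        # over the wire in cleartext (simple bind).
        'server'        => 'dc1.mydomain.local',
        'tls'           => 1,
        'net_ldap_args' => [ version => 3 ],
        # LDAPS alternative: no StartTLS, TLS from the first byte on 636.
        # scheme/port/verify/cafile are Net::LDAP->new options; verify and
        # cafile are handed to IO::Socket::SSL so the DC certificate is checked.
        # 'tls'           => 0,
        # 'net_ldap_args' => [ version => 3, scheme => 'ldaps', port => 636,
        #                      verify => 'require',
        #                      cafile => '/etc/ssl/certs/mydomain-root-ca.pem' ],

        # Bind as the full DN of a read-only service account (AD also accepts
        # the rtauth@mydomain.local form). A bare 'rtauth' is rejected with
        # LDAP_INVALID_CREDENTIALS (49).
        'user' => 'CN=rtauth,OU=Service Accounts,DC=mydomain,DC=local',
        'pass' => 'changeme',

        # Search base: the OU that contains the users (the search is a
        # subtree search, so sub-OUs are covered) or the domain root.
        # OU=Users is not where AD keeps accounts: the built-in container
        # is CN=Users, and it is a container, not an OU.
        'base'     => 'OU=ITS,DC=mydomain,DC=local',
        # objectClass=person alone also matches computer and contact objects.
        'filter'   => '(&(objectCategory=person)(objectClass=user))',
        # 1.2.840.113556.1.4.803 is AD's bitwise-AND matching rule;
        # 2 is the ACCOUNTDISABLE bit of userAccountControl.
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

        # AD stores group membership in the group's 'member' attribute as
        # the DNs of the members, so that is the attribute to test.
        'group'      => 'Request-Tracker',
        'group_attr' => 'member',

        'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'ExternalAuthId' => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'displayName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
        },
    },
});
```

There is no separate group base key in this config, so the group lookup has to run under the same 'base'; if the Request-Tracker group object lives outside OU=ITS, widen base to DC=mydomain,DC=local. The bind account only needs read access to the user and group objects, so it should not be a Domain Admin, and since its password sits in RT_SiteConfig.pm that file should be readable only by the user RT runs as.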

I think I have made some progress. Still receiving an error.

The error is:
[Mon Aug 29 23:15:41 2011] [debug]: Attempting to use external auth service: Active_Directory (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Aug 29 23:15:41 2011] [debug]: Calling UserExists with $username (josh cole) and $service (Active_Directory) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Aug 29 23:15:41 2011] [debug]: UserExists params: username: josh cole , service: Active_Directory (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Aug 29 23:15:41 2011] [debug]: LDAP Search === Base: DC=fpu,DC=local == Filter: (&(objectclass=person)(sAMAccountName=josh cole)) == Attrs: mail,sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Aug 29 23:15:41 2011] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::Authen::ExternalAuth /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm 553 with: Disabled: 0, EmailAddress: , Gecos: josh cole, Name: josh cole, Privileged: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)
[Mon Aug 29 23:15:41 2011] [debug]: Attempting to get user info using this external service: Active_Directory (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
[Mon Aug 29 23:15:41 2011] [debug]: Attempting to use this canonicalization key: ExternalAuthId (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Mon Aug 29 23:15:41 2011] [debug]: This attribute ( ExternalAuthId ) is null or incorrectly defined in the attr_map for this service ( Active_Directory ) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:474)
[Mon Aug 29 23:15:41 2011] [debug]: Attempting to use this canonicalization key: EmailAddress (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Mon Aug 29 23:15:41 2011] [debug]: LDAP Search === Base: DC=mydomain,DC=local == Filter: (&(objectclass=person)) == Attrs: mail,sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Mon Aug 29 23:15:51 2011] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: 0, EmailAddress: , Gecos: josh cole, Name: josh cole, Privileged: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
[Mon Aug 29 23:15:51 2011] [error]: Couldn't create user josh cole: Could not set user info (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129)
[Mon Aug 29 23:15:51 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Mon Aug 29 23:15:51 2011] [error]: FAILED LOGIN for josh cole from 172.18.10.65 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:655)
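Two things in that debug output matter beyond the failed login. The first search interpolates the login name straight into the filter, (&(objectclass=person)(sAMAccountName=josh cole)), so whatever is typed into the login form shapes the query that reaches the DC. The second search, issued after ExternalAuthId is skipped and EmailAddress comes back empty, is a bare (&(objectclass=person)) against DC=mydomain,DC=local, and by the timestamps it takes ten seconds: a lookup meant to find one account is enumerating every person in the domain. Whether the plugin version in use escapes filter values is not visible here. As an added example, not the plugin's code, this is how a filter builder should handle both cases: RFC 4515 escaping of the value, and an outright refusal of an empty match value. The logins fed to it are constructed test inputs.

```perl
#!/usr/bin/perl
# Added example, not the plugin's code: builds the kind of search filter the
# debug log above shows, (&(objectclass=person)(sAMAccountName=<login>)),
# with the two guards a filter builder needs. Pure Perl, no Net::LDAP
# required; the logins below are constructed test inputs.
use strict;
use warnings;

# RFC 4515: the characters that are special inside a filter value are
# replaced by \XX hex escapes, so a value can never close the current term
# or smuggle in another one.
sub escape_filter_value {
    my ($value) = @_;
    $value =~ s/([\\*()\x00])/sprintf('\\%02x', ord($1))/ge;
    return $value;
}

# Returns the filter string, or dies. An undefined or empty match value would
# otherwise leave only the base filter, and (&(objectclass=person)) matches
# every person under the search base instead of one account.
sub user_filter {
    my ($base_filter, $attr, $value) = @_;
    die "refusing to search $attr with an empty value\n"
        unless defined $value && length $value;
    die "attribute name must be a plain LDAP attribute type\n"
        unless $attr =~ /^[A-Za-z][A-Za-z0-9-]*$/;
    die "base filter must be a parenthesised filter\n"
        unless $base_filter =~ /^\(.*\)$/s;
    return '(&' . $base_filter . '(' . $attr . '='
         . escape_filter_value($value) . '))';
}

my $base_filter = '(objectclass=person)';

# Constructed inputs: the login from the log, an injection attempt, and the
# empty EmailAddress that turned the second search in the log into a full scan.
for my $case (
    [ sAMAccountName => 'josh cole' ],
    [ sAMAccountName => '*)(sAMAccountName=*' ],
    [ mail           => '' ],
) {
    my ($attr, $value) = @$case;
    my $filter = eval { user_filter($base_filter, $attr, $value) };
    print defined $filter ? "$attr => $filter\n" : "$attr => rejected: $@";
}
```

Run it with perl: the first case reproduces the filter from the log unchanged (a space is legal in a filter value, so a login typed as "josh cole" is matched verbatim against sAMAccountName), the injection case comes out as (sAMAccountName=\2a\29\28sAMAccountName=\2a) and matches nothing, and the empty mail case dies before any search is sent. Net::LDAP::Util already exports escape_filter_value and escape_dn_value for the same job, so real code should use those rather than a hand-written regex.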

josh.cole wrote:

Below is the result:

[Mon Aug 29 20:04:21 2011] [critical]:
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can’t bind:
LDAP_INVALID_CREDENTIALS 49
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:467)

Andrew Wagner-4 wrote:

I should have noticed this sooner - try specifying the full DN of your
rtauth user. That is,
CN=rtauth,OU=someOU,OU=anotherOU,DC=mine,DC=his,DC=hers,DC=com.

Andrew Wagner
Assistant Network Administrator
aawagner@wisc.edu
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu

The user is within the base. The user exists in a sub-OU inside of ITS.
I
have the correct DC, I have the ip entered for the DC/LDAP Server.

Yes sir that is correct, I am using placeholders. I do not believe that
SSL
is being used based on the config I provided. All of the information is
correct. I have used an ldap browser to verify connectivity on port 389
and
to verify the information I’ve placed into the config.

Andrew Wagner-4 wrote:

I believe that if you specify SSL, Authen-External will automatically
uses port 636 (LDAPS). TLS encryption uses 389. We used TLS as LDAPS
is no longer officially supported.

Is the user you are trying to authenticate with inside your base? Do
you have the correct domain controller specified under server? Do you
have the right domain specified and formatted under base? I assume
you’re replacing your domain information with placeholders in your
config and are not actually using rt.mydomain.local.

Andrew Wagner
Assistant Network Administrator
aawagner@wisc.edu
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu

I think I am close now. I made those changes to the config. I am
receiving an
error when I try to login with my AD credentials. The error is:
[Mon Aug 29 17:35:31 2011] [critical]:
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to
rt.mydomain.local
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)

Do I need to specify an ldap port? I did add a username and password
to
authenticate.

josh.cole wrote:

Thank you very much for your feedback. I really appreciate it.

Andrew Wagner-4 wrote:

Yes, Josh. That is correct. The ExternalAuthen checks all
locations
for users under the base OU. Either change your specified base in
RT_SiteConfig.pm or move the users to the OU that you want RT to
search.

Andrew Wagner
Assistant Network Administrator
aawagner@wisc.edu
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu

Thank you for your response. So just to make sure I understand, if
the
users
I want to be able to authenticate in RT are not in the OU specified
it
will
not work? So I should move those users to whatever the OU is that I
specify
in the base?

Andrew Wagner-4 wrote:

  1. For group_attr, you want the term to be 'member'. That checks for
    membership in the group.

  2. For your base, you need to choose the next highest level of Active
    Directory beyond where your users are stored. This means you need to
    specify the OU where your users are, not just a random "Users" OU.

Andrew Wagner
Assistant Network Administrator
aawagner@wisc.edu
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu

I am trying to make this work. I installed the latest version of
ExternalAuth. I am working with Request Tracker for the first time, just
upgraded from 3.8.7 to 4.0.1. There are a few things that I think are off
but I am not sure what the correct solution is.

  1. I am not sure what to use for the group_attr. I want to have users in
    the group Request-Tracker inside of AD be able to authenticate with
    their credentials when logging into RT, and I believe the filter is set
    correctly other than what needs to be added for the group_attribute. I
    am not sure what that should be.

  2. For my base statement, I am specifying the Users OU but none of my
    users are in that OU. I am not sure exactly what it's looking for
    there.

Any help is appreciated!
ExternalAuth config:

I have added the following to my RT_SiteConfig.pm:

@RT::MailPlugins = ("RT::Authen::ExternalAuth");
Set(@Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalAuthPriority, [ 'Active_Directory' ] );
Set($ExternalInfoPriority, [ 'Active_Directory' ] );
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'Active_Directory' => {
        'type'   => 'ldap',
        'auth'   => 1,
        'info'   => 1,
        'server' => 'rt.mydomain.local',
        'base'   => 'OU=Users,DC=mydomain,DC=local',
        # The filter to use to match RT-Users
        'filter' => '(objectclass=person)',
        # The filter that will only match disabled users
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'Request-Tracker',
        # What is the attribute for the group object that determines membership?
        #'group_attr' => 'GROUP_ATTR',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'displayName',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co'
        }
    }
}
);


RT Training Sessions
(http://bestpractical.com/services/training.html)

  • Chicago, IL, USA — September 26 & 27, 2011
  • San Francisco, CA, USA — October 18 & 19, 2011
  • Washington DC, USA — October 31 & November 1, 2011
  • Melbourne VIC, Australia — November 28 & 29, 2011
  • Barcelona, Spain — November 28 & 29, 2011


View this message in context: http://old.nabble.com/Has-anyone-sucessfully-configured-LDAP-to-authenticate-against-AD-with-version-4.0.1--tp32358024p32360916.html

Josh,

I have been just barely following this thread, so please forgive me if I’m off base here.

I think an issue is this:

'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],

And your LDAP is failing because:

(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458) [Mon Aug 29 23:15:41 2011] [debug]: Attempting to use this canonicalization key: ExternalAuthId
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472) [Mon Aug 29 23:15:41 2011] [debug]: This attribute ( ExternalAuthId ) is null or incorrectly defined in the attr_map for this service ( Active_Directory )

Your AD schema does not have an "ExternalAuthID" field in it.

You have ExternalAuthID mapped to sAMAccountName. What happens if you try:

'attr_match_list' => [ 'sAMAccountName', 'EmailAddress' ],

James Zuelow
Systems Operations Manager
City and Borough of Juneau MIS
(907) 586-0236

Josh,

I have been just barely following this thread, so please forgive me if I’m off base here.

I think an issue is this:

'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],

attr_match_list is documented as

The list of RT attributes that uniquely identify a user

not an LDAP attribute.

The error message you point to means that the user was unable to be
canonicalized from LDAP. If it was supposed to be there, then the
search args are wrong (or the user logging into RT doesn't have rights
on LDAP to canonicalize themselves). If the user wasn't supposed to be
in LDAP, but should be created, then the user wants to read the docs for
AutoCreateNonExternalUsers.

-kevin
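To put the advice in this thread in one place, here is a diagnostic script (added here; it is not code from RT or from RT::Authen::ExternalAuth) that walks through the same steps the plugin takes, using the keys from the Active_Directory block in RT_SiteConfig.pm: connect on 636 for LDAPS or on 389 with STARTTLS, as Andrew describes; bind with the service account; search for the login name under a base that actually contains the account; read back every attribute named in attr_map so an empty one (the canonicalization failure James and Kevin discuss) is visible outside RT; and confirm membership in the group through group_attr => 'member'. The domain controller name, base DN, service-account DN, CA file path and password are placeholders (assumptions), and the group check follows direct membership only.

```perl
#!/usr/bin/perl
# ldap-check.pl - added diagnostic, not code from RT or RT::Authen::ExternalAuth.
# Exercises the same steps the plugin takes (connect, bind, find the user under
# base, read the attr_map attributes, confirm group membership) so a failure is
# seen with its LDAP error instead of a generic RT login failure.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Same keys as the 'Active_Directory' block in RT_SiteConfig.pm. Every value
# here is a placeholder (assumed); base is the domain root so the subtree
# search covers whichever OUs the accounts really live in.
my %cfg = (
    server     => 'dc1.mydomain.local',   # a domain controller, not the RT host
    base       => 'DC=mydomain,DC=local',
    filter     => '(objectclass=person)',
    d_filter   => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
    group      => 'Request-Tracker',
    group_attr => 'member',               # AD groups list member DNs here
    tls        => 1,                      # STARTTLS on port 389 ...
    ssl        => 0,                      # ... or LDAPS on port 636
    cafile     => '/etc/ssl/certs/ad-ca.pem',  # CA that signed the DC certificate
    user       => 'CN=svc-rt,OU=Service Accounts,DC=mydomain,DC=local',
    pass       => 'PLACEHOLDER-PASSWORD',
    attr_map   => {
        Name           => 'sAMAccountName',
        EmailAddress   => 'mail',
        RealName       => 'displayName',
        ExternalAuthId => 'sAMAccountName',
    },
);

my $login = shift @ARGV or die "usage: $0 <sAMAccountName>\n";

# Step 1: connect. With neither tls nor ssl set, the service-account bind
# password crosses the network in clear text.
my $ldap = Net::LDAP->new(
    $cfg{server},
    version => 3,
    scheme  => ($cfg{ssl} ? 'ldaps' : 'ldap'),
    port    => ($cfg{ssl} ? 636 : 389),
) or die "Cannot connect to $cfg{server}: $@\n";   # the error in Josh's log

if ($cfg{tls} && !$cfg{ssl}) {
    my $m = $ldap->start_tls(verify => 'require', cafile => $cfg{cafile});
    die 'STARTTLS failed: ' . $m->error . "\n" if $m->code;
}

# Step 2: bind with the (read-only) service account.
my $bind = $ldap->bind($cfg{user}, password => $cfg{pass});
die 'Bind failed: ' . $bind->error . "\n" if $bind->code;

# Step 3: find the account under base. Disabled accounts (d_filter) are
# excluded, and the login name is escaped so it cannot alter the filter.
my $user_filter = sprintf '(&%s(!%s)(sAMAccountName=%s))',
    $cfg{filter}, $cfg{d_filter}, escape_filter_value($login);
my $res = $ldap->search(
    base   => $cfg{base},
    scope  => 'sub',
    filter => $user_filter,
    attrs  => [ values %{ $cfg{attr_map} } ],
);
die 'User search failed: ' . $res->error . "\n" if $res->code;
my ($entry) = $res->entries;
die "No enabled account '$login' found under $cfg{base}; check base and filter\n"
    unless $entry;
print "Found: ", $entry->dn, "\n";

# Step 4: show what each RT attribute would receive. An empty value here is
# what the "null or incorrectly defined in the attr_map" debug line refers to.
for my $rt_attr (sort keys %{ $cfg{attr_map} }) {
    my $ldap_attr = $cfg{attr_map}{$rt_attr};
    my $value     = $entry->get_value($ldap_attr);
    printf "  %-15s <- %-15s = %s\n", $rt_attr, $ldap_attr,
        (defined $value && length $value) ? $value : '(EMPTY)';
}

# Step 5: group check. The group object's 'member' attribute must list the
# user's DN (direct membership only; nested groups are not followed here).
my $group_filter = sprintf '(&(objectClass=group)(cn=%s)(%s=%s))',
    escape_filter_value($cfg{group}), $cfg{group_attr},
    escape_filter_value($entry->dn);
my $grp = $ldap->search(
    base => $cfg{base}, scope => 'sub', filter => $group_filter, attrs => ['cn'],
);
die 'Group search failed: ' . $grp->error . "\n" if $grp->code;
print $grp->count
    ? "$login is a member of $cfg{group}\n"
    : "$login is NOT a member of $cfg{group}; login would be refused\n";

$ldap->unbind;
```

Run it on the RT host as the user RT runs under (perl ldap-check.pl jcole, for example) so it sees the same network path and certificate store that the plugin will. If step 1 fails you have the connect error from the log with its real reason; if step 3 finds nothing, the base or filter is excluding the account; an (EMPTY) line in step 4 names the attr_map entry that will make canonicalization fail.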