Integration with LDAP

I’ve looked around and did not find anything relating to LDAP agent
authentication.

Does anyone have a document on how to setup RT to use LDAP for agent
login?

Nelson Pereira
Senior Network Administrator

Protus IP Solutions Inc.
npereira@protus.com
phone: 613.733.0000 ext.528
MyFax: 613.822.5083

Refer your friends and colleagues to MyFax!
Click here for more information.
http://www.myfax.com/referral_program.asp

http://www.myfax.com

Nelson Pereira wrote:

I’ve looked around and did not find anything relating to LDAP agent
authentication.

Does anyone have a document on how to setup RT to use LDAP for agent
login?

You mean LDAP/AD server based authentication?
It's in the wiki.

any specific questions ask away, and please post the relevant lines of
your config.

Chaim Rieger wrote:

Nelson Pereira wrote:

I’ve looked around and did not find anything relating to LDAP agent
authentication.

Does anyone have a document on how to setup RT to use LDAP for agent
login?

You mean LDAP/AD server based authentication?
It's in the wiki.

http://wiki.bestpractical.com/view/LDAP
http://wiki.bestpractical.com/view/ExternalAuth
Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England

I want to know if RT has the ability to lookup a user in Active
Directory to allow the user to login to RT using his Active Directory
Username/Password…

Nelson Pereira wrote:

I want to know if RT has the ability to lookup a user in Active
Directory to allow the user to login to RT using his Active Directory
Username/Password…

Nelson… read the wiki pages that I gave you direct links to.

http://wiki.bestpractical.com/view/LDAP
http://wiki.bestpractical.com/view/ExternalAuth

I mean REALLY read them.
Kind Regards,

Mike Peachey, IT

Nelson Pereira wrote:

I want to know if RT has the ability to lookup a user in Active
Directory to allow the user to login to RT using his Active Directory
Username/Password…

As far as I know (and somebody out there correct me if I am wrong),
users must be in the RT db (see note 1); passwords are matched against
AD/LDAP and are not stored locally.
Note 1: this is easy to get around; have all your users send an email to
RT, which will then create usernames for them, then map these usernames
to the proper mappings in AD.

Chaim Rieger wrote:

Nelson Pereira wrote:

I want to know if RT has the ability to lookup a user in Active
Directory to allow the user to login to RT using his Active Directory
Username/Password…

As far as I know (and somebody out there correct me if I am wrong),
users must be in the RT db (see note 1); passwords are matched against
AD/LDAP and are not stored locally.
Note 1: this is easy to get around; have all your users send an email to
RT, which will then create usernames for them, then map these usernames
to the proper mappings in AD.

As per the links pasted before… this is all covered.

Kind Regards,

Mike Peachey, IT

Ok, so I read the instructions on the link given, although I still cannot
log in with a valid Active Directory account…

Installed the CPAN module…

I made the changes in RT_SiteConfig.pm and restarted the webserver (OK).

When I try to log in I get this error in /var/log/httpd/error_log:

[Tue Apr 8 17:07:02 2008] [error]: Could not record email: RT couldn’t
find the queue: general
(/opt/rt3/share/html/REST/1.0/NoAuth/mail-gateway:75)

[Tue Apr 8 17:07:13 2008] [critical]: RT::User::_GetBoundLdapObj Can’t
bind: LDAP_INVALID_CREDENTIALS 49
(/opt/rt3/local/lib/RT/User_Vendor.pm:1056)

What is this saying?

My RT_SiteConfig.pm

###################### LDAP Authentication ##########################

# Order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority, [ 'My_LDAP',
                             'My_MySQL'
                           ]
);

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
# Once user info is found, no more services are checked.
Set($ExternalInfoPriority, [ 'My_MySQL',
                             'My_LDAP'
                           ]
);

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS, 0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 1);

# These are the full settings for each external service as a
# HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
# Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);

Set($ExternalSettings, {    # A LDAP SERVICE
    'My_LDAP' => {          ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'          => 'ldap',
        # Should the service be used for authentication?
        'auth'          => 1,
        # Should the service be used for information?
        'info'          => 1,
        # The server hosting the service
        'server'        => 'my.domain.name',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        # The username RT should use to connect to the LDAP server
        'user'          => 'myldapuser',
        # The password RT should use to connect to the LDAP server
        'pass'          => 'myladappass$',
        # The LDAP search base
        'base'          => 'cn=Users,dc=protus,dc=org',
        # The filter to use to match RT-Users
        'filter'        => '(FILTER_STRING)',
        # The filter that will only match disabled users
        'd_filter'      => '(FILTER_STRING)',
        # Should we try to use TLS to encrypt connections?
        'tls'           => 0,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group'         => 'GROUP_NAME',
        # What is the attribute for the group object that determines membership?
        'group_attr'    => 'GROUP_ATTR',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list' => [ 'Name',
                               'EmailAddress',
                               'RealName',
                               'WorkPhone',
                               'Address2'
                             ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map'      => { 'Name'           => 'sAMAccountName',
                             'EmailAddress'   => 'mail',
                             'Organization'   => 'physicalDeliveryOfficeName',
                             'RealName'       => 'cn',
                             'ExternalAuthId' => 'sAMAccountName',
                             'Gecos'          => 'sAMAccountName',
                             'WorkPhone'      => 'telephoneNumber',
                             'Address1'       => 'streetAddress',
                             'City'           => 'l',
                             'State'          => 'st',
                             'Zip'            => 'postalCode',
                             'Country'        => 'co'
                           }
    }
}
);

1;

Nelson Pereira

answers are inline

Nelson Pereira wrote:

[Tue Apr 8 17:07:02 2008] [error]: Could not record email: RT
couldn’t find the queue: general
(/opt/rt3/share/html/REST/1.0/NoAuth/mail-gateway:75)

Did you set up your email/aliases for each queue?

[Tue Apr 8 17:07:13 2008] [critical]: RT::User::_GetBoundLdapObj
Can’t bind: LDAP_INVALID_CREDENTIALS 49
(/opt/rt3/local/lib/RT/User_Vendor.pm:1056)

RT can't bind to your LDAP server with the credentials you provided;
turn logging to debug and see what you get in regard to LDAP errors.

How do I disable this functionality, as it has made my RT unusable…
I'm getting all sorts of issues in the httpd logs…:

[Tue Apr 8 17:19:02 2008] [critical]: RT::User::_GetBoundLdapObj Can’t
bind: LDAP_INVALID_CREDENTIALS 49
(/opt/rt3/local/lib/RT/User_Vendor.pm:1056)

[Tue Apr 8 17:19:02 2008] [critical]: RT::User::_GetBoundLdapObj Can’t
bind: LDAP_INVALID_CREDENTIALS 49
(/opt/rt3/local/lib/RT/User_Vendor.pm:1056)

[Tue Apr 8 17:19:02 2008] [critical]: RT::User::_GetBoundLdapObj Can’t
bind: LDAP_INVALID_CREDENTIALS 49
(/opt/rt3/local/lib/RT/User_Vendor.pm:1056)

[Tue Apr 8 17:19:02 2008] [crit]: User creation failed in mailgateway:
Could not set user info (/opt/rt3/lib/RT/Interface/Email.pm:243)

[Tue Apr 8 17:19:02 2008] [crit]: User ‘npereira@domain.com’ could not
be loaded in the mail gateway (/opt/rt3/lib/RT/Interface/Email.pm:243)

[Tue Apr 8 17:19:02 2008] [error]: RT could not load a valid user, and
RT’s configuration does not allow
for the creation of a new user for this email (npereira@domain.com).
You might need to grant ‘Everyone’ the right ‘CreateTicket’ for the
queue general. (/opt/rt3/lib/RT/Interface/Email.pm:243)

[Tue Apr 8 17:19:03 2008] [error]: Could not record email: Could not
load a valid user (/opt/rt3/share/html/REST/1.0/NoAuth/mail-gateway:75)

How do I remove this and go back to the standard standalone MySQL
auth…?

I use fetchmail and it worked fine prior to installing this LDAP
functionality… Now I don’t seem to be able to go back…

I will turn on debug…

Try this. In RT_SiteConfig.pm:
Set($WebFallbackToInternalAuth , 1); (or maybe it needs to be True,
can't recall.)

Nelson Pereira wrote:

Ok, so I set up debug in RT and this is what it gives me…

[Tue Apr 8 17:41:10 2008] [warning]: Transaction->Create couldn’t, as
you didn’t specify an object type and id
(/opt/rt3/lib/RT/Record.pm:1486)
[Tue Apr 8 17:41:10 2008] [debug]: RT::User::IsExternalPassword Trying
External authentication (/opt/rt3/local/lib/RT/User_Vendor.pm:52)
[Tue Apr 8 17:41:10 2008] [debug]: Attempting to use external auth
service: My_LDAP (/opt/rt3/local/lib/RT/User_Vendor.pm:63)
[Tue Apr 8 17:41:10 2008] [critical]: RT::User::_GetBoundLdapObj Can’t
bind: LDAP_INVALID_CREDENTIALS 49
(/opt/rt3/local/lib/RT/User_Vendor.pm:1056)
[Tue Apr 8 17:41:10 2008] [info]: RT::User::IsExternalPassword External
Auth Failed: npereira (/opt/rt3/local/lib/RT/User_Vendor.pm:294)
[Tue Apr 8 17:41:10 2008] [debug]: RT::User::IsPassword External auth
FAILED (/opt/rt3/local/lib/RT/User_Vendor.pm:360)
[Tue Apr 8 17:41:10 2008] [info]: RT::User::IsInternalPassword AUTH
FAILED (no passwd): npereira (/opt/rt3/local/lib/RT/User_Vendor.pm:305)
[Tue Apr 8 17:41:10 2008] [debug]: RT::User::IsPassword Internal auth
FAILED (/opt/rt3/local/lib/RT/User_Vendor.pm:366)

What I'm wondering is, what are these 2 lines below and do I need them?
# The filter to use to match RT-Users
'filter'   => '',
# The filter that will only match disabled users
'd_filter' => '',

Nelson Pereira wrote:

What I'm wondering is, what are these 2 lines below and do I need them?
# The filter to use to match RT-Users
'filter'   => '',
# The filter that will only match disabled users
'd_filter' => '',

Shouldn't filter be cn=*?

Getting the same errors even with the filter set to cn=*

Nelson Pereira

Nelson Pereira wrote:

Ok, so I read the instructions on the link given, although I still cannot
log in with a valid Active Directory account…

Installed the CPAN module…

I made the changes in RT_SiteConfig.pm and restarted the webserver (OK).

When I try to log in I get this error in /var/log/httpd/error_log:

[Tue Apr 8 17:07:02 2008] [error]: Could not record email: RT couldn’t
find the queue: general
(/opt/rt3/share/html/REST/1.0/NoAuth/mail-gateway:75)

This is nothing to do with the ExternalAuth extension.

[Tue Apr 8 17:07:13 2008] [critical]: RT::User::_GetBoundLdapObj Can’t
bind: LDAP_INVALID_CREDENTIALS 49
(/opt/rt3/local/lib/RT/User_Vendor.pm:1056)

What is this saying?

The error given here is thrown directly from Net::LDAP (the perl module
used to perform LDAP communication). The error means that the username
and password you have given to make a connection to the LDAP server in
order to search for users is not valid.

This is similar to the rt-user you create to allow RT to use its own
database. You should have a specified account on your LDAP server that
RT is given to let it search for users.

Alternatively, you can allow “anonymous binding” in your LDAP server
that will allow anyone to search it without a username and password. If
you allow anonymous binding, you simply don’t specify a user or pass for
the ldap server.

#####################################################################
###################### LDAP Authentication ##########################
#####################################################################

# Order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority, [ 'My_LDAP',
                             'My_MySQL'
                           ]
);

You are not using an external MySQL authentication service, so you
should not be specifying one. The above line needs to be reduced to this:

Set($ExternalAuthPriority, ['My_LDAP']);

Although you can call the service whatever you want, it doesn't need to
be My_LDAP, just as long as you change the name in the ExternalSettings
parameter.

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
# Once user info is found, no more services are checked.
Set($ExternalInfoPriority, [ 'My_MySQL',
                             'My_LDAP'
                           ]
);

Again, you're not using an SQL information service. Reduce it to:

Set($ExternalInfoPriority, ['My_LDAP']);

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS, 0);

Although there’s no harm in clearly specifying this as 0, it’s not required.

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 1);

Are you sure that you want to allow the automatic creation of users who
fail to authenticate by LDAP or by RT’s own internals? You might want
to, but it’s worth knowing if you are sure.

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
Set($ExternalSettings, {    # A LDAP SERVICE
    'My_LDAP' => {          ## GENERIC SECTION
        'type'   => 'ldap',
        # Should the service be used for authentication?
        'auth'   => 1,
        # Should the service be used for information?
        'info'   => 1,
        # The server hosting the service
        'server' => 'my.domain.name',

Have you set the server to your AD server’s name? This is still what I
set it to in the example.

        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        # The username RT should use to connect to the LDAP server
        'user' => 'myldapuser',
        # The password RT should use to connect to the LDAP server
        'pass' => 'myladappass$',

Do you want to bind to the server anonymously, or do you need to specify
a username and password? If you have an RT user on the LDAP server to
use, specify the username and password here. Otherwise, remove these lines.

        # The LDAP search base
        'base' => 'cn=Users,dc=protus,dc=org',

This one actually looks right. Although you should tell your AD
administrator that they ought to create an Organisational Unit for your
organisation and create Users and Groups beneath it so that the
system/admin users and groups remain in the original place, but “users”
can then be kept easily organised within the OU.

        # The filter to use to match RT-Users
        'filter' => '(FILTER_STRING)',

If you want EVERY SINGLE CONTAINER in cn=Users,dc=protus,dc=org to be
allowed access to RT as a user then your filter string should read like
this:

        'filter' => '(objectClass=*)',

Or if you only want objects classed as Person to be considered valid
users then:

        'filter' => '(objectClass=Person)',

Or ANY other valid LDAP filter expression (look it up!)

        # The filter that will only match disabled users
        'd_filter' => '(FILTER_STRING)',

If you want some users that match the filter above to be considered
disabled then you need to specify the filter for them here, otherwise
remove this line.

For Active Directory, it is recommended that you use this:

        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

which will consider all users who are disabled in Active Directory as
disabled in RT.

        # Should we try to use TLS to encrypt connections?
        'tls' => 0,

Self-explanatory – leave it be.

        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],

For Active Directory, leave this alone.

        # Does authentication depend on group membership? What group name?
        'group' => 'GROUP_NAME',

If users have to be a member of an active directory group to access RT,
specify it here… otherwise REMOVE it.

        # What is the attribute for the group object that determines membership?
        'group_attr' => 'GROUP_ATTR',

If you allow access by groups as above, then you really should know
this, or ask your LDAP administrator. Otherwise, remove it.

For Active Directory, leave all of the rest of these settings alone.

        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list' => [ 'Name',
                               'EmailAddress',
                               'RealName',
                               'WorkPhone',
                               'Address2'
                             ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name'           => 'sAMAccountName',
                        'EmailAddress'   => 'mail',
                        'Organization'   => 'physicalDeliveryOfficeName',
                        'RealName'       => 'cn',
                        'ExternalAuthId' => 'sAMAccountName',
                        'Gecos'          => 'sAMAccountName',
                        'WorkPhone'      => 'telephoneNumber',
                        'Address1'       => 'streetAddress',
                        'City'           => 'l',
                        'State'          => 'st',
                        'Zip'            => 'postalCode',
                        'Country'        => 'co'
                      }
    }
}
);

1;

Ok?

As for removing the ExternalAuth extension, you would need to remove:
$RTHOME/share/html/Callbacks/ExternalAuth
$RTHOME/local/etc/ExternalAuth/RT_SiteConfig.pm
$RTHOME/local/lib/RT/Authen/ExternalAuth.pm
$RTHOME/local/lib/RT/User_Vendor.pm

The top two might be Authen-ExternalAuth directories… I can’t remember,
but am not in a position to check right now. It should be obvious in
your installation.

Kind Regards,

Mike Peachey, IT

Drew Barnes wrote:

Try this. In RT_SiteConfig.pm
Set($WebFallbackToInternalAuth , 1); (or maybe it needs to be True.
can’t recall.)

This config option is only for Apache authentication, so would not be
useful in this situation.
Kind Regards,

Mike Peachey, IT

Chaim Rieger wrote:

Nelson Pereira wrote:

What Im wondering, is what are theses 2 bellow lines and do I need them?
# The filter to use to match RT-Users
‘filter’ => ‘',
# The filter that will only match disabled users
‘d_filter’ => '
’,

Shouldn't filter be cn=*?

While I think I wrote the code so that it would be tolerant of the lack
of them, LDAP filters should ALWAYS be enclosed in parentheses:
(cn=*)

And, I’m not sure why, but it seems the preferred method of having an
LDAP “catch-all” filter is to use objectClass:
(objectClass=*)
Kind Regards,

Mike Peachey, IT
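As an added example, not code from this thread, from RT or from the ExternalAuth extension, here is a small Python evaluator for the filters Mike discusses above: it rejects a filter that is not wrapped in parentheses, and shows what 'filter' and 'd_filter', including the Active Directory userAccountControl bit-match, select from a few constructed AD-style entries (the sample entries and the rt_user_view helper are assumptions for illustration).

```python
import re

# The OID in the recommended d_filter is Active Directory's bitwise-AND
# matching rule; "=2" is the userAccountControl ACCOUNTDISABLE bit.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
AD_DISABLED_FILTER = "(userAccountControl:%s:=2)" % LDAP_MATCHING_RULE_BIT_AND

# Constructed sample entries (not real accounts) standing in for what a
# search under the thread's base 'cn=Users,dc=protus,dc=org' could return.
SAMPLE_ENTRIES = [
    {"cn": ["Nelson Pereira"], "sAMAccountName": ["npereira"],
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": ["512"]},         # normal enabled account
    {"cn": ["Old Contractor"], "sAMAccountName": ["oldcontractor"],
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": ["514"]},         # 512 | 2: disabled in AD
    {"cn": ["Domain Computers"], "sAMAccountName": ["Domain Computers"],
     "objectClass": ["top", "group"]},       # a group, not a person
]

# One filter item: attr=value, attr=* (presence) or attr:OID:=value.
_ITEM = re.compile(r"^([A-Za-z][\w\-]*)(?::([\d.]+):)?=(.*)$")


def parse_filter(text):
    """Parse the RFC 4515 subset used here; reject filters lacking parentheses."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("LDAP filters must be enclosed in parentheses: %r" % text)
    node, rest = _parse_one(text)
    if rest:
        raise ValueError("trailing text after filter: %r" % rest)
    return node

def _parse_one(s):
    """Parse one parenthesised element at the start of s; return (node, rest)."""
    if s[1] in "&|!":                      # (&(...)(...)), (|(...)(...)), (!(...))
        op, rest, children = s[1], s[2:], []
        while rest.startswith("("):
            child, rest = _parse_one(rest)
            children.append(child)
        if not rest.startswith(")") or (op == "!" and len(children) != 1):
            raise ValueError("malformed filter near %r" % s)
        return (op, children), rest[1:]
    end = s.find(")")
    m = _ITEM.match(s[1:end]) if end != -1 else None
    if not m:
        raise ValueError("not a valid filter item: %r" % s)
    attr, rule, value = m.groups()
    return ("item", attr, rule, value), s[end + 1:]

def is_valid_filter(text):
    """True when text parses; False for e.g. the bare 'cn=*' from the thread."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attr -> [values])."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    # LDAP attribute names are case-insensitive; values are compared likewise here.
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        mask = int(value)                   # match when every mask bit is set
        return any(int(v) & mask == mask for v in values)
    if rule is not None:
        raise ValueError("unsupported matching rule %s" % rule)
    if value == "*":                        # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)

def rt_user_view(filter_text, d_filter_text, entries=SAMPLE_ENTRIES):
    """Apply the two filters the way the thread describes RT using them:
    'filter' picks the entries that are RT users at all, 'd_filter' marks
    which of those RT should treat as disabled. Returns {sAMAccountName: state}."""
    want = parse_filter(filter_text)
    disabled = parse_filter(d_filter_text) if d_filter_text else None
    view = {}
    for entry in entries:
        if matches(want, entry):
            state = "disabled" if disabled and matches(disabled, entry) else "enabled"
            view[entry["sAMAccountName"][0]] = state
    return view

if __name__ == "__main__":
    print(rt_user_view("(objectClass=*)", AD_DISABLED_FILTER))
    print(rt_user_view("(objectClass=Person)", AD_DISABLED_FILTER))
    print(rt_user_view("(cn=*)", "(objectClass=*)"))   # d_filter disables everyone
    print(is_valid_filter("cn=*"), is_valid_filter("(cn=*)"))
```

The third call shows why the combination asked about further down the thread ('(cn=*)' with d_filter '(objectClass=*)') is not what is wanted: every matched user would be marked disabled.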

So what are you saying?

     # The filter to use to match RT-Users
     'filter'                    =>  '(cn=*)',
     # The filter that will only match disabled users
     'd_filter'                  =>  '(objectClass=*)',

???

How do I go back to standard auth…
This is not working and I'm getting tight on time…

I tried removing the
Set($ExternalSettings,
But I’m getting all sorts of errors …

Nelson Pereira

http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com