LDAP_Overlay Questions

Hi All,

I have a brand spanking new install of RT 3.4.2 and have the ldap_overlay authenticating against my AD controllers and can log into RT’s web interface just fine (using my AD creds). I do, however, have a couple of issues to nut out:

  1. When the account is auto-created (from the user logging in via the web interface), the email address of the AD user is not populated into RT. Is there a way to do this automatically? The next step is to use the mailgate to enable email, but I wanted to make sure the web side was working first.

  2. If a user is auto-created using the web interface and I check the box in their account that “Lets this user be granted rights”, when the user logs in, they don’t have super-user rights like the root user does. Like they can’t see the queue (just the default general one that’s created), nor can they see the configuration tab. Is there a way to make that user a super-user like the root account?

Thanks for your help

-Stevo

Perfect - thanks Iris…

Now onto the harder question below (#1). Does anyone have experience with
this?? I checked my RT_SiteConfig file and I have the following mappings in
place:

$LdapMap = { # map LDAP attributes to RT3
    # 'RT user parameter' => 'LDAP entry',
    'Name'                => $RT::LdapUidAttr,
    'EmailAddress'        => 'mail',
    'RealName'            => 'cn',
};

But I’m not getting the EmailAddress or RealName mapping over… just the
username!

Any ideas?

-Steve

----- Original Message -----
From: Brookes, Iris
To: Stevo
Sent: Thursday, May 26, 2005 1:51 PM
Subject: RE: [rt-users] LDAP_Overlay Questions

You can set the user to super user through

Configuration ==> Global ==> User Rights

Regards,

Iris Brookes

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com]On Behalf Of Stevo
Sent: Thursday, May 26, 2005 4:24 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] LDAP_Overlay Questions

Hi All,

I have a brand spanking new install of RT 3.4.2 and have the ldap_overlay
authenticating against my AD controllers and can log into RT’s web interface
just fine (using my AD creds). I do, however, have a couple of issues to nut
out:

  1. When the account is auto-created (from the user logging in via the web
    interface), the email address of the AD user is not populated into RT. Is
    there a way to do this automatically? The next step is to use the mailgate
    to enable email, but I wanted to make sure the web side was working first.

  2. If a user is auto-created using the web interface and I check the box in
    their account that “Lets this user be granted rights”, when the user logs
    in, they don’t have super-user rights like the root user does. Like they
    can’t see the queue (just the default general one that’s created), nor can
    they see the configuration tab. Is there a way to make that user a
    super-user like the root account?

Thanks for your help

-Stevo

a message of 103 lines which said:

  1. When the account is auto-created (from the user logging in via
    the web interface), the email address of the AD user is not
    populated into RT.

I believe that the LDAP overlay only takes care of authentication and
therefore creates only the minimum attributes.

I copy the LDAP database in the RT base every night to get the other
attributes. (With rtimportldap, that we maintain locally, the original
seems no longer maintained.)

Hello Stevo,

For Active Directory, have you tried setting…?
'RealName' => 'displayName',

I am having problems getting the LDAP Overlay from Mosemann to work
with AD on Windows 2003. I am able to get ldapsearch working with
these settings. I can also get the sample script in Authen::Smb’s man
page working. Unfortunately, RT will not authenticate with LDAP or
SMB.

Since I prefer to get LDAP working, here are those settings…

$LdapServer="foobar.mydomain.com"; # replaced real domain with mydomain
$LdapUser="Bind LDAP"; # works w/ ldapsearch command
$LdapPass="secret";
$LdapBase="cn=Users,dc=mydomain,dc=com";
$LdapUidAttr="sAMAccountName"; # is this right?
$LdapFilter="(objectclass=user)"; # works with ldapsearch
$LdapMap = {
    'Name' => $RT::LdapUidAttr,
    'EmailAddress' => 'mail',
    'RealName' => 'displayName', # works?
};

----- Original Message -----
List: rt-users
Subject: Re: [rt-users] LDAP_Overlay Questions
From: “Stevo” <checkpoint () ozbergs ! com>
Date: 2005-05-26 20:56:36
Message-ID: <00f101c56235$6835c430$6750230a () omneon ! local>