LDAP Summary and supported implementations

Hello!

If you’re pondering LDAP and RT, please be sure to read the summary of
LDAP implementations in the BP wiki:

http://wiki.bestpractical.com/?LdapSummary

Also, I’ve seen some notes implying there’s no “supported” LDAP
implementation; while there’s not one that Best Practical supports,
there is one that I support:

http://wiki.bestpractical.com/?LDAP

…though my support level has been a bit low lately due to lack of
sleep and a backlog of diapers to change. ;]

Cheers!

–j
Jim Meyer, Geek at Large purp@acm.org

Jim,

I understand that you use OpenLDAP yourself, but have you heard from
anyone that managed to get your LDAP implementation working with Active
Directory? Jim or anyone else on the list, could I see some example
LdapSiteConfigSettings specifically for AD?

Thanks.

-Matt-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Jim Meyer
Sent: Wednesday, April 19, 2006 5:19 PM
To: RT Users Mailing List
Subject: [rt-users] LDAP Summary and supported implementations

Hello!

If you’re pondering LDAP and RT, please be sure to read the summary of
LDAP implementations in the BP wiki:

http://wiki.bestpractical.com/?LdapSummary

Also, I’ve seen some notes implying there’s no “supported” LDAP
implementation; while there’s not one that Best Practical supports,
there is one that I support:

http://wiki.bestpractical.com/?LDAP

…though my support level has been a bit low lately due to lack of
sleep and a backlog of diapers to change. ;]

Cheers!

–j
Jim Meyer, Geek at Large purp@acm.org
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

We’re hiring! Come hack Perl for Best Practical:

Hi Jim I am interested in using LDap a lot but have not much
experience with RT.
any howto or stepby step install for this?
if there is not, I will be willing to help.

Thanks.

Matt Nichols wrote:

cfernandez.vcf (572 Bytes)

Matt:

I’ve gotten this working with AD. The trick for AD is making sure you
search for “sAMAccountName” instead of “uid”.

Here are the bare essentials you’ll need:

Set($LdapUser, ‘cn=,CN=Users,dc=,dc=com’); # LDAP
bind user
Set($LdapPass, ‘’); # LDAP
bind user pass
Set($LdapUidAttr, ‘sAMAccountName’); #
attribute for RT account name
Set($LdapFilter, ‘objectclass=user’); # filter LDAP
entries (e.g., only people)
Set($LdapNameAttr, ‘cn’); #
attribute for RT user name
Set($LdapMailAttr, ‘mail’); #
attribute for RT email addy

Note that “Users” requires the capital U…

Bear in mind this won’t auto-populate the RT database from the LDAP
database. Your users will fail unless they already have an RT account.

The Moseman contribution allows for setting up accounts on-the-fly, but
I’ve had some difficulty in getting it to pull in all the LDAP (AD)
records (SQL errors are reported in the logging). I haven’t been able to
put in much time in debugging…

The Mehl contribution does a better job and has good instructions, but has
the drawback of requiring mod_ntlm and the NT LanMan hash vulnerability.

Hope this helps.

Eric N. Valor
Sr. Systems Administrator
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :

Do you define an LdapBase variable in your config?

Thanks again.

-MattFrom: eric.valor@daimlerchrysler.com
[mailto:eric.valor@daimlerchrysler.com]
Sent: Thursday, April 20, 2006 2:47 PM
To: Matt Nichols
Cc: rt-users@lists.bestpractical.com
Subject: RE: [rt-users] LDAP Summary and supported implementations

Matt:

I’ve gotten this working with AD. The trick for AD is making sure you
search for “sAMAccountName” instead of “uid”.

Here are the bare essentials you’ll need:

Set($LdapUser, ‘cn=,CN=Users,dc=,dc=com’); #
LDAP bind user
Set($LdapPass, ‘’); # LDAP
bind user pass
Set($LdapUidAttr, ‘sAMAccountName’); #
attribute for RT account name
Set($LdapFilter, ‘objectclass=user’); # filter
LDAP entries (e.g., only people)
Set($LdapNameAttr, ‘cn’); #
attribute for RT user name
Set($LdapMailAttr, ‘mail’); #
attribute for RT email addy

Note that “Users” requires the capital U…

Bear in mind this won’t auto-populate the RT database from the LDAP
database. Your users will fail unless they already have an RT account.

The Moseman contribution
http://www.mosemann.com/software/LDAPSMB1.2_RT3.tar.gz allows for
setting up accounts on-the-fly, but I’ve had some difficulty in getting
it to pull in all the LDAP (AD) records (SQL errors are reported in the
logging). I haven’t been able to put in much time in debugging…

The Mehl contribution http://blank.org/memory/output/rt-ad-sso.html
does a better job and has good instructions, but has the drawback of
requiring mod_ntlm and the NT LanMan hash vulnerability.

Hope this helps.

Eric N. Valor
Sr. Systems Administrator
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :

Oh crap… how’d that miss the cut-n-paste?

Set($LdapBase, ‘cn=Users,dc=,dc=com’); # search
base

:slight_smile:

(again, note the Capital U in “Users”)

Eric N. Valor
Sr. Systems Administrator
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :

“Matt Nichols” mnichols@wayport.net
04/20/2006 12:59 PM

To
eric.valor@daimlerchrysler.com
cc
rt-users@lists.bestpractical.com
Subject
RE: [rt-users] LDAP Summary and supported implementations

Do you define an LdapBase variable in your config?

Thanks again.

-MattFrom: eric.valor@daimlerchrysler.com
[mailto:eric.valor@daimlerchrysler.com]
Sent: Thursday, April 20, 2006 2:47 PM
To: Matt Nichols
Cc: rt-users@lists.bestpractical.com
Subject: RE: [rt-users] LDAP Summary and supported implementations

Matt:

I’ve gotten this working with AD. The trick for AD is making sure you
search for “sAMAccountName” instead of “uid”.

Here are the bare essentials you’ll need:

Set($LdapUser, ‘cn=,CN=Users,dc=,dc=com’); # LDAP
bind user
Set($LdapPass, ‘’); # LDAP
bind user pass
Set($LdapUidAttr, ‘sAMAccountName’); #
attribute for RT account name
Set($LdapFilter, ‘objectclass=user’); # filter LDAP
entries (e.g., only people)
Set($LdapNameAttr, ‘cn’); #
attribute for RT user name
Set($LdapMailAttr, ‘mail’); #
attribute for RT email addy

Note that “Users” requires the capital U…

Bear in mind this won’t auto-populate the RT database from the LDAP
database. Your users will fail unless they already have an RT account.

The Moseman contribution allows for setting up accounts on-the-fly, but
I’ve had some difficulty in getting it to pull in all the LDAP (AD)
records (SQL errors are reported in the logging). I haven’t been able to
put in much time in debugging…

The Mehl contribution does a better job and has good instructions, but has
the drawback of requiring mod_ntlm and the NT LanMan hash vulnerability.

Hope this helps.

Eric N. Valor
Sr. Systems Administrator
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :

Hello!On 4/20/06, Matt Nichols mnichols@wayport.net wrote:

I understand that you use OpenLDAP yourself, but have you heard from
anyone that managed to get your LDAP implementation working with Active
Directory? Jim or anyone else on the list, could I see some example
LdapSiteConfigSettings specifically for AD?

I do have notes in the install instructions of the LDAP page which
specify that, for Windows Active Directory, you must map the "Name"
attribute to “sAMAccountName”. In order to draw more attention to
that, though, I’ve added a wiki page to further explain how to set
$RT::LdapAttrMap properly:

http://wiki.bestpractical.com/?LdapAttrMap

Please let me know if that doesn’t help enough; also, please feel free
to extend the Active Directory chunk of that page as I don’t know the
first thing about it other than it seems to generate a lot of
questions here lately. ;]

Cheers!

–j
Jim Meyer, Geek at Large purp@acm.org

Hello!On 4/20/06, Christian Fernandez cfernandez@voicesignal.com wrote:

Hi Jim I am interested in using LDap a lot but have not much
experience with RT.
any howto or stepby step install for this?

There is, indeed, on the wiki page:

http://wiki.bestpractical.com/?LDAP

…under the “Installation” section. Please feel free to extend it,
though; that’s the joy of wiki. =]

Cheers!

–j
Jim Meyer, Geek at Large purp@acm.org

Jim,

I now have your overlay working to auth and lookup/autocreate users
against AD now. I have a couple of questions:

  1. It appears that the only way to have an account auto created is if a
    user sends an email to rt@rt.site.com (which opens a ticket in the
    general/default queue). While I think auto account creation on web login
    would be better this will still work fine. Is there a way around a
    ticket being created for the first email a user sends? I’d rather a user
    get an email saying their account has been created rather than a ticket
    opening up just to have an account created. (This will require people to
    go find and kill those dubious tickets).

  2. When a new user sends an email to RT right now, their account is
    created with the email address from ad/ldap. Is there a way to have the
    overlay create the account with just the user, rather than
    user@host.com?

Thanks for your work on this overlay.

-MattFrom: sciocco@gmail.com [mailto:sciocco@gmail.com] On Behalf Of Jim
Meyer
Sent: Thursday, April 20, 2006 11:31 PM
To: Matt Nichols
Cc: RT Users Mailing List
Subject: Re: [rt-users] LDAP Summary and supported implementations

Hello!

I understand that you use OpenLDAP yourself, but have you heard from
anyone that managed to get your LDAP implementation working with
Active
Directory? Jim or anyone else on the list, could I see some example
LdapSiteConfigSettings specifically for AD?

I do have notes in the install instructions of the LDAP page which
specify that, for Windows Active Directory, you must map the "Name"
attribute to “sAMAccountName”. In order to draw more attention to
that, though, I’ve added a wiki page to further explain how to set
$RT::LdapAttrMap properly:

http://wiki.bestpractical.com/?LdapAttrMap

Please let me know if that doesn’t help enough; also, please feel free
to extend the Active Directory chunk of that page as I don’t know the
first thing about it other than it seems to generate a lot of
questions here lately. ;]

Cheers!

–j
Jim Meyer, Geek at Large purp@acm.org

I’ve updated the Wiki with settings which should work with an Active
Directory server. If they don’t work for somebody, please let me know.
The output of “ldapsearch” against your ADS would be helpful in that case.

Eric N. Valor
Sr. Systems Administrator
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :