Here are the RT_SiteConfig entries for ldapimport and external auth.
For the Ldapimport extension:
Set($LDAPHost, 'server.geneseo.edu');
Set($LDAPUser, 'cn=username,cn=Users,dc=w2k,dc=geneseo,dc=edu');
Set($LDAPPassword, 'password');
Set($LDAPBase, 'cn=Users,dc=w2k,dc=geneseo,dc=edu');
Set($LDAPFilter, '(objectClass=*)');
Set($LDAPMapping, {
    Name         => 'sAMAccountName',
    EmailAddress => 'mail',
    RealName     => 'displayName',
    WorkPhone    => 'telephoneNumber',
    Organization => 'department',
    Address1     => 'street',
});
Set($LDAPGroupName, 'Imported Users');
Set($LDAPSkipAutogeneratedGroup, 1);
Set($LDAPUpdateUsers, 1);
Set($LDAPUpdateOnly, 0);

Set($ExternalAuthPriority, ['Geneseo_AD']);
Set($ExternalInfoPriority, ['Geneseo_AD']);
Set($ExternalServiceUsesSSLorTLS, 0);
# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
    'Geneseo_AD' => {
        ## GENERIC SECTION
        'type'   => 'ldap',
        'server' => 'server.geneseo.edu',
        # The username RT should use to connect to the LDAP server
        'user'   => 'cn=username,cn=users,dc=w2k,dc=geneseo,dc=edu',
        # The password RT should use to connect to the LDAP server
        'pass'   => 'password',
        # The LDAP search base
        'base'   => 'cn=Users,DC=w2k,DC=geneseo,DC=edu',
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU MUST SPECIFY A filter AND A d_filter!!
        # The filter to use to match RT-Users
        'filter' => '(objectClass=*)',
        # A catch-all example filter: '(objectClass=*)'
        # The filter that will only match disabled users
        'd_filter' => '(objectClass=FooBarBaz)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay if using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        #'group' => 'GROUP_NAME',
        # What is the attribute for the group object that determines membership?
        #'group_attr' => 'GROUP_ATTR',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you can specify... I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        # These must be RT attribute names (keys of attr_map below); the plugin
        # maps them to LDAP attributes itself, so LDAP attribute names such as
        # 'sAMAccountName' or 'mail' in this list are not recognised.
        'attr_match_list' => [ 'Name',
                               'EmailAddress'
                             ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name'           => 'sAMAccountName',
                        'EmailAddress'   => 'mail',
                        'Organization'   => 'department',
                        'RealName'       => 'displayName',
                        'ExternalAuthId' => 'sAMAccountName',
                        'Gecos'          => 'sAMAccountName',
                        'WorkPhone'      => 'telephoneNumber',
                        'Address1'       => 'streetAddress',
                        'City'           => 'l',
                        'State'          => 'st',
                        'Zip'            => 'postalCode',
                        'Country'        => 'co'
                      }
    }
});

On Jul 27, 2011, at 8:06 PM, Kevin Falcone wrote:
On Wed, Jul 27, 2011 at 07:48:11PM -0400, Shawn M Plummer wrote:
On Jul 27, 2011, at 5:40 PM, Kevin Falcone wrote:
You’ve left off a number of useful debugging messages from
CanonicalizeUserInfo which came right before this. Without those,
it’s hard to tell what’s going on
I set $LogToSyslog to debug in RT_Config and tried again. Is this what you were referring to? Or do I need to turn something on to get better messages from CanonicalizeUserInfo?
I’d expect to see the output of
    $RT::Logger->debug( (caller(0))[3],
                        "called by",
                        caller,
                        "with:",
                        join(", ", map {sprintf("%s: %s", $_, $args->{$_})}
                                   sort(keys(%$args))));
and a reference to every Info service queried
You may want to post your RT-Authen-ExternalAuth config and version
-kevin
Here is everything I got from tailing /var/log/httpd/* and /var/log/message while I attempted to login with the new AD user I created today.
Jul 27 19:44:28 rtdevel RT: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: 0, EmailAddress: , Gecos: rttestuser, Name: rttestuser, Privileged: 0 (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
Jul 27 19:44:28 rtdevel RT: Couldn’t create user rttestuser: Could not set user info (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129)
==> /var/log/httpd/rt4devel_error_log <==
[Wed Jul 27 19:44:28 2011] [warn] [client 137.238.60.9] mod_fcgid: stderr: [Wed Jul 27 23:44:28 2011] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: 0, EmailAddress: , Gecos: rttestuser, Name: rttestuser, Privileged: 0 (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536), referer: https://rtdevel.geneseo.edu/NoAuth/Login.html
[Wed Jul 27 19:44:28 2011] [warn] [client 137.238.60.9] mod_fcgid: stderr: [Wed Jul 27 23:44:28 2011] [error]: Couldn’t create user rttestuser: Could not set user info (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129), referer: https://rtdevel.geneseo.edu/NoAuth/Login.html
[Wed Jul 27 19:44:28 2011] [warn] [client 137.238.60.9] mod_fcgid: stderr: [Wed Jul 27 23:44:28 2011] [error]: FAILED LOGIN for rttestuser f, referer: https://rtdevel.geneseo.edu/NoAuth/Login.html
==> /var/log/messages <==
Jul 27 19:44:28 rtdevel RT: FAILED LOGIN for rttestuser from 137.238.60.9 (/opt/rt4devel/sbin/…/lib/RT/Interface/Web.pm:655)
==> /var/log/httpd/rt4devel_error_log <==
[Wed Jul 27 19:44:31 2011] [warn] [client 137.238.60.9] mod_fcgid: stderr: rom 137.238.60.9 (/opt/rt4devel/sbin/…/lib/RT/Interface/Web.pm:655), referer: https://rtdevel.geneseo.edu/NoAuth/Login.html
==> /var/log/httpd/rt4devel_access_log <==
137.238.60.9 - - [27/Jul/2011:19:44:27 -0400] “POST /NoAuth/Login.html HTTP/1.1” 200 4534 “https://rtdevel.geneseo.edu/NoAuth/Login.html” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7) AppleWebKit/534.48.3 (KHTML, like Gecko) Version/5.1 Safari/534.48.3”
Shawn Plummer
Systems Manager
CIT SUNY Geneseo
"The mind can make substance, and people planets of its own with beings brighter than have been, and give a breath to forms which can outlive all flesh." -Lord Byron
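As an added example (not code from the original post, from RT, or from RT-Authen-ExternalAuth), the Python script below mirrors the posted 'Geneseo_AD' service as a dict and runs, offline, the checks a practitioner would want before retrying the login: that filter and d_filter are single parenthesised LDAP filters, that every attr_match_list entry is an RT attribute present in attr_map, and that tls is on. It then applies attr_map to a constructed directory entry for a test account that has no mail attribute, producing a record to set beside the "CanonicalizeUserInfo returning ..." line in the log above. The entry, the department value, the display name and the function names are assumptions made for the example; no LDAP server is contacted.

```python
# Offline sanity checks for an RT-Authen-ExternalAuth LDAP service block.
# Added example, not RT or RT-Authen-ExternalAuth code. The service dict and
# the directory entry below are constructed for the example.

# Constructed mirror of the posted 'Geneseo_AD' block (placeholder credentials).
GENESEO_AD = {
    "type": "ldap",
    "server": "server.geneseo.edu",
    "user": "cn=username,cn=users,dc=w2k,dc=geneseo,dc=edu",
    "pass": "password",
    "base": "cn=Users,DC=w2k,DC=geneseo,DC=edu",
    "filter": "(objectClass=*)",
    "d_filter": "(objectClass=FooBarBaz)",
    "tls": 0,
    # RT attribute names, i.e. keys of attr_map.
    "attr_match_list": ["Name", "EmailAddress"],
    "attr_map": {
        "Name": "sAMAccountName",
        "EmailAddress": "mail",
        "Organization": "department",
        "RealName": "displayName",
        "ExternalAuthId": "sAMAccountName",
        "Gecos": "sAMAccountName",
        "WorkPhone": "telephoneNumber",
        "Address1": "streetAddress",
        "City": "l",
        "State": "st",
        "Zip": "postalCode",
        "Country": "co",
    },
}

# Constructed AD entry for a freshly created test account with no 'mail'
# attribute (attribute -> list of values, the shape Net::LDAP returns).
RTTESTUSER_ENTRY = {
    "sAMAccountName": ["rttestuser"],
    "displayName": ["RT Test User"],
    "department": ["CIT"],
    "telephoneNumber": [],
}


def ldap_filter_ok(f):
    """True if f is one LDAP filter wrapped in balanced parentheses.
    Only the bracketing the plugin's comments insist on is checked, not the
    full RFC 4515 grammar."""
    if not f or f[0] != "(" or f[-1] != ")":
        return False
    depth = 0
    for i, ch in enumerate(f):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            # Going below zero, or closing the outer filter before the end
            # (e.g. '(a)(b)'), means this is not a single filter.
            if depth < 0 or (depth == 0 and i != len(f) - 1):
                return False
    return depth == 0


def check_service(svc):
    """Return a list of problems found in one $ExternalSettings service."""
    problems = []
    for key in ("filter", "d_filter"):
        if not ldap_filter_ok(svc.get(key, "")):
            problems.append(f"{key}: must be a valid LDAP filter enclosed in parentheses")
    # attr_match_list must name RT attributes; the plugin maps them to LDAP
    # attributes through attr_map, so LDAP names here are not recognised.
    for rt_attr in svc.get("attr_match_list", []):
        if rt_attr not in svc.get("attr_map", {}):
            problems.append(f"attr_match_list: {rt_attr!r} is not a key of attr_map")
    if not svc.get("tls"):
        # A simple bind sends the bind DN's password, and each user's password
        # at login, to the directory server unencrypted.
        problems.append("tls: 0 means bind and user passwords cross the network in clear text")
    return problems


def canonicalize(svc, entry):
    """Build the RT user record from an LDAP entry via attr_map (first value wins)."""
    record = {}
    for rt_attr, ldap_attr in svc["attr_map"].items():
        values = entry.get(ldap_attr, [])
        record[rt_attr] = values[0] if values else ""
    return record


def empty_fields(record, fields=("Name", "EmailAddress")):
    """Name is mandatory for an RT user; an empty EmailAddress is the first
    thing to compare against the CanonicalizeUserInfo line in the log."""
    return [f for f in fields if not record.get(f)]


if __name__ == "__main__":
    for p in check_service(GENESEO_AD):
        print("config:", p)
    rec = canonicalize(GENESEO_AD, RTTESTUSER_ENTRY)
    print("record:", ", ".join(f"{k}: {v}" for k, v in sorted(rec.items())))
    print("empty:", empty_fields(rec))
```

Run it as-is to see the record the constructed entry yields; to test a real account, replace RTTESTUSER_ENTRY with the attribute list from an ldapsearch against the same base and filter, bound as the same user the plugin uses.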
--------
2011 Training: http://bestpractical.com/services/training.html