Problem configuring LDAP with AD

Hi there,

I’ve got RT set up and working fine on Ubuntu 6.06 Server, but we use AD
here (2003 SBS) and I’d like to get user accounts to be created
automatically. I’ve applied the LDAP overlay and made the changes to the
RT_SiteConfig.pm file (reproduced below), along with the auto-creation
overlay. Unfortunately, I’m still having problems getting it to recognise
my own domain account:

Oct 18 12:59:17 tracker RT: Transaction->Create couldn't, as you didn't specify an object type and id (/usr/share/request-tracker3.4/lib/RT/Record.pm:1451)
Oct 18 12:59:17 tracker RT: Trying LDAP authentication
Oct 18 12:59:17 tracker RT: RT::User::IsLDAPPassword search for (&(sAMAccountName=Andrew Hodgson)(objectclass=inetOrgPerson)) failed: LDAP_OPERATIONS_ERROR 1
Oct 18 12:59:17 tracker RT: RT::User::IsPassword auth method IsLDAPPassword FAILED
Oct 18 12:59:17 tracker RT: RT::User::IsInternalPassword AUTH FAILED (no passwd): Andrew Hodgson (/usr/share/request-tracker3.4/lib/RT/User_Local.pm:232)
Oct 18 12:59:17 tracker RT: RT::User::IsPassword auth method IsInternalPassword FAILED
Oct 18 12:59:17 tracker RT: FAILED LOGIN for Andrew Hodgson from 192.168.0.238 (/usr/share/request-tracker3.4/html/autohandler:191)

I’ve tweaked LdapFilter and settled on inetOrgPerson, from researches
around the 'net, but I’m still getting the LDAP_OPERATIONS_ERROR 1, so
that might not be the root problem. The first line stumps me somewhat,
talking about “object type and id”.

I know this problem is essentially solved, I just need a little help
getting over the line! Here’s my /etc/request-tracker3.4/RT_SiteConfig.pm:

# RT_SiteConfig.pm
#
# These are the bits you absolutely must edit.
#
# To find out how, please read
#   /usr/share/doc/request-tracker3.4/INSTALL.Debian
#
# THE BASICS:
Set($rtname, 'tracker.betgenius.local');
Set($Organization, 'betgenius.com');

Set($CorrespondAddress , 'rt@betgenius.com');
Set($CommentAddress , 'rt-comment@betgenius.com');

Set($Timezone , 'Europe/London'); # obviously choose what suits you

# THE DATABASE:
Set($DatabaseType, 'Pg'); # e.g. Pg or mysql

# These are the settings we used above when creating the RT database,
# you MUST set these to what you chose in the section above.
Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , 'strongarm');
Set($DatabaseName , 'rtdb');

# THE WEBSERVER:
Set($WebPath , "/rt");
Set($WebBaseURL , "http://tracker");

Set($DatabaseHost , 'localhost');
Set($DatabaseRTHost , 'localhost');

# LDAP Settings
#
# There are two different branches of this: LdapAuth* and LdapInfo*;
# additionally, most of the old Ldap* variables are honored, too.
# This means if you only have one LDAP server/config you can just set
# "LdapServer", "LdapUser", etc. and they will be used for both
# authentication and information

# Enable/Disable LDAP services
Set($LdapExternalAuth, 1);
Set($LdapExternalInfo, 1);

# Common Settings: affecting both auth and info services

# Should we create accounts for users who aren't in LDAP?
Set($LdapAutoCreateNonLdapUsers, 1);

# Map RT attributes to LDAP attributes
# THE MAPPING BELOW WILL NOT WORK FOR YOU UNLESS YOU CHANGE
# IT TO MATCH YOUR LDAP SCHEMA! See
#   http://wiki.bestpractical.com/?LdapAttrMap
# to learn how to set this variable properly for either LDAP or Windows
# Active Directory.
Set($LdapAttrMap, {'Name' => 'sAMAccountName',
                   'EmailAddress' => 'mail',
                   'Organization' => 'physicalDeliveryOfficeName',
                   'RealName' => 'cn',
                   'ExternalContactInfoId' => 'dn',
                   'ExternalAuthId' => 'sAMAccountName',
                   'Gecos' => 'sAMAccountName',
                   'WorkPhone' => 'telephoneNumber',
                   'Address1' => 'streetAddress',
                   'City' => 'l',   # AD locality attribute is a lowercase L, not the digit 1
                   'State' => 'st',
                   'Zip' => 'postalCode',
                   'Country' => 'co'}
);

# A list of RT attrs which can uniquely identify a user,
# ordered from most to least preferred.
Set($LdapRTAttrMatchList, ['ExternalContactInfoId', 'Name',
                           'EmailAddress', 'RealName',
                           'WorkPhone', 'Address2']
);

# A list of LDAP attrs to examine when canonicalizing email addresses,
# ordered from most to least preferred
Set($LdapEmailAttrMatchList, ['mail', 'mailRoutingAddress',
                              'mailAlternateAddress']
);

# A list of prefixes to apply to email address matches.
# Windows 2003 AD uses prefixes of smtp: or SMTP:.
# If not required just leave ''
Set($LdapEmailAttrMatchPrefix, ['', 'smtp:', 'SMTP:'] );

# The basics; if set, these override $RT::LdapAuth* and $RT::LdapInfo*
Set($LdapServer, 'officeserver.betgenius.local');
Set($LdapBase, 'ou="Active Users",dc=betgenius,dc=local');
Set($LdapFilter, '(objectclass=inetOrgPerson)');

# Windows 2003 Active Directory does not allow anonymous LDAP binding
# thus you must pass Net::LDAP a username and password that has
# access to read the directory.
# You may also need to specify the full distinguished name instead of
# just a username for LdapUser below.
# e.g. cn=Username,cn=Users,dc=yourdomain,dc=com
#Set($LdapUser, 'cn=Scanner,ou=UsersCreatedByUs,dc=betgenius,dc=local');
#Set($LdapPass, 'scanner');

# This filter is used by RT::User::UpdateFromLdap to test whether an
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
Set($LdapDisableFilter, '(employmentStatus=Terminated)');

# If you set these, only members of this group can auth via LDAP
#Set($LdapGroup, 'cn=RT,ou=Group,dc=example,dc=com');
#Set($LdapGroupAttr, 'uniqueMember');

# These turn on SSL for LDAP
#Set($LdapTLS, 0);
#Set($LdapSSLVersion, 3);

1;

EOF

Thanks,

Andrew Hodgson
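As an added example (not part of this thread and not RT's own code), a small Python checker that reads the Set() lines of an RT_SiteConfig.pm and reports the three settings in the config above that Active Directory will not accept: the commented-out LdapUser/LdapPass (AD answers an unauthenticated search with operationsError, result code 1, which is the LDAP_OPERATIONS_ERROR 1 in the log), the inetOrgPerson objectClass, and the quoted OU in LdapBase. The embedded config is a constructed excerpt with the domain renamed.

```python
import re
# Constructed excerpt modelled on the RT_SiteConfig.pm posted above
# (domain names replaced; not the poster's file verbatim).
SAMPLE_CONFIG = """
Set($LdapExternalAuth, 1);
Set($LdapServer, 'officeserver.example.local');
Set($LdapBase, 'ou="Active Users",dc=example,dc=local');
Set($LdapFilter, '(objectclass=inetOrgPerson)');
#Set($LdapUser, 'cn=Scanner,ou=UsersCreatedByUs,dc=example,dc=local');
#Set($LdapPass, 'scanner');
"""
# Set($Name, value); with a single-, double- or unquoted scalar value;
# group 1 holds '#' when the whole line is commented out.
SET_RE = re.compile(
    r"""^\s*(#?)\s*Set\(\$(\w+)\s*,\s*(?:'([^']*)'|"([^"]*)"|([^\s'")]+))\s*\)\s*;""",
    re.MULTILINE)
# objectClass values an AD user entry carries (as listed in the thread).
AD_USER_CLASSES = {"user", "organizationalperson", "person", "top"}

def parse_settings(text):
    """Return (active, commented): scalar Set() values by name, and the
    names of Set() lines that are commented out."""
    active, commented = {}, set()
    for m in SET_RE.finditer(text):
        value = next(g for g in m.group(3, 4, 5) if g is not None)
        if m.group(1):
            commented.add(m.group(2))
        else:
            active[m.group(2)] = value
    return active, commented

def lint_ldap_config(text):
    """Return (setting, problem) pairs for settings AD will not accept."""
    active, _ = parse_settings(text)
    findings = []
    # AD answers an unauthenticated search with operationsError (result code 1),
    # which RT logs as LDAP_OPERATIONS_ERROR 1.
    if active.get("LdapExternalAuth") == "1" and "LdapUser" not in active:
        findings.append(("LdapUser", "no bind credentials; AD rejects anonymous searches"))
    m = re.search(r"\(objectclass=([^)]+)\)", active.get("LdapFilter", ""), re.I)
    if m and m.group(1).lower() not in AD_USER_CLASSES:
        findings.append(("LdapFilter", f"objectClass {m.group(1)} does not exist in AD; use user"))
    # ou="Active Users" is the legacy RFC 1779 quoted form; RFC 4514 takes
    # embedded spaces unescaped: ou=Active Users,dc=example,dc=local
    if '"' in active.get("LdapBase", ""):
        findings.append(("LdapBase", "double quotes inside the DN; write ou=Active Users"))
    return findings

if __name__ == "__main__":
    for setting, problem in lint_ldap_config(SAMPLE_CONFIG):
        print(f"{setting}: {problem}")
```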

Hi again,

Sorry, perhaps I wasn’t specific enough: I’m looking for help
determining the cause of the “LDAP_OPERATIONS_ERROR 1”, and anything
else that might be causing the log output I posted. Here it is again:

Oct 18 12:59:17 tracker RT: Transaction->Create couldn’t, as you didn’t specify an object type and id (/usr/share/request-tracker3.4/lib/RT/Record.pm:1451)
Oct 18 12:59:17 tracker RT: Trying LDAP authentication
Oct 18 12:59:17 tracker RT: RT::User::IsLDAPPassword search for (&(sAMAccountName=Andrew Hodgson)(objectclass=inetOrgPerson)) failed: LDAP_OPERATIONS_ERROR 1
Oct 18 12:59:17 tracker RT: RT::User::IsPassword auth method IsLDAPPassword FAILED
Oct 18 12:59:17 tracker RT: RT::User::IsInternalPassword AUTH FAILED (no passwd): Andrew Hodgson (/usr/share/request-tracker3.4/lib/RT/User_Local.pm:232)
Oct 18 12:59:17 tracker RT: RT::User::IsPassword auth method IsInternalPassword FAILED
Oct 18 12:59:17 tracker RT: FAILED LOGIN for Andrew Hodgson from 192.168.0.238 (/usr/share/request-tracker3.4/html/autohandler:191)

If anyone could give me any pointers, it would be appreciated. I need
tickets!

Andrew

AFAIK, “inetOrgPerson” doesn’t exist in Active Directory.

Use the LDAPAttrMap I posted to the Wiki at
http://wiki.bestpractical.com/index.cgi?LdapAttrMap

In your RT_SiteConfig.pm make sure you have the correct MatchList and
base:

# A list of RT attrs which can uniquely identify a user,
# ordered from most to least preferred.
Set($LdapRTAttrMatchList, ['Name', 'ExternalContactInfoId',
                           'EmailAddress', 'RealName',
                           'WorkPhone', 'Address1']
);

# A list of LDAP attrs to examine when canonicalizing email addresses,
# ordered from most to least preferred
Set($LdapEmailAttrMatchList, ['mail', 'mailRoutingAddress',
                              'mailAlternateAddress']
);

# Basic Setup
Set($LdapServer, '..com');              # LDAP server for authentication
Set($LdapBase, 'cn=Users,dc=,dc=com');  # search base
Set($LdapFilter, "(objectclass=user)"); # filter LDAP entries (e.g., only people)

Eric N. Valor
Information Technology Manager
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :

(Quoting RT-Users Digest, Vol 31, Issue 50, sent by rt-users-request@lists.bestpractical.com on 10/19/2006 09:00 AM:)


eric.valor@daimlerchrysler.com wrote:

AFAIK, “inetOrgPerson” doesn’t exist in Active Directory.

I’ve changed it to “user”, which is one of the choices I can see in
ADSIEdit (the others are organizationalPerson, top, person.)

Use the LDAPAttrMap I posted to the Wiki at
http://wiki.bestpractical.com/index.cgi?LdapAttrMap

I have done, thank you for the page. I used this page when I set up the
LDAP overlay originally.

In your RT_SiteConfig.pm make sure you have the correct MatchList and base:

Check. My base is an OU (ou=ActiveUsers,dc=domain,dc=local).

# A list of RT attrs which can uniquely identify a user,
# ordered from most to least preferred.
Set($LdapRTAttrMatchList, ['Name', 'ExternalContactInfoId',
                           'EmailAddress', 'RealName',
                           'WorkPhone', 'Address1']
);

The final entry was set to Address2, so I’ve changed it to “1”.

<snip…all in check>

I've double-checked the configuration and I still get the
LDAP_OPERATIONS_ERROR 1. I've tried it with different credentials, and
different settings for objectClass, but as far as I can see there's no
effect.

Any further help appreciated,

Andrew

I’m not an expert in AD or LDAP, but “ou=ActiveUsers,dc=domain,dc=local”
doesn’t look right to me. I don’t see “ActiveUsers” in either my 2k or
2k3 domain controllers’ schemas. Also, I think your base should be
“cn=,dc=,dc=” format not “ou=,dc=,dc=”.

Can you run “ldapsearch” on your RT box? The output from ldapsearch -x
-h -b “cn=Users,dc=,dc=<com|net|etc>” -D
-w sAMAccountName= would be helpful.

Eric N. Valor

(In reply to Andrew Hodgson, andrew@plaintalkit.com, 10/24/2006 11:58 AM, Re: [rt-users] Problem configuring LDAP with AD:)
