Problems getting LDAP authentication working

I'm trying to set up LDAP through the RT-Authen-ExternalAuth plugin.

I have gotten far enough to log in as a user via LDAP, but I want to restrict logins to a specific group within my Windows AD. I can't seem to get that part working. I know it's something I'm doing wrong, but I'm not seeing what it is.

So, what I want is to allow users within a group "CSER" to be able to log in and create tickets. I want another group "ITAdmin" to be equivalent to the RTAdmin. How do I set this up?

Here is my current configuration:

Set($rtname, 'XXXXXX.ca');
Set($LogToFileNamed, "/var/tmp/rt3.error");
Set($LogToFile, 'debug');
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);
Set(@Plugins, qw(RT::Authen::ExternalAuth));
Set($ExternalSettings, {
    'My_LDAP' => {  ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        'auth' => 1,
        'info' => 1,
        # The server hosting the service
        'server' => 'XXX.XXX.XXX.XXX',
        # The username RT should use to connect to the LDAP server
        'user' => 'XXXXXX',
        # The password RT should use to connect to the LDAP server
        'pass' => 'XXXXXX',
        'base' => 'XXXXXX',
        'filter' => '(objectClass=Person)',
        # A catch-all example filter: '(objectClass=*)'
        # The filter that will only match disabled users
        # (AD attribute is userAccountControl; the OID is the bitwise-AND
        # matching rule and bit 2 is ACCOUNTDISABLE)
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay if using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'CSER',
        # What is the attribute for the group object that determines membership?
        'group_attr' => '',
        'attr_match_list' => [ 'Name',
                               'EmailAddress',
                             ],
        'attr_map' => { 'Name'         => 'sAMAccountName',
                        'EmailAddress' => 'mail',
                      },
    },
});
1;

With the above configuration I am able to log in after I get an error because of the blank group_attr. What exactly is supposed to be there? Every attempt to put something there causes the login to fail. Sample debug follows:

[Mon Jun 1 19:20:27 2009] [debug]: RT’s GnuPG libraries couldn’t successfully read your configured GnuPG home directory (/opt/rt3/var/data/gpg). PGP support has been disabled (/opt/rt3/bin/…/lib/RT/Config.pm:339)
[Mon Jun 1 19:20:32 2009] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Jun 1 19:20:32 2009] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Jun 1 19:20:32 2009] [debug]: Calling UserExists with $username (gagel) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Jun 1 19:20:32 2009] [debug]: UserExists params:
username: gagel , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Jun 1 19:20:32 2009] [debug]: LDAP Search === Base: ou=XXXXX=ca == Filter: (i(objectClass=Person)(sAMAccountName=XXXXX)) == Attrs: mail,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Jun 1 19:20:32 2009] [debug]: Password validation required for service - Executing… (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Mon Jun 1 19:20:32 2009] [debug]: Trying external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Mon Jun 1 19:20:32 2009] [debug]: LDAP Search === Base: ou=XXXXXX=ca == Filter: (l(sAMAccountName=XXXXX)(objectClass=Person)) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Mon Jun 1 19:20:32 2009] [debug]: Found LDAP DN: CN=XXXX,OU=XXXXXX=ca (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Mon Jun 1 19:20:32 2009] [debug]: RT’s GnuPG libraries couldn’t successfully read your configured GnuPG home directory (/opt/rt3/var/data/gpg). PGP support has been disabled (/opt/rt3/bin/…/lib/RT/Config.pm:339)
[Mon Jun 1 19:20:32 2009] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Jun 1 19:20:32 2009] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Jun 1 19:20:32 2009] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Jun 1 19:20:32 2009] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

What am I doing wrong?

Kevin W. Gagel
Network Administrator
Local 5448
My blog:
http://mail.cnc.bc.ca/blogs/gagel
My shared files:
http://mail.cnc.bc.ca/users/gagel

Mon 01 Jun 2009 20:26:02 GMT
Kevin Gagel wrote:

I'm trying to set up LDAP through the RT-Authen-ExternalAuth plugin.

I have gotten far enough to log in as a user via LDAP, but I want to
restrict logins to a specific group within my Windows AD.

Try these:

# Does authentication depend on group membership? What group name?
'group' => 'cn=CSER,',
# What is the attribute for the group object that determines membership?
'group_attr' => 'member',

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
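To make the two settings in Mike's reply concrete, here is an added example (not code from the RT-Authen-ExternalAuth plugin) that models the checks the plugin runs against AD once 'group' is a group DN and 'group_attr' is 'member': look the user up by sAMAccountName, reject disabled accounts via the userAccountControl bit that the d_filter targets, and require the user's DN in the group's member list. The directory, DNs and account names are constructed sample data held in memory so it runs offline; the login-name escaping is added because that value comes straight from the login form.

```python
# Added example, not part of the plugin: an in-memory model of the user,
# disabled-account and group-membership checks. All entries are constructed.
ACCOUNTDISABLE = 0x2  # userAccountControl bit matched by the d_filter OID

# Constructed sample directory: DN -> attributes (lists, as LDAP returns them)
DIRECTORY = {
    "CN=Kevin,OU=Staff,DC=example,DC=ca": {
        "objectClass": ["person"], "sAMAccountName": ["gagel"],
        "userAccountControl": ["512"]},
    "CN=Old,OU=Staff,DC=example,DC=ca": {
        "objectClass": ["person"], "sAMAccountName": ["old"],
        "userAccountControl": ["514"]},          # 512 | ACCOUNTDISABLE
    "CN=Guest,OU=Staff,DC=example,DC=ca": {
        "objectClass": ["person"], "sAMAccountName": ["guest"],
        "userAccountControl": ["512"]},
    "CN=CSER,OU=Groups,DC=example,DC=ca": {      # the 'group' DN
        "objectClass": ["group"],
        "member": ["CN=Kevin,OU=Staff,DC=example,DC=ca",   # 'group_attr'
                   "CN=Old,OU=Staff,DC=example,DC=ca"]},
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a user-supplied value placed in a filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def user_filter(username: str) -> str:
    """The UserExists filter seen in the debug log, with escaping applied."""
    return f"(&(objectClass=Person)(sAMAccountName={escape_filter_value(username)}))"

def find_user_dn(username: str):
    for dn, attrs in DIRECTORY.items():
        if "person" in attrs["objectClass"] and attrs["sAMAccountName"] == [username]:
            return dn
    return None

def is_disabled(dn: str) -> bool:
    return int(DIRECTORY[dn]["userAccountControl"][0]) & ACCOUNTDISABLE != 0

def in_group(dn: str, group_dn: str, group_attr: str = "member") -> bool:
    # Membership is decided by the group object's attribute, not by the user
    return dn in DIRECTORY.get(group_dn, {}).get(group_attr, [])

def may_log_in(username: str, group_dn: str) -> tuple:
    """Return (allowed, reason_or_dn) in the order the plugin evaluates."""
    dn = find_user_dn(username)
    if dn is None:
        return (False, "no such user")
    if is_disabled(dn):
        return (False, "account disabled")
    if not in_group(dn, group_dn):
        return (False, "not in group")
    return (True, dn)
```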