Question about LdapOverlay and Windows Active Directory

Hi there,

Has anyone gotten the LdapOverlay working with Windows Active Directory ?
Basically I would like to authenticate users against Windows AD without
doing it thru Apache.
I followed the steps in the section LDAP at RT Wiki, but couldn’t get it
working yet.
Any tips, suggestions or working samples will be appreciated.

Thanks,
Dário

There were two ways of doing it in the Wiki… one I failed miserably with; the one that worked for me was this one:

http://wiki.bestpractical.com/?LDAP

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Dario Luis Coneglian Oliveros
Sent: Thursday, July 20, 2006 1:41 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] Question about LdapOverlay and Windows Active Directory


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

We’re hiring! Come hack Perl for Best Practical: http://bestpractical.com/about/jobs.html

Hi Helmuth,
That’s the one I looked at, but even so I could not get it working.
Whenever I try to log in, I get the following error:
RT::User::IsLDAPPassword search for
(&(sAMAccountName=oliveros)(objectclass=posixAccount)) failed:
LDAP_REFERRAL 10 (/l/disk0/tools/rt/local/lib/RT/User_Local.pm:177
I am not sure whether it’s just a configuration problem or not.
Do you happen to know what this error means ?
FYI the only step I did not follow in the “New Installs” section of
http://wiki.bestpractical.com/?LDAP was #4, which is optional.
Thanks,
Dário

Helmuth Ramirez wrote:

One thing that got me (due to my COMPLETE LAMP newness) was installing the Net::LDAP module. The other thing I did differently was my objectclass=user not PosixAccount

From: Dario Luis Coneglian Oliveros [mailto:oliveros@cpqd.com.br]
Sent: Thursday, July 20, 2006 2:13 PM
To: Helmuth Ramirez
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Question about LdapOverlay and Windows Active Directory


I used the Mosemann overlay listed on the : http://wiki.bestpractical.com/index.cgi?LdapSummary
Page. It also comes with a perl script that will search your existing userbase and attempt to convert them to AD type accounts.

Integration was easy, but configuration got me for a bit until I realized:

– Windows 2003 Active Directory has no anonymous ldap queries, thus ldapsearch & Net::LDAP wont bind properly. I had to create a separate account that had read permission on the directory before I could get it to work. Once I got binding working, the RT config didn’t work properly, that is when I realized that I had to configure LdapUser with the proper distinguished name instead of just a username. So:

Set($LdapUser, 'cn=ADbindUser,cn=Users,dc=corp,dc=domainname,dc=com');
Set($LdapPass, 'ADbindUserPassword');

Once I fixed those, I was up and authenticating. I also tried the LDAP at /index.cgi?LDAP, and couldn’t get it to work at all.

Hope that helps,
-Jay

From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Helmuth Ramirez
Sent: Thursday, July 20, 2006 11:20 AM
To: Dario Luis Coneglian Oliveros
Cc: rt-users@lists.bestpractical.com
Subject: RE: [rt-users] Question about LdapOverlay and Windows Active Directory

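The three AD pitfalls raised so far in this thread (Jay's point that AD 2003 refuses anonymous queries and that LdapUser must be the bind account's full DN, Helmuth's objectclass=user instead of posixAccount, and Dário's LDAP_REFERRAL 10 result) can be reproduced with a stand-alone Net::LDAP script outside RT. The script below is an added example, not code from the thread, from RT or from any of the overlays; the server name, base DN, bind DN and account names are placeholders, and the bind password is read from an environment variable so it never sits in the script.

```perl
#!/usr/bin/perl
# Added example (not RT's or the overlays' code): check an AD bind and a login
# search the way RT's overlay does, and explain the two common failures.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_REFERRAL LDAP_INVALID_CREDENTIALS);
use Net::LDAP::Util qw(escape_filter_value);

# Placeholders, not values from the list. LDAPS keeps the bind password and
# the user's attributes off the wire in clear text.
my $server    = 'ldaps://dc1.corp.example.com';
my $bind_dn   = 'cn=ADbindUser,cn=Users,dc=corp,dc=example,dc=com'; # full DN, as in Jay's post
my $base_dn   = 'dc=corp,dc=example,dc=com';   # must be a naming context this DC holds
my $bind_pass = $ENV{AD_BIND_PASS} or die "set AD_BIND_PASS in the environment\n";
my $login     = shift @ARGV      or die "usage: $0 sAMAccountName\n";

my $ldap = Net::LDAP->new($server, version => 3)
    or die "cannot connect to $server: $@\n";

# AD 2003 refuses anonymous queries, so bind with the read-only account's DN.
# A bare username here is what made ldapsearch and Net::LDAP "not bind properly".
my $mesg = $ldap->bind($bind_dn, password => $bind_pass);
if ($mesg->code == LDAP_INVALID_CREDENTIALS) {
    die "bind rejected: LdapUser must be the account's full DN and the password must match\n";
}
elsif ($mesg->code != LDAP_SUCCESS) {
    die "bind failed: " . $mesg->error . "\n";
}

# Same shape of filter RT's overlay builds, with two changes: objectclass=user
# (what AD accounts carry; posixAccount matches nothing in a plain AD) and the
# login escaped so '*', '(', ')' or '\' typed at the login form cannot change
# the filter's meaning.
my $filter = sprintf '(&(sAMAccountName=%s)(objectclass=user))',
    escape_filter_value($login);

$mesg = $ldap->search(
    base   => $base_dn,
    scope  => 'sub',
    filter => $filter,
    attrs  => [ 'distinguishedName', 'mail' ],
);

if ($mesg->code == LDAP_REFERRAL) {
    # Result code 10, the error from the thread: the DC answered with a referral
    # instead of entries, which usually means $base_dn is not a naming context
    # this DC holds (mis-spelled dc= components, or a parent domain's DN). The
    # fix is the correct base DN, not following the referral.
    die "search $filter returned LDAP_REFERRAL: base '$base_dn' is wrong for $server\n";
}
elsif ($mesg->code != LDAP_SUCCESS) {
    die "search failed: " . $mesg->error . "\n";
}

if ($mesg->count == 0) {
    print "no account named '$login' under $base_dn\n";
}
else {
    for my $entry ($mesg->entries) {
        printf "%s  mail=%s\n", $entry->dn, $entry->get_value('mail') || '(none)';
    }
}
$ldap->unbind;
```

Run it as the bind account with the login you are testing as the only argument; a bind error points at LdapUser/LdapPass, a referral points at the base DN, and an empty result with a correct base DN points at the filter or the account name. The escape_filter_value call is the one thing worth carrying back into a local overlay, since the overlay quoted later in this thread concatenates the typed name into the filter unescaped.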

I finally got it working !!! It was configuration data issues (cn, ou,
…). Thanks to everyone !!!
To solve that, I installed Softerra Ldap Browser to get the correct LDAP
settings and also to do some LDAP searches. Special thanks to Joachim and
Helmuth.
Now everything looks fine, except for the user auto creation.
When trying to log in with an LDAP user who does not exist in the RT database
yet, the user authentication fails. Somehow the LDAP filter gets messed
up and the sAMAccountName is not filled. Starting from the Auth
callback, the IsPassword method is called, and in it the filter gets
created before the LDAP search.

autohandler/Auth callback:

unless ($session{'CurrentUser'}) {
    if (defined ($user) && defined ($pass) ) {
        $session{'CurrentUser'} = RT::CurrentUser->new();
        $session{'CurrentUser'}->Load($user);

        unless ($session{'CurrentUser'}->Id) {
            # IT GETS HERE IF USER DOES NOT EXIST IN RT DB
            my $UserObj = RT::User->new($RT::SystemUser);
            my ($val, $msg) = $UserObj->SetName($user);

            if ($UserObj->IsPassword($pass)) { # CALL IsPassword in User_Local.pm
...

User_Local.pm

sub IsLDAPPassword {

    my $filter_string = '(&(' . $RT::LdapAttrMap->{'Name'} . '=' .
        $self->Name . ')' . $ldap_filter . ')';
    # filter_string = (&(sAMAccountName=)(objectclass=user))

    ...

}

Not sure why sAMAccountName is empty. If I create the same user locally
in RT and log in again, the LDAP authentication will be OK.
Any help will be appreciated.

Regards,
Dário

Helmuth Ramirez wrote:

I noticed the user name is not being set in Auth callback.

my $UserObj = RT::User->new($RT::SystemUser);
my ($val, $msg) = $UserObj->SetName($user);

When printing $msg from above, I get ‘Can not modify system users’.
Any clues ?

Dario Luis Coneglian Oliveros wrote:

How can I set anything in UserObj (see previous message) if the code
snippet below (User_Overlay.pm) does not allow that ?
sub _Set {

    if ( ($self->Id == $RT::SystemUser->Id ) ||
         ($self->Id == $RT::Nobody->Id)) {
        return ( 0, $self->loc("Can not modify system users") );
    }

}
And if this cannot be set, then the LDAP filter will not be created
successfully since sAMAccountName value will be missing.
I wonder why some of you got the auto creation working.
To prove my theory, I commented out the lines above and the SetName
operation worked fine.
I think I am missing something, but can’t figure out what.
Please help me understand how you got the auto creation working.

Thanks,
Dário
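The chain Dário describes across his last three messages is: the Auth callback ignores the ($val, $msg) that SetName returns, so when _Set refuses with "Can not modify system users" the object's Name stays empty, IsLDAPPassword still builds (&(sAMAccountName=)(objectclass=user)), and the search runs with an empty value. The script below is an added example, not RT's code and not Dário's change to the overlay; it keeps the thread's names ($LdapAttrMap, $ldap_filter, SetName's return pair) but the attribute map, the filter and the FakeUser stand-in for RT::User are constructed here so it runs without RT installed.

```perl
#!/usr/bin/perl
# Added example (not RT's code): the two checks the quoted callback and
# overlay lack, a checked SetName and a refusal to search with an empty name.
use strict;
use warnings;
use Net::LDAP::Util qw(escape_filter_value);

# Constructed stand-ins for what the overlay reads from RT_SiteConfig.pm.
my %LdapAttrMap = ( Name => 'sAMAccountName', EmailAddress => 'mail' );
my $ldap_filter = '(objectclass=user)';

# Builds the same login filter as IsLDAPPassword, but returns ($filter, undef)
# only when there is a name to search for, and (undef, $reason) otherwise.
sub build_login_filter {
    my ($name) = @_;
    # The thread's failure mode: Name never got set, and the overlay went on
    # to search for (&(sAMAccountName=)(objectclass=user)).
    return (undef, 'login name is empty; refusing to search the directory')
        unless defined $name && length $name;
    # '*', '(', ')' and '\' typed at the login form must not rewrite the filter.
    my $value = escape_filter_value($name);
    return ("(&($LdapAttrMap{Name}=$value)$ldap_filter)", undef);
}

# Mirrors the Auth callback's SetName step but looks at its return value:
# a refused SetName ends the attempt instead of falling through to
# IsPassword with an unnamed object.
sub prepare_login {
    my ($UserObj, $user) = @_;
    my ($val, $msg) = $UserObj->SetName($user);
    return (0, "SetName failed: $msg") unless $val;
    my ($filter, $why) = build_login_filter($UserObj->Name);
    return (0, $why) unless defined $filter;
    return (1, $filter);
}

# Minimal stand-in for RT::User so this runs without RT. With system => 1 it
# refuses SetName with the same message RT's _Set guard returns.
package FakeUser;
sub new {
    my ($class, %args) = @_;
    return bless { name => '', system => $args{system} ? 1 : 0 }, $class;
}
sub Name { return $_[0]{name} }
sub SetName {
    my ($self, $name) = @_;
    return (0, 'Can not modify system users') if $self->{system};
    $self->{name} = $name;
    return (1, 'Name changed');
}
package main;

# Three constructed logins: a normal one, the refused SetName from the thread,
# and a name carrying LDAP metacharacters that escape_filter_value neutralises.
for my $case (
    [ FakeUser->new(),            'oliveros'   ],
    [ FakeUser->new(system => 1), 'oliveros'   ],
    [ FakeUser->new(),            'a*)(mail=*' ],
) {
    my ($ok, $out) = prepare_login(@$case);
    printf "%-12s -> %s\n", $case->[1], $ok ? $out : "refused: $out";
}
```

The first case yields the filter the overlay intends, the second is refused with the SetName message instead of reaching the directory, and the third shows the metacharacters escaped as \2a, \29 and \28 so the filter still matches only a literal account name. Whatever the reason _Set refuses the object in the callback, treating a false $val as a failed login is the check that keeps the empty-name search from happening at all.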

Dario Luis Coneglian Oliveros wrote:

Dario:

I forget the contribution you are using, but if you are using the Meyer
contribution (my personal favorite… cheers Jim!), a user must first send
an email which will then initiate RT account generation.

I think Jim is working on another overlay to autocreate on web login, but
I’ll let him comment on that. If you’re not using the Meyer code, might I
suggest doing so since Jim is actively maintaining it and he is good about
responding to questions. I’ve been using it on my production system here
(don’t tell Corporate!) for the past few months and it’s been solid
(disclaimer: currently under 100 users with 5 queues).

Eric N. Valor
Information Technology Manager
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :

Hi Eric,
First, thanks for the info.
FYI I am using Jim Meyer’s contribution as well. It’s really great.
Regarding user auto creation, I thought this could be done thru web :(
Any tips on how to create user account via email ? I would appreciate
any info on that.
Thanks,
Dário

eric.valor@daimlerchrysler.com wrote:

Dario:

If you’re using Jim’s LDAPUserLocalOverlay
(http://wiki.bestpractical.com/index.cgi?LdapUserLocalOverlay) then just
make sure you have the user’s email set in the email field of their LDAP
record (“E-mail” in the Active Directory user’s properties, in the
"General" tab). When an email address sends a request to RT it is sought
for in the AD records. If found, an account is generated in RT and
afterwards that user can then log in via the web interface.

We had to go back and enter in our users’ email addies to their AD records
prior to rolling out RT.

Eric N. Valor
Information Technology Manager
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :

Dario Luis Coneglian Oliveros oliveros@cpqd.com.br
07/21/2006 03:02 PM

To
eric.valor@daimlerchrysler.com
cc
rt-users@lists.bestpractical.com
Subject
Re: [rt-users] Question about LdapOverlay and Windows Active Directory


Thanks for the info !
Last Friday I made some changes to Jim Meyer’s contribution to enable
auto account creation through web once a new user logs in.
I’ve tested it in my local environment and it worked.
I will post it in this mailing list for validation. What do you think ?
Regards,
Dário

eric.valor@daimlerchrysler.com wrote: