RT-Authen-ExternalAuth custom LDAP port

I have the RT-Authen-ExternalAuth module running nicely on our RT server
and am using LDAP for all authentication, but I’ve run into a little
problem I was hoping someone could shed some light on. I need to
authenticate users in a separate domain in the same AD forest, and I
found using ldapsearch that using port 3268 (Microsoft’s Global Catalog
port) is the only way the ldapsearch will query the other domain (there
was a problem with not following ldap referrals). However, using
RT-Authen-ExternalAuth I could not find any record of a variable that
will let you designate the ldap port, and when I try to modify the
LdapServer variable from: Set($LdapServer, 'ldap.test.com') to:
Set($LdapServer, 'ldap.test.com:3268') authentication fails for both
domains.

Does anyone know how I could go about modifying this? If all else fails
I’m going to try using apache’s ldap module for authentication and
change the ldap port there, but I’d rather stick with the RT solution.

Thanks for any input!

John Rodger wrote:

> I have the RT-Authen-ExternalAuth module running nicely on our RT server
> and am using LDAP for all authentication, but I’ve run into a little
> problem I was hoping someone could shed some light on. I need to
> authenticate users in a separate domain in the same AD forest, and I
> found using ldapsearch that using port 3268 (Microsoft’s Global Catalog
> port) is the only way the ldapsearch will query the other domain (there
> was a problem with not following ldap referrals). However, using
> RT-Authen-ExternalAuth I could not find any record of a variable that
> will let you designate the ldap port, and when I try to modify the
> LdapServer variable from: Set($LdapServer, 'ldap.test.com') to:
> Set($LdapServer, 'ldap.test.com:3268') authentication fails for both
> domains.
>
> Does anyone know how I could go about modifying this? If all else fails
> I’m going to try using apache’s ldap module for authentication and
> change the ldap port there, but I’d rather stick with the RT solution.

A simple config option is required. It’s just not as easy to find as
it’s technically a Net::LDAP config option not an ExternalAuth one:

In your RT_SiteConfig.pm:

    - 'net_ldap_args' => [ version => 3 ],
    + 'net_ldap_args' => [ version => 3, port => 3268 ],

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England

Thanks Mike! Made the change you mentioned, and it works like a charm,
autocreated users with AD info and all.

Last problem, some of our users have the same uid in both domains; this
causes a conflict and a failed login. Bad planning will always hurt in
the end…

From: mpeac@jennic.com [mailto:mpeac@jennic.com] On Behalf Of Mike Peachey
Sent: Wednesday, October 08, 2008 3:31 PM
To: John Rodger
Cc: rt-devel@lists.bestpractical.com
Subject: Re: [Rt-devel] RT-Authen-ExternalAuth custom LDAP port


John Rodger wrote:

> Thanks Mike! Made the change you mentioned, and it works like a charm,
> autocreated users with AD info and all.
>
> Last problem, some of our users have the same uid in both domains; this
> causes a conflict and a failed login. Bad planning will always hurt in
> the end…

I have yet to find a proper way to deal with multiple users with the
same details. I can only advise trying to get it to work off e-mail
addresses alone if the addresses are different in each domain. You would
have to strip down attr_match_list to just the e-mail address, or to
just one other piece of information about the user, but with uids and
e-mails you need to be careful 'cause RT still needs to make sure all
its internal users can be uniquely identified.

It’s tricky, what more can I say?
Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
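
The two settings discussed in this thread, shown together in one RT_SiteConfig.pm service block. This is an added example, not configuration posted by either participant: it follows the RT-Authen-ExternalAuth `$ExternalSettings` layout, and the service name `AD_GC`, the bind DN and password, the base DN, the filters and the AD attribute names are assumptions.

```perl
# Added example for RT_SiteConfig.pm; not taken from the thread.
# Hypothetical values: service name 'AD_GC', bind account, base DN,
# filters and AD attribute names. Host and port are the ones in the thread.
Set($ExternalAuthPriority, [ 'AD_GC' ]);
Set($ExternalInfoPriority, [ 'AD_GC' ]);

Set($ExternalSettings, {
    'AD_GC' => {
        'type'   => 'ldap',
        # Host name only; the port is not appended here as "host:port".
        'server' => 'ldap.test.com',
        'user'   => 'CN=rt-bind,OU=Service,DC=test,DC=com',  # placeholder
        'pass'   => 'CHANGE_ME',                              # placeholder
        # Assumed forest root, so that a Global Catalog search covers
        # both domains without following referrals.
        'base'   => 'DC=test,DC=com',
        'filter' => '(objectClass=user)',
        # Assumed filter for disabled AD accounts (userAccountControl bit 2).
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'    => 0,
        # Extra arguments for the Net::LDAP connection; the port goes here.
        # 3268 is the Global Catalog port and is not encrypted by itself,
        # so bind credentials cross the network in clear text on this port.
        'net_ldap_args' => [ version => 3, port => 3268 ],
        # Match on e-mail address alone, as suggested in the thread for
        # accounts whose uid exists in both domains. Every RT user must
        # still be uniquely identifiable by what is listed here.
        'attr_match_list' => [ 'EmailAddress' ],
        # RT user field => LDAP attribute.
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
        },
    },
});
```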
