I'm going down the route of integrating a new RT 3.8.1 install into a
Windows 2003 Active Directory environment, and after going through the
wiki web of information, I found that the "proper" method is now
RT::Authen::ExternalAuth. That was, unfortunately, after I tried
several other methods.
Anyhow, I saw a couple of postings on the list (specifically:
[rt-users] RT version 3.8.0 and RT-Authen-ExternalAuth-0.05),
and managed to get things configured, but not functioning.
I am able to successfully ldapsearch:
ldapsearch -LLL -x -D "CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local" -w ourpasswd -h ad.ourdomain.local "(objectClass=Person)" -b "dc=ourdomain,dc=local"
And I tried a couple of different variants for searching with command
line success: (objectClass=*), (sAMAccountName=user)
However, I cannot seem to get it to work for RT. I'm getting "Your
username or password is incorrect" after only a few seconds of
processing. Probably the thing preventing me from debugging this
further is... well... I'm not sure how to turn up the volume on the
debugging. The most I am seeing in the logs is the login failure.
Any ideas?
Thanks!
-Rich
RT_SiteConfig.pm contains:
# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority, [ 'My_LDAP' ]);

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
# Once user info is found, no more services are checked.
Set($ExternalInfoPriority, [ 'My_LDAP' ]);

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS, 0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 1);

# These are the full settings for each external service as a HashOfHashes.
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
# Set($ExternalAuthPriority, ['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
Set($ExternalSettings, {
    # AN EXAMPLE LDAP SERVICE
    'My_LDAP' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'   => 'ldap',
        # Should the service be used for authentication?
        'auth'   => 1,
        # Should the service be used for information?
        'info'   => 1,
        # The server hosting the service
        'server' => 'ad.ourdomain.local',

        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        # The username RT should use to connect to the LDAP server
        'user'   => 'CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local',
        # The password RT should use to connect to the LDAP server
        'pass'   => 'ourpasswd',
        # The LDAP search base
        'base'   => 'dc=ourdomain,dc=local',
        # The filter to use to match RT-Users
        'filter' => '(objectclass=Person)',
        # The filter that will only match disabled users: the ACCOUNTDISABLE
        # bit (2) of userAccountControl, tested with the AD bitwise-AND
        # matching rule 1.2.840.113556.1.4.803. Keep it on one line (whitespace
        # inside a filter breaks it) and define the key only once; a repeated
        # hash key silently overrides the earlier value.
        'd_filter' => '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))',
        # Should we try to use TLS to encrypt connections?
        'tls'    => 0,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group'  => '',
        # What is the attribute for the group object that determines membership?
        'group_attr' => '',

        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName', 'WorkPhone', 'Address2' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
});

1;
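The "username or password is incorrect" message hides which of the module's LDAP steps actually failed. The script below is an added example (it is not from the post and not RT::Authen::ExternalAuth's own code) that replays those steps by hand with the same ldapsearch the post already shows working, so each one can be checked in isolation. It assumes the module's flow is: bind as the configured service account, search `base` for `(&(<attr_map Name>=<login>)<filter>)`, reject the login if the same search ANDed with `d_filter` matches, and finally bind as the DN that came back using the password typed into RT. The server, DNs and passwords are the placeholder values from the post; the `LDAP` dict and every function name are this example's own.

```python
"""Walk through the LDAP steps RT::Authen::ExternalAuth performs, by hand.

Added example, not code from the original post or from the module. It assumes
the module's flow is: bind as the service account, search `base` for
(&(<attr_map Name>=<login>)<filter>), reject the login if the same search
with `d_filter` matches, then bind as the DN that came back with the login
password. Server, DNs and passwords are the placeholder values from the post.
"""
import getpass
import subprocess
import sys

# The relevant 'My_LDAP' settings from the post's RT_SiteConfig.pm (placeholders).
LDAP = {
    "server": "ad.ourdomain.local",
    "user": "CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local",
    "pass": "ourpasswd",
    "base": "dc=ourdomain,dc=local",
    "filter": "(objectclass=Person)",
    "d_filter": "(&(objectCategory=person)(objectClass=user)"
                "(userAccountControl:1.2.840.113556.1.4.803:=2))",
    "name_attr": "sAMAccountName",  # attr_map{'Name'}
}

# RFC 4515 escaping for a value spliced into a filter: a login containing
# * ( ) \ or NUL must not be able to change the shape of the query.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(cfg, login):
    """Filter that must match exactly one entry for this login."""
    return "(&(%s=%s)%s)" % (cfg["name_attr"], escape_filter_value(login), cfg["filter"])


def disabled_filter(cfg, login):
    """Filter that matches only if this login's account is disabled."""
    return "(&(%s=%s)%s)" % (cfg["name_attr"], escape_filter_value(login), cfg["d_filter"])


def search_cmd(cfg, flt):
    """ldapsearch argv, bound as the service account; '1.1' asks for DNs only.
    -w exposes the password in the process list; prefer -y <file> on shared hosts."""
    return ["ldapsearch", "-LLL", "-x", "-h", cfg["server"], "-D", cfg["user"],
            "-w", cfg["pass"], "-b", cfg["base"], flt, "1.1"]


def user_bind_cmd(cfg, user_dn, password):
    """ldapwhoami argv: the simple bind RT does with the user's own credentials."""
    return ["ldapwhoami", "-x", "-h", cfg["server"], "-D", user_dn, "-w", password]


def parse_dns(ldif):
    """DNs of the entries in ldapsearch's LDIF output."""
    return [line[4:].strip() for line in ldif.splitlines() if line.startswith("dn: ")]


def check_login(cfg, login, password, run=lambda argv: subprocess.run(
        argv, capture_output=True, text=True)):
    """Return (step, ok, detail); the first failing step says where to look."""
    out = run(search_cmd(cfg, user_filter(cfg, login)))
    if out.returncode != 0:  # service-account bind or base DN is wrong
        return ("service bind/search", False, out.stderr.strip())
    dns = parse_dns(out.stdout)
    if len(dns) != 1:  # 'filter' plus attr_map{Name} must pin down one entry
        return ("user lookup", False, "%d entries matched %s" % (len(dns), user_filter(cfg, login)))
    if parse_dns(run(search_cmd(cfg, disabled_filter(cfg, login))).stdout):
        return ("disabled check", False, dns[0] + " matches d_filter")
    who = run(user_bind_cmd(cfg, dns[0], password))
    return ("user bind", who.returncode == 0, (who.stderr or who.stdout).strip())


if __name__ == "__main__":
    name = sys.argv[1]
    print(check_login(LDAP, name, getpass.getpass("Password for %s: " % name)))
```

Run it as `python check_ldap.py rich` on the RT host and it reports the first step that fails: a non-zero return from the first search means the service bind or base is wrong, "0 entries matched" means `filter` and `attr_map{Name}` do not find the login, a hit on `d_filter` means the account is disabled, and a failed `ldapwhoami` means the user's own bind is rejected. The `run` parameter exists so the same logic can be exercised with canned output. To get the module's own trace of these steps from inside RT, raise RT's log level in RT_SiteConfig.pm (for example `Set($LogToSyslog, 'debug');`, or `Set($LogToFile, 'debug');` together with `$LogDir` and `$LogToFileNamed`) and restart the web server; the module logs its binds and searches at debug level.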