
Mailing List Archive: Request Tracker: Users

RT::Authen::ExternalAuth with AD...




ges at wingfoot

Apr 19, 2012, 11:48 AM

Post #1 of 7 (945 views)
RT::Authen::ExternalAuth with AD...

Greetings.. :)

I'm at $work, trying to set up AD authentication for RT 4.0.5.

I'm getting the following error:

[Thu Apr 19 18:38:57 2012] [critical]:
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
LDAP_INVALID_CREDENTIALS 49
(/data/IH-Websites/rt/sbin/../local/lib/RT/Authen/ExternalAuth/LDAP.pm:492)
[Thu Apr 19 18:38:57 2012] [error]: FAILED LOGIN for gsieb from 10.200.4.5
(/data/IH-Websites/rt/sbin/../lib/RT/Interface/Web.pm:665)

We created a user to authenticate to AD for RT to use (RT_AD_USER).

The goal is to be able to log in as USERNAME (as opposed to
USERNAME@intranet).

Any help would be greatly appreciated. I have to have this live by EOB
today.. (yay for last minute projects)!

Thanks in advance, everyone. My RT_SiteConfig.pm follows...

Best,
--Glenn


RT_SiteConfig.pm:

Set( $rtname, '$WORK.TLD');
Set( $Organization , '$WORK.TLD');
Set( $UseTransactionBatch , 1);
Set( @EmailInputEncodings, qw(utf-8 big5 us-ascii) );
Set( $WebBaseURL, 'https://helpdesk.$WORK.TLD');
Set( $WebDomain, 'helpdesk.$WORK.TLD');
Set( $CompanySpecific , '$WORK');
Set( $DatabaseUser , 'rt_user');
Set( $DatabasePassword , 'rt_user_password');
Set( $NotifyActor , 0);
Set( $WebPath , "");
Set( $WebURL , $WebBaseURL . $WebPath . "/");
Set( $WebImagesURL , $WebPath . "/NoAuth/images/");
Set( $CorrespondAddress , 'help@$WORK.TLD');
Set( $CommentAddress , 'help-comment@$WORK.TLD');
Set( $SendmailPath , "/usr/local/sbin/sendmail");
Set( $Timezone , 'US/Eastern');
Set( $ParseNewMessageForTicketCcs, 1);
Set( $RTAddressRegexp , '^(help|help-comment)+\@$WORK\.TLD$');
Set( $LogToSyslog, "info");

# RT::Authen::ExternalAuth: authenticate users against AD over LDAP and
# populate their RT records from the attributes in attr_map.
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set( $ExternalAuthPriority, ['eFS_LDAP']);
Set( $ExternalServiceUsesSSLorTLS, 0);
Set( $AutoCreateNonExternalUsers, 0);
Set( $ExternalInfoPriority, ['eFS_LDAP']);
Set( $ExternalSettings, {
    'eFS_LDAP' => {
        'type'   => 'ldap',
        'server' => 'DC01.intranet.local',
        # Service account RT binds as before it searches for the login name.
        # This is the bind that fails with LDAP_INVALID_CREDENTIALS (49) in the
        # log above; AD may want it as user@domain or a full DN, not a bare name.
        'user'   => 'RT_AD_USER',
        'pass'   => 'RT_AD_USER_PASS',
        'base'   => 'dc=intranet,dc=local',
        # Every object under base is a candidate; attr_match_list decides which
        # attributes the typed login name is compared against.
        'filter'   => '(objectClass=*)',
        # Objects matching d_filter are treated as disabled. pwdPolicy is an
        # OpenLDAP ppolicy objectClass that AD user accounts do not carry; AD
        # marks a disabled account with bit 2 (0x2) of userAccountControl.
        'd_filter' => '(objectclass=pwdPolicy)',
        # Plain LDAP on 389: the service-account password and every user's
        # password cross the wire unencrypted.
        'tls'           => 0,
        'ssl_version'   => 3,
        'net_ldap_args' => [ version => 3 ],
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
        },
    },
});

1;


ges at wingfoot

Apr 19, 2012, 3:46 PM

Post #2 of 7 (904 views)
Re: RT::Authen::ExternalAuth with AD... [In reply to]

Thanks to jibsheet & Paul in the IRC channel for their help!

Best,
--Glenn


jblaine at kickflop

Apr 19, 2012, 6:23 PM

Post #3 of 7 (893 views)
Re: RT::Authen::ExternalAuth with AD... [In reply to]

Share the solution?

On 4/19/2012 6:46 PM, Glenn Sieb wrote:
> Thanks to jibsheet & Paul in the IRC channel for their help!
>
> Best,
> --Glenn
>
>
>


ges at wingfoot

Apr 19, 2012, 7:57 PM

Post #4 of 7 (904 views)
Re: RT::Authen::ExternalAuth with AD... [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 4/19/12 9:23 PM, Jeff Blaine wrote:
> Share the solution?

In the LDAP definition of RT_SiteConfig, where you set up the user to
query as, and such, the LDAP user login wasn't working until we added
the @domain.ou bit to the end of it.

So if the AD domain is dc=intranet,dc=local, the user had to be
user@intranet, then it started working.

And there was much rejoicing in the office when it did.. :-)

Best,
- --Glenn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+Q0JgACgkQf5MxTDXTimGssQCfbvzngA/izrXfwr9JWO6Yo8Xz
Nv4An3umOoIb/OQ/hIzpvEECAx6j271q
=EEfV
-----END PGP SIGNATURE-----


jvdwege at xs4all

Apr 19, 2012, 11:52 PM

Post #5 of 7 (902 views)
Re: RT::Authen::ExternalAuth with AD... [In reply to]

Glenn Sieb wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 4/19/12 9:23 PM, Jeff Blaine wrote:
>
>> Share the solution?
>>
>
> In the LDAP definition of RT_SiteConfig, where you set up the user to
> query as, and such, the ldap user login wasn't working until we added
> the @domain.ou bit to the end of it.
>
> So if the AD domain is dc=intranet,dc=local, the user had to be
> user@intranet then it started working.
>
I'm also using AD and I don't have to add the @domain.local to my login.
I had a look at your RT_SiteConfig but didn't see the obvious. Will
check later to see what difference there is between my and yours.

Joop


falcone at bestpractical

Apr 20, 2012, 5:49 AM

Post #6 of 7 (896 views)
Re: RT::Authen::ExternalAuth with AD... [In reply to]

On Fri, Apr 20, 2012 at 08:52:34AM +0200, Joop wrote:
> Glenn Sieb wrote:
> >On 4/19/12 9:23 PM, Jeff Blaine wrote:
> >>Share the solution?
> >
> >In the LDAP definition of RT_SiteConfig, where you set up the user to
> >query as, and such, the ldap user login wasn't working until we added
> >the @domain.ou bit to the end of it.
> >
> >So if the AD domain is dc=intranet,dc=local, the user had to be
> >user@intranet then it started working.
> I'm also using AD and I don't have to add the @domain.local to my
> login. I had a look at your RT_SiteConfig but didn't see the
> obvious. Will check later to see what difference there is between my
> and yours.

AD varies wildly. Sometimes a username is enough, sometimes you need
username@real and sometimes you need a full DN. If you're lucky, you
can get an AD Admin to read the logs, but most of the time you just
have to try all three until it works.

This is why the list often suggests testing with ldapsearch to debug
auth problems.

-kevin
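The "try all three until it works" step, done with ldapsearch as the list suggests, as an added example that is not part of the thread or of RT::Authen::ExternalAuth. The script builds the bind identities a DC may accept for the service account (bare sAMAccountName, user@shortdomain as in Glenn's fix, user@dns.domain, and a full DN), attempts a simple bind with each, and on the first success runs the sAMAccountName lookup RT would perform next. Assumptions: OpenLDAP's ldapsearch is on PATH, the host, account and base DN are the thread's placeholders, the password is read from a file (ldapsearch -y) so it does not appear in process listings, and the full-DN guess places the account under CN=Users unless you pass its real DN as the optional sixth argument.

```shell
#!/bin/sh
# ad-bind-probe.sh: find out which bind identity an AD domain controller accepts
# for RT's ExternalAuth service account, then run RT's user lookup with it.
# Example code, not from the thread or from RT. Requires OpenLDAP ldapsearch.

# dn_to_domain 'dc=intranet,dc=local'  ->  intranet.local
dn_to_domain() {
    printf '%s\n' "$1" | sed -e 's/ //g' -e 's/[dD][cC]=//g' -e 's/,/./g'
}

# bind_candidates USER BASE_DN [USER_DN]
# One candidate bind identity per line, in the order worth trying.
# The CN=Users location of the account is an assumption; pass the real DN.
bind_candidates() {
    local user base dn domain short
    user=$1; base=$2
    dn=${3:-"CN=$1,CN=Users,$2"}
    domain=$(dn_to_domain "$base")
    short=${domain%%.*}
    printf '%s\n' "$user"                      # bare sAMAccountName
    printf '%s@%s\n' "$user" "$short"          # user@intranet (the form that worked in the thread)
    if [ "$short" != "$domain" ]; then
        printf '%s@%s\n' "$user" "$domain"     # user@intranet.local (UPN with DNS suffix)
    fi
    printf '%s\n' "$dn"                        # full distinguished name
}

# try_bind HOST IDENTITY PASSFILE
# Simple bind over plain LDAP, as RT does with tls => 0. A root-DSE search
# needs no read rights, so only the bind is being tested. ldapsearch exits
# with the LDAP result code: 49 is LDAP_INVALID_CREDENTIALS, the error in the log.
try_bind() {
    ldapsearch -x -LLL -H "ldap://$1" -D "$2" -y "$3" \
        -s base -b '' '(objectClass=*)' namingContexts >/dev/null 2>&1
}

# lookup_user HOST IDENTITY PASSFILE BASE_DN LOGIN
# The search RT performs once bound: match the typed login under 'base' and
# pull the attributes named in attr_map, plus the flag AD uses for disabled accounts.
lookup_user() {
    ldapsearch -x -LLL -o ldif-wrap=no -H "ldap://$1" -D "$2" -y "$3" \
        -b "$4" "(sAMAccountName=$5)" sAMAccountName mail userAccountControl
}

# probe HOST SERVICE_ACCOUNT PASSFILE BASE_DN LOGIN [SERVICE_ACCOUNT_DN]
probe() {
    local host acct passfile base login who candidates old_ifs
    host=$1; acct=$2; passfile=$3; base=$4; login=$5
    candidates=$(bind_candidates "$acct" "$base" "${6:-}")
    old_ifs=$IFS; IFS='
'
    set -- $candidates
    IFS=$old_ifs
    for who in "$@"; do
        if try_bind "$host" "$who" "$passfile"; then
            echo "bind OK as: $who   (use this value for 'user' in \$ExternalSettings)"
            lookup_user "$host" "$who" "$passfile" "$base" "$login"
            return 0
        fi
        echo "bind failed as: $who"
    done
    echo "no bind form accepted: check the account, the password file, and whether the DC requires TLS" >&2
    return 1
}

if [ "$#" -ge 5 ]; then
    probe "$@"
fi
```

Usage with the thread's placeholders: `./ad-bind-probe.sh DC01.intranet.local RT_AD_USER /root/rt_ad.pw dc=intranet,dc=local gsieb`. Because the bind is a simple bind over port 389, run this from the RT host itself and keep the password file mode 0600; switching the DC to LDAPS or StartTLS (and `tls => 1` in RT) is the fix for the cleartext password, not part of the probe.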


ges at wingfoot

Apr 21, 2012, 8:49 AM

Post #7 of 7 (871 views)
Re: RT::Authen::ExternalAuth with AD... [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 4/20/12 2:52 AM, Joop wrote:
> Glenn Sieb wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>
>> On 4/19/12 9:23 PM, Jeff Blaine wrote:
>>
>>> Share the solution?
>>>
>>
>> In the LDAP definition of RT_SiteConfig, where you set up the
>> user to query as, and such, the ldap user login wasn't working
>> until we added the @domain.ou bit to the end of it.
>>
>> So if the AD domain is dc=intranet,dc=local, the user had to be
>> user@intranet then it started working.
>>
> I'm also using AD and I don't have to add the @domain.local to my
> login. I had a look at your RT_SiteConfig but didn't see the
> obvious. Will check later to see what difference there is between
> my and yours.

Unsure--the one I posted to pastebin was the one that wasn't working.

I'm just happy it's working :) I'm also happy we were able to demo
this to the company on Friday afternoon, and it was a big hit.

Now to figure out Approvals.. :)

Best,
- --Glenn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+S1vMACgkQf5MxTDXTimEI3wCeLaCWQ3b7fAtxyMIthvc0ATk+
ejYAn2TBnBhn6DVS4hibyhfRq1NEbdpI
=AMs6
-----END PGP SIGNATURE-----
