I'm trying to set up LDAP through the RT-Authen-ExternalAuth plugin.

I have gotten far enough to log in as a user via LDAP but I want to restrict 
logins to a specific group within my Windows AD. I can't seem to get that part 
working. I know it's something I'm doing wrong but I'm not seeing what it is.

So, what I want is to allow users within a group "CSER" to be able to log in and 
create tickets. I want another group "ITAdmin" to be equivalent to the RTAdmin. 
How do I set this up?

Here is my current configuration:

Set($rtname, 'XXXXXX.ca');
Set($LogToFileNamed, "/var/tmp/rt3.error");
Set($LogToFile, 'debug');
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);
Set(@Plugins, qw(RT::Authen::ExternalAuth));
Set($ExternalSettings, {
    'My_LDAP' => {   ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        'auth' => 1,
        'info' => 1,
        # The server hosting the service
        'server' => 'XXX.XXX.XXX.XXX',
        # The username RT should use to connect to the LDAP server
        'user' => 'XXXXXX',
        # The password RT should use to connect to the LDAP server
        'pass' => 'XXXXXX',
        'base' => 'XXXXXX',
        'filter' => '(objectClass=Person)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users: the OID is the AD
        # bitwise-AND matching rule, 2 is the ACCOUNTDISABLE bit of
        # userAccountControl (the attribute name must be spelled exactly)
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'CSER',
        # What is the attribute for the group object that determines membership?
        'group_attr' => '',
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
        },
    },
});
1;

With the above configuration I am able to log in after I get an error because of 
the blank group_attr. What exactly is supposed to be there? Every attempt to 
put something there causes the login to fail. Sample debug follows:

[Mon Jun  1 19:20:27 2009] [debug]: RT's GnuPG libraries couldn't successfully read your configured GnuPG home directory (/opt/rt3/var/data/gpg). PGP support has been disabled (/opt/rt3/bin/../lib/RT/Config.pm:339)
[Mon Jun  1 19:20:32 2009] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Jun  1 19:20:32 2009] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Jun  1 19:20:32 2009] [debug]: Calling UserExists with $username (gagel) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Jun  1 19:20:32 2009] [debug]: UserExists params:
username: gagel , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Jun  1 19:20:32 2009] [debug]: LDAP Search ===  Base: ou=XXXXX=ca == Filter: (i(objectClass=Person)(sAMAccountName=XXXXX)) == Attrs: mail,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Jun  1 19:20:32 2009] [debug]: Password validation required for service - Executing... (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Mon Jun  1 19:20:32 2009] [debug]: Trying external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Mon Jun  1 19:20:32 2009] [debug]: LDAP Search ===  Base: ou=XXXXXX=ca == Filter: (l(sAMAccountName=XXXXX)(objectClass=Person)) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Mon Jun  1 19:20:32 2009] [debug]: Found LDAP DN: CN=XXXX,OU=XXXXXX=ca (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Mon Jun  1 19:20:32 2009] [debug]: RT's GnuPG libraries couldn't successfully read your configured GnuPG home directory (/opt/rt3/var/data/gpg). PGP support has been disabled (/opt/rt3/bin/../lib/RT/Config.pm:339)
[Mon Jun  1 19:20:32 2009] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Jun  1 19:20:32 2009] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Jun  1 19:20:32 2009] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Jun  1 19:20:32 2009] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

What am I doing wrong?

Kevin W. Gagel
Network Administrator
Local 5448
My blog:
http://mail.cnc.bc.ca/blogs/gagel
My shared files:
http://mail.cnc.bc.ca/users/gagel



_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
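An added walk-through of the checks the plugin is making in the debug output above, written as a stand-alone Python script; it is not part of the original post and not code from RT::Authen::ExternalAuth. My reading of the plugin is that `group` is expected to hold the group's full DN rather than its bare name, and `group_attr` the attribute on the group entry that lists its members, which in Active Directory is `member`; the script emulates that membership lookup (a scope-base search on the group DN), the `sAMAccountName` search visible in the log, and the `userAccountControl` bit test that the `1.2.840.113556.1.4.803` matching rule in `d_filter` asks the server to perform. It runs against a small constructed in-memory directory, so every DN, login name, address and group here is made up and no live AD is needed.

```python
"""Emulation of the login checks RT::Authen::ExternalAuth performs against LDAP.

Added example: a constructed in-memory directory stands in for Active Directory,
so the two searches (find the user's DN, then test group membership) and the
disabled-account bit test can be followed without a live server.
"""

ACCOUNTDISABLE = 0x2  # userAccountControl bit that the d_filter matching rule tests

# Constructed sample entries; every DN, name and address here is made up.
CSER_DN = "CN=CSER,OU=Groups,DC=example,DC=ca"
ITADMIN_DN = "CN=ITAdmin,OU=Groups,DC=example,DC=ca"
KEVIN_DN = "CN=Kevin Gagel,OU=Users,DC=example,DC=ca"
OLD_DN = "CN=Old Account,OU=Users,DC=example,DC=ca"
GUEST_DN = "CN=Guest User,OU=Users,DC=example,DC=ca"

DIRECTORY = {
    KEVIN_DN: {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["gagel"],
        "mail": ["gagel@example.ca"],
        "userAccountControl": ["512"],   # NORMAL_ACCOUNT
    },
    OLD_DN: {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["olddude"],
        "mail": ["old@example.ca"],
        "userAccountControl": ["514"],   # NORMAL_ACCOUNT | ACCOUNTDISABLE
    },
    GUEST_DN: {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["guest"],
        "mail": ["guest@example.ca"],
        "userAccountControl": ["512"],
    },
    CSER_DN: {"objectClass": ["top", "group"], "member": [KEVIN_DN, OLD_DN]},
    ITADMIN_DN: {"objectClass": ["top", "group"], "member": [KEVIN_DN]},
}


def ldap_escape(value):
    """Escape a value for use inside an LDAP filter (RFC 4515), so that a
    login name containing '*', '(' or ')' cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_filter(username, base_filter="(objectClass=Person)"):
    """The filter string the first search in the debug log would send: the
    configured 'filter' AND'ed with the attribute mapped to Name."""
    return "(&%s(sAMAccountName=%s))" % (base_filter, ldap_escape(username))


def _attr(entry, name):
    """LDAP attribute names are case-insensitive; look one up that way."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def find_user_dn(username):
    """Emulate the subtree search for the user. Exactly one matching person
    entry yields its DN; zero or several matches yield None (treating an
    ambiguous result as no user is the safe choice)."""
    wanted = username.lower()
    matches = [
        dn for dn, entry in DIRECTORY.items()
        if "person" in [v.lower() for v in _attr(entry, "objectClass")]
        and wanted in [v.lower() for v in _attr(entry, "sAMAccountName")]
    ]
    return matches[0] if len(matches) == 1 else None


def is_disabled(user_dn):
    """What '(userAccountControl:1.2.840.113556.1.4.803:=2)' asks the server:
    is the ACCOUNTDISABLE bit set in the user's userAccountControl value?"""
    uac = _attr(DIRECTORY[user_dn], "userAccountControl")
    return bool(uac) and (int(uac[0]) & ACCOUNTDISABLE) != 0


def in_group(user_dn, group_dn, group_attr="member"):
    """Emulate the membership search: base = the group's DN, scope = base,
    filter = (group_attr=user_dn). A blank group_attr can never match."""
    group = DIRECTORY.get(group_dn)
    if group is None or not group_attr:
        return False
    return user_dn.lower() in [m.lower() for m in _attr(group, group_attr)]


def authorize(username, group_dn, group_attr="member"):
    """Run the checks in sequence and report why a login is refused;
    on success return the user's DN."""
    user_dn = find_user_dn(username)
    if user_dn is None:
        return (False, "No User")
    if is_disabled(user_dn):
        return (False, "disabled")
    if not in_group(user_dn, group_dn, group_attr):
        return (False, "not in group")
    return (True, user_dn)


if __name__ == "__main__":
    print(user_filter("gagel"))
    for name in ("gagel", "olddude", "guest", "nobody"):
        print(name, authorize(name, CSER_DN))
```

Two things the script makes visible that the configuration alone does not: with `group_attr` left blank the membership search can never match, so the group restriction silently becomes "nobody", and the login name is escaped before it is placed into the filter, which is the property to check for in any code that builds LDAP filters from user input.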
