I'm trying to set up LDAP through the RT-Authen-ExternalAuth plugin. I have gotten far enough to log in as a user via LDAP, but I want to restrict logins to a specific group within my Windows AD. I can't seem to get that part working. I know it's something I'm doing wrong, but I'm not seeing what it is.
So, what I want is to allow users within a group "CSER" to be able to log in and create tickets. I want another group "ITAdmin" to be equivalent to the RTAdmin. How do I set this up? Here is my current configuration:

Set($rtname, 'XXXXXX.ca');
Set($LogToFileNamed, "/var/tmp/rt3.error");
Set($LogToFile, 'debug');
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);
Set(@Plugins, qw(RT::Authen::ExternalAuth));
Set($ExternalSettings, {
    'My_LDAP' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        'auth' => 1,
        'info' => 1,
        # The server hosting the service
        'server' => 'XXX.XXX.XXX.XXX',
        # The username RT should use to connect to the LDAP server
        'user' => 'XXXXXX',
        # The password RT should use to connect to the LDAP server
        'pass' => 'XXXXXX',
        'base' => 'XXXXXX',
        'filter' => '(objectClass=Person)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        # (the attribute is userAccountControl; a misspelled attribute name here
        # matches nothing, so disabled accounts would never be rejected)
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'CSER',
        # What is the attribute for the group object that determines membership?
        'group_attr' => '',
        'attr_match_list' => [ 'Name', 'EmailAddress', ],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
        }
    }
});
1;

With the above configuration I am able to log in after I get an error because of the blank group_attr. What exactly is supposed to be there? Every attempt to put something there causes the login to fail. Sample debug follows:

[Mon Jun 1 19:20:27 2009] [debug]: RT's GnuPG libraries couldn't successfully read your configured GnuPG home directory (/opt/rt3/var/data/gpg). PGP support has been disabled (/opt/rt3/bin/../lib/RT/Config.pm:339)
[Mon Jun 1 19:20:32 2009] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Jun 1 19:20:32 2009] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Jun 1 19:20:32 2009] [debug]: Calling UserExists with $username (gagel) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Jun 1 19:20:32 2009] [debug]: UserExists params: username: gagel , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Jun 1 19:20:32 2009] [debug]: LDAP Search === Base: ou=XXXXX=ca == Filter: (&(objectClass=Person)(sAMAccountName=XXXXX)) == Attrs: mail,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Jun 1 19:20:32 2009] [debug]: Password validation required for service - Executing... (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Mon Jun 1 19:20:32 2009] [debug]: Trying external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Mon Jun 1 19:20:32 2009] [debug]: LDAP Search === Base: ou=XXXXXX=ca == Filter: (&(sAMAccountName=XXXXX)(objectClass=Person)) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Mon Jun 1 19:20:32 2009] [debug]: Found LDAP DN: CN=XXXX,OU=XXXXXX=ca (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Mon Jun 1 19:20:32 2009] [debug]: RT's GnuPG libraries couldn't successfully read your configured GnuPG home directory (/opt/rt3/var/data/gpg). PGP support has been disabled (/opt/rt3/bin/../lib/RT/Config.pm:339)
[Mon Jun 1 19:20:32 2009] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Jun 1 19:20:32 2009] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Jun 1 19:20:32 2009] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Jun 1 19:20:32 2009] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

What am I doing wrong?

Kevin W. Gagel
Network Administrator
Local 5448
My blog: http://mail.cnc.bc.ca/blogs/gagel
My shared files: http://mail.cnc.bc.ca/users/gagel
_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com
Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
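The group-gating settings are the part of the posted configuration that does not match what the plugin expects, and the blank `group_attr` is the symptom. RT::Authen::ExternalAuth's LDAP back end checks membership by running a second search with `base` set to the value of `'group'`, scope `base`, and the filter `(<group_attr>=<user DN>)`, where the user DN is the one the first search returned ("Found LDAP DN" in the log). So `'group'` has to be the full DN of the group object rather than its short name, and `'group_attr'` has to be the attribute of that group object that lists member DNs: `member` for Active Directory groups (`memberUid` on a posixGroup and `uniqueMember` on a groupOfUniqueNames hold other values and need different settings). Below is an added example of the corrected service definition; it is not taken from the original post or from the RT::Authen::ExternalAuth distribution, and the domain `example.ca`, the host `dc1.example.ca`, the service-account DN, the search base and the group DN are placeholders you would replace with your own values. It also turns TLS on, because with `tls => 0` the bind password and every user's password cross the network in the clear.

```perl
# Added example: RT_SiteConfig.pm fragment for RT::Authen::ExternalAuth with
# group-restricted logins against Active Directory. Not from the original post
# or the plugin's own docs. All DNs, hostnames and the password are placeholders.
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);
Set(@Plugins, qw(RT::Authen::ExternalAuth));

Set($ExternalSettings, {
    'My_LDAP' => {
        'type' => 'ldap',
        'auth' => 1,
        'info' => 1,
        # Use the hostname (placeholder) rather than an IP so the TLS certificate
        # presented by the domain controller can be matched against it.
        'server' => 'dc1.example.ca',
        # Bind with a read-only, low-privilege service account (placeholder DN);
        # this account's password sits in plain text in the RT config.
        'user' => 'CN=rt-ldap,OU=Service Accounts,DC=example,DC=ca',
        'pass' => 'CHANGEME',
        'base' => 'OU=Staff,DC=example,DC=ca',        # placeholder search base
        'filter' => '(objectClass=Person)',
        # Disabled accounts: bit 2 of userAccountControl, tested with AD's
        # bitwise-AND matching rule. Spell the attribute name exactly; a typo
        # here matches nothing and disabled accounts are no longer rejected.
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # The original post had tls => 0. Bind and user passwords travel on this
        # connection, so require STARTTLS.
        'tls' => 1,
        'net_ldap_args' => [ version => 3 ],
        # Group gating. The plugin searches base => 'group', scope => 'base',
        # filter => "(group_attr=<user DN>)". Hence:
        #   'group'      = the full DN of the group object (placeholder below)
        #   'group_attr' = the group attribute holding member DNs ('member' in AD)
        'group'      => 'CN=CSER,OU=Groups,DC=example,DC=ca',
        'group_attr' => 'member',
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
        },
    },
});
1;
```

Two checks before relying on it. First, reproduce the plugin's membership query from the shell with the same bind account, substituting the DN that appears after "Found LDAP DN" in the debug log: `ldapsearch -x -ZZ -H ldap://dc1.example.ca -D 'CN=rt-ldap,OU=Service Accounts,DC=example,DC=ca' -W -b 'CN=CSER,OU=Groups,DC=example,DC=ca' -s base '(member=CN=Kevin Gagel,OU=Staff,DC=example,DC=ca)' dn` should return the group entry for a member and no entries for anyone else; if it returns nothing for a known member, the DN string or the group DN is what is wrong, not RT. Second, because the check is an exact DN match against the group's `member` attribute, membership inherited through nested groups is not seen; users must be direct members of CSER. The plugin only decides whether a login is allowed at all and carries no group-to-rights mapping, so making ITAdmin members administrators is done by granting rights to those users inside RT once they exist there, not in this configuration block.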