>-----Original Message-----
>From: Mike Peachey [mailto:mike.peac...@jennic.com]
>Sent: 14 May 2010 10:33
>To: Julian Grunnell; rt-users@lists.bestpractical.com
>Subject: Re: [rt-users] RT & mysql / LDAP Auth
>
>Julian Grunnell wrote:
>
>> Right, thanks - that makes sense now. I misunderstood the use of this
>> and thought you had to define ALL the authentication methods you wanted
>> to use. So I have removed the MySQL section completely from the config
>> and tried again with different results. Using my LDAP credentials I
>> still get "Your username or password is incorrect" BUT RT has created me
>> as a user, the "Let this user be granted rights" box is unchecked and
>> I'm NOT a member of any Groups. The logs created when this was done are:
>
>1. It found you and loaded your information from LDAP just as it should.
>2. ExternalAuth cannot currently add you to any internal RT groups based
>on LDAP information, this must be done in the RT administration panels.
>3. If you want LDAP users to be automatically assigned "Let this user be
>granted rights" then you may do so with this config setting:
>    Set($AutoCreate, {Privileged => 1});
>Otherwise it will need setting manually along with group membership.
>
>
>The only thing that is now failing for you is authentication and the
>reason is now obvious:
>
>Your config
>#######################################################################
># Does authentication depend on group membership? What group name?
>'group' => 'GROUP_NAME',
># What is the attribute for the group object that determines membership?
>'group_attr' => 'GROUP_ATTR',
>#######################################################################
>
>Your log
>#######################################################################
>[Fri May 14 08:22:42 2010] [critical]: Search for (GROUP_ATTR=CN=Julian Grunnell,OU=Technical,OU=Users,OU=Leeds,OU=Webfusion,OU=Hosting,OU=Corp,DC=internal,DC=hosteurope,DC=com) failed: LDAP_INVALID_DN_SYNTAX 34
>#######################################################################
>
>You have told ExternalAuth that all ldap users must be in an ldap group
>named GROUP_NAME and that in order to confirm that the users are a
>member of that group, the members should be in the GROUP_ATTR attribute
>of that group.
>
>If you simply comment out group and group_attr it should work fine. If
>in future you wish to restrict access by group, ensure the group name is
>specified in full ldap dn form.
>--

[>] Thanks Mike - appreciate your help with this, made the changes you suggest and it works a treat now. Now to look at the script that can convert to ldap style logins.
Julian.
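
Added example, not part of the original thread or of the ExternalAuth distribution: the two group settings discussed above as they would look in RT_SiteConfig.pm. The service name 'My_LDAP', the group DN and the 'member' attribute are constructed placeholders.

```perl
# RT_SiteConfig.pm: group-related keys of the ExternalAuth LDAP service only.
# 'My_LDAP' and the group DN below are constructed placeholders; keep the
# other keys of your existing service block (server, base, filter, ...) as they are.

Set($ExternalSettings, {
    'My_LDAP' => {
        'type' => 'ldap',
        # ... existing connection and attribute-mapping keys unchanged ...

        # Option A: no group restriction (the fix applied in this thread).
        # Any account that the base/filter matches and that authenticates
        # may log in. Leave both keys commented out:
        # 'group'      => 'GROUP_NAME',
        # 'group_attr' => 'GROUP_ATTR',

        # Option B: restrict logins to members of one LDAP group.
        # 'group' must be the group's full DN; the sample placeholders
        # GROUP_NAME / GROUP_ATTR are what led to the
        # LDAP_INVALID_DN_SYNTAX failure in the log above.
        # 'group_attr' is the attribute on the group entry that holds the
        # members' DNs ('member' is an assumption; it depends on the
        # directory schema).
        'group'      => 'CN=RT-Users,OU=Groups,DC=example,DC=com',
        'group_attr' => 'member',
    },
});

# Optional, from the reply above: mark auto-created users as privileged.
# This applies to every auto-created user, not only to members of a
# particular LDAP group.
Set($AutoCreate, {Privileged => 1});
```

Use either Option A or Option B, not both; the block shows B active with A left as comments.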