I found another guide that outlines how to set up ExternalAuth for AD on the wiki
http://wiki.bestpractical.com/view/CentOS5InstallPlusSome

Others following this thread might find it useful...

I did learn that you're looking for the full cn/ou path for your user, not just a username...(I forgot that's how LDAP finds users)....

Haris you might want to check that in your config... didn't help me *shrug* but might help you.

Thanks!
Mike.

On Fri, Jul 23, 2010 at 9:18 AM, Mike Johnson <[email protected]> wrote:

> Hi Haris,
>
> No go yet.
>
> Kenneth did send some info for me to check out, perhaps it may help you...
>
> **Kenneth's email cut/pasted**
> Mike,
> First off, check to see how you've set $WebExternalAuto. I'm not sure how
> that would affect LDAP if it was turned on.
> Second, I'll assume you've set your "Plugins" appropriately to include
> "RT::Authen::ExternalAuth".
> Thirdly, you have to make sure certain LDAP parameters are consistent (ie.
> if you're using TLS, etc.).
> Below is what we use for our list of parameters:
>
> Set($ExternalAuthPriority, [ 'My_LDAP' ] );
> Set($ExternalInfoPriority, [ 'My_LDAP' ] );
> Set($ExternalServiceUsesSSLorTLS, 1);
> Set($AutoCreateNonExternalUsers, 0);
>
> Set(
>     $ExternalSettings,
>     {
>         'My_LDAP' =>
>         {
>             'type' => 'ldap',
>             'server' => 'ldap.lbl.gov',
>             'user' => '',
>             'pass' => '',
>             'base' => 'ou=People,o=name of our company,c=US',
>             'filter' => '(&(status that equals active)(|(dicision code)))',
>             'd_filter' => '(!(|(lblEmpStat=Staff)(lblEmpStat=Guest)))',
>             'tls' => 1,
>             'net_ldap_args' => [ version => 3 ],
>             'attr_match_list' => ['Name',
>                                   'EmailAddress',
>                                   'RealName',
>                                   'uid'
>                                  ],
>             'attr_map' => {'Name' => 'uid',
>                            'EmailAddress' => 'mail',
>                            'Organization' => 'o',
>                            'RealName' => 'cn',
>                            'ExternalAuthId' => 'uid',
>                            'Gecos' => 'uid',
>                            'WorkPhone' => 'telephonenumber',
>                            'Address1' => 'lblmailstop',
>                            'Address2' => 'postaladdress'
>                           }
>         }
>     }
> );
> 1;
>
> I don't think the attr_map would affect this, but your match list could.
> Anyway, check it all out cause if there are any inconsistencies (like TLS
> being used and on), it will fail.
> Hope this helps.
> Kenn
> LBNL
>
> *** end cut/paste**
>
> On Thu, Jul 22, 2010 at 7:23 PM, M.F.Haris <[email protected]> wrote:
>
>> Hi Mike,
>> I am also facing the same problem and I have checked my configuration over
>> and over, also compared with some available on the internet.
>> In my case I didn't enter any attribute with a blank value like the 'group'
>> attribute in your case, but the rest of the things are similar to what I have
>> entered.
>>
>> I get a message 'Failed to Login with user (myuser) ... '
>>
>> Do you get the same error message? Please share your experience if you are
>> able to solve this crap.
>>
>> Thanks
>> Haris
>>
>>
>> On Thu, Jul 22, 2010 at 3:59 PM, Mike Johnson <[email protected]> wrote:
>>
>>> Hi everyone,
>>>
>>> Where do I start debugging my setup??
>>>
>>> I have CentOS5.5, RT3.8.8, ExternalAuth 0.8 attempting to connect to an
>>> Active Directory LDAP.
>>>
>>> Everything loads fine (I get no errors from my config files). I've loaded
>>> the ExternalAuth plugin, but when I attempt to log in to the UI with an LDAP
>>> user, I get an invalid user/pass. The only error/logging I can find
>>> anywhere is in syslog and that just tells me the same thing...
>>>
>>> I'm connecting to an Active Directory server, and with some
>>> googling/rt-users searching I found the following settings to use.
>>>
>>>     'filter' => '(objectCategory=User)',
>>>     'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>>
>>>
>>> I've left group and group_attr blank (is that allowed?) as I want all
>>> users found under my base DN to be able to use RT.
>>>
>>> In the attr_match_list I have name and email address only.
>>> In attr_map I have the sAMAccountName, mail and cn mapped to their
>>> respective places in RT.
>>>
>>> I've tested the user/pass I'm using (our LDAP is set up to not allow
>>> anonymous unfortunately, so I have to use an account to bind).
>>>
>>> I can't seem to find where ExternalAuth would toss an error out for me to
>>> read if it's failing because of the arguments I've set...
>>>
>>> Any help would be appreciated.
>>> --
>>> Mike Johnson
>>> Datatel Programmer/Analyst
>>> Northern Ontario School of Medicine
>>> 955 Oliver Road
>>> Thunder Bay, ON P7B 5E1
>>> Phone: (807) 766-7331
>>> Email: [email protected]
>>>
>>>
>>> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
>>> Buy a copy at http://rtbook.bestpractical.com
>>>
>>
>>
>
>
> --
> Mike Johnson
> Datatel Programmer/Analyst
> Northern Ontario School of Medicine
> 955 Oliver Road
> Thunder Bay, ON P7B 5E1
> Phone: (807) 766-7331
> Email: [email protected]
>

--
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON P7B 5E1
Phone: (807) 766-7331
Email: [email protected]
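Added example (not part of the thread and not code from RT or RT::Authen::ExternalAuth): an offline check of what the `d_filter` quoted in the first message selects. It parses the extensible-match filter and applies Active Directory's bitwise matching rules to constructed `userAccountControl` values; the account names, entries and helper function names are assumptions made for illustration.

```python
import re

# Active Directory bitwise matching-rule OIDs; the thread's d_filter uses BIT_AND.
BIT_AND = "1.2.840.113556.1.4.803"  # every bit in the mask must be set
BIT_OR = "1.2.840.113556.1.4.804"   # at least one bit in the mask must be set

# A few userAccountControl flag bits.
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0010: "LOCKOUT",
             0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}

D_FILTER = "(userAccountControl:1.2.840.113556.1.4.803:=2)"  # from the thread
EXT_MATCH = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*):(?P<oid>[\d.]+):=(?P<mask>\d+)\)$")

def parse_ext_filter(text):
    """Split '(attr:oid:=mask)' into (attr, oid, mask)."""
    m = EXT_MATCH.match(text.strip())
    if not m:
        raise ValueError(f"not a single extensible-match filter: {text!r}")
    return m["attr"], m["oid"], int(m["mask"])

def entry_matches(entry, filter_text):
    """Evaluate a bitwise extensible-match filter against one entry (a dict)."""
    attr, oid, mask = parse_ext_filter(filter_text)
    if attr not in entry:
        return False  # an absent attribute never matches
    value = int(entry[attr])
    if oid == BIT_AND:
        return value & mask == mask
    if oid == BIT_OR:
        return value & mask != 0
    raise ValueError(f"unsupported matching rule {oid}")

def decode_uac(value):
    """Name the known flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

# Constructed sample entries (hypothetical accounts, not from the thread).
SAMPLE_ENTRIES = {
    "alice": {"userAccountControl": "512"},    # normal, enabled
    "bob":   {"userAccountControl": "514"},    # normal, disabled
    "carol": {"userAccountControl": "66048"},  # enabled, password never expires
    "dave":  {"userAccountControl": "66050"},  # disabled, password never expires
    "eve":   {},                               # attribute not returned
}

def disabled_report(entries, d_filter=D_FILTER):
    """Map each account to True when the d_filter would select it as disabled."""
    return {name: entry_matches(e, d_filter) for name, e in entries.items()}

if __name__ == "__main__":
    for name, hit in disabled_report(SAMPLE_ENTRIES).items():
        flags = decode_uac(int(SAMPLE_ENTRIES[name].get("userAccountControl", 0)))
        print(f"{name:6} d_filter match={hit} flags={flags}")
```

An account that matches `d_filter` is one ExternalAuth treats as disabled, so a test login with such an account fails even when the bind credentials and `filter` are correct.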
