Hi, I've replicated our production setup and upgraded it to 4.0 without a problem. I've now thrown External Auth into the mix (new install via cpan), and I'm having mixed results.
We have 2 directory systems - Open Directory (openldap) and Active Directory. AD authenticates fine, but OD just will not authenticate at all.

Here's my RT_SiteConfig.pm:

    Set($rtname, 'ourdomain');
    Set($Organization , "ourdomain");
    Set($WebPort, 80);# + ($< * 7274) % 32766 + ($< && 1024));
    Set($WebDomain, 'rt2.ourdomain' );
    my $port = RT->Config->Get('WebPort');
    Set($WebBaseURL,
        ($port == 443? 'https': 'http') .'://'
        . RT->Config->Get('WebDomain')
        . ($port != 80 && $port != 443? ":$port" : '')
    );
    Set($MaxAttachmentSize , 10000000);
    Set($MailCommand , 'sendmail');
    Set($SendmailArguments , "-oi -t");
    Set($CorrespondAddress , 'Request_Tracker');
    Set($CommentAddress , 'Request_Tracker_Comment');
    Set($HomePageRefreshInterval, 60);
    Set(@Plugins,qw(RT::Authen::ExternalAuth));
    Set($ExternalAuthPriority, [ 'My_AD', 'My_OD' ] );
    Set($ExternalInfoPriority, [ 'My_AD', 'My_OD' ] );
    Set($ExternalServiceUsesSSLorTLS, 0);
    Set($AutoCreateNonExternalUsers, 0);
    Set($ExternalSettings, {
        'My_OD' => {
            ## ODMaster
            # The type of service (db/ldap/cookie)
            'type' => 'ldap',
            # The server hosting the service
            'server' => 'osxmaster.b6fc.ac.uk',
            # The LDAP search base
            'base' => 'cn=users,dc=osxmaster,dc=b6fc,dc=ac,dc=uk',
            #
            # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
            # YOU **MUST** SPECIFY A filter AND A d_filter!!
            #
            # The filter to use to match RT-Users
            'filter' => '(description=staff)',
            # A catch-all example filter: '(objectClass=*)'
            #
            # The filter that will only match disabled users
            'd_filter' => '(description=parent)',
            # A catch-none example d_filter: '(objectClass=FooBarBaz)'
            #
            # Should we try to use TLS to encrypt connections?
            #'tls' => 0,
            # SSL Version to provide to Net::SSLeay *if* using SSL
            #'ssl_version' => 3,
            # What other args should I pass to Net::LDAP->new($host,@args)?
            #'net_ldap_args' => [ version => 3 ],
            # Does authentication depend on group membership? What group name?
            #'group' => 'GROUP_NAME',
            # What is the attribute for the group object that determines membership?
            #'group_attr' => 'GROUP_ATTR',
            ## RT ATTRIBUTE MATCHING SECTION
            # The list of RT attributes that uniquely identify a user
            # This example shows what you *can* specify.. I recommend reducing this
            # to just the Name and EmailAddress to save encountering problems later.
            'attr_match_list' => [
                'Name',
                'EmailAddress',
            ],
            # The mapping of RT attributes on to LDAP attributes
            'attr_map' => {
                'Name' => 'cn',
                'EmailAddress' => 'mail',
            }
        },
        'My_AD' => {
            ## ADMaster
            # The type of service (db/ldap/cookie)
            'type' => 'ldap',
            # The server hosting the service
            'server' => 'admaster.b6fc.ac.uk',
            ## SERVICE-SPECIFIC SECTION
            # If you can bind to your LDAP server anonymously you should
            # remove the user and pass config lines, otherwise specify them here:
            #
            # The username RT should use to connect to the LDAP server
            'user' => 'blanked',
            # The password RT should use to connect to the LDAP server
            'pass' => 'blanked',
            #
            # The LDAP search base
            'base' => 'OU=Staff,DC=b6fc,DC=ac,DC=uk',
            #
            # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
            # YOU **MUST** SPECIFY A filter AND A d_filter!!
            #
            # The filter to use to match RT-Users
            'filter' => '(description=staff)',
            # A catch-all example filter: '(objectClass=*)'
            #
            # The filter that will only match disabled users
            'd_filter' => '(scriptPath=student.bat)',
            # A catch-none example d_filter: '(objectClass=FooBarBaz)'
            #
            # Should we try to use TLS to encrypt connections?
            #'tls' => 0,
            # SSL Version to provide to Net::SSLeay *if* using SSL
            #'ssl_version' => 3,
            # What other args should I pass to Net::LDAP->new($host,@args)?
            #'net_ldap_args' => [ version => 3 ],
            # Does authentication depend on group membership? What group name?
            #'group' => 'All Staff'
            # What is the attribute for the group object that determines membership?
            #'group_attr' => 'GROUP_ATTR',
            ## RT ATTRIBUTE MATCHING SECTION
            # The list of RT attributes that uniquely identify a user
            # This example shows what you *can* specify.. I recommend reducing this
            # to just the Name and EmailAddress to save encountering problems later.
            'attr_match_list' => [
                'Name',
                'EmailAddress',
            ],
            # The mapping of RT attributes on to LDAP attributes
            'attr_map' => {
                'Name' => 'sAMAccountName',
                'EmailAddress' => 'mail',
            }
        }
    }
    #Set(@Plugins,(qw(Extension::QuickDelete RT::FM)));
    );
    1;

AD users log in, but then do not show up in the users section so I can't assign them permissions.

OD users fail to log in with "Your username or password is incorrect". The message in the log is:

    [Tue Jun 7 10:09:10 2011] [error]: Couldn't create user Staffuser: Name in use (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129)

The name is not in use however - anyone got any ideas?

Thanks.

Regards,
Guy
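
A lint pass over an ExternalSettings hash like the one posted above, as an added example that is not part of the original message or of RT::Authen::ExternalAuth: it checks the "filter AND d_filter, in parentheses" rule from the config comments, reports services whose binds run without TLS, and lists which LDAP attribute each service maps to RT's Name. The sample hash is a constructed abridgement of the posted config, `lint_service` is a hypothetical helper, and treating a service as encrypted only when both the global flag and its `tls` key are true is an assumption.

```perl
use strict;
use warnings;

# Constructed sample: an abridged copy of the two services in the post.
my $uses_ssl_or_tls = 0;    # value of $ExternalServiceUsesSSLorTLS
my %settings = (
    My_OD => {
        type     => 'ldap',
        filter   => '(description=staff)',
        d_filter => '(description=parent)',
        attr_map => { Name => 'cn', EmailAddress => 'mail' },
    },
    My_AD => {
        type     => 'ldap',
        user     => 'placeholder-bind-user',
        pass     => 'placeholder-bind-pass',
        filter   => '(description=staff)',
        d_filter => '(scriptPath=student.bat)',
        attr_map => { Name => 'sAMAccountName', EmailAddress => 'mail' },
    },
);

# Hypothetical helper: returns a list of findings for one service.
sub lint_service {
    my ($name, $svc, $global_tls) = @_;
    my @findings;
    return @findings unless ($svc->{type} // '') eq 'ldap';
    # Both filters are mandatory and must be parenthesised LDAP filters.
    for my $key (qw(filter d_filter)) {
        my $f = $svc->{$key};
        if (!defined $f) { push @findings, "$name: missing $key"; next }
        push @findings, "$name: $key is not wrapped in parentheses"
            unless $f =~ /^\(.*\)$/s;
    }
    # Assumption: encrypted only if the global flag and the service 'tls' are both true.
    # A simple bind over plain LDAP carries the password in cleartext.
    unless ($global_tls && $svc->{tls}) {
        my $what = defined $svc->{pass} ? 'service and user passwords' : 'user passwords';
        push @findings, "$name: TLS off, $what cross the network unencrypted";
    }
    # Report the attribute mapped to RT's Name so services can be compared.
    my $attr = $svc->{attr_map}{Name};
    push @findings, defined $attr
        ? "$name: RT Name maps to LDAP attribute '$attr'"
        : "$name: attr_map has no Name mapping";
    return @findings;
}

for my $svc_name (sort keys %settings) {
    print "$_\n" for lint_service($svc_name, $settings{$svc_name}, $uses_ssl_or_tls);
}
```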