Hello, I've been staring at this for hours now and I'm not getting anywhere.
CentOS 5.9, RT 4.0.10, RT-Authen-ExternalAuth 0.13. RT is installed and I can connect to it from a browser and log in as root; trying to log in as a domain user, it says my password is wrong. I've got logging enabled (as best as I can find out how to...), but I can't see any LDAP messages, just failed logins.

RT_SiteConfig.pm:

# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
#   perl -c /path/to/your/etc/RT_SiteConfig.pm
#
# You must restart your webserver after making changes to this file.

# You must install Plugins on your own, this is only an example
# of the correct syntax to use when activating them.
# There should only be one @Plugins declaration in your config file.
#Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail RT::Authen::ExternalAuth)));

Set($LogToFile, 'debug');
Set($LogDir, '/var/log/rt');

Set( $CommentAddress, 'rt-comm...@domain.com' );
Set( $CorrespondAddress, 'rt-corresp...@domain.com' );
Set( $DatabaseHost, 'localhost' );
Set( $DatabaseName, 'rt4' );
Set( $DatabasePassword, 'password' );
Set( $DatabasePort, '' );
Set( $DatabaseRequireSSL, '' );
Set( $DatabaseType, 'mysql' );
Set( $DatabaseUser, 'rt_user' );
Set( $Organization, 'domain.com' );
Set( $OwnerEmail, 'it-supp...@domain.com' );
Set( $SendmailPath, '/usr/sbin/sendmail' );
Set( $WebDomain, '10.x.x.x' );
Set( $WebPort, '80' );
Set( $rtname, 'domain.com' );

#ExtAuth:
Set($ExternalAuthPriority, [ 'My_LDAP' ] );
Set($ExternalInfoPriority, [ 'My_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 1);
Set($ExternalSettings, {
    # AN EXAMPLE LDAP SERVICE
    'My_LDAP' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        # The server hosting the service
        'server' => 'ad01.domain.local',

        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user' => 'ad-rt-user',
        # The password RT should use to connect to the LDAP server
        'pass' => 'password',
        #
        # The LDAP search base
        'base' => 'ou=OrgUnit,dc=domain,dc=local',
        #
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        #
        # The filter to use to match RT-Users
        'filter' => '(sAMAccountType=805306368)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter' => '(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2))',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'RTusers',
        # What is the scope of the group search? (base, one, sub)
        # Optional; defaults to 'base', which is good enough for most cases.
        # 'sub' is appropriate when you have nested groups
        'group_scope' => 'base',
        # What is the attribute for the group object that determines membership?
        'group_attr' => 'member',
        # What is the attribute of the user entry that should be matched
        # against group_attr above? (Optional; defaults to 'dn')
        #'group_attr_value' => 'GROUP_ATTR_VALUE',

        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [
            'Name',
            'EmailAddress',
            'RealName'
        ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName'
        }
    },
} );

1;

Can someone please point me in the right direction, whether it's more detailed documentation on how to configure AD authentication, or hints as to where I may be going wrong?

Many thanks in advance,
-- RT Training in Seattle, June 19-20: http://bestpractical.com/training
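A way to narrow down where a login like this fails is to replay the My_LDAP settings against the directory outside RT, one step at a time, so the step that breaks (service bind, user lookup, disabled check, group membership, user bind) is visible instead of a bare "password wrong". The script below is an added example written for this thread, not code from RT or RT::Authen::ExternalAuth; the %cfg values are copied from the posted RT_SiteConfig.pm, while the test login, the password and the group DN (assumed here to be the group's full DN, checked via its member attribute) are placeholders to fill in.

```perl
#!/usr/bin/perl
# Added diagnostic, not part of RT or the extension: run the posted My_LDAP
# settings against AD step by step. %cfg values come from RT_SiteConfig.pm;
# group_dn is a placeholder (assumption: the group is matched by full DN).
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my %cfg = (
    server   => 'ad01.domain.local',
    user     => 'ad-rt-user',
    pass     => 'password',
    base     => 'ou=OrgUnit,dc=domain,dc=local',
    filter   => '(sAMAccountType=805306368)',
    d_filter => '(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2))',
    group_dn => 'cn=RTusers,ou=Groups,dc=domain,dc=local',   # placeholder DN
);
my ($login, $password) = @ARGV;
die "usage: $0 <sAMAccountName> <password>\n" unless defined $password;

# 1. Connect (tls => 0, so this is a cleartext session and the password in
#    step 5 travels unencrypted) and bind as the service account.
my $ldap = Net::LDAP->new($cfg{server}, version => 3)
    or die "connect to $cfg{server} failed: $@\n";
my $m = $ldap->bind($cfg{user}, password => $cfg{pass});
die "service bind failed: " . $m->error . "\n" if $m->code;

# 2. Locate the user: 'filter' AND the attr_map'd login attribute
#    (Name => sAMAccountName). The login is escaped so it cannot alter the filter.
my $f = sprintf '(&%s(sAMAccountName=%s))', $cfg{filter}, escape_filter_value($login);
$m = $ldap->search(base => $cfg{base}, scope => 'sub', filter => $f,
                   attrs => [qw(sAMAccountName mail cn)]);
die "user search failed: " . $m->error . "\n" if $m->code;
die "expected exactly one match for $f under $cfg{base}, got " . $m->count . "\n"
    unless $m->count == 1;
my $dn = $m->entry(0)->dn;
print "found $dn\n";

# 3. Same lookup with d_filter: a hit means AD marks the account disabled.
$f = sprintf '(&%s(sAMAccountName=%s))', $cfg{d_filter}, escape_filter_value($login);
$m = $ldap->search(base => $cfg{base}, scope => 'sub', filter => $f);
die "account is disabled (d_filter matched)\n" if !$m->code && $m->count;

# 4. Group membership: is the user's DN listed in the group's 'member' attribute?
$m = $ldap->search(base => $cfg{group_dn}, scope => 'base',
                   filter => '(member=' . escape_filter_value($dn) . ')');
die "$dn is not a member of $cfg{group_dn}\n" if $m->code || !$m->count;

# 5. Finally bind as the user with the supplied password, as RT would.
$m = $ldap->bind($dn, password => $password);
die "user bind failed: " . $m->error . "\n" if $m->code;
print "all checks passed for $login\n";
$ldap->unbind;
```

Run it from the RT host with a domain account whose password you know; the first die message names the step to look at, and if every step passes, the problem is on the RT side (plugin loading or RT's user matching) rather than in the directory settings.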