[rt-users] Problems getting LDAP authentication working...

2009-06-01 Thread Kevin Gagel
I'm trying to setup LDAP through the RT-Authen-ExternalAuth plugin.

I have gotten far enough to log in as a user via LDAP but I want to restrict 
logins to a specific group within my Windows AD. I can't seem to get that part 
working. I know it's something I'm doing wrong but I'm not seeing what it is.

So, what I want is to allow users within a group "CSER" to be able to log in and 
create tickets. I want another group "ITAdmin" to be equivalent to the RTAdmin. 
How do I set this up?

Here is my current configuration:

Set($rtname, 'XX.ca');
Set($LogToFileNamed, "/var/tmp/rt3.error");
Set($LogToFile, 'debug');
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);
Set(@Plugins, qw(RT::Authen::ExternalAuth));
Set($ExternalSettings, {
    'My_LDAP' => {   ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        'auth' => 1,
        'info' => 1,
        # The server hosting the service
        'server' => 'XXX.XXX.XXX.XXX',
        # The username RT should use to connect to the LDAP server
        'user' => 'XX',
        # The password RT should use to connect to the LDAP server
        'pass' => 'XX',
        'base' => 'XX',
        'filter' => '(objectClass=Person)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        # (attribute name corrected here from the misspelling 'userAccountConrol',
        # which no AD entry carries, so the original filter never matched anyone)
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'CSER',
        # What is the attribute for the group object that determines membership?
        'group_attr' => '',
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
        },
    },
});
1;

With the above configuration I am able to log in after I get an error because of 
the blank group_attr. What exactly is supposed to be there? Every attempt to 
put something there causes the login to fail. Sample debug follows:

[Mon Jun  1 19:20:27 2009] [debug]: RT's GnuPG libraries couldn't successfully 
read your configured GnuPG home directory (/opt/rt3/var/data/gpg). PGP support 
has been disabled (/opt/rt3/bin/../lib/RT/Config.pm:339)
[Mon Jun  1 19:20:32 2009] [debug]: Reloading RT::User to work around a bug in 
RT-3.8.0 and RT-3.8.1 
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Jun  1 19:20:32 2009] [debug]: Attempting to use external auth service: 
My_LDAP 
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut

Re: [rt-users] Problems getting LDAP authentication working...

2009-06-02 Thread Mike Peachey
Mon 01 Jun 2009 20:26:02 GMT
Kevin Gagel wrote:
> I'm trying to setup LDAP through the RT-Authen-ExternalAuth plugin.
> 
> I have gotten far enough to login as a user via LDAP but I want to
> restrict login's to a specific group within my Windows AD.

Try these:

> # Does authentication depend on group membership? What group name?
> 'group' =>  'cn=CSER,',
> # What is the attribute for the group object that determines membership?
> 'group_attr' =>  'member',

-- 
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__
___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com


Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
Buy a copy at http://rtbook.bestpractical.com
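As an added illustration (my own code, not code from this thread and not the plugin's source), the Python below models the two gates the configuration above is trying to set up: the 'd_filter' test, which uses AD's bitwise-AND matching rule OID 1.2.840.113556.1.4.803 against userAccountControl (bit 0x2 is ACCOUNTDISABLE), and the group test, modelled the way I understand RT::Authen::ExternalAuth to do it, as a base-scoped search of the group object for the user's DN in 'group_attr'. That is why a bare 'CSER' cannot work and why Mike's reply starts the value with 'cn=CSER,' (the rest of the DN is what you fill in) and uses 'member' for AD. The in-memory directory, every DN, login name and the 'DC=example,DC=ca' base are constructed for the example. The filter values are RFC 4515-escaped before they are interpolated, because a DN or login containing '(' , ')' or '*' would otherwise break or widen the filter. One caveat from the config itself: with 'tls' => 0 the bind user's password in 'pass' crosses the network in clear on every RT login.

```python
import re

# Constructed in-memory stand-in for the AD server; all names are invented.
def _user(login, uac):
    return {"objectClass": ["top", "person", "user"],
            "sAMAccountName": [login], "userAccountControl": [uac]}

DIRECTORY = {
    "CN=Kevin Gagel,OU=Users,DC=example,DC=ca": _user("kgagel", 0x200),    # NORMAL_ACCOUNT
    "CN=Temp (IT),OU=Users,DC=example,DC=ca": _user("tempit", 0x200),      # parentheses are legal in a DN
    "CN=Old Contractor,OU=Users,DC=example,DC=ca": _user("oldc", 0x202),   # 0x200 | ACCOUNTDISABLE (0x2)
    "CN=Outsider,OU=Users,DC=example,DC=ca": _user("outsider", 0x200),
    "CN=CSER,OU=Groups,DC=example,DC=ca": {
        "objectClass": ["top", "group"],
        "member": ["CN=Kevin Gagel,OU=Users,DC=example,DC=ca",
                   "CN=Temp (IT),OU=Users,DC=example,DC=ca",
                   "CN=Old Contractor,OU=Users,DC=example,DC=ca"],
    },
}

# The relevant ExternalSettings keys, with 'group' as a full DN (not 'CSER')
# and 'group_attr' set to AD's 'member'.  Assumed values for the example.
SETTINGS = {
    "base": "DC=example,DC=ca",
    "filter": "(objectClass=Person)",
    "d_filter": "(userAccountControl:1.2.840.113556.1.4.803:=2)",
    "group": "CN=CSER,OU=Groups,DC=example,DC=ca",
    "group_attr": "member",
}


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value interpolated into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def ldap_filter_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


_ASSERTION = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)(?::(?P<rule>[\d.]+):)?=(?P<value>.*)\)$")


def matches(entry, filt):
    """Evaluate one filter assertion: (attr=value), the presence test (attr=*),
    or AD's bitwise-AND rule (attr:1.2.840.113556.1.4.803:=mask).  Any unescaped
    special character inside the value is refused, as a server would for ( and )."""
    m = _ASSERTION.match(filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, rule, raw = m.group("attr"), m.group("rule"), m.group("value")
    if raw != "*" and re.search(r"[()*]|\\(?![0-9a-fA-F]{2})", raw):
        raise ValueError("unescaped special character in value: " + filt)
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if rule == "1.2.840.113556.1.4.803":          # LDAP_MATCHING_RULE_BIT_AND
        mask = int(raw)
        return any((int(v) & mask) == mask for v in values)
    if rule is not None:
        raise ValueError("unsupported matching rule: " + rule)
    if raw == "*":
        return bool(values)
    wanted = ldap_filter_unescape(raw).lower()     # DNs and names compare case-insensitively
    return any(str(v).lower() == wanted for v in values)


def is_rejected(filt):
    """True if this evaluator refuses the filter (unescaped ( ) * or bad escape)."""
    try:
        matches({}, filt)
        return False
    except ValueError:
        return True


def search(base, scope, filt):
    """Minimal search over DIRECTORY; scope is 'base' or 'sub'.  Returns DNs."""
    b = base.lower()
    return [dn for dn, entry in DIRECTORY.items()
            if (dn.lower() == b if scope == "base" else dn.lower().endswith(b))
            and matches(entry, filt)]


def find_user(login, settings=SETTINGS):
    """Login name -> candidate DNs under 'base' that satisfy 'filter'."""
    by_name = "(sAMAccountName=%s)" % ldap_filter_escape(login)
    return [dn for dn in search(settings["base"], "sub", settings["filter"])
            if matches(DIRECTORY[dn], by_name)]


def can_log_in(login, settings=SETTINGS):
    """The three gates: exactly one user, not disabled, listed on the group object."""
    dns = find_user(login, settings)
    if len(dns) != 1:
        return False, "no unique user for %r" % login
    user_dn = dns[0]
    if matches(DIRECTORY[user_dn], settings["d_filter"]):
        return False, "account disabled"
    membership = "(%s=%s)" % (settings["group_attr"], ldap_filter_escape(user_dn))
    if not search(settings["group"], "base", membership):   # base scope: the group entry itself
        return False, "not a member of " + settings["group"]
    return True, user_dn


if __name__ == "__main__":
    for login in ("kgagel", "tempit", "oldc", "outsider", "*"):
        print(login, can_log_in(login))
    print("bare group name:", can_log_in("kgagel", dict(SETTINGS, group="CSER")))
```

Against a real domain controller the same membership gate can be checked from the RT host with OpenLDAP's ldapsearch before touching RT_SiteConfig.pm: `ldapsearch -x -H ldap://<server> -D <bind user> -W -b "CN=CSER,<rest of DN>" -s base "(member=<user DN>)"` should return the group entry for a member and nothing for a non-member; if it returns nothing for everyone, the group DN or the attribute name is wrong (nested groups are not followed by a plain 'member' match).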