I too was going down this path. What ended up working for me is creating local accounts on RT first, then LDAP authentication worked. The other problem I ran into is the "give permissions for everyone to create ticket" error when this plugin was activated. Double-checked all permissions, and ensured that everyone could create a ticket for the given queue and had no luck.
For now I've rolled back the use of the plugin and I am just using local accounts :(

-a

On Wed, Oct 15, 2008 at 4:17 PM, Rich West <[EMAIL PROTECTED]> wrote:
> I'm going down the route of integrating a new RT 3.8.1 install in to a
> Windows 2003 Active Directory environment, and after going through the
> wiki web of information, I found that the "proper" method is now
> RT::Authen::ExternalAuth.  That was, unfortunately, after I tried
> several other methods. :(
>
> Anyhow, I saw a couple of postings on the list (specifically:
> http://lists.bestpractical.com/pipermail/rt-users/2008-July/052959.html),
> and managed to get things configured, but not functioning. :(
>
> I am able to successfully ldapsearch :
> ldapsearch -LLL -x -D "CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local" -w ourpasswd -h ad.ourdomain.local "(objectClass=Person)" -b "dc=ourdomain,dc=local"
>
> And I tried a couple of different variants for searching with command
> line success: (objectClass=*), (sAMAccountName=user)
>
> However, I cannot seem to get it to work for RT.  I'm getting "Your
> username or password is incorrect" after only a few seconds of
> processing.  Probably the thing preventing me from debugging this
> further is.. well.. I'm not sure how to turn up the volume on the
> debugging.  The most I am seeing in the logs is the login failure.
>
> Any ideas?
>
> Thanks!
> -Rich
>
>
>
> RT_SiteConfig.pm contains:
> # The order in which the services defined in ExternalSettings
> # should be used to authenticate users. User is authenticated
> # if successfully confirmed by any service - no more services
> # are checked.
> Set($ExternalAuthPriority,  [   'My_LDAP'
>                             ]
> );
>
> # The order in which the services defined in ExternalSettings
> # should be used to get information about users. This includes
> # RealName, Tel numbers etc, but also whether or not the user
> # should be considered disabled.
> # Once user info is found, no more services are checked.
> Set($ExternalInfoPriority,  [
>                                 'My_LDAP'
>                             ]
> );
>
> # If this is set to true, then the relevant packages will
> # be loaded to use SSL/TLS connections. At the moment,
> # this just means "use Net::SSLeay;"
> Set($ExternalServiceUsesSSLorTLS,    0);
>
> # If this is set to 1, then users should be autocreated by RT
> # as internal users if they fail to authenticate from an
> # external service.
> Set($AutoCreateNonExternalUsers,    1);
>
> # These are the full settings for each external service as a HashOfHashes
> # Note that you may have as many external services as you wish. They will
> # be checked in the order specified in the Priority directives above.
> # e.g.
> # Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
> #
> Set($ExternalSettings,  {
>     # AN EXAMPLE LDAP SERVICE
>     'My_LDAP'   =>  {   ## GENERIC SECTION
>         # The type of service (db/ldap/cookie)
>         'type'                      =>  'ldap',
>         # Should the service be used for authentication?
>         'auth'                      =>  1,
>         # Should the service be used for information?
>         'info'                      =>  1,
>         # The server hosting the service
>         'server'                    =>  'ad.ourdomain.local',
>         ## SERVICE-SPECIFIC SECTION
>         # If you can bind to your LDAP server anonymously you should
>         # remove the user and pass config lines, otherwise specify them here:
>         #
>         # The username RT should use to connect to the LDAP server
>         'user'                      =>  'CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local',
>         # The password RT should use to connect to the LDAP server
>         'pass'                      =>  'ourpasswd',
>         #
>         # The LDAP search base
>         'base'                      =>  'dc=ourdomain,dc=local',
>         # The filter to use to match RT-Users
>         'filter'                    =>  '(objectclass=Person)',
>         # The filter that will only match disabled users
>         # 'd_filter'                =>  '(serAccountControl:1.2.840.113556.1.4.803:=2)',
>         'd_filter'                  =>  '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))',
>         # Should we try to use TLS to encrypt connections?
>         'tls'                       =>  0,
>         # What other args should I pass to Net::LDAP->new($host,@args)?
>         'net_ldap_args'             => [    version =>  3   ],
>         # Does authentication depend on group membership? What group name?
>         'group'                     =>  '',
>         # What is the attribute for the group object that determines membership?
>         'group_attr'                =>  '',
>         ## RT ATTRIBUTE MATCHING SECTION
>         # The list of RT attributes that uniquely identify a user
>         'attr_match_list'           => [    'Name',
>                                             'EmailAddress',
>                                             'RealName',
>                                             'WorkPhone',
>                                             'Address2'
>                                         ],
>         # The mapping of RT attributes on to LDAP attributes
>         'attr_map'                  =>  {   'Name' => 'sAMAccountName',
>                                             'EmailAddress' => 'mail',
>                                             'Organization' => 'physicalDeliveryOfficeName',
>                                             'RealName' => 'cn',
>                                             'ExternalAuthId' => 'sAMAccountName',
>                                             'Gecos' => 'sAMAccountName',
>                                             'WorkPhone' => 'telephoneNumber',
>                                             'Address1' => 'streetAddress',
>                                             'City' => 'l',
>                                             'State' => 'st',
>                                             'Zip' => 'postalCode',
>                                             'Country' => 'co'
>                                         }
>                     }
>                         }
> );
> 1;
>
> _______________________________________________
> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>
> Community help: http://wiki.bestpractical.com
> Commercial support: [EMAIL PROTECTED]
>
>
> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
> Buy a copy at http://rtbook.bestpractical.com
>
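The 'filter', 'attr_map' and 'd_filter' settings in the quoted RT_SiteConfig.pm can be checked outside RT. The following is an added example, not part of the original messages and not code from RT::Authen::ExternalAuth: it builds a per-login search filter (assuming the login attribute from attr_map is ANDed with 'filter') and applies the d_filter bit test to constructed LDIF. The function names and sample entries are hypothetical.

```shell
#!/bin/sh
# Added example: helper names and the sample LDIF are constructed.

# Escape a login name for an LDAP filter (RFC 4515): backslash first,
# then * ( ), so the typed name is always matched as a literal value.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the per-login search filter.
# Assumption: the login attribute (attr_map Name) is ANDed with 'filter'.
login_filter() {    # $1 = login attribute, $2 = login name, $3 = 'filter'
    printf '(&(%s=%s)%s)' "$1" "$(ldap_escape "$2")" "$3"
}

# Read LDIF as printed by `ldapsearch -LLL` and print the accounts that the
# d_filter term (userAccountControl:1.2.840.113556.1.4.803:=2) would match.
# That matching rule is a bitwise AND; bit value 2 is ACCOUNTDISABLE.
disabled_accounts() {
    awk '
        function emit() {
            if (name != "" && int(uac / 2) % 2 == 1) print name
            name = ""; uac = ""
        }
        /^sAMAccountName: /     { name = $2 }
        /^userAccountControl: / { uac = $2 }
        /^$/                    { emit() }
        END                     { emit() }'
}

sample_ldif() {     # constructed entries, not taken from the thread
    cat <<'EOF'
dn: CN=Jane Doe,OU=Users,DC=example,DC=test
sAMAccountName: jdoe
userAccountControl: 512

dn: CN=Old Temp,OU=Users,DC=example,DC=test
userAccountControl: 514
sAMAccountName: otemp

dn: CN=Svc RT,OU=Users,DC=example,DC=test
sAMAccountName: svc-rt
userAccountControl: 66048
EOF
}

# The filter to paste into ldapsearch for one login, then the bit check.
login_filter sAMAccountName 'jdoe' '(objectClass=Person)'; echo
sample_ldif | disabled_accounts
```

To check real entries, pipe ldapsearch -LLL output that requests sAMAccountName and userAccountControl into disabled_accounts in place of sample_ldif.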