LdapSiteConfigSettings

From Request Tracker Wiki
Jump to navigation Jump to search



This page 'LdapSiteConfigSettings' is tagged as OUTDATED
This page contains out of date and possibly misleading information or instructions such as installation methods or configuration examples that no longer apply. Please consider this warning when reading the page below.
If you have checked or updated this page and found the content to be suitable, please remove this notice by editing the page and remove the Outdated template tag.


Introduction

This code is part of the LDAP integration overlay; you'll also need LdapUserLocalOverlay and, optionally, LdapAutocreateAuthCallback.

Configuration

Put these in your site configuration file, [=${RTHOME}/etc/RT_SiteConfig.pm]

### What auth methods do you like and in what order?
  
  Set($AuthMethods, ['LDAP', 'Internal']);
  
  ### LDAP Settings
  #
  # There are two different branches of this: LdapAuth* and LdapInfo*;
  # additionally, most of the old Ldap* variables are honored, too.
  #
  # This means if you only have one LDAP server/config you can just set
  # "LdapServer", "LdapUser", etc. and they will be used for both
  # authentication and information
  
  ### Enable/Disable LDAP services
  Set($LdapExternalAuth, 1);
  Set($LdapExternalInfo, 1);
  
  ### Common Settings: affecting both auth and info services
  
  # Should we create accounts for users who aren't in LDAP?
  Set($LdapAutoCreateNonLdapUsers, 1);
  
  # Map RT attributes to LDAP attributes
  #
  ### THE MAPPING BELOW WILL NOT WORK FOR YOU UNLESS YOU CHANGE
  ### IT TO MATCH YOUR LDAP SCHEMA! See http://wiki.bestpractical.com/view/LdapAttrMap
  ### to learn how to set this variable properly for either LDAP or Windows
  ### Active Directory.
  Set($LdapAttrMap, {'Name' => 'uid',
                     'EmailAddress' => 'mail',
                     'Organization' => 'o',
                     'RealName' => 'cn',
                     'ExternalContactInfoId' => 'dn',
                     'ExternalAuthId' => 'uid',
                     'Gecos' => 'uid',
                     'WorkPhone' => 'telephoneNumber',
                     'Address1' => 'ou',
                     'Address2' => 'physicalDeliveryOfficeName'}
  );
  
  # A list of RT attrs which can uniquely identify a user,
  # ordered from most to least preferred.
  Set($LdapRTAttrMatchList, ['ExternalContactInfoId', 'Name',
                             'EmailAddress', 'RealName',
                             'WorkPhone', 'Address2']
  );
  
  # A list of LDAP attrs to examine when canonicalizing email addresses,
  # ordered from most to least preferred
  Set($LdapEmailAttrMatchList, ['mail', 'mailRoutingAddress',
                                'mailAlternateAddress']
  );
  
  # A list of prefixes to apply to email address matches.
  # Windows 2003 AD uses prefixes or smtp: or SMTP:.
  # If not required just leave ''
  Set($LdapEmailAttrMatchPrefix, ['', 'smtp:', 'SMTP:'] );
  
  # The basics; if set, these override $RT::LdapAuth* and $RT::LdapInfo*
  Set($LdapServer, 'ldap.example.com');
  Set($LdapBase, 'ou=People,dc=example,dc=com');
  Set($LdapFilter, '(objectclass=posixAccount)');
  #   Windows 2003 Active Directory does not allow anonymous LDAP binding
  #   thus you must pass Net::LDAP a username and password that has
  #   access to read the directory.
  #
  #   You may also need to specify the full distinguished name instead of
  #   just a username for LdapUser below.
  #   e.g. cn=Username,cn=Users,dc=yourdomain,dc=com
  #
  #Set($LdapUser, '');
  #Set($LdapPass, '');
  
  # This filter is used by RT::User::UpdateFromLdap to test whether an
  # LDAP user's RT account should be disabled. Any user whose LDAP record
  # passes this filter (returns true) will be disabled at login
  Set($LdapDisableFilter, '(employmentStatus=Terminated)');
  
  # If you set these, only members of this group can auth via LDAP
  #Set($LdapGroup, 'cn=RT,ou=Group,dc=example,dc=com');
  #Set($LdapGroupAttr, 'uniqueMember');
  
  # These turn on SSL for LDAP
  #Set($LdapTLS, 0);
  #Set($LdapSSLVersion, 3);
  
  ### IF YOU USE THE SAME LDAP SERVER FOR AUTH AND INFO STOP HERE ###
  
  ### Authentication settings
  
  #
  # These are used only if their $RT::Ldap* analogs are not set;
  # if you want one of these variables to be honored, you must comment
  # out the corresponding $RT::Ldap* variable above
  
  #Set($LdapAuthServer, 'ldap.example.com');
  #Set($LdapAuthBase, 'ou=People,dc=example,dc=com');
  #Set($LdapAuthFilter, "(objectclass=posixAccount)");
  #Set($LdapAuthUser, '');
  #Set($LdapAuthPass, '');
  
  # This filter is used by RT::User::UpdateFromLdap to test whether an
  # LDAP user's RT account should be disabled. Any user whose LDAP record
  # passes this filter (returns true) will be disabled at login
  # Set($LdapAuthDisableFilter, '(employmentStatus=Terminated)');
  
  
  # If you set these, only members of this group can auth via LDAP
  #Set($LdapAuthGroup, 'cn=RT,ou=Group,dc=example,dc=com');
  #Set($LdapAuthGroupAttr, 'uniqueMember');
  # These turn on SSL for LDAP
  #Set($LdapAuthTLS, 0);
  #Set($LdapAuthSSLVersion, 3);
  
  
  ### Information settings
  
  #
  # These are used only if their $RT::Ldap* analogs are not set;
  # if you want one of these variables to be honored, you must comment
  # out the corresponding $RT::Ldap* variable above
  
  
  #Set($LdapInfoServer, 'ldap.example.com');
  #Set($LdapInfoBase, 'ou=People,dc=example,dc=com');
  #Set($LdapInfoFilter, "(objectclass=posixAccount)");
  #Set($LdapInfoUser, '');
  #Set($LdapInfoPass, '');
  
  # This filter is used by RT::User::UpdateFromLdap to test whether an
  # LDAP user's RT account should be disabled. Any user whose LDAP record
  # passes this filter (returns true) will be disabled at login
  # Set($LdapInfoDisableFilter, '(employmentStatus=Terminated)');
  
  # These turn on SSL for LDAP
  #Set($LdapInfoTLS, 0);
  #Set($LdapInfoSSLVersion, 3);
  

Configuration for Zimbra Collaboration Suite

  • The following settings work for Zimbra 4.5.6
Set($AuthMethods, ['LDAP', 'Internal']);
  Set($LdapExternalAuth, 1);
  Set($LdapExternalInfo, 1);
  Set($LdapAutoCreateNonLdapUsers, 0);
  Set($LdapAttrMap, {'Name' => 'uid',
                    'EmailAddress' => 'mail',
                    'Organization' => 'ou',
                    'RealName' => 'cn',
                    'ExternalContactInfoId' => 'dn',
                    'ExternalAuthId' => 'uid',
                    'WorkPhone' => 'telephoneNumber',
                    'Signature' => 'zimbraPrefMailSignature'}
  );
  Set($LdapRTAttrMatchList, ['ExternalContactInfoId', 'Name',
                            'EmailAddress', 'RealName',
                            'WorkPhone', 'Address2']
  );
  Set($LdapEmailAttrMatchList, ['mail', 'zimbraMailAlias']);
  Set($LdapEmailAttrMatchPrefix, ['', 'smtp:', 'SMTP:'] );
  Set($LdapServer, 'ldap.example.com');
  Set($LdapBase, 'ou=people,dc=example,dc=com');
  Set($LdapFilter, '(objectclass=organizationalPerson)');
  Set($LdapDisableFilter, '(zimbraMailStatus=disabled)');
  Set($LdapTLS, 1);
  Set($LdapSSLVersion, 3);
  

Active Directory LDAPS

The following lines need to be added to switch LDAP over from regular port 389 LDAP traffic to using SSL-encrypted LDAPS on port 636:

Set($LdapServer, 'ldaps://myDomainController.xxxxxxx.com');
Set($LdapTLS, 1);
Set($LdapSSLVersion, 3);

This worked with a Windows 2003 Domain Controller. No certs needed to be manually accepted.