LdapSiteConfigSettingsForActiveDirectory

From Request Tracker Wiki
Jump to navigation Jump to search

NOTICE

This is very out of date and based on old versions of RT. For modern equivalents, see RT::Authen::ExternalAuth and the LDAPImport extension.

Introduction

This code is part of the LDAP integration overlay; you'll also need LdapUserLocalOverlay and, optionally, LdapAutocreateAuthCallback.

2007/09/28 - Edward Kovarski; It has been adjusted for a Windows 2003 Active Directory Environment

  • 2007/10/31 - Mario Leal; Using this code I was unable to authenticate until I changed:
Set($LdapFilter, '(objectclass=posixAccount)');
To:
Set($LdapFilter, '(objectclass=*)');

Setup

Be sure to set the following variables for your environment,

LdapServer LdapBase LdapUser LdapPass

Configuration

Put these in your site configuration file, [=${RTHOME}/etc/RT_SiteConfig.pm]

### What auth methods do you like and in what order?
 
 Set($AuthMethods, ['LDAP', 'Internal']);
 
 ### LDAP Settings
 #
 # There are two different branches of this: LdapAuth* and LdapInfo*;
 # additionally, most of the old Ldap* variables are honored, too.
 #
 # This means if you only have one LDAP server/config you can just set
 # "LdapServer", "LdapUser", etc. and they will be used for both
 # authentication and information
 
 ### Enable/Disable LDAP services
 Set($LdapExternalAuth, 1);
 Set($LdapExternalInfo, 1);
 
 ### Common Settings: affecting both auth and info services
 
 # Should we create accounts for users who aren't in LDAP?
 Set($LdapAutoCreateNonLdapUsers, 1);
 
 # Should we assign the privileged rights to the user?
 Set($AutoCreate, {Privileged => 1});
 
 # Map RT attributes to LDAP attributes
 #
 # The mapping below is known to work in Windows 2003 w/Active Directory
 #
 ####
 #### NOTE
 ####
 #### You have the following options for the user id with Active Directory,
 ####
 #### 'mail'
 #### Users email address, user@mydomain.com
 ####
 #### 'userPrincipalName'
 #### New user logon name stored in the following format, user@ad_domain.com
 ####
 #### 'sAMAccountName' (Default for this config)
 #### Also known as the pre-Windows 2000 Logon Name
 
 

Set( $LdapAttrMap, {

'Name' => 'sAMAccountName',
'EmailAddress' => 'mail',
'Organization' => 'physicalDeliveryOfficeName',
'RealName' => 'cn',
'ExternalContactInfoId' => 'dn',
'ExternalAuthId' => 'sAMAccountName',
'Gecos' => 'sAMAccountName',
'HomePhone' => 'homePhone',
'WorkPhone' => 'telephoneNumber',
'MobilePhone' => 'mobile',
'PagerPhone' => 'pager',
'Address1' => 'streetAddress',
'Address2' => 'postOfficeBox',
'City' => 'l',
'State' => 'st',
'Zip' => 'postalCode',
'Country' => 'co',
'FreeformContactInfo' => 'info',
}

);

# A list of RT attrs which can uniquely identify a user,
 # ordered from most to least preferred.
 Set($LdapRTAttrMatchList, ['ExternalContactInfoId', 'Name',
                            'EmailAddress', 'RealName',
                            'WorkPhone', 'Address2']
 );
 
 # A list of LDAP attrs to examine when canonicalizing email addresses,
 # ordered from most to least preferred
 Set($LdapEmailAttrMatchList, ['mail', 'mailRoutingAddress',
                               'mailAlternateAddress']
 );
 
 # A list of prefixes to apply to email address matches.
 # Windows 2003 AD uses prefixes or smtp: or SMTP:.
 # If not required just leave ''
 Set($LdapEmailAttrMatchPrefix, ['', 'smtp:', 'SMTP:'] );
 
 # The basics; if set, these override $RT::LdapAuth* and $RT::LdapInfo*
 Set($LdapServer, 'ldap.example.com');
 Set($LdapBase, 'ou=People,dc=example,dc=com');
 Set($LdapFilter, '(objectclass=posixAccount)');
 
 #   Windows 2003 Active Directory does not allow anonymous LDAP binding
 #   thus you must pass Net::LDAP a username and password that has
 #   access to read the directory.
 #
 #   You may also need to specify the full distinguished name instead of
 #   just a username for LdapUser below.
 #   e.g. cn=Username,cn=Users,dc=yourdomain,dc=com
 #
 Set($LdapUser, 'ldapuser@ad.domain.com');
 Set($LdapPass, 'password');
 
 # This filter is used by RT::User::UpdateFromLdap to test whether an
 # LDAP user's RT account should be disabled. Any user whose LDAP record
 # passes this filter (returns true) will be disabled at login
 Set($LdapDisableFilter, '(employmentStatus=Terminated)');
 
 # If you set these, only members of this group can auth via LDAP
 #Set($LdapGroup, 'cn=RT,ou=Group,dc=example,dc=com');
 #Set($LdapGroupAttr, 'uniqueMember');
 
 # These turn on SSL for LDAP
 #Set($LdapTLS, 0);
 #Set($LdapSSLVersion, 3);
 
 ### IF YOU USE THE SAME LDAP SERVER FOR AUTH AND INFO STOP HERE ###
 
 ### Authentication settings
 
 #
 # These are used only if their $RT::Ldap* analogs are not set;
 # if you want one of these variables to be honored, you must comment
 # out the corresponding $RT::Ldap* variable above
 
 #Set($LdapAuthServer, 'ldap.example.com');
 #Set($LdapAuthBase, 'ou=People,dc=example,dc=com');
 #Set($LdapAuthFilter, "(objectclass=posixAccount)");
 #Set($LdapAuthUser, '');
 #Set($LdapAuthPass, '');
 
 # This filter is used by RT::User::UpdateFromLdap to test whether an
 # LDAP user's RT account should be disabled. Any user whose LDAP record
 # passes this filter (returns true) will be disabled at login
 # Set($LdapAuthDisableFilter, '(employmentStatus=Terminated)');
 
 
 # If you set these, only members of this group can auth via LDAP
 #Set($LdapAuthGroup, 'cn=RT,ou=Group,dc=example,dc=com');
 #Set($LdapAuthGroupAttr, 'uniqueMember');
 # These turn on SSL for LDAP
 #Set($LdapAuthTLS, 0);
 #Set($LdapAuthSSLVersion, 3);
 
 
 ### Information settings
 
 #
 # These are used only if their $RT::Ldap* analogs are not set;
 # if you want one of these variables to be honored, you must comment
 # out the corresponding $RT::Ldap* variable above
 
 
 #Set($LdapInfoServer, 'ldap.example.com');
 #Set($LdapInfoBase, 'ou=People,dc=example,dc=com');
 #Set($LdapInfoFilter, "(objectclass=posixAccount)");
 #Set($LdapInfoUser, '');
 #Set($LdapInfoPass, '');
 
 # This filter is used by RT::User::UpdateFromLdap to test whether an
 # LDAP user's RT account should be disabled. Any user whose LDAP record
 # passes this filter (returns true) will be disabled at login
 # Set($LdapInfoDisableFilter, '(employmentStatus=Terminated)');
 
 # These turn on SSL for LDAP
 #Set($LdapInfoTLS, 0);
 #Set($LdapInfoSSLVersion, 3);