[rt-users] RT::Authen::ExternalAuth debugging
Alan Cheng
chenga at ias.edu
Thu Oct 16 00:46:27 EDT 2008
Rich,
(1) You should see something similar in your RT log if it is indeed
trying to authenticate against your AD.
[Thu Oct 16 00:25:12 2008] [info]: RT::User::IsExternalPassword External
Auth OK
( MY_LDAP ): alan (/usr/local/rt381/bin/../local/lib/RT/User_Vendor.pm:281)
[Thu Oct 16 00:25:12 2008] [debug]: RT::User::IsPassword External auth
SUCCEEDED
(/usr/local/rt381/bin/../local/lib/RT/User_Vendor.pm:360)
(2) Backup your RT_SiteConfig.pm and reduce the match_list to something
like this and test again:
# The list of RT attributes that uniquely identify a user
'attr_match_list' => [ 'Name',
'EmailAddress',
],
It took me some efforts to get LDAP authentication against SUN Directory
Server 6.3 to work so keep trying! :)
http://www.gossamer-threads.com/lists/rt/users/79313?search_string=TLS;#79313
Good Luck!
Alan
Rich West wrote:
> Thanks for the debug link and the quick help! I wasn't sure what value
> to put in there, but, alas, the Wiki to the rescue. :)
>
> Those links were the ones that I followed. It just doesn't seem to
> even attempt an AD auth ("testuser" exists in AD):
> [Wed Oct 15 22:42:06 2008] [error]: FAILED LOGIN for testuser from
> 10.100.10.6
> (/var/www/html/help.ourdomain.local/share/html/autohandler:265)
>
> I have this bizarre feeling like I am missing just one important piece
> of the puzzle...
>
> -Rich
>
> Eli Altman wrote:
>>
>> Andrew, if you’d like to get ExternalAuth working there are scores of
>> people who have set it up successfully.. so don’t give up. I have
>> 3.8.1 with AuthenExternalAuth LDAP working just fine. It also
>> autocreates users in the RT db as needed. Rich, here is the link for
>> the logging debug setup:
>>
>>
>>
>> http://wiki.bestpractical.com/view/Debug
>>
>>
>>
>> Here is the instruction lineup, read them all carefully.
>>
>>
>>
>> http://wiki.bestpractical.com/view/ExternalAuth - Read the
>> “Post-Install” section
>>
>>
>>
>> http://www.gossamer-threads.com/lists/rt/users/77286
>>
>> http://www.gossamer-threads.com/lists/rt/users/77139?search_string=ldap%
>> <http://www.gossamer-threads.com/lists/rt/users/77139?search_string=ldap%25>
>>
>>
>>
>> If you go to the #rt irc channel I’d be happy to help solve
>> ExternalAuth issues.
>>
>>
>>
>> Elias (whitman on #rt)
>>
>>
>>
>> *From:* rt-users-bounces at lists.bestpractical.com
>> [mailto:rt-users-bounces at lists.bestpractical.com] *On Behalf Of
>> *Andrew Konkol
>> *Sent:* Wednesday, October 15, 2008 2:33 PM
>> *To:* rt-users at lists.bestpractical.com
>> *Subject:* Re: [rt-users] RT::Authen::ExternalAuth debugging
>>
>>
>>
>> I too was going down this path. What ended up working for me is
>> creating local accounts on rt first, then ldap authentication worked.
>> The other problem I ran into is the "give permissions for everyone to
>> create ticket" error when this plugin was activated. Double checked
>> all permissions, and ensured that everyone could create a ticket for
>> the given queue and had no luck.
>>
>> For now I've rolled back the use of the plugin and I am just using
>> local accounts :(
>>
>> -a
>>
>> On Wed, Oct 15, 2008 at 4:17 PM, Rich West <Rich.West at wesmo.com
>> <mailto:Rich.West at wesmo.com>> wrote:
>>
>> I'm going down the route of integrating a new RT 3.8.1 install in to a
>> Windows 2003 Active Directory environment, and after going through the
>> wiki web of information, I found that the "proper" method is now
>> RT::Authen::ExternalAuth. That was, unfortunately, after I tried
>> several other methods. :(
>>
>> Anyhow, I saw a couple of postings on the list (specifically:
>> http://lists.bestpractical.com/pipermail/rt-users/2008-July/052959.html),
>> and managed to get things configured, but not functioning. :(
>>
>> I am able to successfully ldapsearch :
>> ldapsearch -LLL -x -D "CN=Administrator,OU=IT
>> Department,OU=Users,DC=ourdomain,DC=local" -w ourpasswd -h
>> ad.ourdomain.local "(objectClass=Person)" -b "dc=ourdomain,dc=local"
>>
>> And I tried a couple of different variants for searching with command
>> line success: (objectClass=*), (sAMAccountName=user)
>>
>> However, I cannot seem to get it to work for RT. I'm getting "Your
>> username or password is incorrect" after only a few seconds of
>> processing. Probably the thing preventing me from debugging this
>> further is.. well.. I'm not sure how to turn up the volume on the
>> debugging. The most I am seeing in the logs is the login failure.
>>
>> Any ideas?
>>
>> Thanks!
>> -Rich
>>
>>
>>
>> RT_SiteConfig.pm contains:
>> # The order in which the services defined in ExternalSettings
>> # should be used to authenticate users. User is authenticated
>> # if successfully confirmed by any service - no more services
>> # are checked.
>> Set($ExternalAuthPriority, [ 'My_LDAP'
>> ]
>> );
>>
>> # The order in which the services defined in ExternalSettings
>> # should be used to get information about users. This includes
>> # RealName, Tel numbers etc, but also whether or not the user
>> # should be considered disabled.
>> # Once user info is found, no more services are checked.
>> Set($ExternalInfoPriority, [
>> 'My_LDAP'
>> ]
>> );
>>
>> # If this is set to true, then the relevant packages will
>> # be loaded to use SSL/TLS connections. At the moment,
>> # this just means "use Net::SSLeay;"
>> Set($ExternalServiceUsesSSLorTLS, 0);
>>
>> # If this is set to 1, then users should be autocreated by RT
>> # as internal users if they fail to authenticate from an
>> # external service.
>> Set($AutoCreateNonExternalUsers, 1);
>>
>> # These are the full settings for each external service as a HashOfHashes
>> # Note that you may have as many external services as you wish. They will
>> # be checked in the order specified in the Priority directives above.
>> # e.g.
>> #
>> Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
>> #
>> Set($ExternalSettings, {
>> # AN EXAMPLE LDAP SERVICE
>> 'My_LDAP' => { ## GENERIC SECTION
>> # The type of service (db/ldap/cookie)
>> 'type' => 'ldap',
>> # Should the service be used for authentication?
>> 'auth' => 1,
>> # Should the service be used for information?
>> 'info' => 1,
>> # The server hosting the service
>> 'server' => 'ad.ourdomain.local',
>> ## SERVICE-SPECIFIC SECTION
>> # If you can bind to your LDAP server anonymously you
>> should
>> # remove the user and pass config lines, otherwise
>> specify them here:
>> #
>> # The username RT should use to connect to the LDAP server
>> 'user' => 'CN=Administrator,OU=IT
>> Department,OU=Users,DC=ourdomain,DC=local',
>> # The password RT should use to connect to the LDAP server
>> 'pass' => 'ourpasswd',
>> #
>> # The LDAP search base
>> 'base' => 'dc=ourdomain,dc=local',
>> # The filter to use to match RT-Users
>> 'filter' => '(objectclass=Person)',
>> # The filter that will only match disabled users
>> # 'd_filter' =>
>> '(serAccountControl:1.2.840.113556.1.4.803:=2)',
>> 'd_filter' =>
>> '(&(objectCategory=person)(objectClass=user)
>> (userAccountControl:1.2.840.113556.1.4.803:=2))',
>> # Should we try to use TLS to encrypt connections?
>> 'tls' => 0,
>> # What other args should I pass to
>> Net::LDAP->new($host, at args)?
>> 'net_ldap_args' => [ version => 3 ],
>> # Does authentication depend on group membership? What
>> group name?
>> 'group' => '',
>> # What is the attribute for the group object that
>> determines membership?
>> 'group_attr' => '',
>> ## RT ATTRIBUTE MATCHING SECTION
>> # The list of RT attributes that uniquely identify a user
>> 'attr_match_list' => [ 'Name',
>> 'EmailAddress',
>> 'RealName',
>> 'WorkPhone',
>> 'Address2'
>> ],
>> # The mapping of RT attributes on to LDAP attributes
>> 'attr_map' => { 'Name' =>
>> 'sAMAccountName',
>> 'EmailAddress' =>
>> 'mail',
>> 'Organization' =>
>> 'physicalDeliveryOfficeName',
>> 'RealName' => 'cn',
>> 'ExternalAuthId' =>
>> 'sAMAccountName',
>> 'Gecos' =>
>> 'sAMAccountName',
>> 'WorkPhone' =>
>> 'telephoneNumber',
>> 'Address1' =>
>> 'streetAddress',
>> 'City' => 'l',
>> 'State' => 'st',
>> 'Zip' => 'postalCode',
>> 'Country' => 'co'
>> }
>> }
>> }
>> );
>> 1;
>>
>> _______________________________________________
>> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>>
>> Community help: http://wiki.bestpractical.com
>> Commercial support: sales at bestpractical.com
>> <mailto:sales at bestpractical.com>
>>
>>
>> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
>> Buy a copy at http://rtbook.bestpractical.com
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>>
>> Community help: http://wiki.bestpractical.com
>> Commercial support: sales at bestpractical.com
>>
>>
>> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
>> Buy a copy at http://rtbook.bestpractical.com
> ------------------------------------------------------------------------
>
> _______________________________________________
> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>
> Community help: http://wiki.bestpractical.com
> Commercial support: sales at bestpractical.com
>
>
> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
> Buy a copy at http://rtbook.bestpractical.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20081016/43bf6450/attachment.htm>
More information about the rt-users
mailing list