[rt-users] External Authentication with LDAPS

Mike Johnson mike.johnson at nosm.ca
Tue Aug 3 09:07:39 EDT 2010


filter is your LDAP query string to determine if a particular CN is a user.
If you are connecting to an AD it would be (&(objectCategory=User)(objectClass=Person)).

d_filter is your LDAP query to determine disabled users.  If you are
connecting to an AD it would be a bitmask like so
(userAccountControl:1.2.840.113556.1.4.803:=2)

group is your LDAP CN that all your RT users would be a part of.  This
should be the full CN.

group_attr is the attribute of the user CN that determines what groups they
are in.  In AD this would be member.


One thing I would test is getting an LDAP browser and connecting using the
same info you are attempting to connect with in RT, and verifying that the user
you are using works.

Then troubleshoot from there.

Good luck!
Mike.

On Mon, Aug 2, 2010 at 8:08 AM, Anthony BRODARD
<brodard.anthony at gmail.com> wrote:

> And here are other logs generated with debug:
>
>
>  [Mon Aug  2 12:05:00 2010] [critical]:
> RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to
> ldap.blanked.fr(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)
> [Mon Aug  2 12:05:00 2010] [debug]: Autohandler called ExternalAuth.
> Response: (0, No User)
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
> [Mon Aug  2 12:05:00 2010] [error]: FAILED LOGIN for anthony.brodard from
> 10.1.104.30 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
> [Mon Aug  2 12:05:01 2010] [debug]: Reloading RT::User to work around a bug
> in RT-3.8.0 and RT-3.8.1
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
> [Mon Aug  2 12:05:01 2010] [debug]: Attempting to use external auth
> service: My_LDAP
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Mon Aug  2 12:05:01 2010] [debug]: SSO Failed and no user to test with.
> Nexting
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
> [Mon Aug  2 12:05:01 2010] [debug]: Autohandler called ExternalAuth.
> Response: (0, No User)
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
> [Mon Aug  2 12:05:01 2010] [crit]: Apache2::RequestIO::rflush: (103)
> Software caused connection abort at
> /usr/local/share/perl/5.10.0/HTML/Mason/ApacheHandler.pm line 1020
> (/opt/rt3/bin/webmux.pl:168)
> [Mon Aug  2 12:05:01 2010] [debug]: Attempting to use external auth
> service: My_LDAP
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Mon Aug  2 12:05:01 2010] [debug]: Calling UserExists with $username
> (anthony.brodard) and $service (My_LDAP)
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
> [Mon Aug  2 12:05:01 2010] [debug]: UserExists params:
> username: anthony.brodard , service: My_LDAP
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
> [Mon Aug  2 12:05:01 2010] [crit]: Apache2::RequestIO::rflush: (103)
> Software caused connection abort at
> /usr/local/share/perl/5.10.0/HTML/Mason/ApacheHandler.pm line 1020
> (/opt/rt3/bin/webmux.pl:168)
>
>
>   2010/7/29 Mike Johnson <mike.johnson at nosm.ca>
>
>> Make sure you reply to the list; it is very important to share all this so
>> others can learn.
>>
>> The only thing I could think of is your LDAP settings are incorrect
>> somewhere.
>>
>> Some things I found when I was setting things up
>>
>>
>> 1. user = the fully qualified CN of the user (i.e. CN=Mike
>> Johnson,OU=Users,OU=mycompany,OU=mydomain,OU=local)
>> 2. filter and d_filter have to have valid settings
>> 3. Group/Group_Attr had to have settings.
>>
>> I was binding to an AD, so I'm not 100% on 3 if it isn't an AD... but 1
>> and 2 hold true for any LDAP.
>>
>> HTH
>> Mike.
>>
>> On Thu, Jul 29, 2010 at 9:38 AM, Anthony BRODARD
>> <brodard.anthony at gmail.com> wrote:
>>
>>> The TLS argument is already set to 1.
>>>
>>> I don't know how to see whether it's the LDAP server that refuses the
>>> connection or another problem.
>>>
>>>
>>>
>>> 2010/7/29 Mike Johnson <mike.johnson at nosm.ca>
>>>
>>>> Oops, looking at it again, I was looking at the MySQL config part, not
>>>> LDAP.
>>>>
>>>> I think the only way you can adjust what port you are connecting to
>>>> through LDAP is specifying whether it's TLS or not (I believe TLS is 636?
>>>> Google to confirm).
>>>>
>>>> You said you are supposed to be connecting on 636, so set the tls
>>>> argument in your LDAP settings to 1.
>>>>
>>>> restart apache and give it a shot.
>>>>
>>>> Good luck!
>>>> Mike.
>>>>
>>>> On Thu, Jul 29, 2010 at 8:48 AM, Mike Johnson <mike.johnson at nosm.ca> wrote:
>>>>
>>>>> If you read the ExternalAuth's RT_SiteConfig.pm in
>>>>> /RTROOT/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
>>>>>
>>>>> It shows you how to set the port you are connecting on.
>>>>>
>>>>> Set that to the port your LDAP server is listening to.
>>>>>
>>>>> Good luck
>>>>> Mike.
>>>>>
>>>>>
>>>
>>
>>


-- 
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON   P7B 5E1
Phone: (807) 766-7331
Email: mike.johnson at nosm.ca
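Mike's explanation of filter, d_filter, group and group_attr, worked through as an added example that is not part of the thread and is not code from RT or the RT-Authen-ExternalAuth plugin: a small Python model evaluates those four settings against constructed Active Directory-style entries, including the bit-AND matching rule that makes the d_filter work where a plain "=" could not. It assumes the common AD user filter (&(objectCategory=person)(objectClass=user)) and a hypothetical attr_match setting for the login attribute; the DNs, account names and userAccountControl values are made up, and objectCategory is stored as the short class name that AD itself resolves in filters. It also escapes the login name per RFC 4515 before substituting it into the filter, which is the detail to check in any code that builds LDAP filters from user input.

```python
"""Offline model of the RT::Authen::ExternalAuth LDAP settings discussed above:
filter (is this entry a user?), d_filter (is it disabled?), group / group_attr
(is it in the RT group?).  Added example, not code from RT or the plugin."""
import re

UF_ACCOUNTDISABLE = 0x0002                 # AD userAccountControl "account disabled" bit
BIT_AND_RULE = "1.2.840.113556.1.4.803"    # AD extensible match: LDAP_MATCHING_RULE_BIT_AND

# Hypothetical settings; key names follow the thread, attr_match is an assumption.
SETTINGS = {
    "filter":     "(&(objectCategory=person)(objectClass=user))",
    "d_filter":   f"(userAccountControl:{BIT_AND_RULE}:={UF_ACCOUNTDISABLE})",
    "group":      "CN=RT Users,OU=Groups,DC=example,DC=com",
    "group_attr": "member",
    "attr_match": "sAMAccountName",
}

USERS_OU = "OU=Users,DC=example,DC=com"
ALICE, BOB, CAROL = (f"CN={n},{USERS_OU}" for n in ("Alice", "Bob", "Carol"))

def _user(sam, uac):
    return {"objectCategory": ["person"],
            "objectClass": ["top", "person", "organizationalPerson", "user"],
            "sAMAccountName": [sam], "userAccountControl": [str(uac)]}

# Constructed search results (not real directory data). 512 = NORMAL_ACCOUNT.
DIRECTORY = {
    ALICE: _user("alice", 512),
    BOB:   _user("bob", 512 | UF_ACCOUNTDISABLE),          # 514: disabled
    CAROL: _user("carol", 512),                            # enabled, not in group
    "CN=printer01,OU=Computers,DC=example,DC=com": {
        "objectCategory": ["computer"], "objectClass": ["top", "computer"],
        "sAMAccountName": ["printer01$"], "userAccountControl": ["4096"]},
    SETTINGS["group"]: {"objectClass": ["top", "group"], "member": [ALICE, BOB]},
}

def escape_filter_value(value):
    """RFC 4515 escaping, so a login name typed by a user cannot change the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def _unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def _parse(f, i):
    """Recursive-descent parse of one parenthesised filter at f[i]; returns (node, next)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while i < len(f) and f[i] == "(":
            kid, i = _parse(f, i)
            kids.append(kid)
        if i >= len(f) or f[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError("malformed compound filter")
        return (op, kids), i + 1
    j = f.index(")", i)                      # safe: a literal ')' in a value is escaped as \29
    m = re.fullmatch(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)", f[i:j])
    if not m:
        raise ValueError(f"bad filter item {f[i:j]!r}")
    return ("=", m.groups()), j + 1

def _value_matches(pattern, v):
    # An unescaped '*' is a substring wildcard; '\xx' escapes are literal characters.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), v, re.IGNORECASE) is not None

def _match(node, entry):
    op, payload = node
    if op == "&": return all(_match(k, entry) for k in payload)
    if op == "|": return any(_match(k, entry) for k in payload)
    if op == "!": return not _match(payload[0], entry)
    attr, rule, value = payload
    values = entry.get(attr, [])
    if rule == BIT_AND_RULE:                 # bitwise test, which '=' cannot express
        mask = int(value)
        return any((int(v) & mask) == mask for v in values)
    if rule:
        raise ValueError(f"unsupported matching rule {rule}")
    return any(_value_matches(value, v) for v in values)

def ldap_filter_matches(filter_str, entry):
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing text after filter")
    return _match(node, entry)

def check_login(username, directory=DIRECTORY, settings=SETTINGS):
    """Return 'ok', 'no user', 'disabled' or 'not in group' for a login name."""
    search = (f"(&{settings['filter']}"
              f"({settings['attr_match']}={escape_filter_value(username)}))")
    hits = [(dn, e) for dn, e in directory.items() if ldap_filter_matches(search, e)]
    if len(hits) != 1:                       # nobody, or an ambiguous match: refuse
        return "no user"
    dn, entry = hits[0]
    if ldap_filter_matches(settings["d_filter"], entry):
        return "disabled"
    members = directory.get(settings["group"], {}).get(settings["group_attr"], [])
    if dn.lower() not in (m.lower() for m in members):
        return "not in group"
    return "ok"

if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "printer01$", "*"):
        print(f"{name:>10}: {check_login(name)}")
```

The live equivalent of Mike's "connect with an LDAP browser using the same info" advice is to run the same combined filter with a command-line client, binding as the account from the plugin's user setting, for example ldapsearch -H ldaps://your-server:636 -D "your bind DN" -W -b "your base" '(&(objectCategory=person)(objectClass=user)(sAMAccountName=alice))'; if that bind or search fails, the RT side will fail the same way, and the error message from the client is usually more specific than the plugin's "Cannot connect".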