[rt-users] External Authentication with LDAPS

Anthony BRODARD brodard.anthony at gmail.com
Wed Aug 4 02:56:21 EDT 2010


It works!

I've configured the connection without SSL (port 389) and it works fine.

So, I've modified the file
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm

I added this Perl module:

use Net::LDAPS;


And modified the function _GetBoundLdapObj (l. 422):

sub _GetBoundLdapObj {
    # Config as hashref
    my $config = shift;
    # Figure out what's what
    my $ldap_server     = $config->{'server'};
    my $ldap_port       = $config->{'port'};
    my $ldap_ca_path    = $config->{'ca_path'};
    my $ldap_user       = $config->{'user'};
    my $ldap_pass       = $config->{'pass'};
    my $ldap_tls        = $config->{'tls'};
    my $ldap_ssl_ver    = $config->{'ssl_version'};
    my $ldap_args       = $config->{'net_ldap_args'};
    # Net::LDAPS->new takes the host followed by named options, so port and
    # capath have to be passed as key/value pairs (bare values appended after
    # @$ldap_args would be read as one bogus key/value pair and ignored).
    # capath is only consulted when verify => 'require' is set; the default
    # is verify => 'none', which accepts any server certificate.
    my $ldap = Net::LDAPS->new($ldap_server, @$ldap_args,
                               port   => $ldap_port,
                               capath => $ldap_ca_path,
                               verify => 'require');
    unless ($ldap) {
        $RT::Logger->critical(  (caller(0))[3],
                                ": Cannot connect to",
                                $ldap_server);
        return undef;
    }

RT_SiteConfig.pm:

Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalAuthPriority,  ['My_LDAP']);
Set($ExternalInfoPriority,  ['My_LDAP']);
Set($ExternalServiceUsesSSLorTLS,   1);
Set($AutoCreateNonExternalUsers,    1);
Set($ExternalSettings,      {   'My_LDAP' =>  {
        'type' => 'ldap',
        'server' => 'ldap.domain.tld',
        'port' => '636',
        'ca_path' => '/etc/ssl/certs/',
        'user' => 'cn=xxx,o=xxx,dc=xxx,dc=xxx',
        'pass' => 'xxxxxx',
        'base' => 'dc=xxx,dc=xxx',
        'filter' => '(uid=*)',
        'd_filter' => '(objectClass=pwdPolicy)',
        'tls' => 1,
        'ssl_version' => 3,
        'net_ldap_args' => [ version => 3 ],
#       'group' =>
#       'group_attr' =>
        'attr_match_list' => ['Name','EmailAddress'],
        'attr_map' => { 'Name' => 'uid',
                         'EmailAddress' => 'mail'},
        }
});


Sincere thanks for your help, Mike.

Best regards,
Anthony

2010/8/3 Mike Johnson <mike.johnson at nosm.ca>

> filter is your LDAP query string to determine if a particular CN is a
> user.  If you are connecting to an AD it would be (&(objectCategory=User)
> (objectClass=Person))
>
> d_filter is your LDAP query to determine disabled users.  If you are
> connecting to an AD it would be a bitmask like so
> (userAccountControl:1.2.840.113556.1.4.803:=2)
>
> group is your LDAP CN that all your RT users would be a part of.  This
> should be the full CN
>
> group_attr is the attribute of the user CN that determines what groups they
> are in.  In AD this would be member
>
>
> One thing I would test is getting an LDAP browser and connecting using the
> same info you are attempting to connect with in RT, verify the user you are
> using works...
>
> Then troubleshoot from there..
>
> Good luck!
> Mike.
>
> On Mon, Aug 2, 2010 at 8:08 AM, Anthony BRODARD <brodard.anthony at gmail.com>
> wrote:
>
>> And here, another logs generate with debug:
>>
>>
>>  [Mon Aug  2 12:05:00 2010] [critical]:
>> RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to
>> ldap.blanked.fr(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)
>> [Mon Aug  2 12:05:00 2010] [debug]: Autohandler called ExternalAuth.
>> Response: (0, No User)
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
>> [Mon Aug  2 12:05:00 2010] [error]: FAILED LOGIN for anthony.brodard from
>> 10.1.104.30 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
>> [Mon Aug  2 12:05:01 2010] [debug]: Reloading RT::User to work around a
>> bug in RT-3.8.0 and RT-3.8.1
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
>> [Mon Aug  2 12:05:01 2010] [debug]: Attempting to use external auth
>> service: My_LDAP
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
>> [Mon Aug  2 12:05:01 2010] [debug]: SSO Failed and no user to test with.
>> Nexting
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
>> [Mon Aug  2 12:05:01 2010] [debug]: Autohandler called ExternalAuth.
>> Response: (0, No User)
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
>> [Mon Aug  2 12:05:01 2010] [crit]: Apache2::RequestIO::rflush: (103)
>> Software caused connection abort at
>> /usr/local/share/perl/5.10.0/HTML/Mason/ApacheHandler.pm line 1020
>> (/opt/rt3/bin/webmux.pl:168)
>> [Mon Aug  2 12:05:01 2010] [debug]: Attempting to use external auth
>> service: My_LDAP
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
>> [Mon Aug  2 12:05:01 2010] [debug]: Calling UserExists with $username
>> (anthony.brodard) and $service (My_LDAP)
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
>> [Mon Aug  2 12:05:01 2010] [debug]: UserExists params:
>> username: anthony.brodard , service: My_LDAP
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
>> [Mon Aug  2 12:05:01 2010] [crit]: Apache2::RequestIO::rflush: (103)
>> Software caused connection abort at
>> /usr/local/share/perl/5.10.0/HTML/Mason/ApacheHandler.pm line 1020
>> (/opt/rt3/bin/webmux.pl:168)
>>
>>
>>   2010/7/29 Mike Johnson <mike.johnson at nosm.ca>
>>
>>>   make sure you reply to the list, very important to share all this so
>>> others can learn.
>>>
>>> The only thing I could think of is your LDAP settings are incorrect
>>> somewhere.
>>>
>>> Some things I found when I was setting things up
>>>
>>>
>>> 1. user = the fully qualified CN of the user (i.e. CN=Mike
>>> Johnson,OU=Users,OU=mycompany,OU=mydomain,OU=local)
>>> 2. filter and d_filter have to have valid settings
>>> 3. Group/Group_Attr had to have settings.
>>>
>>> I was binding to an AD, so I'm not 100% on 3 if it isn't an AD... but 1
>>> and 2 hold true for any LDAP.
>>>
>>> HTH
>>> Mike.
>>>
>>>   On Thu, Jul 29, 2010 at 9:38 AM, Anthony BRODARD <
>>> brodard.anthony at gmail.com> wrote:
>>>
>>>> TLS argument is already sets to 1.
>>>>
>>>> I don't know how to see if it's the ldap's server which refuses the
>>>> connection, or it's an other problem.
>>>>
>>>>
>>>>
>>>> 2010/7/29 Mike Johnson <mike.johnson at nosm.ca>
>>>>
>>>>> Oops, looking at it again, I was looking at the MySQL config part, not
>>>>> LDAP.
>>>>>
>>>>> i think the only way you can adjust what port you are connecting to
>>>>> through LDAP is specifying if it's TLS or not(I believe TLS is 636? google
>>>>> to confirm).
>>>>>
>>>>> You said you are supposed to be connecting on 636, so set the tls
>>>>> argument in your LDAP settings to 1.
>>>>>
>>>>> restart apache and give it a shot.
>>>>>
>>>>> Good luck!
>>>>> Mike.
>>>>>
>>>>> On Thu, Jul 29, 2010 at 8:48 AM, Mike Johnson <mike.johnson at nosm.ca> wrote:
>>>>>
>>>>>> If you read the ExternalAuth's RT_SiteConfig.pm in
>>>>>> /RTROOT/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
>>>>>>
>>>>>> It shows you how to set the port you are connecting on.
>>>>>>
>>>>>> Set that to the port your LDAP server is listening to.
>>>>>>
>>>>>> Good luck
>>>>>> Mike.
>>>>>>
>>>>>>
>>>>
>>>
>>>
>>>  --
>>> Mike Johnson
>>> Datatel Programmer/Analyst
>>> Northern Ontario School of Medicine
>>> 955 Oliver Road
>>> Thunder Bay, ON   P7B 5E1
>>> Phone: (807) 766-7331
>>> Email: mike.johnson at nosm.ca
>>>
>>>
>>> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
>>> Buy a copy at http://rtbook.bestpractical.com
>>>
>>
>>
>
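An added example, written by the editor and not taken from Anthony's patch or from the RT-Authen-ExternalAuth plugin, showing the connection the thread is working towards in both forms ExternalAuth can use: LDAPS on port 636, and plain LDAP on 389 upgraded with StartTLS (636 is the LDAPS port, not the StartTLS port, which is the point Mike was unsure about). Net::LDAPS->new and start_tls take named options, so the port and the CA directory go in as port => and capath =>, and capath is only used when verify => 'require' is also set; Net::LDAPS otherwise defaults to verify => 'none' and accepts any certificate, which is why a client that passes the CA path in the wrong place still appears to work against a server listening on the default 636. The hostname, bind DN and password are placeholders matching the dummies in the thread; sslversion => 'tlsv1' is the editor's choice, since SSLv3 (the page's ssl_version => 3) is obsolete and should not be negotiated.

```perl
#!/usr/bin/env perl
# Editor's example (not from the thread or the plugin): open an LDAPS or
# StartTLS connection with the server certificate actually verified, then
# bind as the service account and check the result code.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAPS;

# Same keys as the 'My_LDAP' block in RT_SiteConfig.pm; values are dummies.
my %config = (
    server        => 'ldap.domain.tld',           # placeholder host
    port          => 636,
    ca_path       => '/etc/ssl/certs/',           # directory of trusted CAs
    user          => 'cn=xxx,o=xxx,dc=xxx,dc=xxx', # placeholder bind DN
    pass          => 'xxxxxx',                    # placeholder password
    tls           => 0,     # 1 = LDAP on 389 + StartTLS, 0 = LDAPS on port
    net_ldap_args => [ version => 3 ],
);

# Returns a bound Net::LDAP(S) object, or undef after logging the reason.
sub bound_ldap {
    my ($cfg) = @_;
    my @args = @{ $cfg->{net_ldap_args} || [] };

    # TLS options shared by LDAPS and StartTLS. 'require' makes the client
    # refuse a server whose certificate does not chain to a CA under capath;
    # the Net::LDAPS default is verify => 'none', which accepts anything.
    my @tls = (
        verify     => 'require',
        capath     => $cfg->{ca_path},
        sslversion => 'tlsv1',    # not 'sslv3'
    );

    my $ldap;
    if ($cfg->{tls}) {
        # StartTLS: connect in the clear on 389, upgrade before binding.
        $ldap = Net::LDAP->new($cfg->{server}, @args, port => 389)
            or do { warn "connect failed: $@\n"; return };
        my $msg = $ldap->start_tls(@tls);
        if ($msg->code) {
            warn "start_tls failed: ", $msg->error, "\n";
            return;
        }
    }
    else {
        # LDAPS: TLS from the first byte, on the configured port (636).
        # Named options are required here: a bare list like ($port, $capath)
        # after @args would be read as one key/value pair and ignored, and
        # the connection would still succeed on the default port 636 with
        # no certificate check at all.
        $ldap = Net::LDAPS->new($cfg->{server}, @args,
                                port => $cfg->{port}, @tls)
            or do { warn "connect failed: $@\n"; return };
    }

    # Simple bind as the service account. bind() does not die on a bad DN
    # or password; the failure is only visible in the result code.
    my $bind = $ldap->bind($cfg->{user}, password => $cfg->{pass});
    if ($bind->code) {
        warn "bind failed: ", $bind->error, "\n";
        $ldap->unbind;
        return;
    }
    return $ldap;
}

my $ldap = bound_ldap(\%config);
if ($ldap) {
    print "bound to $config{server} over verified TLS\n";
    $ldap->unbind;
}
else {
    exit 1;
}
```

A quick way to confirm the client is really verifying is to point ca_path at an empty directory: with verify => 'require' the connect (or start_tls) must fail, whereas with the default verify => 'none' it still binds, which is exactly the difference between a working LDAPS client and one that merely looks like it works.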