[rt-users] ldap externalauth problem

Kenneth Crocker kfcrocker at lbl.gov
Mon Sep 27 14:00:09 EDT 2010


Val,

I think it is your LDAP external settings. We use the LDAP UserID that one
signs in with as the name and we use TLS. Anyway, this is what we have. I'm
remove sensitive stuff, but I think there will be enough to correlate:

# User is authenticated if successfully confirmed by any service

#  *No more services are checked*

#

*Set($ExternalAuthPriority,  [ 'My_LDAP' ] );*

*Set($ExternalInfoPriority,  [ 'My_LDAP' ] );*

*Set($ExternalServiceUsesSSLorTLS, 1);*

*Set($AutoCreateNonExternalUsers, 0);*

#

# These are the full settings for each external service as a HashOfHashes

# No more services are checked

#

*Set(*

*    $ExternalSettings,*

*      {*

*        'My_LDAP' =>*

*           {*

*            ‘type’        => 'ldap',*

*            ‘server’     => 'our server’,*

*            ‘user’        =>  ‘’,*

*            ‘pass’        =>  ‘’,*

*            ‘base’        => 'ou=People,o=company name,c=US’,*

*            ‘filter’       =>
'(&(xxxstatus=A)(|(xxxpan=CF*)(xxxpan=EH*)(xxxpan=HR*)(xxxpan=IC*)))’, #
division prefixes we use as a filter on top of "active" stastus*

*            ‘d_filter’   => '(!(|(xxxEmpStat=Staff)(xxxEmpStat=Guest)))', #
staff or guest*

*            ‘tls’            => 1,*

*            ‘net_ldap_args’    => [ version => 3],*

*            ‘attr_match_list’  => ['Name',*

*                                                 'EmailAddress',*

*                                                 'RealName',*

*                                                 'uid'*

*                                                ],*

*            ‘attr_map’            =>  {'Name'                  => 'uid',*

*                                                  'EmailAddress'    =>
'mail',*

*                                                  'Organization'      =>
‘o’,*

*                                                  'RealName'           =>
'cn',*

*                                                  'ExternalAuthId'  =>
'uid',*

*                                                  'Gecos'
                  => 'uid',*

*                                                  'WorkPhone'         =>
'telephonenumber',*

*                                                  'Address1'             =>
'xxxmailstop',*

*                                                  'Address2'             =>
'postaladdress’*

*                                                 }*

*           }*

*      }*

*   );*
*1;*

An explanation of our settings:

We are stating that we use LDAP for both authorization AND the Info we pull.
We turn on External Service using SSL or TLS.
We do *NOT* autocreate users that do not pass the LDAP auth process.
We do not specify any user or pass.
We specify the LDAP ou, o, & c values.
We specify an additional filter. For us, the status (for the user signing
in) must be active on the LDAP table AND, in addition, we specifiy division
codes. We only want certain company employees from specified division to be
able to use RT.
We specify a "disable" filter for any user signing on if they are not
classified as staff or a guest.
We specify the argument version we use.
We specify what LDAP attributes we want to match against when authorizing.
We specify what LDAP info we want to download into the RT USER Table:
- Name will be the LDAP UserID they sign on with
- Email address is the LDAP email address associated with this LDAP UserId.
- Organization info will be what we set in 'o' to earlier (base=>o= company
name).
- and on.

Notice we use the same LDAP UserId (uid) for Name, ExternalAuthID and Gecos.

I guess the main thing to look for is *a consistency* in what LDAP fields
you use for Auth and what you save. If I say I use the *LDAP 'uid"* for *
Name*, then I must make sure that all references to *Name* are expecting
that it be the LDAP UserID (*'uid*').

That's the best advice I can give you. Hope it's enough.

Kenn
LBNL


On Mon, Sep 27, 2010 at 10:19 AM, Val Polyakov <val at polyakov.me> wrote:

> ldapsearch works, i can find myself using:
>
> ldapsearch -LLL -x -H ldap://ADserver:389 -b
> 'ou=users,ou=yonkers,dc=mydomain,dc=org' -D 'cn=rt,ou=Service
> Accounts,ou=Users,ou=HIGHSECURITY,dc=mydomain,dc=org' -w 'rtPassword'
> '(&(ObjectClass=Person)(cn=Polyakov, Valeriy))'
>
>
> I also turned on debug loging for externalauth, and here's what I see in
> the log. the password im providing is correct, it seems to be able to find
> my account, but then I get an auth failure..  why ? :/
>
>
> [Mon Sep 27 17:11:18 2010] [debug]: Reloading RT::User to work around a
> bug in RT-3.8.0 and RT-3.8.1
>
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
> [Mon Sep 27 17:11:18 2010] [debug]: Attempting to use external auth
> service: My_LDAP
>
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Mon Sep 27 17:11:18 2010] [debug]: Calling UserExists with $username
> (polyva) and $service (My_LDAP)
>
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
> [Mon Sep 27 17:11:18 2010] [debug]: UserExists params:
> username: polyva , service: My_LDAP
>
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
> [Mon Sep 27 17:11:18 2010] [debug]: LDAP Search ===  Base:
> ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter:
> (&(&(ObjectCategory=User))(sAMAccountName=polyva)) == Attrs:
>
> l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,mail
>
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
> [Mon Sep 27 17:11:18 2010] [debug]: Password validation required for
> service - Executing...
>
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
> [Mon Sep 27 17:11:18 2010] [debug]: Trying external auth service: My_LDAP
>
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
> [Mon Sep 27 17:11:18 2010] [debug]: LDAP Search ===  Base:
> ou=Users,ou=Yonkers,dc=consumer,dc=org == Filter:
> (&(sAMAccountName=polyva)(&(ObjectCategory=User))) == Attrs: dn
>
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
> [Mon Sep 27 17:11:18 2010] [debug]: Found LDAP DN: CN=Polyakov\,
> Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org
>
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
> [Mon Sep 27 17:11:18 2010] [debug]: LDAP Search ===  Base:
> ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (member=CN=Polyakov,
> Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org) == Attrs: dn
>
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
> [Mon Sep 27 17:11:18 2010] [info]: My_LDAP AUTH FAILED: polyva
>
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> [Mon Sep 27 17:11:18 2010] [debug]: LDAP password validation result: 0
>
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
> [Mon Sep 27 17:11:18 2010] [debug]: Password Validation Check Result:  0
>
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
> [Mon Sep 27 17:11:18 2010] [debug]: Autohandler called ExternalAuth.
> Response: (0, Password Invalid)
>
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
> [Mon Sep 27 17:11:18 2010] [error]: FAILED LOGIN for polyva from
> 192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
>
>
>
> > Val,
> > Have you verified that ldapsearch works for you on this box?
> >
> > I used something like this to test:
> >
> >
> > ldapsearch -LLL -x -H ldap://<ldap server>:389 -b
> > 'DC=corp,DC=something,DC=com' -D 'ldapuser at corp.something.com' -w
> > '<ldapuser password>' '(&(ObjectClass=Person)(cn=<username to search
> > for))'
> >
> >
> > I had to request from our Windows AD guys to allow the ldapuser to be
> able
> > to read all user information.  I also had to have them open the firewall
> > to our server, because by default, they only allow certain servers to
> > query the AD servers.
> >
> > John
> >
> >
> >
> > On 09/27/2010 10:14 AM, Val Polyakov wrote:
> >
> >       Trying to get my RT 3.8.8 on RHEL5 to authenticate against our
> corporate
> > AD.
> >
> >       I followed this guide here:
> >       http://wiki.bestpractical.com/view/CentOS5InstallPlusSome
> >
> >       I also checked that apache has access to over here
> > (RT-Authen-ExternalAuth
> >       dir was chgrp -R'ed and chmod -R 770'ed):
> >
> >       [root at rt plugins]# pwd
> >       /opt/rt3/local/plugins
> >       [root at rt plugins]# ls -ltr
> >       total 4
> >       drwxrwx--- 5 root apache 4096 Sep 13 14:16 RT-Authen-ExternalAuth
> >       [root at rt plugins]# ps awwwux |grep httpd
> >       root      2313  0.1  4.1 348008 83360 ?        Ss   10:32   0:02
> >       /usr/sbin/httpd
> >       apache    2317  0.0  4.1 350272 82612 ?        S    10:32   0:00
> >       /usr/sbin/httpd
> >       apache    2318  0.0  4.1 350272 82616 ?        S    10:32   0:00
> >       /usr/sbin/httpd
> >       apache    2319  0.0  4.0 348204 82216 ?        S    10:32   0:00
> >       /usr/sbin/httpd
> >       apache    2320  0.0  4.1 350272 82684 ?        S    10:32   0:00
> >       /usr/sbin/httpd
> >       apache    2321  0.0  4.1 350928 83388 ?        S    10:32   0:00
> >       /usr/sbin/httpd
> >       apache    2322  0.0  4.1 350272 82616 ?        S    10:32   0:00
> >       /usr/sbin/httpd
> >       apache    2323  0.0  4.1 350272 82616 ?        S    10:32   0:00
> >       /usr/sbin/httpd
> >       apache    2324  0.0  4.1 350668 83172 ?        S    10:32   0:00
> >       /usr/sbin/httpd
> >       root      3537  0.0  0.0  61148   708 pts/0    R+   11:06   0:00
> grep
> > httpd
> >       [root at rt plugins]#
> >
> >       when I set this up and tried to login with my AD account for the
> first
> >       time, here's what I saw in /var/log/httpd/error_log :
> >
> >
> >       [root at rt autohandler]# tail -f /var/log/httpd/error_log
> >       [Mon Sep 27 14:32:29 2010] [info]:
> >       RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1:
> 101
> >       Truman Avenue, City: Yonkers, Country: United States, Disabled: 0,
> >       EmailAddress: vpolyakov at consumer.org, ExternalAuthId: POLYVA,
> Gecos:
> >       POLYVA, Name: POLYVA, Organization: 1-8D, Privileged: 0, RealName:
> >       Polyakov, Valeriy, State: NY, WorkPhone: (914) 378-2577, Zip: 10703
> >
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
> >       [Mon Sep 27 14:32:29 2010] [info]: Autocreated external user POLYVA
> ( 36
> > )
> >
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:132)
> >       [Mon Sep 27 14:32:29 2010] [info]: My_LDAP AUTH FAILED: polyva
> >
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> >
> >       ....
> >
> >       And ever since then when I try to login I only see this:
> >
> >       [Mon Sep 27 14:52:31 2010] [info]: My_LDAP AUTH FAILED: polyva
> >
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> >       [Mon Sep 27 14:52:31 2010] [error]: FAILED LOGIN for polyva from
> >       192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
> >
> >
> >       my /opt/rt3/etc/RT_SiteConfig.pm and
> >       /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc are attached
> >
> >
> >       Any suggestions?
> >
> >
> >
> >       RT Training in Washington DC, USA on Oct 25 & 26 2010
> >       Last one this year -- Learn how to get the most out of RT!
> >
> >
> > --
> > John Alberts
> > Hosted Services
> > Exlibris USA
> > john.alberts at exlibrisgroup.com
> > cell: 1-508-878-2197
> >
>
>
>
> RT Training in Washington DC, USA on Oct 25 & 26 2010
> Last one this year -- Learn how to get the most out of RT!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20100927/e745183c/attachment.htm>


More information about the rt-users mailing list