[rt-users] rt4 and External Auth to AD 2008 non-ssl

Brian Murphy blmurphy at eiu.edu
Tue Aug 30 10:35:39 EDT 2011


I am making progress in that I am at least now getting some indication that the code is trying to authenticate my user in my active directory.

I now receive the following after I upgraded my RT::Auth::External to 0.09.

[debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 14:32:12 2011] [debug]: Calling UserExists with $username (blmurphy) and $service (EIUAD) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Tue Aug 30 14:32:12 2011] [debug]: UserExists params:
username: blmurphy , service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Tue Aug 30 14:32:12 2011] [debug]: LDAP Search ===  Base: ou=its employees,ou=employee accounts,ou=eiu users,dc=eiuad,dc=eiu.dc=edu == Filter: (&(objectClass=person)(sAMAccountName=blmurphy)) == Attrs: sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Tue Aug 30 14:32:12 2011] [debug]: User Check Failed :: ( EIUAD ) blmurphy User not found (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:318)

Anyone have any other pointers for trying to debug this thing?

Thanks.

Brian 
----- Original Message -----
From: "Brian Murphy" <blmurphy at eiu.edu>
To: rt-users at lists.bestpractical.com
Sent: Tuesday, August 30, 2011 9:13:51 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I have been trying to do a little debugging.

I am using RT version 4.0.0 and it appears the ExternalAuth I am using is version 0.08, is that versioning a match?  

Secondly, I went to ExternalAuth.pm and added a debug statment and it appears as though I am not getting any value passed for $given_user or $given_pass to my external authentication explaining why it appears that I am not even calling my actual ldap active directory and attempting external auth, I continue to receive:

 Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:66)
[Tue Aug 30 14:08:37 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:94)
[Tue Aug 30 14:08:37 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

as my only debug messages out of external authentication, it appears to not be getting any given_user to work with.

Thanks 

Brian 
----- Original Message -----
From: "Brian Murphy" <blmurphy at eiu.edu>
To: rt-users at lists.bestpractical.com
Sent: Monday, August 29, 2011 11:32:47 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

Still struggling with trying to get RT externally authenticating with my 2008 Active Directory.

I have been able to accomplish an ldapsearch with the following options successfully:

ldapsearch -x -b "dc=eiuad,dc=eiu,dc=edu" -D "CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu" -h eiuad.eiu.edu -p 389 -W "sAMAccountName=blmurphy"

I would like to use the blmurphy as my RT account name.  When I execute the above ldapsearch and input the prompted for password I get back my account information from the Active Directory. I have the following set in my RT_SiteConfig.pm but continue to get the externalauth nouser response.

Brian 

Set($ExternalSettings,      {   
                                # EIUAD Active Directory
                                'EIUAD'       =>  {   ## GENERIC SECTION
                                                        # The type of service (db/ldap/cookie) 
                                                        'type'                      =>  'ldap',
                                                        # The server hosting the service
                                                        'server'                    =>  'eiuad.eiu.edu',
                                                        ## SERVICE-SPECIFIC SECTION
                                                        # If you can bind to your LDAP server anonymously you should 
                                                        # remove the user and pass config lines, otherwise specify them here:
                                                        # 
                                                        # The username RT should use to connect to the LDAP server 
                                                        'user'                      =>  'CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
                                                        # The password RT should use to connect to the LDAP server
                                                        'pass'                    =>  'xxxxxxxxx',
                                                        #
                                                        # The LDAP search base
                                                        'base'                      =>  'dc=eiuad,dc=eiu,dc=edu',
                                                        #
                                                        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
                                                        # YOU **MUST** SPECIFY A filter AND A d_filter!!
                                                        #
                                                        # The filter to use to match RT-Users
                                                        'filter'                    =>  '(sAMAccountName=*)',
                                                        # A catch-all example filter: '(objectClass=*)'
                                                        #
                                                        # The filter that will only match disabled users
                                                        'd_filter'                  =>  '(objectclass=Foo)',
                                                        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
                                                        #
                                                        # Should we try to use TLS to encrypt connections?
                                                        'tls'                       =>  0,
                                                        # SSL Version to provide to Net::SSLeay *if* using SSL
                                                        'ssl_version'               =>  3,
                                                        # What other args should I pass to Net::LDAP->new($host, at args)?
                                                        'net_ldap_args'             => [    version =>  3   ],
                                                        # Does authentication depend on group membership? What group name?
                                                        'group'                     =>  'CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
                                                        # What is the attribute for the group object that determines membership?
                                                        'group_attr'                =>  'memberOf',
                                                        ## RT ATTRIBUTE MATCHING SECTION
                                                        # The list of RT attributes that uniquely identify a user
                                                        # This example shows what you *can* specify.. I recommend reducing this
                                                        # to just the Name and EmailAddress to save encountering problems later.
                                                        'attr_match_list'           => [    'Name'
                                                                                        ],
                                                        # The mapping of RT attributes on to LDAP attributes
                                                        'attr_map'                  =>  {   'Name' => 'sAMAccountName'
                                                                                        }
                                                    }

----- Original Message -----
From: "Brian Murphy" <blmurphy at eiu.edu>
To: rt-users at lists.bestpractical.com
Sent: Thursday, August 25, 2011 11:59:50 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I only get the login failed message back from web.pm.

The account I am using is already in RT and being used so is this a problem.  I was assuming the id would exist and just the auth would be done externally.

Brian 
----- Original Message -----
From: "Kevin Falcone" <falcone at bestpractical.com>
To: rt-users at lists.bestpractical.com
Sent: Thursday, August 25, 2011 9:46:01 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

On Wed, Aug 24, 2011 at 04:42:04PM -0500, Brian Murphy wrote:
> Thanks for the tip on the logging kevin.
> 
> Seeing the following, don't know eactly what to make of it.
> 
> [Wed Aug 24 21:38:37 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Wed Aug 24 21:38:37 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
> [Wed Aug 24 21:38:37 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

Those are the messages you get when the login page pops up.
What do you get after typing your username and password in?

-kevin


> ----- Original Message -----
> From: "Kevin Falcone" <falcone at bestpractical.com>
> To: rt-users at lists.bestpractical.com
> Sent: Wednesday, August 24, 2011 4:18:08 PM
> Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
> 
> On Wed, Aug 24, 2011 at 01:09:15PM -0500, Brian Murphy wrote:
> > I am trying desparately to get this goingnd am not seeing that my
> > externalauth is even being called. I am attaching my RT_SiteConfig.pm
> > for review. I am a newbie and don't know much about anything RT as
> > yet. I see very little in my /var/log/messages other tham LOGIN failed
> > for xxxxx from web.pm, so I don't really think my externalauth is
> > really in play as of yet. Any assistance in getting this going would
> > be greatly appreciated.
> 
> You don't appear to have turned your logging level up, most useful
> logs are at the debug level.  LogToScreen is probably the easiest,
> because they'll end up in your apache error log.
> 
> -kevin
> > 
> > # Any configuration directives you include  here will override 
> > # RT's default configuration file, RT_Config.pm
> > #
> > # To include a directive here, just copy the equivalent statement
> > # from RT_Config.pm and change the value. We've included a single
> > # sample value below.
> > #
> > # This file is actually a perl module, so you can include valid
> > # perl code, as well.
> > #
> > # The converse is also true, if this file isn't valid perl, you're
> > # going to run into trouble. To check your SiteConfig file, use
> > # this comamnd:
> > #
> > #   perl -c /path/to/your/etc/RT_SiteConfig.pm
> > #
> > # You must restart your webserver after making changes to this file.
> > 
> > 
> > # You must install Plugins on your own, this is only an example
> > # of the correct syntax to use when activating them.
> > # There should only be one @Plugins declaration in your config file.
> > #Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail  RT::Extension::ActivityReports)));
> > #Set(@Plugins,(qw(RT::Extension::ActivityReports)));
> > Set(@Plugins,(qw(RT::Extension::ActivityReports RT::Authen::ExternalAuth)));
> > 
> > Set( $CorrespondAddress, '' );
> > Set( $rtname, 'EIU ITS Campus Technology' );
> > Set( $DatabaseRequireSSL, '' );
> > Set( $WebPort, '8080' );
> > 
> > Set( $DatabaseType, 'mysql' );
> > 
> > Set( $SendmailPath, '/usr/sbin/sendmail' );
> > Set( $WebDomain, 'localhost' );
> > 
> > Set( $CommentAddress, '' );
> > Set($Timezone, "US/Central");
> > Set($UnsafeEmailCommands, 1);
> > Set($ParseNewMessageForTicketCcs, 1);
> > Set($NotifyActor, 1);
> > 
> > Set( $OwnerEmail, '' );
> > Set( $DatabaseUser, 'rt_user' );
> > Set( $DatabasePort, '' );
> > Set( $DatabasePassword, 'RT_pass1-' );
> > Set( $DatabaseAdmin, 'root' );
> > Set( $DatabaseAdminPassword, 'Mtfbwu+1' );
> > Set( $DatabaseHost, 'localhost' );
> > Set( $DatabaseName, 'rt4' );
> > Set( $Organization, 'ITS' );
> > 1;
> > # The order in which the services defined in ExternalSettings
> > # should be used to authenticate users. User is authenticated
> > # if successfully confirmed by any service - no more services
> > # are checked.
> > Set($ExternalAuthPriority,  [   'EIUAD'
> >                             ]
> > );
> > 
> > # The order in which the services defined in ExternalSettings
> > # should be used to get information about users. This includes
> > # RealName, Tel numbers etc, but also whether or not the user
> > # should be considered disabled. 
> > #
> > # Once user info is found, no more services are checked.
> > #
> > # You CANNOT use a SSO cookie for authentication.
> > Set($ExternalInfoPriority,  [   'EIUAD'
> >                             ]
> > );
> > 
> > # If this is set to true, then the relevant packages will
> > # be loaded to use SSL/TLS connections. At the moment,
> > # this just means "use Net::SSLeay;"
> > Set($ExternalServiceUsesSSLorTLS,    0);
> > 
> > # If this is set to 1, then users should be autocreated by RT
> > # as internal users if they fail to authenticate from an
> > # external service.
> > Set($AutoCreateNonExternalUsers,    0);
> > 
> > # These are the full settings for each external service as a HashOfHashes
> > # Note that you may have as many external services as you wish. They will
> > # be checked in the order specified in the Priority directives above.
> > # e.g. 
> > #   Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
> > #
> > Set($ExternalSettings,      {   
> >                                 # EIUAD Active Directory
> >                                 'EIUAD'       =>  {   ## GENERIC SECTION
> >                                                         # The type of service (db/ldap/cookie) 
> >                                                         'type'                      =>  'ldap',
> >                                                         # The server hosting the service
> >                                                         'server'                    =>  'xxxxx.xxx.edu',
> >                                                         ## SERVICE-SPECIFIC SECTION
> >                                                         # If you can bind to your LDAP server anonymously you should 
> >                                                         # remove the user and pass config lines, otherwise specify them here:
> >                                                         # 
> >                                                         # The username RT should use to connect to the LDAP server 
> >                                                         'user'                      =>  'rtauth',
> >                                                         # The password RT should use to connect to the LDAP server
> >                                                         'pass'                    =>  'xxxxxxx,
> >                                                         #
> >                                                         # The LDAP search base
> >                                                         'base'                      =>  'dc=xxxxx,dc=xxx,dc=edu',
> >                                                         #
> >                                                         # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
> >                                                         # YOU **MUST** SPECIFY A filter AND A d_filter!!
> >                                                         #
> >                                                         # The filter to use to match RT-Users
> >                                                         'filter'                    =>  '(objectclass=person)',
> >                                                         # A catch-all example filter: '(objectClass=*)'
> >                                                         #
> >                                                         # The filter that will only match disabled users
> >                                                         'd_filter'                  =>  '(objectclass=Foo)',
> >                                                         # A catch-none example d_filter: '(objectClass=FooBarBaz)'
> >                                                         #
> >                                                         # Should we try to use TLS to encrypt connections?
> >                                                         'tls'                       =>  0,
> >                                                         # SSL Version to provide to Net::SSLeay *if* using SSL
> >                                                         'ssl_version'               =>  3,
> >                                                         # What other args should I pass to Net::LDAP->new($host, at args)?
> >                                                         'net_ldap_args'             => [    version =>  3   ],
> >                                                         # Does authentication depend on group membership? What group name?
> >                                                         'group'                     =>  'rt_access',
> >                                                         # What is the attribute for the group object that determines membership?
> >                                                         'group_attr'                =>  'memberOf',
> >                                                         ## RT ATTRIBUTE MATCHING SECTION
> >                                                         # The list of RT attributes that uniquely identify a user
> > 							# This example shows what you *can* specify.. I recommend reducing this
> >                                                         # to just the Name and EmailAddress to save encountering problems later.
> >                                                         'attr_match_list'           => [    'Name'
> >                                                                                         ],
> >                                                         # The mapping of RT attributes on to LDAP attributes
> >                                                         'attr_map'                  =>  {   'Name' => 'sAMAccountName'
> >                                                                                         }
> >                                                     }
> >                                 }
> > );
> > 
> > 1;
> 
> --------
> RT Training Sessions (http://bestpractical.com/services/training.html)
> *  Chicago, IL, USA � September 26 & 27, 2011
> *  San Francisco, CA, USA � October 18 & 19, 2011
> *  Washington DC, USA � October 31 & November 1, 2011
> *  Melbourne VIC, Australia � November 28 & 29, 2011
> *  Barcelona, Spain � November 28 & 29, 2011
> --------
> RT Training Sessions (http://bestpractical.com/services/training.html)
> *  Chicago, IL, USA  September 26 & 27, 2011
> *  San Francisco, CA, USA  October 18 & 19, 2011
> *  Washington DC, USA  October 31 & November 1, 2011
> *  Melbourne VIC, Australia  November 28 & 29, 2011
> *  Barcelona, Spain  November 28 & 29, 2011

--------
RT Training Sessions (http://bestpractical.com/services/training.html)
*  Chicago, IL, USA � September 26 & 27, 2011
*  San Francisco, CA, USA � October 18 & 19, 2011
*  Washington DC, USA � October 31 & November 1, 2011
*  Melbourne VIC, Australia � November 28 & 29, 2011
*  Barcelona, Spain � November 28 & 29, 2011
--------
RT Training Sessions (http://bestpractical.com/services/training.html)
*  Chicago, IL, USA  September 26 & 27, 2011
*  San Francisco, CA, USA  October 18 & 19, 2011
*  Washington DC, USA  October 31 & November 1, 2011
*  Melbourne VIC, Australia  November 28 & 29, 2011
*  Barcelona, Spain  November 28 & 29, 2011
--------
RT Training Sessions (http://bestpractical.com/services/training.html)
*  Chicago, IL, USA  September 26 & 27, 2011
*  San Francisco, CA, USA  October 18 & 19, 2011
*  Washington DC, USA  October 31 & November 1, 2011
*  Melbourne VIC, Australia  November 28 & 29, 2011
*  Barcelona, Spain  November 28 & 29, 2011
--------
RT Training Sessions (http://bestpractical.com/services/training.html)
*  Chicago, IL, USA  September 26 & 27, 2011
*  San Francisco, CA, USA  October 18 & 19, 2011
*  Washington DC, USA  October 31 & November 1, 2011
*  Melbourne VIC, Australia  November 28 & 29, 2011
*  Barcelona, Spain  November 28 & 29, 2011



More information about the rt-users mailing list