[rt-users] ExternalAuth help needed

Wes Modes wmodes at ucsc.edu
Thu Jan 13 16:41:34 EST 2011


I found that I don't need to define MySQL as an external auth source
because, uh, it is not external.  I am using the default mysql
authentication for rt.  So I removed mysql from the ExternalAuthPriority
and ExternalInfoPriority arrays.
This quiets some of the more perplexing "Password Encryption" errors,
but still leaves me with these similar errors:

For a local rt user:

    [Thu Jan 13 21:39:34 2011] [critical]: Search for
    (ou=group,dc=ucsc,dc=edu=uid=wmodes,ou=people,dc=ucsc,dc=edu)
    failed: LDAP_INVALID_DN_SYNTAX 34
    (/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:116)


and for an LDAP only user:

    [Thu Jan 13 21:40:27 2011] [critical]: Search for
    (ou=group,dc=ucsc,dc=edu=uid=rjohnson,ou=people,dc=ucsc,dc=edu)
    failed: LDAP_INVALID_DN_SYNTAX 34
    (/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:116)
    [Thu Jan 13 21:40:27 2011] [error]: FAILED LOGIN for rjohnson from
    128.114.163.50 (/usr/lib/rt/RT/Interface/Web.pm:424)


Here are the config files:

    # Any configuration directives you include  here will override
    # RT's default configuration file, RT_Config.pm
    #
    # To include a directive here, just copy the equivalent statement
    # from RT_Config.pm and change the value. We've included a single
    # sample value below.
    #
    # This file is actually a perl module, so you can include valid
    # perl code, as well.
    #
    # The converse is also true, if this file isn't valid perl, you're
    # going to run into trouble. To check your SiteConfig file, use
    # this command:
    #
    #   perl -c /path/to/your/etc/RT_SiteConfig.pm

    #Set( $rtname, 'example.com');
    #Set( $rtname, 'example.com');
    #Set(@Plugins,(qw(Extension::QuickDelete RT::FM)));
    Set(@Plugins,qw(RT::Extension::ExtractCustomFieldValues
    RT::Authen::ExternalAuth));

    require "/etc/rt/RT_Authen-ExternalAuth.pm";

    # Look into the zoneinfo database for valid values (/usr/share/zoneinfo/)
    # Set( $Timezone , 'US/Eastern');

    # Set( $WebBaseURL , "http://localhost");

    Set( $WebPath , "/rt");

    Set($rtname , "rt.library.ucsc.edu");
    Set($Organization , "rt.library.ucsc.edu");
    Set($Timezone , 'US/Pacific');

    Set($DatabaseUser , 'root');
    Set($DatabasePassword , 'r3c at ll');
    Set($DatabaseName , 'rt3');

    Set($CanonicalizeEmailAddressMatch   , 'rt2.library.ucsc.edu$');
    #Set($CanonicalizeEmailAddressReplace , 'library.ucsc.edu');

    Set($RTAddressRegexp, '\@rt2.library.ucsc.edu$');

    Set($OwnerEmail, 'rootmail');
    Set($WebBaseURL, "http://rt2.library.ucsc.edu");

    # $LogoURL points to the URL of the RT logo displayed in the web UI
    Set($LogoURL , $WebImagesURL . "library.gif");

    Set($LogToFile, 'error');

    1;


and the external auth config:

    # The order in which the services defined in ExternalSettings
    # should be used to authenticate users. User is authenticated
    # if successfully confirmed by any service - no more services
    # are checked.
    Set($ExternalAuthPriority,  [   'My_LDAP',
                                ]
    );

    # The order in which the services defined in ExternalSettings
    # should be used to get information about users. This includes
    # RealName, Tel numbers etc, but also whether or not the user
    # should be considered disabled.
    #
    # Once user info is found, no more services are checked.
    #
    # You CANNOT use a SSO cookie for authentication.
    Set($ExternalInfoPriority,  [
                                    'My_LDAP'
                                ]
    );

    # If this is set to true, then the relevant packages will
    # be loaded to use SSL/TLS connections. At the moment,
    # this just means "use Net::SSLeay;"
    Set($ExternalServiceUsesSSLorTLS,    0);

    # If this is set to 1, then users should be autocreated by RT
    # as internal users if they fail to authenticate from an
    # external service.
    Set($AutoCreateNonExternalUsers,    0);

    # These are the full settings for each external service as a HashOfHashes
    # Note that you may have as many external services as you wish. They will
    # be checked in the order specified in the Priority directives above.
    # e.g.
    #   Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
    #
    Set($ExternalSettings,      {  
        # AN EXAMPLE DB SERVICE
                                   
        'My_MySQL'   =>  {     
            ## GENERIC SECTION
            # The type of service (db/ldap/cookie)
            'type'                      =>  'db',
            # The server hosting the service
            'server'                    =>  'rt2.library.ucsc.edu',
            ## SERVICE-SPECIFIC SECTION
            # The database name
            'database'                  =>  'rt3',
            # The database table
            'table'                     =>  'Users',
            # The user to connect to the database as
            'user'                      =>  'root',
            # The password to use to connect with
            'pass'                      =>  'xxxxxxxx',
            # The port to use to connect with (e.g. 3306)
            'port'                      =>  '3306',
            # The name of the Perl DBI driver to use (e.g. mysql)
            'dbi_driver'                =>  'mysql',
            # The field in the table that holds usernames
            'u_field'                   =>  'Name',
            # The field in the table that holds passwords
            'p_field'                   =>  'Password',
            # The Perl package & subroutine used to encrypt passwords
            # e.g. if the passwords are stored using the MySQL v3.23 "PASSWORD"
            # function, then you will need Crypt::MySQL::password, but for the
            # MySQL4+ password function you will need Crypt::MySQL::password41
            # Alternatively, you could use Digest::MD5::md5_hex or any other
            # encryption subroutine you can load in your perl installation
            'p_enc_pkg'                 =>  'Crypt::MySQL',
            'p_enc_sub'                 =>  'password',
            # If your p_enc_sub takes a salt as a second parameter,
            # uncomment this line to add your salt
            #'p_salt'                    =>  'SALT',
            #
            # The field and values in the table that determines if a user should
            # be disabled. For example, if the field is 'user_status' and the values
            # are ['0','1','2','disabled'] then the user will be disabled if their
            # user_status is set to '0','1','2' or the string 'disabled'.
            # Otherwise, they will be considered enabled.
            'd_field'                   =>  'disabled',
            'd_values'                  =>  ['0'],
            ## RT ATTRIBUTE MATCHING SECTION
            # The list of RT attributes that uniquely identify a user
            'attr_match_list'           =>  [   'Gecos',
                                                'Name'
                                            ],
            # The mapping of RT attributes on to field names
            'attr_map'                  =>  {   'Name' => 'username',
                                                'EmailAddress' => 'email',
                                                'ExternalAuthId' => 'username',
                                                'Gecos' => 'userID'
                                            }
        },
        # AN EXAMPLE LDAP SERVICE
        'My_LDAP'       =>  {  
            ## GENERIC SECTION
            # The type of service (db/ldap/cookie)
            'type'                      =>  'ldap',
            # The server hosting the service
            'server'                    =>  'dir1.library.ucsc.edu',
            ## SERVICE-SPECIFIC SECTION
            # If you can bind to your LDAP server anonymously you should
            # remove the user and pass config lines, otherwise specify them here:
            #
            # The username RT should use to connect to the LDAP server
            'user'                      =>  'cn=admin,dc=ucsc,dc=edu',
            # The password RT should use to connect to the LDAP server
            'pass'                    =>  'xxxxxxxx',
            #
            # The LDAP search base
            'base'                      =>  'ou=people,dc=ucsc,dc=edu',
            #
            # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
            # YOU **MUST** SPECIFY A filter AND A d_filter!!
            #
            # The filter to use to match RT-Users
            'filter'                    =>  '(objectClass=person)',
            # A catch-all example filter: '(objectClass=*)'
            #
            # The filter that will only match disabled users
            'd_filter'                  =>  '(objectClass=FooBarBaz)',
            # A catch-none example d_filter: '(objectClass=FooBarBaz)'
            #
            # Should we try to use TLS to encrypt connections?
            'tls'                       =>  0,
            # SSL Version to provide to Net::SSLeay *if* using SSL
            'ssl_version'               =>  3,
            # What other args should I pass to Net::LDAP->new($host,@args)?
            'net_ldap_args'             => [    version =>  3   ],
            # Does authentication depend on group membership? What group name?
            'group'                     =>  'staff',
            # What is the attribute for the group object that determines membership?
            'group_attr'                =>  'ou=group,dc=ucsc,dc=edu',
            ## RT ATTRIBUTE MATCHING SECTION
            # The list of RT attributes that uniquely identify a user
            # This example shows what you *can* specify.. I recommend reducing this
            # to just the Name and EmailAddress to save encountering problems later.
            'attr_match_list'           => [    'Name',
                                                'EmailAddress',
                                            ],
            # The mapping of RT attributes on to LDAP attributes
            'attr_map'                  =>  {   'Name' => 'uid',
                                                'EmailAddress' => 'mail',
                                                'RealName' => 'cn',
                                                'ExternalAuthId' => 'uid',
                                                'Gecos' => 'gecos',
                                                'WorkPhone' => 'telephoneNumber',
                                            }

        },
        # An example SSO cookie service
        'My_SSO_Cookie'  => {  
            # # The type of service (db/ldap/cookie)
            'type'                      =>  'cookie',
            # The name of the cookie to be used
            'name'                      =>  'loginCookieValue',
            # The users table
            'u_table'                   =>  'users',
            # The username field in the users table
            'u_field'                   =>  'username',
            # The field in the users table that uniquely identifies a user
            # and also exists in the cookies table
            'u_match_key'               =>  'userID',
            # The cookies table
            'c_table'                   =>  'login_cookie',
            # The field that stores cookie values
            'c_field'                   =>  'loginCookieValue',
            # The field in the cookies table that uniquely identifies a user
            # and also exists in the users table
            'c_match_key'               =>  'loginCookieUserID',
            # The DB service in this configuration to use to lookup the cookie information
            'db_service_name'           =>  'My_MySQL'
        }
    }

    );

    1;

Any help would be appreciated.  Thanks.

Wes


On 1/12/2011 4:14 PM, Kevin Falcone wrote:
> On Wed, Jan 12, 2011 at 04:01:08PM -0800, Wes Modes wrote:
>>      [Wed Jan 12 23:31:22 2011] [error]: AUTH FAILED, Couldn't Load Password Encryption Package.
>>      Error: Can't locate Crypt/MySQL.pm in @INC (@INC contains: /usr/local/rt/lib
> What are you doing to load that?
>
> You should send along the other parts of your RT_SiteConfig.pm, it
> appears you've got something 'interesting' running.  Did you tell
> RT-Authen-ExternalAuth to look at LDAP and a mysql database?
>
> -kevin
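The two `[critical]` log lines quoted in this message show the group-membership search filter being assembled as `(` + the `group_attr` setting + `=` + the user's DN + `)`, and result code 34 is LDAP's invalidDNSyntax. The checker below is an added example written for this archive page; it is not part of the post and not code from RT-Authen-ExternalAuth. It rebuilds that filter from the posted `group` and `group_attr` values, checks each against LDAP attribute-description and DN syntax, and adds RFC 4515 escaping of the DN value, which is an addition beyond what the log shows. The "corrected" values `cn=staff,ou=group,dc=ucsc,dc=edu` and `member`, and the sample user DN, are assumptions: the real group DN and membership attribute depend on the directory's schema.

```python
import re

# Values copied from the posted My_LDAP service block.
POSTED_GROUP = 'staff'
POSTED_GROUP_ATTR = 'ou=group,dc=ucsc,dc=edu'
# Assumed corrected values (hypothetical; the real ones depend on the directory schema).
ASSUMED_GROUP_DN = 'cn=staff,ou=group,dc=ucsc,dc=edu'
ASSUMED_GROUP_ATTR = 'member'
# Constructed sample user DN under the posted 'base' of ou=people,dc=ucsc,dc=edu.
SAMPLE_USER_DN = 'uid=wmodes,ou=people,dc=ucsc,dc=edu'

# RFC 4512 attribute description: a descriptor (letter, then letters/digits/hyphens)
# or a numeric OID, optionally followed by ";option" suffixes.
ATTR_DESC_RE = re.compile(
    r'^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)(?:;[A-Za-z0-9-]+)*$')

# Simplified RFC 4514 RDN: type=value, with '+' joining multi-valued RDNs.
# Escaped separators (\, \+ \=) inside values are not handled by this toy check.
RDN_RE = re.compile(
    r'^[A-Za-z][A-Za-z0-9-]*=[^,+=]+(?:\+[A-Za-z][A-Za-z0-9-]*=[^,+=]+)*$')


def is_attribute_description(s: str) -> bool:
    """True if s is a syntactically valid LDAP attribute description."""
    return ATTR_DESC_RE.match(s) is not None


def is_dn(s: str) -> bool:
    """True if s parses as a non-empty DN made of well-formed RDNs."""
    if not s.strip():
        return False
    return all(RDN_RE.match(rdn.strip()) for rdn in s.split(','))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter."""
    return ''.join(
        '\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)


def group_filter(group_attr: str, user_dn: str) -> str:
    """Build the membership filter in the shape the log shows: (group_attr=user_dn)."""
    return '(%s=%s)' % (group_attr, escape_filter_value(user_dn))


def lint_group_settings(group: str, group_attr: str, user_dn: str) -> list:
    """Return a list of problems; an empty list means the pair is syntactically usable."""
    problems = []
    if not is_attribute_description(group_attr):
        problems.append(
            "group_attr %r is not an attribute description; the filter becomes %s"
            % (group_attr, group_filter(group_attr, user_dn)))
    if not is_dn(group):
        problems.append(
            "group %r is not a DN; used as a search base it yields "
            "invalidDNSyntax (result code 34)" % group)
    return problems


if __name__ == '__main__':
    for label, g, ga in (('posted', POSTED_GROUP, POSTED_GROUP_ATTR),
                         ('assumed fix', ASSUMED_GROUP_DN, ASSUMED_GROUP_ATTR)):
        print(label, group_filter(ga, SAMPLE_USER_DN))
        for p in lint_group_settings(g, ga, SAMPLE_USER_DN):
            print('  -', p)
```

Run stand-alone, the "posted" pair reproduces the exact filter string from the log and reports both settings as malformed, while the assumed pair passes. The escaping step matters whenever a DN that contains `(`, `)`, `*` or `\` is interpolated into a filter; without it a crafted or unusual entry name changes the meaning of the search.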