[rt-users] ldap auth failing

Asif Iqbal vadud3 at gmail.com
Wed May 25 15:28:22 EDT 2011


My ldapsearch works, but ldap auth with RT is failing

# cat /etc/ldap/ldap.conf
TLS_REQCERT never  # without this ldap bind fails:
                   # TLS: peer cert untrusted or revoked (0x42)
                   # TLS: can't connect: (unknown error code).


# ldapsearch -LLL -W -D "uid=binduser,ou=People,dc=mnet,dc=example,dc=com" \
    -b "ou=People,dc=mnet,dc=example,dc=com" -H ldaps://192.168.1.7:1636 \
    uid="asif" mail
Enter LDAP Password: <secret>
dn: uid=asif,ou=People,dc=mnet,dc=example,dc=com
mail: Asif.Iqbal at example.com

but RT fails with this error

[Wed May 25 14:51:39 2011] [info] [client 192.168.1.215] (32)Broken pipe: core_output_filter: writing data to the network
[Wed May 25 14:51:39 2011] [error] [client 192.168.1.215] Apache2::RequestIO::rflush: (103) Software caused connection abort at /usr/local/share/perl/5.10.1/Plack/Handler/Apache2.pm line 148
[Wed May 25 14:51:39 2011] [debug] mod_deflate.c(615): [client 192.162.1.215] Zlib: Compressed 0 to 2 : URL /
[Wed May 25 14:51:41 2011] [info] [client 192.168.1.215] Request header read timeout
[Wed May 25 14:51:41 2011] [info] [client 192.168.1.215] Request header read timeout
[Wed May 25 14:51:43 2011] [info] [client 192.168.1.215] (32)Broken pipe: core_output_filter: writing data to the network
[Wed May 25 14:51:43 2011] [error] [client 192.168.1.215] Apache2::RequestIO::rflush: (103) Software caused connection abort at /usr/local/share/perl/5.10.1/Plack/Handler/Apache2.pm line 148
[Wed May 25 14:51:43 2011] [debug] mod_deflate.c(615): [client 192.168.1.215] Zlib: Compressed 0 to 2 : URL /
[Wed May 25 14:51:43 2011] [debug] mod_deflate.c(615): [client 192.168.1.215] Zlib: Compressed 0 to 8 : URL /NoAuth/Login.htm
[Wed May 25 14:51:43 2011] [info] [client 192.168.1.215] (32)Broken pipe: core_output_filter: writing data to the network
[Wed May 25 14:51:47 2011] [debug] mod_deflate.c(615): [client 192.168.1.215] Zlib: Compressed 4232 to 1682 : URL /NoAuth/Login.html, referer: http://192.168.1.72/NoAuth/Login.html


and apache2/error.log shows this

[Wed May 25 18:51:43 2011] [error]: FAILED LOGIN for asif from 192.168.1.215 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:639)

# egrep -v "^[[:space:]]*#|^$" /opt/rt4/etc/RT_SiteConfig.pm
Set( $rtname, 'example.com');
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
1;

# egrep -v "^[[:space:]]*#|^$" /opt/rt4/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
Set($ExternalAuthPriority, [ 'My_LDAP', 'My_MySQL', 'My_SSO_Cookie' ]);
Set($ExternalInfoPriority, [ 'My_MySQL', 'My_LDAP' ]);
Set($ExternalServiceUsesSSLorTLS, 1);  # <== set this to `1' for TLS. tried with `0' as well and failed
Set($AutoCreateNonExternalUsers, 1);
Set($ExternalSettings, {
    # AN EXAMPLE DB SERVICE
    'My_MySQL' => {   ## GENERIC SECTION
        'type'            => 'db',
        'server'          => 'server.domain.tld',
        'database'        => 'DB_NAME',
        'table'           => 'USERS_TABLE',
        'user'            => 'DB_USER',
        'pass'            => 'DB_PASS',
        'port'            => 'DB_PORT',
        'dbi_driver'      => 'DBI_DRIVER',
        'u_field'         => 'username',
        'p_field'         => 'password',
        'p_enc_pkg'       => 'Crypt::MySQL',
        'p_enc_sub'       => 'password',
        'd_field'         => 'disabled',
        'd_values'        => ['0'],
        'attr_match_list' => [ 'Gecos', 'Name' ],
        'attr_map'        => {
            'Name'           => 'username',
            'EmailAddress'   => 'email',
            'ExternalAuthId' => 'username',
            'Gecos'          => 'userID'
        }
    },
    'My_LDAP' => {   ## GENERIC SECTION
        'type'            => 'ldap',
        'server'          => 'ldaps://192.168.1.7:1636',
        'user'            => 'sysldapq',
        'pass'            => 'secret',
        'debug'           => 255,
        'base'            => 'ou=People,dc=mnet,dc=example,dc=com',
        'filter'          => '(objectclass=mnetperson)',
        'd_filter'        => '(objectclass=blah)',
        'tls'             => 1,   # <== set this to `1' for tls. failed with `0' as well
        'ssl_version'     => 3,
        'net_ldap_args'   => [ version => 3 ],
        'attr_match_list' => [ 'Name', 'EmailAddress', ],
        'attr_map'        => {
            'Name'           => 'uid',
            'EmailAddress'   => 'mail',
            'Organization'   => 'companynumber',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'uid',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'street',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'nationname'
        }
    },
    'My_SSO_Cookie' => {   # The type of service (db/ldap/cookie)
        'type'            => 'cookie',
        'name'            => 'loginCookieValue',
        'u_table'         => 'users',
        'u_field'         => 'username',
        'u_match_key'     => 'userID',
        'c_table'         => 'login_cookie',
        'c_field'         => 'loginCookieValue',
        'c_match_key'     => 'loginCookieUserID',
        'db_service_name' => 'My_MySQL'
    }
});
1;

I can login as root with local password.

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
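An added stand-alone check, written for this thread and not taken from the post or from the RT project: it replays, with Net::LDAP and the My_LDAP values above, the sequence RT::Authen::ExternalAuth's ldap service is understood to perform (service bind, search for the user under base AND-ed with filter, d_filter check, bind as the user's DN), so each step can be isolated from RT and Apache. The full bind DN, the CA file path, and leaving start_tls off for an ldaps:// URL are assumptions.

```perl
#!/usr/bin/perl
# Added check: replays the LDAP steps RT::Authen::ExternalAuth is assumed to
# perform for a login, using the My_LDAP values from the post. Not RT code.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my %cfg = (
    server   => 'ldaps://192.168.1.7:1636',
    # assumed full bind DN; the post's config has the bare name 'sysldapq'
    user     => 'uid=binduser,ou=People,dc=mnet,dc=example,dc=com',
    pass     => 'secret',                       # placeholder
    base     => 'ou=People,dc=mnet,dc=example,dc=com',
    filter   => '(objectclass=mnetperson)',
    d_filter => '(objectclass=blah)',
    tls      => 0,   # ldaps:// is already TLS; start_tls on top of it is refused
    cafile   => '/etc/ssl/certs/ldap-ca.pem',   # placeholder: CA that signed the server cert
);
my ($login, $password) = @ARGV;
die "usage: $0 <uid> <password>\n" unless defined $password;

# Verify the server certificate instead of relying on TLS_REQCERT never.
my $ldap = Net::LDAP->new($cfg{server}, version => 3,
    verify => 'require', cafile => $cfg{cafile}) or die "connect: $@\n";
if ($cfg{tls}) {   # only meaningful for plain ldap:// URLs
    my $r = $ldap->start_tls(verify => 'require', cafile => $cfg{cafile});
    die "start_tls: " . $r->error . "\n" if $r->code;
}
my $r = $ldap->bind($cfg{user}, password => $cfg{pass});
die "service bind: " . $r->error . "\n" if $r->code;

# attr_match_list => ['Name'] with 'Name' => 'uid': find the user, AND-ed with 'filter'.
my $uid = escape_filter_value($login);   # never interpolate raw input into a filter
my $s = $ldap->search(base => $cfg{base}, scope => 'sub',
    filter => "(&(uid=$uid)$cfg{filter})", attrs => ['mail']);
die "search: " . $s->error . "\n" if $s->code;
die "expected 1 entry for uid=$uid and $cfg{filter}, got " . $s->count . "\n"
    unless $s->count == 1;
my $entry = $s->entry(0);

# d_filter marks disabled accounts; a match here means RT should refuse the login.
my $d = $ldap->search(base => $entry->dn, scope => 'base', filter => $cfg{d_filter});
die "account matches d_filter, login would be refused\n" if $d->count;

# Finally bind as the user's own DN with the typed password.
$r = $ldap->bind($entry->dn, password => $password);
die "user bind: " . $r->error . "\n" if $r->code;
print "OK: ", $entry->dn, " mail=", ($entry->get_value('mail') // ''), "\n";
$ldap->unbind;
```

Run it as `perl check-ldap.pl asif <password>`; the step that dies is the one to compare against the plugin's debug output.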
