[rt-users] ldap auth failing
Asif Iqbal
vadud3 at gmail.com
Wed May 25 19:59:05 EDT 2011
On Wed, May 25, 2011 at 3:28 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
> My ldapsearch works, but ldap auth with RT is failing
>
> # cat /etc/ldap/ldap.conf
> TLS_REQCERT never # without this ldap bind fails
> # TLS: peer cert untrusted or revoked (0x42)
> # TLS: can't connect: (unknown error code).
>
>
> # ldapsearch -LLL -W -D "uid=binduser,ou=People,dc=mnet,dc=example,dc=com" \
>     -b "ou=People,dc=mnet,dc=example,dc=com" -H ldaps://192.168.1.7:1636 \
>     uid="asif" mail
> Enter LDAP Password: <secret>
> dn: uid=asif,ou=People,dc=mnet,dc=example,dc=com
> mail: Asif.Iqbal at example.com
>
> but RT fails with this error
>
> [Wed May 25 14:51:39 2011] [info] [client 192.168.1.215] (32)Broken pipe: core_output_filter: writing data to the network
> [Wed May 25 14:51:39 2011] [error] [client 192.168.1.215] Apache2::RequestIO::rflush: (103) Software caused connection abort at /usr/local/share/perl/5.10.1/Plack/Handler/Apache2.pm line 148
> [Wed May 25 14:51:39 2011] [debug] mod_deflate.c(615): [client 192.162.1.215] Zlib: Compressed 0 to 2 : URL /
> [Wed May 25 14:51:41 2011] [info] [client 192.168.1.215] Request header read timeout
> [Wed May 25 14:51:41 2011] [info] [client 192.168.1.215] Request header read timeout
> [Wed May 25 14:51:43 2011] [info] [client 192.168.1.215] (32)Broken pipe: core_output_filter: writing data to the network
> [Wed May 25 14:51:43 2011] [error] [client 192.168.1.215] Apache2::RequestIO::rflush: (103) Software caused connection abort at /usr/local/share/perl/5.10.1/Plack/Handler/Apache2.pm line 148
> [Wed May 25 14:51:43 2011] [debug] mod_deflate.c(615): [client 192.168.1.215] Zlib: Compressed 0 to 2 : URL /
> [Wed May 25 14:51:43 2011] [debug] mod_deflate.c(615): [client 192.168.1.215] Zlib: Compressed 0 to 8 : URL /NoAuth/Login.htm
> [Wed May 25 14:51:43 2011] [info] [client 192.168.1.215] (32)Broken pipe: core_output_filter: writing data to the network
> [Wed May 25 14:51:47 2011] [debug] mod_deflate.c(615): [client 192.168.1.215] Zlib: Compressed 4232 to 1682 : URL /NoAuth/Login.html, referer: http://192.168.1.72/NoAuth/Login.html
>
>
> and apache2/error.log shows this
>
> [Wed May 25 18:51:43 2011] [error]: FAILED LOGIN for asif from 192.168.1.215 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:639)
>
> # egrep -v "^[[:space:]]*#|^$" /opt/rt4/etc/RT_SiteConfig.pm
> Set( $rtname, 'example.com');
> Set( @Plugins, qw(RT::Authen::ExternalAuth) );
> 1;
>
> # egrep -v "^[[:space:]]*#|^$" /opt/rt4/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
> Set($ExternalAuthPriority, [ 'My_LDAP',
>                              'My_MySQL',
>                              'My_SSO_Cookie'
>                            ]
> );
> Set($ExternalInfoPriority, [ 'My_MySQL',
>                              'My_LDAP'
>                            ]
> );
> Set($ExternalServiceUsesSSLorTLS, 1); # <== set this to `1' for TLS. tried with `0' as well and failed
> Set($AutoCreateNonExternalUsers, 1);
> Set($ExternalSettings, { # AN EXAMPLE DB SERVICE
>     'My_MySQL' => { ## GENERIC SECTION
>         'type'            => 'db',
>         'server'          => 'server.domain.tld',
>         'database'        => 'DB_NAME',
>         'table'           => 'USERS_TABLE',
>         'user'            => 'DB_USER',
>         'pass'            => 'DB_PASS',
>         'port'            => 'DB_PORT',
>         'dbi_driver'      => 'DBI_DRIVER',
>         'u_field'         => 'username',
>         'p_field'         => 'password',
>         'p_enc_pkg'       => 'Crypt::MySQL',
>         'p_enc_sub'       => 'password',
>         'd_field'         => 'disabled',
>         'd_values'        => ['0'],
>         'attr_match_list' => [ 'Gecos',
>                                'Name'
>                              ],
>         'attr_map'        => { 'Name'           => 'username',
>                                'EmailAddress'   => 'email',
>                                'ExternalAuthId' => 'username',
>                                'Gecos'          => 'userID'
>                              }
>     },
>     'My_LDAP' => { ## GENERIC SECTION
>         'type'            => 'ldap',
>         'server'          => 'ldaps://192.168.1.7:1636',
>         'user'            => 'sysldapq',
>         'pass'            => 'secret',
>         'debug'           => 255,
>         'base'            => 'ou=People,dc=mnet,dc=example,dc=com',
>         'filter'          => '(objectclass=mnetperson)',
>         'd_filter'        => '(objectclass=blah)',
>         'tls'             => 1, # <== set this to `1' for tls. failed with `0' as well
>         'ssl_version'     => 3,
>         'net_ldap_args'   => [ version => 3 ],
>         'attr_match_list' => [ 'Name',
>                                'EmailAddress',
>                              ],
>         'attr_map'        => { 'Name'           => 'uid',
>                                'EmailAddress'   => 'mail',
>                                'Organization'   => 'companynumber',
>                                'RealName'       => 'cn',
>                                'ExternalAuthId' => 'uid',
>                                'WorkPhone'      => 'telephoneNumber',
>                                'Address1'       => 'street',
>                                'City'           => 'l',
>                                'State'          => 'st',
>                                'Zip'            => 'postalCode',   # comma was missing here
>                                'Country'        => 'nationname'
>                              }
>     },
>     'My_SSO_Cookie' => { # # The type of service (db/ldap/cookie)
>         'type'            => 'cookie',
>         'name'            => 'loginCookieValue',
>         'u_table'         => 'users',
>         'u_field'         => 'username',
>         'u_match_key'     => 'userID',
>         'c_table'         => 'login_cookie',
>         'c_field'         => 'loginCookieValue',
>         'c_match_key'     => 'loginCookieUserID',
>         'db_service_name' => 'My_MySQL'
>     }
> }
> );
> 1;
>
> I can login as root with local password.
I got it working after going through the README a few more times and
replacing user => 'binduser' with user => 'the binddn of the user'.
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
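As an added example (not code from the post or from the RT::Authen::ExternalAuth plugin), here is a stand-alone Net::LDAP script that reproduces what the plugin does for a login, outside RT: bind as the service account, search for the login name under the configured base and filter, then bind as the entry that was found with the user's own password. It uses the server, base, filter and uid attribute from the My_LDAP stanza above; the full bind DN for sysldapq and the CA bundle path are assumptions. Two caveats a practitioner would want: verify the server certificate against the directory's CA rather than setting `TLS_REQCERT never`, which switches certificate checking off for every libldap client on the box (and does not reach Net::LDAP anyway, which is pure Perl and uses IO::Socket::SSL, not libldap); and if the stanza's `'debug' => 255` is passed through to Net::LDAP as its debug level, that output dumps the raw wire packets, bind password included, so it should not stay in a production config, and the RT_SiteConfig.pm holding `'pass'` should be readable only by the RT web user.

```perl
#!/usr/bin/perl
# Stand-alone check of an RT::Authen::ExternalAuth LDAP stanza, run outside
# RT. It follows the same sequence the plugin uses for a login: bind as the
# service account, search for the login name under base/filter, then bind
# as the entry found, using the user's own password.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Values follow the My_LDAP stanza from the post. The full bind DN for
# sysldapq and the CA bundle path are assumptions; adjust them.
my %cfg = (
    server => 'ldaps://192.168.1.7:1636',
    # 'user' must be the service account's full DN, not a bare login:
    #   user => 'sysldapq',      # bare uid: the service bind fails
    user   => 'uid=sysldapq,ou=People,dc=mnet,dc=example,dc=com',  # assumed DN
    pass   => 'secret',
    base   => 'ou=People,dc=mnet,dc=example,dc=com',
    filter => '(objectclass=mnetperson)',
    attr   => 'uid',             # attr_map 'Name' => 'uid'
    # Verify the server certificate against the directory's CA instead of
    # switching verification off with TLS_REQCERT never.
    cafile => '/etc/ssl/certs/mnet-ldap-ca.pem',   # assumed path
);

my ( $login, $password ) = @ARGV;
die "usage: $0 <login> <password>\n"
    unless defined $login && defined $password;

# ldaps:// is TLS from the first byte, so there is no start_tls() here;
# start_tls is only for a plain ldap:// URL.
my $ldap = Net::LDAP->new(
    $cfg{server},
    version => 3,
    verify  => 'require',
    cafile  => $cfg{cafile},
) or die "connect to $cfg{server} failed: $@\n";

# 1. Service bind. With a name that is not a DN the server typically
#    answers with result 34 (invalidDNSyntax); RT surfaces that only as
#    FAILED LOGIN, as in the post.
my $mesg = $ldap->bind( $cfg{user}, password => $cfg{pass} );
die sprintf( "service bind as %s failed: %s (code %d)\n",
    $cfg{user}, $mesg->error, $mesg->code ) if $mesg->code;

# 2. Resolve the login to a DN. The login is filter-escaped before it is
#    interpolated, so a value like "*)(uid=*" cannot widen the search.
my $filter = sprintf( '(&%s(%s=%s))',
    $cfg{filter}, $cfg{attr}, escape_filter_value($login) );
$mesg = $ldap->search(
    base   => $cfg{base},
    scope  => 'sub',
    filter => $filter,
    attrs  => ['1.1'],       # DN only, no attributes
);
die sprintf( "search failed: %s (code %d)\n", $mesg->error, $mesg->code )
    if $mesg->code;
die "no entry matches $filter under $cfg{base}\n" if $mesg->count == 0;
die "ambiguous: " . $mesg->count . " entries match $filter\n"
    if $mesg->count > 1;
my $dn = $mesg->entry(0)->dn;

# 3. Bind as the user. This is the actual password check; only the
#    user's own credentials are tested here.
$mesg = $ldap->bind( $dn, password => $password );
if ( $mesg->code ) {
    printf "FAILED LOGIN for %s as %s: %s (code %d)\n",
        $login, $dn, $mesg->error, $mesg->code;
    $ldap->unbind;
    exit 1;
}
printf "OK: %s authenticated as %s\n", $login, $dn;
$ldap->unbind;
exit 0;
```

Run it as `perl check-rt-ldap.pl asif 'the-password'` from the RT host. Each of the three steps fails with the LDAP server's own error text and result code, which is the detail RT's single FAILED LOGIN line hides; if step 1 fails, the problem is the service account's `user`/`pass` (or the certificate), not the person logging in.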