[rt-users] Trying to sort out the combination of $WebExternalAuth and RT::Authen::External

John Andersen john at yvig.com
Fri Oct 14 20:44:58 EDT 2011


Hoping someone can point me to where I am going wrong.  I have been
trolling the wiki, cpan, this list, and Google for the last couple of
days with no luck so far.  Probably something apparent that I'm
missing...

I am after the following behavior:
  - A user inside our network and on a machine my company controls
will be auto-logged in via SSO (mod_auth_kerb)
  - Upon successful SSO login, even if it's a first time login, the
user info is canonicalized from our LDAP dir (Active Directory)
  - If the user cannot use SSO, the login fails gracefully back to the
form-based login built in to RT.
  - If the user successfully authenticates via
RT::Authen::ExternalAuth the user info is again canonicalized even if
it's a first time login.
  - If an email is received from a requester, the email is looked up
in LDAP to canonicalize the user info as well.
  - If the email address does NOT exist in the LDAP directory, go
ahead and create an account anyway using the email address as the
username.

No prob, right??

The basics:
  - RT 4.0.2 from source
  - server: debian 6.0 (Squeeze)
  - db: PostgreSQL
  - Apache2
  - RT running under modperl

What I have working:

If I have WebExternalAuth turned *off*, my LDAP connection via
RT::Authen::ExternalAuth is working just fine.
  - I have it pointed to our Active Directory server (Server 2008 R2
if it matters).
  - A user in the directory **CAN** login via the form based login screen
  - If they don't exist, the user is properly created as desired.
  - The user info is also pulled via LDAP via CanonicalizeUserInfo() as desired.

All is well.
-------

If I turn *ON* $WebExternalAuth (I'm using mod_auth_kerb) I get the
following behavior:

  - The user *IS* logged in with SSO as desired provided they already
have an account.
  - The user info is *NOT* canonicalized from the LDAP directory as I
would like.  --FAIL--
  - If the user does not exist, they *ARE* created, but again, the
user info is NOT canonicalized from the directory. --FAIL--
  - Also, mod_auth_kerb does NOT fall back to the form-based login.
It tries to use the KrbPasswd method which I have specifically
disabled. --FAIL--

The message I get in the RT log (via syslog) when a user logs in with
SSO seems to indicate that the user variable is not being set and
passed to the RT::Authen::ExternalAuth extension if I read the error
right.  The odd thing to me, is that while the error says SSO is
failing, it most definitely is not.  The user **is** successfully
logged in.
----- error from syslog ---
Oct 14 16:41:25 rt RT: Attempting to use external auth service: LDAP_DIR1
Oct 14 16:41:25 rt RT: SSO Failed and no user to test with. Nexting
Oct 14 16:41:25 rt RT: Autohandler called ExternalAuth. Response: (0, No User)

---- info from apache error log ---- (all looks well here, I think?)
[Fri Oct 14 17:33:54 2011] [debug] src/mod_auth_kerb.c(1628): [client
172.27.146.144] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Fri Oct 14 17:33:54 2011] [debug] src/mod_auth_kerb.c(1240): [client
172.27.146.144] Acquiring creds for HTTP/rt.sunnysidehospital.org
[Fri Oct 14 17:33:54 2011] [debug] src/mod_auth_kerb.c(1385): [client
172.27.146.144] Verifying client data using KRB5 GSS-API
[Fri Oct 14 17:33:54 2011] [debug] src/mod_auth_kerb.c(1401): [client
172.27.146.144] Client didn't delegate us their credential
[Fri Oct 14 17:33:54 2011] [debug] src/mod_auth_kerb.c(1420): [client
172.27.146.144] GSS-API token of length 181 bytes will be sent back
[Fri Oct 14 17:33:54 2011] [debug] src/mod_auth_kerb.c(1534): [client
172.27.146.144] kerb_authenticate_a_name_to_local_name andersjp at SCH.AD
-> andersjp


(Full disclosure, I am also receiving this message on apache startup,
but I believe it is completely unrelated...)
Oct 14 17:33:10 rt RT: The RTAddressRegexp option is not set in the
config. Not setting this option results in additional SQL queries to
check whether each address belongs to RT or not. It is especially
important to set this option if RT recieves emails on addresses that
are not in the database or config.


First, is what I want to do truly possible? Second, can anyone help me
see what I have wrong here?
------------
Apache2 config section:
----------
## Redirect everything to https
<VirtualHost *:80>
 ServerName rt.sunnysidehospital.org
 <Location />
   Redirect permanent / https://rt.sunnysidehospital.org/
 </Location>
</VirtualHost>


<VirtualHost rt.sunnysidehospital.org:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/rt.sunnysidehospital.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/rt.sunnysidehospital.org
    SSLCACertificateFile /etc/apache2/ssl/sch_ca.cer

    ### Optional apache logs for RT
    ErrorLog /opt/rt4/var/log/apache2.error
    TransferLog /opt/rt4/var/log/apache2.access
    LogLevel debug

    AddDefaultCharset UTF-8

    DocumentRoot "/opt/rt4/share/html"
    <Location />
        SetHandler modperl
        PerlResponseHandler Plack::Handler::Apache2
        PerlSetVar psgi_app /opt/rt4/sbin/rt-server

        ## Kerberos for Single Signon with AD
        AuthType Kerberos
        AuthName "Sunnyside Hospital Login"
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        # KrbMethodK4Passwd off  # when I uncomment this I get an error
        #   (Invalid command 'KrbMethodK4Passwd', perhaps misspelled or
        #    defined by a module not included in the server configuration)

        KrbAuthRealms SCH.AD
        Krb5KeyTab /etc/apache2/krb5.keytab
        KrbServiceName HTTP/rt.sunnysidehospital.org
        KrbSaveCredentials off
        KrbLocalUserMapping on
        require valid-user

        Order allow,deny
        Allow from all
    </Location>

    <Perl>
        use Plack::Handler::Apache2;
        Plack::Handler::Apache2->preload("/opt/rt4/sbin/rt-server");
    </Perl>
</VirtualHost>
-------------------------------

Relevant RT_SiteConfig.pm sections:
----------------------------

Set( $WebExternalAuth, 1 );
Set( $WebFallBackToInternalAuth, 1 );
Set( $WebExternalGecos, undef );
Set( $WebExternalAuto, 1 );
Set( $AutoCreate, Privileged => 0 );

Set( @Plugins, qw(
        RT::Authen::ExternalAuth
        RT::Extension::JSGantt
        RT::Extension::MergeUsers
        RT::Extension::PriorityAsString
        RT::Extension::ReportSpam )
);

Set( $ExternalAuthPriority,['LDAP_DIR1']);
Set( $ExternalInfoPriority,['LDAP_DIR1']);
Set( $ExternalServiceUsesSSLorTLS, 0);
Set( $AutoCreateNonExternalUsers, 1);

Set( $ExternalSettings, {
    # SCH LDAP Settings
    'LDAP_DIR1' => {   ## GENERIC SECTION
        'type'   => 'ldap',
        'server' => 'dir1.sch.ad',
        'user'   => 'cn=LDAP Auth,ou=SCH Users,dc=sch,dc=ad',
        'pass'   => '************',
        'base'   => 'dc=sch,dc=ad',

        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!

        # The filter to use to match RT-Users
        'filter'   => '(mail=*)(sAMAccountType=805306368)',

        # The filter that will only match disabled users
        'd_filter' => '(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)',

        'tls'           => 0,
        'ssl_version'   => 3,
        'net_ldap_args' => [ version => 3 ],
        #'group'        => 'GROUP',
        #'group_attr'   => 'GROUP_ATTR',

        'attr_match_list' => [ 'Name', 'EmailAddress' ],

        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'department',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'MobilePhone'    => 'mobile',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
} );

-----

FYI, I have tested my ldap filters with ldapsearch and run them
exactly as RT puts them together (according to the logs) and can
successfully return info for both my users filter and my disabled
users filter.


Thanks in advance for the help!  (And my sincere apologies for the
short novel I had to write here.)

-John Andersen
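Editor's added example (not code from John's post, and not RT, RT::Authen::ExternalAuth or mod_auth_kerb code): an offline model of three things the post's config and logs touch, run against constructed sample directory entries. It maps a Kerberos principal to a local name the way the mod_auth_kerb debug line "andersjp@SCH.AD -> andersjp" shows, but only for realms in a trusted set, so a principal from a foreign realm never collapses to a local username; it ANDs the configured base 'filter' with a per-user attribute match and escapes the user-supplied value per RFC 4515, so a name taken from REMOTE_USER or the login form cannot change the filter's structure (that RT assembles its filter this way is an assumption here, not something the post shows); and it decodes the Active Directory bits the d_filter relies on, userAccountControl bit 0x2 (ACCOUNTDISABLE) and sAMAccountType 805306368. Sample entries use example.org addresses and are not real directory data.

```python
"""Offline model of principal mapping, filter assembly and AD account flags.

Added example; not code from the post or from RT / mod_auth_kerb.  The way the
base filter and the per-user match are combined is an assumption.
"""

TRUSTED_REALMS = {"SCH.AD"}  # mirrors KrbAuthRealms in the post's Apache config

# Base filter and (a subset of) the attr_map copied from the post's ExternalSettings.
BASE_FILTER = "(mail=*)(sAMAccountType=805306368)"
ATTR_MAP = {
    "Name": "sAMAccountName",
    "EmailAddress": "mail",
    "RealName": "cn",
    "Organization": "department",
}

UAC_ACCOUNTDISABLE = 0x0002          # userAccountControl bit matched by the post's d_filter
SAM_NORMAL_USER_ACCOUNT = 805306368  # 0x30000000: an ordinary user object

# Constructed sample entries (not real directory data).  The second account is
# disabled (512 | 2); the third has no mail attribute.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "andersjp", "mail": "andersjp@example.org",
     "cn": "John Andersen", "department": "IT",
     "sAMAccountType": "805306368", "userAccountControl": "512"},
    {"sAMAccountName": "oldacct", "mail": "oldacct@example.org",
     "cn": "Old Account", "sAMAccountType": "805306368",
     "userAccountControl": "514"},
    {"sAMAccountName": "svc-backup", "cn": "svc backup",
     "sAMAccountType": "805306368", "userAccountControl": "512"},
]

# RFC 4515 escapes for assertion values inside a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def principal_to_local(principal, trusted_realms=TRUSTED_REALMS):
    """Return the local name for user@REALM, or None if REALM is not trusted."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or realm not in trusted_realms:
        return None
    return name


def ldap_escape(value):
    """Escape a user-supplied value so it is matched literally, never parsed."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(base_filter, attr, value):
    """AND the configured base filter with an exact match on attr=value."""
    if not (base_filter.startswith("(") and base_filter.endswith(")")):
        raise ValueError("base filter must be parenthesised LDAP filter(s)")
    return "(&" + base_filter + "(" + attr + "=" + ldap_escape(value) + "))"


def is_disabled(entry):
    """True when the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(int(entry.get("userAccountControl", "0")) & UAC_ACCOUNTDISABLE)


def canonicalize(principal, directory=SAMPLE_DIRECTORY, trusted_realms=TRUSTED_REALMS):
    """Resolve a principal to RT user fields.

    Returns (status, search_filter, info); status is one of
    'untrusted-realm', 'not-found', 'disabled' or 'ok'.
    """
    local = principal_to_local(principal, trusted_realms)
    if local is None:
        return "untrusted-realm", None, {}
    search_filter = build_filter(BASE_FILTER, ATTR_MAP["Name"], local)
    # The in-memory match applies the three conditions the filter expresses:
    # a mail attribute is present, the object is a normal user, the name matches.
    matches = [e for e in directory
               if e.get("sAMAccountName") == local
               and e.get("mail")
               and int(e.get("sAMAccountType", "0")) == SAM_NORMAL_USER_ACCOUNT]
    if not matches:
        return "not-found", search_filter, {}
    entry = matches[0]
    if is_disabled(entry):
        return "disabled", search_filter, {}
    info = {rt_field: entry[ldap_attr]
            for rt_field, ldap_attr in ATTR_MAP.items() if entry.get(ldap_attr)}
    return "ok", search_filter, info


if __name__ == "__main__":
    for p in ("andersjp@SCH.AD", "oldacct@SCH.AD", "svc-backup@SCH.AD",
              "andersjp@EVIL.EXAMPLE", "*)(sAMAccountName=*@SCH.AD"):
        status, flt, info = canonicalize(p)
        print(f"{p:32} {status:15} {flt}  {info}")
```

The search_filter string returned for each principal is the one you would paste into ldapsearch to reproduce the lookup by hand, which is the check the post describes doing; the last principal in the demo shows why escaping matters, since without it the value would close the sAMAccountName assertion and add its own.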
