[rt-users] External Auth config with RT on Debian

Kevin Falcone falcone at bestpractical.com
Mon Jul 1 12:28:55 EDT 2013


On Mon, Jul 01, 2013 at 04:24:51PM +0000, Jeff Solberg wrote:
> > - -----Original Message-----
> > From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Kevin Falcone
> > Sent: Monday, July 01, 2013 9:14 AM
> > To: rt-users at lists.bestpractical.com
> > Subject: [secure] Re: [rt-users] External Auth config with RT on Debian
> > Sensitivity: Confidential
> > 
> > * PGP Signed by an unknown key
> > 
> > On Fri, Jun 28, 2013 at 12:29:22PM -0700, jsolberg wrote:
> > > Default settings till here....
> > > #PLUGINS
> > > Set( @Plugins, qw(RT::Authen::ExternalAuth));
> > > 
> > > #External Auth Settings
> > > 
> > > Set($ExternalAuthPriority, [ 'My_LDAP',] ); Set($ExternalInfoPriority, 
> > > [ 'My_LDAP',] ); Set($ExternalServiceUsesSSLorTLS, 0); 
> > > Set($AutoCreateNonExternalUsers, 0); Set($ExternalSettings, {
> > >     'My_LDAP'       =>  {
> > >         'type'                      =>  'ldap',
> > >         'server'                    =>  'dc2.xxxxxx.com',
> > >         'user'                      =>  'cn=Bind
> > > Ldap,ou=User,Logins,dc=intrepidls,dc=com',
> > >         'pass'                    =>  'xxxxxxx',
> > >         'base'                      =>  'dc=xxxx,dc=com',
> > >         'filter'                    => 
> > > '(&(ObjectCategory=User)(ObjectClass=Person))',
> > >         'd_filter'                  => 
> > > '(userAccountControl:1.2.840.113556.1.4.803=2)',
> > >         'group'                     =>  'cn=Domain
> > > Users,ou=Groups_Security,dc=xxxxx,dc=com',
> > >         'group_attr'                =>  'member',
> > >         'tls'                       =>  0,
> > >         'ssl_version'               =>  3,
> > >         'net_ldap_args'             => [    version =>  3, port => 3268   ],
> > >         'group_scope'               =>  'base',
> > >         'group_attr_value'          =>  'GROUP_ATTR_VALUE',
> > >         'attr_match_list' => [
> > >             'Name',
> > >             'EmailAddress',
> > >             'RealName',
> > >         ],
> > >         'attr_map' => {
> > >             'Name' => 'sAMAccountName',
> > >             'EmailAddress' => 'mail',
> > >             'Organization' => 'physicalDeliveryOfficeName',
> > >             'RealName' => 'cn',
> > >             'ExternalAuthId' => 'sAMAccountName',
> > >             'Gecos' => 'sAMAccountName',
> > >             'WorkPhone' => 'telephoneNumber',
> > >             'Address1' => 'streetAddress',
> > >             'City' => 'l',
> > >             'State' => 'st',
> > >             'Zip' => 'postalCode',
> > >             'Country' => 'co'
> > >         },
> > >     },
> > >     # An example SSO cookie service
> > >     'My_SSO_Cookie'  => {
> > >         'type'                      =>  'cookie',
> > >         'name'                      =>  'loginCookieValue',
> > >         'u_table'                   =>  'users',
> > >         'u_field'                   =>  'username',
> > >         'u_match_key'               =>  'userID',
> > >         'c_table'                   =>  'login_cookie',
> > >         'c_field'                   =>  'loginCookieValue',
> > >         'c_match_key'               =>  'loginCookieUserID',
> > >         'db_service_name'           =>  'My_MySQL'
> > >     },
> > > } );
> > > 
> > > 1;
> > > 
> > > I then use update-rt-siteconfig to merge these settings into 
> > > RT_SiteConfig.pm. From what I read this is all correct and "Should" 
> > > allow AD accounts to log in. Here is what is logging in the apache2 error log:
> > > 
> > > [Fri Jun 28 19:01:58 2013] [warning]: The actual HTTP_HOST (admin-rt4) 
> > > does NOT match the configured WebDomain (localhost). Perhaps you 
> > > should Set($WebDomain, 'admin-rt4'); in RT_SiteConfig.pm, otherwise 
> > > your internal links may be broken.
> > > (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:1194)
> > > [Fri Jun 28 19:02:09 2013] [error]: FAILED LOGIN for 
> > > jsolberg at xxxxxx.com from 10.10.30.62 
> > > (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
> > > [Fri Jun 28 19:02:40 2013] [error]: FAILED LOGIN for jsolberg from
> > > 10.10.30.62 ( /usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
> > > [Fri Jun 28 19:02:52 2013] [info]: Successful login for root from
> > > 10.10.30.62 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:745)
> > > root at admin-rt4:/usr/share/request-tracker4/lib#
> > 
> > Navigate to Tools -> Configuration -> System Configuration and check that Plugins contains RT::Authen::ExternalAuth.
> > 
> Thanks for your reply. In the sys config it shows the following under PLUGINS:
> 
> Plugins   [
>         'RT::Authen::ExternalAuth'
>           ]

Great - now go make sure your $LogToScreen is set to 'debug' and log
in again.

root will always be able to log in because it has a local password
set, you're more concerned about getting useful debugging messages for
your jsolberg user.

-kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 235 bytes
Desc: not available
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20130701/e84f8d71/attachment.sig>


More information about the rt-users mailing list