[rt-users] External Auth config with RT on Debian

Jeff Solberg jsolberg at intrepidls.com
Mon Jul 1 12:38:18 EDT 2013



Do I just add the $SetToLog options anywhere in the RT_SiteConfig.pm?

-----Original Message-----
From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Monday, July 01, 2013 9:29 AM
To: rt-users at lists.bestpractical.com
Subject: [secure] Re: [rt-users] External Auth config with RT on Debian
Sensitivity: Confidential

On Mon, Jul 01, 2013 at 04:24:51PM +0000, Jeff Solberg wrote:
> > -----Original Message-----
> > From: rt-users-bounces at lists.bestpractical.com 
> > [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Kevin 
> > Falcone
> > Sent: Monday, July 01, 2013 9:14 AM
> > To: rt-users at lists.bestpractical.com
> > Subject: [secure] Re: [rt-users] External Auth config with RT on 
> > Debian
> > Sensitivity: Confidential
> > 
> > On Fri, Jun 28, 2013 at 12:29:22PM -0700, jsolberg wrote:
> > > Default settings till here....
> > > #PLUGINS
> > > Set( @Plugins, qw(RT::Authen::ExternalAuth));
> > > 
> > > #External Auth Settings
> > > 
> > > Set($ExternalAuthPriority, [ 'My_LDAP',] ); 
> > > Set($ExternalInfoPriority, [ 'My_LDAP',] ); 
> > > Set($ExternalServiceUsesSSLorTLS, 0);
> > > Set($AutoCreateNonExternalUsers, 0);
> > > Set($ExternalSettings, {
> > >     'My_LDAP'       =>  {
> > >         'type'                      =>  'ldap',
> > >         'server'                    =>  'dc2.xxxxxx.com',
> > >         'user'                      =>  'cn=Bind Ldap,ou=User,Logins,dc=intrepidls,dc=com',
> > >         'pass'                      =>  'xxxxxxx',
> > >         'base'                      =>  'dc=xxxx,dc=com',
> > >         'filter'                    =>  '(&(ObjectCategory=User)(ObjectClass=Person))',
> > >         'd_filter'                  =>  '(userAccountControl:1.2.840.113556.1.4.803=2)',
> > >         'group'                     =>  'cn=Domain Users,ou=Groups_Security,dc=xxxxx,dc=com',
> > >         'group_attr'                =>  'member',
> > >         'tls'                       =>  0,
> > >         'ssl_version'               =>  3,
> > >         'net_ldap_args'             => [    version =>  3, port => 3268   ],
> > >         'group_scope'               =>  'base',
> > >         'group_attr_value'          =>  'GROUP_ATTR_VALUE',
> > >         'attr_match_list' => [
> > >             'Name',
> > >             'EmailAddress',
> > >             'RealName',
> > >         ],
> > >         'attr_map' => {
> > >             'Name' => 'sAMAccountName',
> > >             'EmailAddress' => 'mail',
> > >             'Organization' => 'physicalDeliveryOfficeName',
> > >             'RealName' => 'cn',
> > >             'ExternalAuthId' => 'sAMAccountName',
> > >             'Gecos' => 'sAMAccountName',
> > >             'WorkPhone' => 'telephoneNumber',
> > >             'Address1' => 'streetAddress',
> > >             'City' => 'l',
> > >             'State' => 'st',
> > >             'Zip' => 'postalCode',
> > >             'Country' => 'co'
> > >         },
> > >     },
> > >     # An example SSO cookie service
> > >     'My_SSO_Cookie'  => {
> > >         'type'                      =>  'cookie',
> > >         'name'                      =>  'loginCookieValue',
> > >         'u_table'                   =>  'users',
> > >         'u_field'                   =>  'username',
> > >         'u_match_key'               =>  'userID',
> > >         'c_table'                   =>  'login_cookie',
> > >         'c_field'                   =>  'loginCookieValue',
> > >         'c_match_key'               =>  'loginCookieUserID',
> > >         'db_service_name'           =>  'My_MySQL'
> > >     },
> > > } );
> > > 
> > > 1;
> > > 
> > > I then use update-rt-siteconfig to merge these settings into 
> > > RT_SiteConfig.pm. From what I read this is all correct and "Should"
> > > allow AD accounts to log in. Here is what is logging in the apache2 error log:
> > > 
> > > [Fri Jun 28 19:01:58 2013] [warning]: The actual HTTP_HOST 
> > > (admin-rt4) does NOT match the configured WebDomain (localhost). 
> > > Perhaps you should Set($WebDomain, 'admin-rt4'); in 
> > > RT_SiteConfig.pm, otherwise your internal links may be broken.
> > > (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:1194)
> > > [Fri Jun 28 19:02:09 2013] [error]: FAILED LOGIN for 
> > > jsolberg at xxxxxx.com from 10.10.30.62
> > > (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
> > > [Fri Jun 28 19:02:40 2013] [error]: FAILED LOGIN for jsolberg from
> > > 10.10.30.62 ( 
> > > /usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
> > > [Fri Jun 28 19:02:52 2013] [info]: Successful login for root from
> > > 10.10.30.62 
> > > (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:745)
> > > root at admin-rt4:/usr/share/request-tracker4/lib#
> > 
> > Navigate to Tools -> Configuration -> System Configuration and check that Plugins contains RT::Authen::ExternalAuth.
> > 
> Thanks for your reply. In the sys config it shows the following under PLUGINS:
> 
> Plugins   [
>         'RT::Authen::ExternalAuth'
>           ]

Great - now go make sure your $LogToScreen is set to 'debug' and log in again.

root will always be able to log in because it has a local password set; you're more concerned about getting useful debugging messages for your jsolberg user.

-kevin

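The log excerpt quoted in the thread, and the point that a successful root login says nothing about the external accounts, can be checked mechanically. The following is an added example, not part of the thread or of RT: a Python parser for RT login lines in the format shown above, run over constructed sample lines (the thread's entries rejoined onto one line each, with example.com as a placeholder domain); all function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the thread's log entries rejoined onto one line each;
# example.com is a placeholder for the redacted domain.
SAMPLE_LOG = """\
[Fri Jun 28 19:01:58 2013] [warning]: The actual HTTP_HOST (admin-rt4) does NOT match the configured WebDomain (localhost). (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:1194)
[Fri Jun 28 19:02:09 2013] [error]: FAILED LOGIN for jsolberg@example.com from 10.10.30.62 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
[Fri Jun 28 19:02:40 2013] [error]: FAILED LOGIN for jsolberg from 10.10.30.62 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
[Fri Jun 28 19:02:52 2013] [info]: Successful login for root from 10.10.30.62 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:745)
"""

LOGIN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\w+\]: "
    r"(?P<result>FAILED LOGIN|Successful login) for (?P<user>\S+) from (?P<src>\S+)"
)

def parse_logins(text):
    """Return one dict per login line; other log lines (warnings etc.) are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if m:
            events.append({"time": m["ts"], "ok": m["result"] == "Successful login",
                           "user": m["user"], "src": m["src"]})
    return events

def account(user):
    """Fold 'name@domain' and 'name' into one key so both spellings count together."""
    return user.split("@", 1)[0].lower()

def by_source(events):
    """Per source address: which login names failed and which succeeded."""
    out = defaultdict(lambda: {"failed": [], "succeeded": []})
    for e in events:
        out[e["src"]]["succeeded" if e["ok"] else "failed"].append(e["user"])
    return dict(out)

def only_failing(events):
    """Accounts with failures and no success: the ones worth a debug-level trace."""
    ok = {account(e["user"]) for e in events if e["ok"]}
    fails = Counter(account(e["user"]) for e in events if not e["ok"])
    return {a: n for a, n in fails.items() if a not in ok}

if __name__ == "__main__":
    evts = parse_logins(SAMPLE_LOG)
    print(by_source(evts))
    print(only_failing(evts))
```

On the sample, the only account that never succeeds is the directory user, under both spellings of the login name, while the local root account succeeds from the same address.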

