[rt-users] External Auth config with RT on Debian

Jeff Solberg jsolberg at intrepidls.com
Tue Jul 2 13:22:32 EDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Kevin,

In System Configuration in the Web UI I show the following being read in RT. 

LogToFile	'debug'	site config
LogToFileNamed	'rt.log'	site config
LogToScreen		'debug'	site config
LogToSyslog 	''		site config
Plugins 		'RT::Authen::ExternalAuth'	site config

Then under loaded Perl Modules I see

RT::Authen::ExternalAuth	0.16		/usr/local/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm

I would definably agree with you that the plugin is not being run because I have done TCP Packet dumps as I was logging in and there is no activity being sent to my LDAP Server/DC. Oddly enough one would think that with the debugging set it would be telling me something. As I stated earlier the only message being logged in RT.LOG is the FAILED LOGON message. I will look at the permissions on the plugin. Should it be readable by www-data? Thanks again for your help on this. I really need to get this working so I can then move on to the next phase and tailor it to my companies needs.

Jeff


- -----Original Message-----
From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Tuesday, July 02, 2013 10:05 AM
To: rt-users at lists.bestpractical.com
Subject: [secure] Re: [rt-users] External Auth config with RT on Debian
Sensitivity: Confidential

* PGP Signed by an unknown key

On Mon, Jul 01, 2013 at 05:59:53PM +0000, Jeff Solberg wrote:
> 
> Added the following to my site config:

Go back to the System Configuration page and confirm that you see these settings being read by RT.

If you have the Plugin installed, and the logging configured, then it isn't being run.  The next things to check are permissions.  Can the webserver read the callbacks provided by the extension and are they being run.

- -kevin

> #logging
> Set($LogToSyslog    , '');
> Set($LogToScreen    , 'debug');
> Set($LogToFile      , 'debug');
> Set($LogDir, '/var/log/request-tracker4');
> Set($LogToFileNamed , "rt.log");    #log to rt.log
> 
> # end   /etc/request-tracker4/RT_SiteConfig.d/logging
> 
> And restarted apache2, I tried to log in with domain account and this 
> is what is being logged to rt.log
> 
> root at admin-rt4:/var/log/request-tracker4# cat rt.log [Mon Jul  1 
> 17:47:43 2013] [debug]: The RTAddressRegexp option is not set in the 
> config. Not setting this option results in additional SQL queries to 
> check whether each address belongs to RT or not. It is especially 
> important to set this option if RT recieves emails on addresses that 
> are not in the database or config. 
> (/usr/share/request-tracker4/lib/RT/Config.pm:454)
> [Mon Jul  1 17:47:43 2013] [warning]: The actual HTTP_HOST (admin-rt4) 
> does NOT match the configured WebDomain (localhost). Perhaps you 
> should Set($WebDomain, 'admin-rt4'); in RT_SiteConfig.pm, otherwise 
> your internal links may be broken. 
> (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:1194)
> [Mon Jul  1 17:47:50 2013] [error]: FAILED LOGIN for jsolberg from 
> 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
> [Mon Jul  1 17:49:46 2013] [info]: Successful login for root from 
> 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:745)
> [Mon Jul  1 17:53:05 2013] [error]: FAILED LOGIN for 
> jsolberg at xxxxx.com from 10.10.30.63 
> (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
> 
> My guess is the debugging options is not telling us much :(
> 
> Jeff
> 
> 
> 
> - -----Original Message-----
> From: rt-users-bounces at lists.bestpractical.com 
> [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Kevin 
> Falcone
> Sent: Monday, July 01, 2013 9:29 AM
> To: rt-users at lists.bestpractical.com
> Subject: [secure] Re: [rt-users] External Auth config with RT on 
> Debian
> Sensitivity: Confidential
> 
> > Old Signed by an unknown key
> 
> On Mon, Jul 01, 2013 at 04:24:51PM +0000, Jeff Solberg wrote:
> > > - -----Original Message-----
> > > From: rt-users-bounces at lists.bestpractical.com
> > > [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of 
> > > Kevin Falcone
> > > Sent: Monday, July 01, 2013 9:14 AM
> > > To: rt-users at lists.bestpractical.com
> > > Subject: [secure] Re: [rt-users] External Auth config with RT on 
> > > Debian
> > > Sensitivity: Confidential
> > > 
> > > > Old Signed by an unknown key
> > > 
> > > On Fri, Jun 28, 2013 at 12:29:22PM -0700, jsolberg wrote:
> > > > Default settings till here....
> > > > #PLUGINS
> > > > Set( @Plugins, qw(RT::Authen::ExternalAuth));
> > > > 
> > > > #External Auth Settings
> > > > 
> > > > Set($ExternalAuthPriority, [ 'My_LDAP',] ); 
> > > > Set($ExternalInfoPriority, [ 'My_LDAP',] ); 
> > > > Set($ExternalServiceUsesSSLorTLS, 0); Set($AutoCreateNonExternalUsers, 0); Set($ExternalSettings, {
> > > >     'My_LDAP'       =>  {
> > > >         'type'                      =>  'ldap',
> > > >         'server'                    =>  'dc2.xxxxxx.com',
> > > >         'user'                      =>  'cn=Bind
> > > > Ldap,ou=User,Logins,dc=intrepidls,dc=com',
> > > >         'pass'                    =>  'xxxxxxx',
> > > >         'base'                      =>  'dc=xxxx,dc=com',
> > > >         'filter'                    => 
> > > > '(&(ObjectCategory=User)(ObjectClass=Person))',
> > > >         'd_filter'                  => 
> > > > '(userAccountControl:1.2.840.113556.1.4.803=2)',
> > > >         'group'                     =>  'cn=Domain
> > > > Users,ou=Groups_Security,dc=xxxxx,dc=com',
> > > >         'group_attr'                =>  'member',
> > > >         'tls'                       =>  0,
> > > >         'ssl_version'               =>  3,
> > > >         'net_ldap_args'             => [    version =>  3, port => 3268   ],
> > > >         'group_scope'               =>  'base',
> > > >         'group_attr_value'          =>  'GROUP_ATTR_VALUE',
> > > >         'attr_match_list' => [
> > > >             'Name',
> > > >             'EmailAddress',
> > > >             'RealName',
> > > >         ],
> > > >         'attr_map' => {
> > > >             'Name' => 'sAMAccountName',
> > > >             'EmailAddress' => 'mail',
> > > >             'Organization' => 'physicalDeliveryOfficeName',
> > > >             'RealName' => 'cn',
> > > >             'ExternalAuthId' => 'sAMAccountName',
> > > >             'Gecos' => 'sAMAccountName',
> > > >             'WorkPhone' => 'telephoneNumber',
> > > >             'Address1' => 'streetAddress',
> > > >             'City' => 'l',
> > > >             'State' => 'st',
> > > >             'Zip' => 'postalCode',
> > > >             'Country' => 'co'
> > > >         },
> > > >     },
> > > >     # An example SSO cookie service
> > > >     'My_SSO_Cookie'  => {
> > > >         'type'                      =>  'cookie',
> > > >         'name'                      =>  'loginCookieValue',
> > > >         'u_table'                   =>  'users',
> > > >         'u_field'                   =>  'username',
> > > >         'u_match_key'               =>  'userID',
> > > >         'c_table'                   =>  'login_cookie',
> > > >         'c_field'                   =>  'loginCookieValue',
> > > >         'c_match_key'               =>  'loginCookieUserID',
> > > >         'db_service_name'           =>  'My_MySQL'
> > > >     },
> > > > } );
> > > > 
> > > > 1;
> > > > 
> > > > I then use update-rt-siteconfig to merge these settings into 
> > > > RT_SiteConfig.pm. From what I read this is all correct and "Should"
> > > > allow AD accounts to log in. Here is what is logging in the apache2 error log:
> > > > 
> > > > [Fri Jun 28 19:01:58 2013] [warning]: The actual HTTP_HOST
> > > > (admin-rt4) does NOT match the configured WebDomain (localhost). 
> > > > Perhaps you should Set($WebDomain, 'admin-rt4'); in 
> > > > RT_SiteConfig.pm, otherwise your internal links may be broken.
> > > > (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:1194)
> > > > [Fri Jun 28 19:02:09 2013] [error]: FAILED LOGIN for 
> > > > jsolberg at xxxxxx.com from 10.10.30.62
> > > > (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
> > > > [Fri Jun 28 19:02:40 2013] [error]: FAILED LOGIN for jsolberg 
> > > > from
> > > > 10.10.30.62 (
> > > > /usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
> > > > [Fri Jun 28 19:02:52 2013] [info]: Successful login for root 
> > > > from
> > > > 10.10.30.62
> > > > (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:745)
> > > > root at admin-rt4:/usr/share/request-tracker4/lib#
> > > 
> > > Navigate to Tools -> Configuration -> System Configuration and check that Plugins contains RT::Authen::ExternalAuth.
> > > 
> > Thanks for your reply. In the sys config it shows the following under PLUGINS:
> > 
> > Plugins   [
> >         'RT::Authen::ExternalAuth'
> >           ]
> 
> Great - now go make sure your $LogToScreen is set to 'debug' and log in again.
> 
> root will always be able to log in because it has a local password set, you're more concerned about getting useful debugging messages for your jsolberg user.
> 
> - -kevin
> 
> * Unknown Key
> * 0x9E42250A
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Universal 3.2.1 (Build 4940)
> Charset: us-ascii
> 
> wsBVAwUBUdHDnE8vfChWkpdqAQhtUQf8D4xW7+1lNWhskwrlWBqby4bVW2GNnOLe
> s4cxkRIMt5ReLeOyLZCUsUb99NuHwkPonIMrfzAHsD4b5J+bpoXI9VHwSA7Ob0EP
> r9+lwAAZV+JWq0gC5BRSqZFC9nQhEOcCTQj+YDX5ykhZEBqB7pHb0fvGv1KViT5U
> SPusBWr21tvjdH7++/vb0XAdxKT+JTYbjzXmVQG7Mv82A3x9Q01bNQBJ4Xn+tH4R
> h/Dny3llTZYhaf1Ms9pWwSAK48gok0G7EpWYKxL5zjWZvjtWgg3ZNlXURE6MNDTv
> GKaMeceeDiTZP8tdO/UA9WcxSkiqt7p4qyYigAb5J4RGKJASjCLchQ==
> =aMI6
> -----END PGP SIGNATURE-----

* Unknown Key
* 0x9E42250A

-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.1 (Build 4940)
Charset: us-ascii

wsBVAwUBUdMMW08vfChWkpdqAQiYCggAgoY4tX786FzhzU/mbpKSRRI+WNZUQFCV
bM1nHEuUR9chiiriUxqo9Ygqnpwcde7aCB7zijl6AJYR55NS2cpx7Puz1ihnY5Bl
HSy/Y9P0rXiu27Er1iiKjk9pA53+AjS3OZemk2W3AzVQ7Nlu8/7RQirXAn1iI0FO
G4QdoUFedB8XmvKIaTGCjZLvPLl2PUq7dTk2LH6QbTtGuh8Zq+BRrZ8PGF5qnUiD
c+jqhoq7zqJR+iEaO1NNirpCWtRnWCr0u2YvhSS91VwGe4QjVPMwMi9d3Ac3wmy4
6NLHzx1FsV/H0sSUn+8oiNDgc65dPf0HnjW3mLd+kOg7lyfQzlLKUw==
=NYaU
-----END PGP SIGNATURE-----


More information about the rt-users mailing list