[rt-users] AD integration for external auth

Trev trevor at onepost.net
Tue Jul 7 13:32:42 EDT 2015


Sorry about that; review the blog entry I sent you prior. I do see I did
add that plugin. Again, it's been a while since I wrestled with LDAP
authentication, so I threw my working config, with notes, into that blog.



On Tue, Jul 7, 2015 at 1:30 PM, Trev <trevor at onepost.net> wrote:

> Use -->   Plugin( "RT::Extension::LDAPImport" );
>
> Note the configuration I linked to you prior.
>
> I had some issues with limited functionality using Plugin('RT::Authen::ExternalAuth'). It's been a while actually; I may not even have had that extension working.
>
>
>
> On Tue, Jul 7, 2015 at 1:28 PM, Trev <trevor at onepost.net> wrote:
>
>> If you mean during the login via the RT GUI, the username is the
>> sAMAccountName. There shouldn't be any need to prefix with the domain, as
>> the domain is already being queried.
>>
>>
>>
>> On Tue, Jul 7, 2015 at 1:24 PM, Yan Seiner <yan at seiner.com> wrote:
>>
>>>  What format do you use for the username?
>>>
>>> When I try hpm\yans, which should, in theory, work, I get:
>>>
>>> [5367] [Tue Jul  7 17:07:28 2015] [debug]: LDAP Search ===  Base:
>>> dc=hpm,dc=net == Filter: (&(objectClass=*)(sAMAccountName=hpm\5cyans)) ==
>>> Attrs: sAMAccountName,mail
>>> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
>>>
>>> Notice the mangled sAMAccountName=hpm\5cyans .  If this is what it is
>>> searching for, then we have a problem.   :)
>>>
>>> --Yan
>>>
>>>
>>> On 7/7/2015 11:57 AM, Trev wrote:
>>>
>>>  This may help:
>>>
>>>
>>> http://trevthorpe.blogspot.com/2015/01/request-tracker-424-ldap-authentication.html
>>>
>>>
>>>
>>> On Tue, Jul 7, 2015 at 11:24 AM, Yan Seiner <yan at seiner.com> wrote:
>>>
>>>> I'm coming back to RT after a few years.  I am trying to set up
>>>> external auth against our AD server.
>>>>
>>>> I have a working implementation for mediawiki, so I know that it's
>>>> possible on our system.  As far as possible I've duplicated the options
>>>> from mediawiki/php to rt/perl, but I am still missing something important
>>>> as all login attempts get rejected with a NoUser.
>>>>
>>>> The only thing that I find different (and I'm searching my memory from
>>>> a few years ago, when I set up mediawiki) is a line where the user
>>>> name is prepended with the domain for AD:
>>>>
>>>> $wgLDAPSearchStrings = array( 'HPM' => "HPM\\USER-NAME" );
>>>>
>>>> And I can't find anything like that in the RT config.
>>>>
>>>> Does anyone have a working AD external auth they can share?
>>>>
>>>> Thanks.
>>>>
>>>> Here's the logfile snippet:
>>>>
>>>> [4835] [Tue Jul  7 15:17:14 2015] [debug]: Attempting to use external
>>>> auth service: My_LDAP
>>>> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:424)
>>>> [4835] [Tue Jul  7 15:17:14 2015] [debug]: Calling UserExists with
>>>> $username (yans) and $service (My_LDAP)
>>>> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:465)
>>>> [4835] [Tue Jul  7 15:17:14 2015] [debug]: UserExists params:
>>>> username: yans , service: My_LDAP
>>>> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)
>>>> [4835] [Tue Jul  7 15:17:14 2015] [debug]: LDAP Search ===  Base:
>>>> ou=Staff,dc=hpm,dc=net == Filter:
>>>> (&(objectClass=inetOrgPerson)(sAMAccountName=yans)) == Attrs:
>>>> cn,co,telephoneNumber,l,postalCode,streetAddress,st,sAMAccountName,mail
>>>> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
>>>> [4835] [Tue Jul  7 15:17:14 2015] [debug]: User Check Failed :: (
>>>> My_LDAP ) yans User not found
>>>> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:483)
>>>> [4835] [Tue Jul  7 15:17:14 2015] [debug]: Autohandler called
>>>> ExternalAuth. Response: (0, No User)
>>>> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
>>>> [4835] [Tue Jul  7 15:17:14 2015] [error]: FAILED LOGIN for yans from
>>>> 10.10.30.51 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:810)
>>>>
>>>> And here's the setup in RTSiteConfig.pm:
>>>>
>>>> Plugin('RT::Authen::ExternalAuth');
>>>> Set($ExternalAuthPriority,  [ 'My_LDAP' ]);
>>>> Set($ExternalInfoPriority,  [ 'My_LDAP' ]);
>>>> Set($ExternalSettings, {
>>>>     'My_LDAP'       =>  {
>>>>         'type'             =>  'ldap',
>>>>         'server'           =>  'file_print.hpm.net',
>>>>         # By not passing 'user' and 'pass' we are using an anonymous
>>>>         # bind, which some servers do not allow
>>>>         'base'             =>  'dc=hpm,dc=net',
>>>>         'filter'           =>  '(objectClass=inetOrgPerson)',
>>>>         # Users are allowed to log in via email address or account
>>>>         # name
>>>>         'attr_match_list'  => [
>>>>             'Name',
>>>> #           'EmailAddress',
>>>>         ],
>>>>         # Import the following properties of the user from LDAP upon
>>>>         # login
>>>>         'attr_map' => {
>>>>             'Name'         => 'sAMAccountName',
>>>>             'EmailAddress' => 'mail',
>>>>             'RealName'     => 'cn',
>>>>             'WorkPhone'    => 'telephoneNumber',
>>>>             'Address1'     => 'streetAddress',
>>>>             'City'         => 'l',
>>>>             'State'        => 'st',
>>>>             'Zip'          => 'postalCode',
>>>>             'Country'      => 'co',
>>>>         },
>>>>     },
>>>> } );
>>>>
>>>>
>>>
>>>
>>
>
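Editor's note on the "mangled" sAMAccountName=hpm\5cyans in the debug log above: that is RFC 4515 filter-value escaping, with the backslash rendered as its hex byte \5c. The plugin is treating the login name as untrusted data before splicing it into the search filter, which is exactly what stops a login name such as *)(objectClass=* from rewriting the query; and since an AD sAMAccountName attribute holds only the bare account name, a search for the escaped hpm\yans can never match, whereas the bare name would. The block below is an added example, not code from RT or RT::Authen::ExternalAuth; it reproduces the filter shape the log shows, (&(objectClass=inetOrgPerson)(sAMAccountName=yans)), and the function names, the CONFIG dict and the OR-layout for several attr_match_list entries are assumptions for illustration.

```python
"""RFC 4515 escaping of a login name before it is placed in an LDAP filter.

Added example, not code from RT or RT::Authen::ExternalAuth.  The filter
assembly reproduces the (&(<filter>)(<attr>=<value>)) shape in the thread's
debug log; function names and CONFIG are assumptions for illustration.
"""
import re

# RFC 4515 section 3: characters that must be hex-escaped in an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an untrusted value (e.g. a login name) for use in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(base_filter: str, attr_match_list, attr_map, username: str) -> str:
    """Build the lookup filter for a login attempt, escaping the username.

    With one entry in attr_match_list this yields the form in the thread's log:
    (&(objectClass=inetOrgPerson)(sAMAccountName=yans)).  With several entries
    the per-attribute clauses are OR-ed; that layout is an assumption.
    """
    value = escape_filter_value(username)
    clauses = [f"({attr_map[field]}={value})" for field in attr_match_list]
    if len(clauses) == 1:
        return f"(&{base_filter}{clauses[0]})"
    return f"(&{base_filter}(|{''.join(clauses)}))"


# Constructed to match the ExternalSettings posted in the thread.
CONFIG = {
    "filter": "(objectClass=inetOrgPerson)",
    "attr_match_list": ["Name"],
    "attr_map": {"Name": "sAMAccountName", "EmailAddress": "mail"},
}


def filter_for(username: str, config=CONFIG) -> str:
    """The filter RT-style config would send for this login name."""
    return build_user_filter(config["filter"], config["attr_match_list"],
                             config["attr_map"], username)


# A raw metacharacter is ( ) * or a backslash not followed by two hex digits.
_RAW_META = re.compile(r"[()*]|\\(?![0-9A-Fa-f]{2})")


def unescaped_metachars(value: str) -> list:
    """Return filter metacharacters that appear raw (unescaped) in a value.

    Handy for auditing a filter copied out of a debug log: an empty list means
    the value cannot change the structure of the surrounding filter.
    """
    return _RAW_META.findall(value)


if __name__ == "__main__":
    for name in ("yans", "hpm\\yans", "*)(objectClass=*"):
        print(f"{name!r:22} -> {filter_for(name)}")
    # The value in the log is correctly escaped; the same string typed raw is not.
    print(unescaped_metachars("hpm\\5cyans"), unescaped_metachars("hpm\\yans"))
```

Two checks worth making before changing anything in RT_SiteConfig.pm: run the exact base and filter from the debug log through ldapsearch with the same bind (stock AD user objects carry objectClass top/person/organizationalPerson/user, and only carry inetOrgPerson when that auxiliary class is actually populated), and confirm the bind itself, since a default AD returns no directory entries to an anonymous bind and the log would then show "User not found" for every name.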