[rt-users] Please help with RT::Authen::ExternalAuth with nested LDAP/AD groups

Nilesh me at nileshgr.com
Fri Jul 15 14:03:40 EDT 2016


On Thu, 2016-07-14 at 19:19 +0000, Landon Stewart wrote:
> Hello,
> 
> I have a working mod_authnz_ldap configuration for apache 2.4 (on a
> virtualhost on the same server) but I cannot seem to convert the configuration
> to a valid RT::Authen::ExternalAuth::LDAP configuration.  At one point I could
> see in var/log/rt.log that it was at least checking the nested groups for
> membership but the filter didn't look quite right.  I have since changed that
> configuration and it seems to stall for a minute and then fail.  It gets my
> real name from the AD service but then cannot match the sub/nested group
> filter I think?
> 
> The apache configuration that works is:
>     <Location /adirectoryname>
>         LogLevel debug
>         AuthName "Password protected. Enter your AD username and password."
>         AuthType Basic
>         AuthBasicProvider ldap
>         AuthLDAPURL "ldap://ldap.server.hostname/OU=iweb,DC=corp,DC=iweb,DC=com?sAMAccountName?sub?(objectClass=*)"
>         AuthLDAPGroupAttribute member
>         AuthLDAPGroupAttributeIsDN on
>         AuthLDAPBindDN "ldapbinduserstring"
>         AuthLDAPBindPassword ldapbindpass
>         Require ldap-filter memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS,OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com
>     </Location>
> 
> 
> So far I've got this in RT_SiteConfig.pm for RT:
> ...snipped...
> Set($ExternalSettings, {
>     'My_LDAP' => {
>         'type' => 'ldap',
>         'server' => 'corp.iweb.com',
>         'user' => 'ldapbinduserstring',
>         'pass' => 'ldapbindpass',
>         'base' => 'OU=iweb,DC=corp,DC=iweb,DC=com',
>         'filter' => '(objectClass=*)',
>         'd_filter' => 'UserAccountControl:1.2.840.113556.1.4.803:=2',
>         'group' => 'RTIR_WEB_SC_ACCESS',
>         'group_scope' => 'sub',
>         'group_attr' => 'memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS',
>         'group_attr_value' => 'OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com',
>         'tls' => 0,
>         'attr_match_list' => [
>             'Name',
>             'EmailAddress',
>         ],
>         'attr_map' => {
>             'Name' => 'sAMAccountName',
>             'EmailAddress' => 'mail',
>             'Organization' => 'physicalDeliveryOfficeName',
>             'RealName' => 'cn',
>             'ExternalAuthId' => 'sAMAccountName',
>             'Gecos' => 'sAMAccountName',
>         },
>     },
> } );
> ...snipped...
> Plugin('RT::IR', 'RT::Authen::ExternalAuth');
> 
> The log entries with the above configuration are:
> [28280] [Thu Jul 14 19:12:14 2016] [debug]: Attempting to use external auth
> service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-
> ExternalAuth/lib/RT/Authen/ExternalAuth.pm:424)
> [28280] [Thu Jul 14 19:12:14 2016] [debug]: Calling UserExists with $username
> (lstewart) and $service (My_LDAP) (/opt/rt4/local/plugins/RT-Authen-
> ExternalAuth/lib/RT/Authen/ExternalAuth.pm:465)
> [28280] [Thu Jul 14 19:12:14 2016] [debug]: UserExists params:
> username: lstewart , service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-
> ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)
> [28280] [Thu Jul 14 19:12:14 2016] [debug]: LDAP Search ===  Base:
> OU=iweb,DC=corp,DC=iweb,DC=com == Filter:
> (&(objectClass=*)(sAMAccountName=lstewart)) ==
> Attrs: sAMAccountName,physicalDeliveryOfficeName,mail,cn,sAMAccountName,sAMAcc
> ountName (/opt/rt4/local/plugins/RT-Authen-
> ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
> [28280] [Thu Jul 14 19:12:14 2016] [debug]: Password validation required for
> service - Executing... (/opt/rt4/local/plugins/RT-Authen-
> ExternalAuth/lib/RT/Authen/ExternalAuth.pm:517)
> [28280] [Thu Jul 14 19:12:14 2016] [debug]: Trying external auth service:
> My_LDAP (/opt/rt4/local/plugins/RT-Authen-
> ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:153)
> [28280] [Thu Jul 14 19:14:14 2016] [debug]: LDAP Search ===  Base:
> OU=iweb,DC=corp,DC=iweb,DC=com == Filter:
> (&(sAMAccountName=lstewart)(objectClass=*)) == Attrs:
> dn,OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com (/opt/rt4/local/plugins/RT-
> Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:186)
> [28280] [Thu Jul 14 19:14:14 2016] [debug]: Found LDAP DN: CN=Landon
> Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com
> (/opt/rt4/local/plugins/RT-Authen-
> ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:220)
> [28280] [Thu Jul 14 19:14:15 2016] [debug]: Attribute
> 'OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com' has no value; falling back to
> 'CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com'
> (/opt/rt4/local/plugins/RT-Authen-
> ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:249)
> [28280] [Thu Jul 14 19:14:15 2016] [debug]: LDAP Search ===  Base:
> RTIR_WEB_SC_ACCESS == Scope: sub == Filter:
> (memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS=CN=Landon Stewart,OU=
> Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com) == Attrs: dn
> (/opt/rt4/local/plugins/RT-Authen-
> ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:256)
> [28280] [Thu Jul 14 19:14:15 2016] [critical]: Search for
> (memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS=CN=Landon
> Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com) failed:
> LDAP_INVALID_DN_SYNTAX 34 (/opt/rt4/local/plugins/RT-Authen-
> ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
> [28280] [Thu Jul 14 19:14:15 2016] [debug]: LDAP password validation result: 0
> (/opt/rt4/local/plugins/RT-Authen-
> ExternalAuth/lib/RT/Authen/ExternalAuth.pm:696)
> [28280] [Thu Jul 14 19:14:15 2016] [debug]: Password Validation Check
> Result:  0 (/opt/rt4/local/plugins/RT-Authen-
> ExternalAuth/lib/RT/Authen/ExternalAuth.pm:521)
> [28280] [Thu Jul 14 19:14:15 2016] [debug]: Autohandler called ExternalAuth.
> Response: (0, Password Invalid) (/opt/rt4/local/plugins/RT-Authen-
> ExternalAuth/html/Elements/DoAuth:11)
> [28280] [Thu Jul 14 19:14:15 2016] [error]: FAILED LOGIN for lstewart from
> xx.xx.xx.xx (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:810)
> 
> 
> --
> Landon Stewart
> Lead Analyst - Abuse and Security Management
> INTERNAP ®
> lstewart at internap.com • www.internap.com
> 
> ---------
> RT 4.4 and RTIR Training Sessions https://bestpractical.com/training
> * Los Angeles - September, 2016


Your setup looks perfectly fine, but I may be missing something because I
haven't used AD. I use OpenLDAP with the rt-ldapimport script for authentication and
rt-ldapimport --no-users --import to sync users (enabled Group member syncing in
the importer). Works well. Maybe give that a try?

-- 
Nilesh
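As an added illustration (my own code, not from Landon's post, from Nilesh, or from RT itself), the script below parses the working AuthLDAPURL from the thread into the search parameters mod_authnz_ldap derives from it and builds the nested-group filter the way the Apache config does, with the group DN as the assertion value. The shape of rt_group_check_filter is an assumption inferred from the quoted rt.log line, not taken from RT::Authen::ExternalAuth's source; the sample values are the ones quoted in the thread.

```python
from urllib.parse import urlsplit, unquote

# RFC 4515: characters that must be escaped inside a search-filter assertion value.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def filter_escape(value: str) -> str:
    """Escape a value before embedding it in an LDAP search filter."""
    return ''.join(_FILTER_ESCAPES.get(c, c) for c in value)


def parse_auth_ldap_url(url: str) -> dict:
    """Split an Apache AuthLDAPURL (ldap://host/base?attr?scope?filter) into the
    search parameters mod_authnz_ldap derives from it, applying Apache's defaults."""
    parts = urlsplit(url)
    fields = parts.query.split('?') if parts.query else []
    fields += [''] * (3 - len(fields))        # pad missing attr/scope/filter fields
    attr, scope, flt = fields[:3]
    return {
        'host': parts.hostname,
        'base': unquote(parts.path.lstrip('/')),
        'attribute': attr or 'uid',
        'scope': scope or 'sub',
        'filter': unquote(flt) or '(objectClass=*)',
    }


def user_search_filter(url_filter: str, attribute: str, username: str) -> str:
    """Per-user lookup: the URL filter AND-ed with the login attribute, the same
    shape as the first 'LDAP Search' line in the quoted rt.log."""
    return f'(&{url_filter}({attribute}={filter_escape(username)}))'


def nested_group_filter(group_dn: str) -> str:
    """Matching-rule-in-chain filter (OID 1.2.840.113556.1.4.1941), as in the
    working 'Require ldap-filter': true for a user who is a member of group_dn
    directly or through any chain of nested groups. Active Directory resolves
    the assertion value as a DN, so it must be the group's full DN."""
    return f'(memberOf:1.2.840.113556.1.4.1941:={filter_escape(group_dn)})'


def rt_group_check_filter(group_attr: str, value: str) -> str:
    """ASSUMED shape of RT's group check, inferred from the log line
    'Filter: (memberOf:...:=CN=RTIR_WEB_SC_ACCESS=CN=Landon ...)': RT appears to
    emit '(' + group_attr + '=' + value + ')'. Because the posted group_attr
    already ends in ':=CN=RTIR_WEB_SC_ACCESS', appending '=' and the user DN gives
    an assertion value that is not a DN; the log shows AD rejecting exactly this
    filter with LDAP_INVALID_DN_SYNTAX 34."""
    return f'({group_attr}={filter_escape(value)})'
```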
