[rt-users] RT 4.4.1 on Debian with RT::Authen::ExternalAuth?

Martin Wheldon martin.wheldon at greenhills-it.co.uk
Wed Oct 19 10:36:07 EDT 2016


Hi Malcolm,

The output from rt-ldapimport is normal if no changes are required, as
I've just tried it here in my lab and it is working.

Incidentally, LDAPImport doesn't currently support TLS. I've written a
patch which you are welcome to have if you would like it. I'm afraid I
haven't submitted it to BP yet, but intend to when I get some time.

Best Regards

Martin

On 2016-10-19 14:21, Malcolm Galland wrote:
> Ah, yes.  It looks like I had commented it out during testing, and
> that's what was causing the PeerHost error.  Below is the section of
> SiteConfig dedicated to LDAPImport:
> 
> Set($LDAPHost,'ggdc1.domain.int'); 
>     Set($LDAPUser,'LDAP_ACCOUNT'); 
>     Set($LDAPPassword,'LDAP_ACCOUNT_PASS'); 
>     Set($LDAPBase, 'dc=domain,dc=int'); 
>     Set($LDAPFilter, '(&(cn = users))'); 
>     Set($LDAPMapping, {Name         => 'uid', # required
>                        EmailAddress => 'mail', 
>                        RealName     => 'cn', 
>                        WorkPhone    => 'telephoneNumber', 
>                        Organization => 'departmentName'}); 
> 
>     # If you want to sync Groups from LDAP into RT
> 
>     Set($LDAPGroupBase, 'dc=domain,dc=int'); 
>     Set($LDAPGroupFilter, '(&(cn = Groups))'); 
>     Set($LDAPGroupMapping, {Name               => 'cn', 
>                             Member_Attr        => 'member', 
>                             Member_Attr_Value  => 'dn' });
> 
> Interesting follow up question though, when I run rt-ldapimport I don't
> get any errors, but the output doesn't exactly instill a feeling of
> success either:
> 
> /opt/rt4/sbin/rt-ldapimport --debug
> Running test import, no data will be changed
> Rerun command with --import to perform the import
> Rerun command with --debug for more information
> Testing group import
> Finished test
> 
> 
> On Wed, 2016-10-19 at 14:09 +0000, Martin Wheldon wrote:
>> Hi Malcolm,
>> 
>> You are missing the LDAP import configuration, which is separate
>> from 
>> the External auth config.
>> The following will help:
>> 
>>    https://docs.bestpractical.com/rt/4.4.1/RT/LDAPImport.html
>> 
>> Best Regards
>> 
>> Martin
>> 
>> On 2016-10-19 13:37, Malcolm Galland wrote:
>> >
>> > I've set up RT, and am testing it with rt-server.  Everything seems
>> > to
>> > be going smoothly except LDAP with RT::Authen::ExternalAuth.  I
>> > read
>> > the docs and have implemented the suggested changes in
>> > /opt/rt4/etc/RT_SiteConfig.pm like so:
>> >
>> > Set( $ExternalAuthPriority, ["My_LDAP"] );
>> > Set( $ExternalInfoPriority, ["My_LDAP"] );
>> > Set($ExternalAuth, 1);
>> > Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
>> > Set($AutoCreateNonExternalUsers, 1);
>> > Set($ExternalSettings, {
>> >     'My_LDAP'       =>  {
>> >         'type'             =>  'ldap',
>> >         'server'           =>  'ggdc1.domain.int',
>> >         'user'             =>  'LDAP_ACCOUNT',
>> >         'pass'             =>  'LDAP_ACCOUNT_PASS',
>> >         'base'             =>  'ou=Production,dc=domain,dc=int',
>> >         'filter'           =>  '(objectClass=inetOrgPerson)',
>> >         'attr_match_list'  => [
>> >             'Name',
>> >             'EmailAddress',
>> >         ],
>> >         'attr_map' => {
>> >                 'Name'         => 'sAMAccountName',
>> >                 'EmailAddress' => 'mail',
>> >                 'RealName'     => 'cn',
>> >                 'WorkPhone'    => 'telephoneNumber',
>> >                 'Address1'     => 'streetAddress',
>> >                 'City'         => 'l',
>> >                 'State'        => 'st',
>> >                 'Zip'          => 'postalCode',
>> >                 'Country'      => 'co',
>> >         },
>> >     },
>> > } );
>> >
>> > The issue is when I try to login the users aren't allowed access,
>> > and I
>> > get the following error from rt-server:
>> >
>> > [error]: FAILED LOGIN for username_redacted from IP_REDACTED
>> > (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:826)
>> >
>> > Just for kicks, if I run /opt/rt4/sbin/rt-ldapimport --debug
>> > I get: 
>> >  [critical]: Expected 'PeerHost' at
>> > /usr/local/share/perl/5.20.2/Net/LDAP.pm line 164.
>> > (/opt/rt4/sbin/../lib/RT.pm:390)
>> >
>> > Any ideas?  I read every document I could find, but it's hard to
>> > know
>> > which non-official ones you can trust since RT has been around so
>> > long
>> > and ExternalAuth was just added to the core.  Also, the official
>> > docs
>> > are a bit terse.