Thanks for the fantastic info Mike... it's much appreciated!<br><br>I spent some time with User_Local.pm and did a little debugging. I didn't have much luck, but on a whim, in RT_SiteConfig.pm, I changed...<br><br>
<span class="q" id="q_11866cb2fd100e79_0">
Set($LdapGroupAttr, 'uniqueMember');</span><br><br>...to:<br><span class="q" id="q_11866cb2fd100e79_0"><br>Set($LdapGroupAttr, 'member');</span><br><br>I haven't been able to dig up how these two attributes differ yet, but I confirmed that group-based authentication is working as intended. I'm going to come back to this and nail the issue down when I find a little time.<br>
<br>Thanks again Mike. Sorry for the earlier barrage, List; Gmail appears to have thrown a fit when I sent the message.<br><br>-Matt<br><br><br><div><span class="gmail_quote">On 3/1/08, <b class="gmail_sendername">Mike Peachey</b> <<a href="mailto:mike.peachey@jennic.com">mike.peachey@jennic.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
RT Lists wrote:<br> > These are the lines for our LDAP group settings in RT_SiteConfig.pm:<br> ><br> > # If you set these, only members of this group can auth via LDAP<br> > Set($LdapGroup, 'cn=RT,ou=ITST,ou=Everyone,dc=domain,dc=tld');<br>
> Set($LdapGroupAttr, 'uniqueMember');<br> ><br> > The group RT in the OU ITST in the OU Everyone in the AD root definitely<br> > exists. It contains users that can log in just fine if those lines are<br>
> commented out and RT is restarted. When we try to log in with these<br> > settings uncommented, the web interface says "Error: Your username or<br> > password is incorrect" and we get these lines in the debug logs:<br>
><br> <br><snip><br> <br><br> > Feb 29 12:32:26 stilgar RT: Trying LDAP authentication<br> > Feb 29 12:32:26 stilgar RT: RT::User::IsLDAPPassword Found LDAP DN:<br> > CN=rttestuser,OU=ITST,OU=Everyone,DC=domain,dc=tld<br>
> Feb 29 12:32:26 stilgar RT: RT::User::IsLDAPPassword AUTH FAILED: rttestuser<br> <br><snip><br> <br>><br> > I've been banging my head against the wall on this for a while and am<br> > starting to run out of ideas. If any of you fine folks can offer a<br>
> suggestion, it would be highly appreciated :)<br> <br> <br>This is something for which you are going to need to debug the code<br> yourself. You need to add a few new debugging statements to the LDAP<br> groups code to work out exactly where the authentication is failing. It<br>
may be that the code isn't doing group checking in the way you'd expect<br> for AD because AD is a poor bastardisation of good LDAP. To be honest I<br> can't remember exactly right now.. perhaps when I get back to work on<br>
Monday I'll be in a position to check.<br> <br> Bottom line is, the code that does the group checking is unbelievably<br> small and simple and with even the most basic programming knowledge, you<br> should be able to fix it yourself.<br>
<br> The code in question is inside IsLdapPassword inside<br> $RTHOME/local/lib/RT/User_Local.pm:<br> <br><pre>
# Is there an LDAP Group to check?
if ($ldap_group) {
    $filter =
        Net::LDAP::Filter->new("(${ldap_group_attr}=${ldap_dn})");

    $ldap_msg = $ldap->search(base   => $ldap_group,
                              filter => $filter,
                              attrs  => ['dn'],
                              scope  => 'base');

    unless ($ldap_msg->code == LDAP_SUCCESS ||
            $ldap_msg->code == LDAP_PARTIAL_RESULTS) {
        $RT::Logger->critical((caller(0))[3],
                              "Search for", $filter->as_string,
                              "failed:",
                              ldap_error_name($ldap_msg->code),
                              $ldap_msg->code);
        return;
    }

    unless ($ldap_msg->count == 1) {
        $RT::Logger->info((caller(0))[3], "AUTH FAILED:", $self->Name);
        return;
    }
}
</pre><br> Recommendations I would make would be:<br> 1. Insert "use Data::Dumper" at the top of the file.<br> 2. For each variable that you're not TOTALLY sure what it does and what<br>
it's set to within the block of code above, insert<br> $RT::Logger->debug("\$VARIABLE = $VARIABLE");<br> 3. Check your AD schema to ensure that if you were to search for<br> $ldap_group, using the $filter with a base scope, looking for dn attrs,<br>
that you would return a single group.<br> 4. If you want to be sure what the ldap search results in:<br> $RT::Logger->debug("Ldap Result:\n", Dumper($ldap_msg));<br> straight after the<br> search directive.<br>
5. Finally, don't forget that, as shown in the code above, the group<br> authorisation is confirmed if the LDAP search results in one and only<br> one result. If it gives more than one result, the auth fails. You may<br>
want to code your way around this if you need to have multiple possible<br> group results.<br> <br> As a general tip for coding in IsLdapPassword: Authorisation is<br> successful if the method runs to the end without interruption. All the<br>
checks within it return 0 (default for return statement) if the user is<br> to be denied access or just continue on to the next check if a failure<br> wasn't detected.<br> <br> Have fun...<br> <br> Don't forget.. when you're done making a change to User_Local.pm:<br>
$ apachectl stop<br> $ rm -rvf $RTHOME/var/mason_data/obj/*<br> $ apachectl start<br> --<br> Kind Regards,<br> <br> ___________________________________________________<br> <br> Mike Peachey, IT<br> Tel: +44 (0) 114 281 2655<br>
Fax: +44 (0) 114 281 2951<br> Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK<br> <a href="http://www.jennic.com">http://www.jennic.com</a><br> Confidential<br> ___________________________________________________<br>
</blockquote></div><br>
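<p>An added illustration, not code from the thread or from RT itself: the Python below models the group check Mike quotes from IsLdapPassword (a base-scope search of the group entry with the filter <code>(&lt;LdapGroupAttr&gt;=&lt;user DN&gt;)</code>, allowing the login only when exactly one entry comes back) and shows why <code>uniqueMember</code> fails against an AD group while <code>member</code> works. Active Directory <code>group</code> objects, like standard <code>groupOfNames</code> entries, hold their membership in the <code>member</code> attribute; <code>uniqueMember</code> is the attribute of the <code>groupOfUniqueNames</code> object class, which AD groups do not carry, so a filter on it matches nothing and the count is 0. The in-memory directory, the DNs and the helper names are constructed for the example; a real deployment runs the same search against a live server with Net::LDAP.</p>

```python
"""Model of the LDAP group check RT's IsLdapPassword performs.

Added illustration, not RT code.  The DIRECTORY below is constructed
sample data; it stands in for the live server that Net::LDAP would query.
"""
from typing import Dict, List, Tuple

# LDAP result codes (RFC 4511) used by the model.
LDAP_SUCCESS = 0
LDAP_NO_SUCH_OBJECT = 32

# Constructed directory: normalized group DN -> attributes.  The AD-style
# group keeps its members in 'member'; the groupOfUniqueNames-style group
# keeps them in 'uniqueMember'.  The mixed DN case mirrors the thread's logs.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=rt,ou=itst,ou=everyone,dc=domain,dc=tld": {
        "objectClass": ["top", "group"],
        "member": [
            "CN=rttestuser,OU=ITST,OU=Everyone,DC=domain,DC=tld",
            "CN=alice,OU=ITST,OU=Everyone,DC=domain,DC=tld",
        ],
    },
    "cn=helpdesk,ou=groups,dc=domain,dc=tld": {
        "objectClass": ["top", "groupOfUniqueNames"],
        "uniqueMember": ["cn=bob,ou=people,dc=domain,dc=tld"],
    },
}


def normalize_dn(dn: str) -> str:
    """Simplified distinguishedNameMatch: case-fold and trim RDN whitespace.
    A real server also handles escaping and attribute-type aliases; that is
    omitted here (assumption: plain, unescaped DNs)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def base_search(group_dn: str, attr: str, value: str) -> Tuple[int, int]:
    """Emulate search(base=group_dn, scope='base', filter='(attr=value)').
    Returns (result_code, entry_count).  Base scope can only ever return the
    single entry at group_dn, so the count is 0 or 1."""
    entry = DIRECTORY.get(normalize_dn(group_dn))
    if entry is None:
        return LDAP_NO_SUCH_OBJECT, 0   # RT logs this as a critical search failure
    wanted = normalize_dn(value)
    matched = any(normalize_dn(v) == wanted for v in entry.get(attr, []))
    return LDAP_SUCCESS, 1 if matched else 0


def group_allows(user_dn: str, ldap_group: str, ldap_group_attr: str) -> bool:
    """The check exactly as RT does it: a failed search or a count other
    than 1 denies the login; a count of 1 lets IsLdapPassword continue."""
    code, count = base_search(ldap_group, ldap_group_attr, user_dn)
    if code != LDAP_SUCCESS:
        return False
    return count == 1


def any_group_allows(user_dn: str, groups: List[Tuple[str, str]]) -> bool:
    """Mike's point 5 generalised: accept membership in any of several
    (group DN, membership attribute) pairs instead of a single group."""
    return any(group_allows(user_dn, g, a) for g, a in groups)


def attr_for_group(group_dn: str) -> str:
    """Pick the membership attribute from the group's objectClass, which is
    the schema check Mike's point 3 asks for."""
    entry = DIRECTORY.get(normalize_dn(group_dn))
    if entry is None:
        raise LookupError(group_dn)
    classes = {c.lower() for c in entry["objectClass"]}
    return "uniqueMember" if "groupofuniquenames" in classes else "member"


# Equivalent manual check against a live server (assumed bind account with
# read access to the group; hostname is a placeholder):
#   ldapsearch -x -H ldap://dc.domain.tld -D '<bind dn>' -W \
#     -b 'cn=RT,ou=ITST,ou=Everyone,dc=domain,dc=tld' -s base \
#     '(member=CN=rttestuser,OU=ITST,OU=Everyone,DC=domain,DC=tld)' dn
# One entry back means the login is allowed; zero entries means AUTH FAILED.

if __name__ == "__main__":
    user = "CN=rttestuser,OU=ITST,OU=Everyone,DC=domain,dc=tld"
    rt_group = "cn=RT,ou=ITST,ou=Everyone,dc=domain,dc=tld"
    for attr in ("uniqueMember", "member"):
        verdict = "AUTH OK" if group_allows(user, rt_group, attr) else "AUTH FAILED"
        print(f"LdapGroupAttr={attr}: {verdict}")
    print("schema says:", attr_for_group(rt_group))
```

<p>Two caveats the model skips. RT interpolates the user DN straight into the filter string, so a DN containing filter metacharacters (a backslash-escaped comma inside a CN, parentheses, an asterisk) must be escaped with Net::LDAP::Util's <code>escape_filter_value</code> before it is used, or the search will error out or match the wrong thing. And a single base-scope search tests direct membership only: a user who is in the group via a nested group is not matched, which on AD needs either a membership walk in the code or the server's LDAP_MATCHING_RULE_IN_CHAIN extended match rather than a plain <code>member=</code> filter.</p>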