<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="2050" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-GB link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal>Hi – hoping someone can help me, I’m trying to
get the RT::Authen::ExternalAuth plugin to work so I can use LDAP for
authentication. Just using mysql at the moment, so want to keep this as well. Running
RT 3.8.5 on Centos, I’d like mysql auth first and then LDAP next. I’ve
managed to configure this without any errors and my mysql authentication still
works after a httpd restart. However LDAP auth never works, I’m not that
familiar with LDAP so am hoping if I provide my config and rt.log below someone
might be able to point me in the right direction:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><snip><o:p></o:p></p>
<p class=MsoNormal># AN EXAMPLE LDAP SERVICE<o:p></o:p></p>
<p class=MsoNormal>
'My_LDAP' => { ##
GENERIC SECTION<o:p></o:p></p>
<p class=MsoNormal>
# The type of service (db/ldap/cookie)<o:p></o:p></p>
<p class=MsoNormal>
'type'
=> 'ldap',<o:p></o:p></p>
<p class=MsoNormal>
# The server hosting the service<o:p></o:p></p>
<p class=MsoNormal>
'server'
=> '172.17.2.1',<o:p></o:p></p>
<p class=MsoNormal>
## SERVICE-SPECIFIC SECTION<o:p></o:p></p>
<p class=MsoNormal>
# If you can bind
to your LDAP server anonymously you should<o:p></o:p></p>
<p class=MsoNormal>
# remove the user and pass config lines, otherwise specify them here:<o:p></o:p></p>
<p class=MsoNormal>
#<o:p></o:p></p>
<p class=MsoNormal>
# The username RT should use to connect to the LDAP server<o:p></o:p></p>
<p class=MsoNormal>
'user'
=> 'ldap-rt',<o:p></o:p></p>
<p class=MsoNormal>
#
The password RT should use to connect to the LDAP server<o:p></o:p></p>
<p class=MsoNormal>
'pass'
=> 'xxxxxxxxx',<o:p></o:p></p>
<p class=MsoNormal>
#<o:p></o:p></p>
<p class=MsoNormal>
#
The LDAP search base<o:p></o:p></p>
<p class=MsoNormal>
'base'
=> 'ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com',<o:p></o:p></p>
<p class=MsoNormal>
#<o:p></o:p></p>
<p class=MsoNormal>
# ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!<o:p></o:p></p>
<p class=MsoNormal>
# YOU **MUST** SPECIFY A filter AND A d_filter!!<o:p></o:p></p>
<p class=MsoNormal>
#<o:p></o:p></p>
<p class=MsoNormal>
# The filter to use to match RT-Users<o:p></o:p></p>
<p class=MsoNormal>
'filter'
=> '(objectClass=User)',<o:p></o:p></p>
<p class=MsoNormal>
#
A catch-all example filter: '(objectClass=*)'<o:p></o:p></p>
<p class=MsoNormal>
#<o:p></o:p></p>
<p class=MsoNormal>
# The filter that will only match disabled users<o:p></o:p></p>
<p class=MsoNormal>
'd_filter'
=> '(objectClass=FooBarBaz)',<o:p></o:p></p>
<p class=MsoNormal>
# A catch-none example d_filter: '(objectClass=FooBarBaz)'<o:p></o:p></p>
<p class=MsoNormal>
#<o:p></o:p></p>
<p class=MsoNormal>
# Should we try to use TLS to encrypt connections?<o:p></o:p></p>
<p class=MsoNormal>
'tls'
=> 0,<o:p></o:p></p>
<p class=MsoNormal>
# SSL Version to provide to Net::SSLeay *if* using SSL<o:p></o:p></p>
<p class=MsoNormal>
'ssl_version'
=> 3,<o:p></o:p></p>
<p class=MsoNormal>
# What other args should I pass to Net::LDAP->new($host,@args)?<o:p></o:p></p>
<p class=MsoNormal>
'net_ldap_args'
=> [ version => 3 ],<o:p></o:p></p>
<p class=MsoNormal>
# Does authentication depend on group membership? What group name?<o:p></o:p></p>
<p class=MsoNormal>
'group'
=> 'GROUP_NAME',<o:p></o:p></p>
<p class=MsoNormal>
# What is the attribute for the group object that determines membership?<o:p></o:p></p>
<p class=MsoNormal>
'group_attr'
=> 'GROUP_ATTR',<o:p></o:p></p>
<p class=MsoNormal>
## RT ATTRIBUTE MATCHING SECTION<o:p></o:p></p>
<p class=MsoNormal>
# The list of RT
attributes that uniquely identify a user<o:p></o:p></p>
<p class=MsoNormal>
# This example shows what you *can* specify.. I recommend reducing this<o:p></o:p></p>
<p class=MsoNormal>
# to just the Name and EmailAddress to save encountering problems later.<o:p></o:p></p>
<p class=MsoNormal>
'attr_match_list'
=> [ 'Name',<o:p></o:p></p>
<p class=MsoNormal>
'EmailAddress',<o:p></o:p></p>
<p class=MsoNormal>
'RealName',<o:p></o:p></p>
<p class=MsoNormal>
'WorkPhone',<o:p></o:p></p>
<p class=MsoNormal>
'Address2'<o:p></o:p></p>
<p class=MsoNormal>
],<o:p></o:p></p>
<p class=MsoNormal>
# The mapping of RT attributes on to LDAP attributes<o:p></o:p></p>
<p class=MsoNormal>
'attr_map'
=> { 'Name' => 'sAMAccountName',<o:p></o:p></p>
<p class=MsoNormal>
'EmailAddress' => 'mail',<o:p></o:p></p>
<p class=MsoNormal>
'Organization' => 'physicalDeliveryOfficeName',<o:p></o:p></p>
<p class=MsoNormal>
'RealName' => 'cn',<o:p></o:p></p>
<p class=MsoNormal>
'ExternalAuthId' => 'sAMAccountName',
'Gecos' => 'sAMAccountName',<o:p></o:p></p>
<p class=MsoNormal> 'WorkPhone'
=> 'telephoneNumber',<o:p></o:p></p>
<p class=MsoNormal>
'Address1' => 'streetAddress',<o:p></o:p></p>
<p class=MsoNormal>
'City'
=> 'l',<o:p></o:p></p>
<p class=MsoNormal>
'State' => 'st',<o:p></o:p></p>
<p class=MsoNormal>
'Zip' => 'postalCode',<o:p></o:p></p>
<p class=MsoNormal>
'Country' => 'co'<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>And this is a complete log entry if I try to use my LDAP
credentials:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>[Sun May 9 10:10:24 2010] [debug]: RT's GnuPG
libraries couldn't successfully read your configured GnuPG home directory
(/opt/rt3/var/data/gpg). PGP support has been disabled (/opt/rt3/bin/../lib/RT/Config.pm:380)<o:p></o:p></p>
<p class=MsoNormal>[Sun May 9 10:10:24 2010] [debug]: Reloading RT::User
to work around a bug in RT-3.8.0 and RT-3.8.1
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)<o:p></o:p></p>
<p class=MsoNormal>[Sun May 9 10:10:24 2010] [debug]: Attempting to use
external auth service: My_MySQL
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)<o:p></o:p></p>
<p class=MsoNormal>[Sun May 9 10:10:24 2010] [debug]: Calling UserExists
with $username (jgrunnell) and $service (My_MySQL) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)<o:p></o:p></p>
<p class=MsoNormal>[Sun May 9 10:10:24 2010] [debug]: Disable Check
Failed :: ( My_MySQL ) jgrunnell User not found
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm:234)<o:p></o:p></p>
<p class=MsoNormal>[Sun May 9 10:10:24 2010] [debug]: Attempting to use
external auth service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)<o:p></o:p></p>
<p class=MsoNormal>[Sun May 9 10:10:24 2010] [debug]: Calling UserExists
with $username (jgrunnell) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)<o:p></o:p></p>
<p class=MsoNormal>[Sun May 9 10:10:24 2010] [debug]: UserExists params:<o:p></o:p></p>
<p class=MsoNormal>username: jgrunnell , service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)<o:p></o:p></p>
<p class=MsoNormal>[Sun May 9 10:10:25 2010] [debug]: LDAP Search
=== Base: ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter:
(&(objectClass=User)(sAMAccountName=jgrunnell)) == Attrs:
l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)<o:p></o:p></p>
<p class=MsoNormal>[Sun May 9 10:10:25 2010] [debug]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User /opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm
20 with: Disabled: 0, EmailAddress: , Gecos: jgrunnell, Name: jgrunnell,
Privileged: 0
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)<o:p></o:p></p>
<p class=MsoNormal>[Sun May 9 10:10:25 2010] [debug]: Attempting to get
user info using this external service: My_MySQL
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)<o:p></o:p></p>
<p class=MsoNormal>[Sun May 9 10:10:25 2010] [debug]: Attempting to use
this canonicalization key: Gecos (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)<o:p></o:p></p>
<p class=MsoNormal>[Sun May 9 10:10:25 2010] [warning]: DBD::mysql::db
selectall_hashref failed: Unknown column 'email' in 'field list' at
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm
line 163, <DATA> line 273.
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm:163)<o:p></o:p></p>
<p class=MsoNormal>[Sun May 9 10:10:25 2010] [warning]: Issuing
rollback() for database handle being DESTROY'd without explicit disconnect() at
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm
line 163, <DATA> line 273.
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm:163)<o:p></o:p></p>
<p class=MsoNormal>[Sun May 9 10:10:25 2010] [error]: FAILED LOGIN for
jgrunnell from 212.103.233.1 (/opt/rt3/share/html/autohandler:268)<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Thanks in advance.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal style='margin-bottom:7.5pt'><span style='font-size:13.5pt;
font-family:"Arial","sans-serif";color:black'>Julian Grunnell</span><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'><br>
</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#666666'>Unix Sys Admin<br>
Webfusion Limited.<br>
<br>
</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#4AA800'>Phone:</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#666666'>0208 587 7212<br>
</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#4AA800'>Mobile:</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#666666'>07803649593<br>
</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#4AA800'>Email:</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#666666'>Julian.Grunnell@webfusion.com</span><span style='font-size:
12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal style='margin-bottom:7.5pt'><a
href="http://www.webfusion.com/"><span style='font-size:12.0pt;font-family:
"Times New Roman","serif";color:blue;text-decoration:none'><img border=0
width=86 height=36 id="_x0000_i1025" src="cid:image001.gif@01CAEF67.8C6500E0"
alt=Webfusion></span></a><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal style='margin-bottom:7.5pt'><i><span style='font-size:
10.0pt;font-family:"Arial","sans-serif";color:#666666'>Bringing the world's
ideas online</span></i><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#666666'><br>
<a href="http://www.webfusion.com"><span style='color:#666666'>Webfusion</span></a>,
<a href="http://www.123-reg.co.uk"><span style='color:#666666'>123-reg</span></a>,
<a href="http://www.donhost.co.uk"><span style='color:#666666'>Donhost</span></a>,
<a href="http://www.supanames.co.uk"><span style='color:#666666'>Supanames</span></a><br>
</span><b><i><span style='font-size:7.5pt;font-family:"Arial","sans-serif";
color:#666666'>Follow us on Twitter: <a href="http://twitter.com/webfusion"><span
style='color:#666666'>Webfusion</span></a>, <a
href="http://twitter.com/123reg"><span style='color:#666666'>123-reg</span></a></span></i></b><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#666666'>This
e-mail is subject to: <a
href="http://www.corporate.webfusion.co.uk/disclaimer"><span
style='color:#666666'>Webfusion disclaimer</span></a><br>
Please consider the environment before printing this email</span><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
</td>
</tr>
</table>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>