<div>Ok, so I turned on rt.logging and surprise!!! apparently it is touching our LDAP, even though AD doesn't log it by default(stupid AD).</div>
<div> </div>
<div>Now I'm seeing a few things in the debug level logging....</div>
<div> </div>
<div>First thing that really stands out is ...</div>
<div> </div>
<div> [error]: Couldn't create user mjohnson: Could not create user (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129)</div>
<div>[debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)</div>
<div> </div>
<div>Something is preventing the user from being created... based on the INSERT language I see, it looks like RTFM doesn't work with 3.8.8??? I dunno, it's trying to use a field called Priviledged in the User table... which doesn't exist?</div>
<div> </div>
<div>I'm not sure if I"m on the right track, but it would be nice if anyone has experienced this or has any thoughts to let me know!</div>
<div>Mike.</div>
<div><br> </div>
<div class="gmail_quote">On Mon, Jul 26, 2010 at 2:19 PM, Mike Johnson <span dir="ltr"><<a href="mailto:mike.johnson@nosm.ca">mike.johnson@nosm.ca</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div>So, </div>
<div> </div>
<div>After a few days of searching and testing, I've come to the conclusion that RT simply isn't sending anything to our LDAP server to authenticate...</div>
<div> </div>
<div>RT is still using RT's regular authentication method.</div>
<div> </div>
<div>Can anyone tell me what's wrong with my setup? RT doesn't complain when I boot it up, yet ExternalAuth will not even attempt to authenticate to my LDAP when I try to login.</div>
<div> </div>
<div>I've used SoftTerra's LDAP browser to ensure the "service rt"(account name is svc_rt) can bind to the LDAP and I even gave it update rights during troubleshooting... this is also how I figured out that RT isn't binding, only the LDAP browser connections are showing up in the Event log.</div>
<div> </div>
<div>I've also verified that my RT box can hit the ldap port(by "telnet to myad.mydomain.local 389").... </div>
<div> </div>
<div>I'm lost on where to go next....</div>
<div> </div>
<div>
<div>Here are all the LDAP/ExternalAuth related settings in my config...</div></div>
<div># LDAP SETTINGS<br>Set($ExternalAuthPriority,['NOSMLDAP']);<br>Set($ExternalInfoPriority,['NOSMLDAP']);<br>Set($ExternalServiceUSersSSLorTLS,0);<br>Set($AutoCreateNonExternalUsers,1);<br>Set($WebExternalAuto,1);<br>
Set($AutoCreate,{Priviledged =>1});<br>Set($ExternalSettings, {<br> 'NOSMLDAP' => {<br> 'type' => 'ldap',<br>
'server' => '<ldapip>',<br> 'user' => 'cn=service rt,ou=Users,ou=Northern Ontario School of Medicine,dc=nosm,dc=local',<br>
'pass' => '<password>',<br> 'base' => 'dc=nosm,dc=local',<br>
'filter' => '(&(objectCategory=User) (ObjectClass=Person))',
<div class="im"><br> 'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',<br></div> 'tls' => 0,<br>
'ssl_version' => 3,
<div class="im"><br> 'net_ldap_args' => [ version => 3 ],<br></div> 'group' => 'cn=Staff,ou=Groups,ou=Northern Ontario School of Medicine,dc=nosm,dc=local',<br>
'group_attr' => 'member',
<div class="im"><br> 'attr_match_list' => [ 'Name',<br> 'EmailAddress'<br>
</div> ],<br> 'attr_map' => { 'Name' => 'sAMAccountName',<br>
'EmailAddress' => 'mail',<br> 'RealName' => 'cn',<br>
'ExternalAuthId' => 'sAMAccountName'<br> }<br>
}<br> }<br>);</div>
<div>Set(@Plugins,qw(RT::Authen::ExternalAuth));<br></div>
<div> </div>
<div> </div>
<div>As I indicated before</div>
<div> </div>
<div>CentOS 5.5</div>
<div class="im">
<div>RT3.8.8</div>
<div>ExternalAuth 0.8</div></div>
<div>LDAP = Windows 2003 AD</div>
<div>Help would be much appreciated.</div>
<div> </div>
<div>Thanks!</div>
<div>Mike.</div>
<div>
<div></div>
<div class="h5">
<div> </div>
<div> </div>
<div class="gmail_quote">On Fri, Jul 23, 2010 at 10:03 AM, Mike Johnson <span dir="ltr"><<a href="mailto:mike.johnson@nosm.ca" target="_blank">mike.johnson@nosm.ca</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div>I found another guide that outlines how to setup ExternalAuth for AD on the wiki</div>
<div> </div>
<div><a href="http://wiki.bestpractical.com/view/CentOS5InstallPlusSome" target="_blank">http://wiki.bestpractical.com/view/CentOS5InstallPlusSome</a></div>
<div> </div>
<div>Others following this thread might find it useful...</div>
<div> </div>
<div>I did learn that you're looking for the full cn/ou path for your user, not just a username...(I forgot that's how LDAP finds users)....</div>
<div> </div>
<div>Haris you might want to check that in your config... didn't help me *shrug* but might help you.</div>
<div> </div>
<div>Thanks!</div>
<div>Mike.</div>
<div>
<div></div>
<div>
<div> </div>
<div><br><br> </div>
<div class="gmail_quote">On Fri, Jul 23, 2010 at 9:18 AM, Mike Johnson <span dir="ltr"><<a href="mailto:mike.johnson@nosm.ca" target="_blank">mike.johnson@nosm.ca</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div>Hi Haris,</div>
<div> </div>
<div>No go yet.</div>
<div> </div>
<div>Kenneth did send some info for me to check out, perhaps it may help you...</div>
<div> </div>
<div>**Kenneth's email cut/pasted**</div>
<div>
<div></div>
<div>
<div>Mike,</div>
<div>First off, check to see how you've set $WebExternalAuto. I'm not sure how that would affect LDAP if it was turned on.</div>
<div>Second, I'll assume you've set your "Plugins" appropriately to include "RT::Authen::ExternalAuth".</div>
<div>Thirdly, you have to make sure certain LDAP parameters are consistent (ie. if you're using TLS, etc.).</div>
<div>Below is what we use for our list of parameters:</div>
<div><br>Set($ExternalAuthPriority, [ 'My_LDAP' ] );<br>Set($ExternalInfoPriority, [ 'My_LDAP' ] );<br>Set($ExternalServiceUsesSSLorTLS, 1);<br>Set($AutoCreateNonExternalUsers, 0);</div>
<div><br>Set(<br> $ExternalSettings,<br> {<br> 'My_LDAP' =><br> {<br> ‘type’ => 'ldap',<br> ‘server’ => '<a href="http://ldap.lbl.gov/" target="_blank">ldap.lbl.gov</a>’,<br>
‘user’ => ‘’,<br> ‘pass’ => ‘’,<br> ‘base’ => 'ou=People,o=name of our company,c=US’,<br> ‘filter’ => '(&(status that equals active)(|(dicision code)))’,<br>
‘d_filter’ => '(!(|(lblEmpStat=Staff)(lblEmpStat=Guest)))',<br> ‘tls’ => 1,<br> ‘net_ldap_args’ => [ version => 3],<br> ‘attr_match_list’ => ['Name',<br>
'EmailAddress',<br> 'RealName',<br> 'uid'<br> ],<br>
‘attr_map’ => {'Name' => 'uid',<br> 'EmailAddress' => 'mail',<br> 'Organization' => ‘o’,<br>
'RealName' => 'cn',<br> 'ExternalAuthId' => 'uid',<br> 'Gecos' => 'uid',<br>
'WorkPhone' => 'telephonenumber',<br> 'Address1' => 'lblmailstop',<br>
'Address2' => 'postaladdress’<br> }<br> }<br> }<br> );<br>1;</div>
<div><br>I don't think the attr_map would affect this, but your match list could.</div>
<div>Anyway, check it all out cause if there are any inconsistencies (like TLS being used and on), it will fail.</div>
<div>Hope this helps.</div>
<div>Kenn<br>LBNL</div>
<div> </div></div></div>
<div>*** end cut/paste**<br><br></div>
<div>
<div></div>
<div>
<div class="gmail_quote">On Thu, Jul 22, 2010 at 7:23 PM, M.F.Haris <span dir="ltr"><<a href="mailto:mfharis@gmail.com" target="_blank">mfharis@gmail.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div dir="ltr">hi Mike,
<div>I am also facing the same problem and i have checked my configuration over and over, also compared with some available on internet.</div>
<div>in my case i didn't enter any attribute with blank value like 'group' attribute in your case. but rest of the things are similar to what i have entered.</div>
<div><br></div>
<div>I get a message 'Failed to Login with user (myuser) ... '</div>
<div><br></div>
<div>do you get the same error message? please share your experience if you are able to solve this crap.</div>
<div><br></div>
<div>thanks<br clear="all"><font color="#888888">
<div dir="ltr"><font style="FONT-FAMILY: trebuchet ms,sans-serif" size="2">Haris </font><br style="FONT-FAMILY: trebuchet ms,sans-serif"></div><br><br></font>
<div class="gmail_quote">
<div>On Thu, Jul 22, 2010 at 3:59 PM, Mike Johnson <span dir="ltr"><<a href="mailto:mike.johnson@nosm.ca" target="_blank">mike.johnson@nosm.ca</a>></span> wrote:<br></div>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div>
<div></div>
<div>
<div>Hi everyone,</div>
<div> </div>
<div>Where do I start debugging my setup??</div>
<div> </div>
<div>I have CentOS5.5, RT3.8.8, ExternalAuth 0.8 attempting to connect to an Active Drectory LDAP.</div>
<div> </div>
<div>Everything loads fine(I get no errors from my config files). I've loaded the ExternalAuth plugin, but when I attempt to login to the UI with an LDAP user, I get an invalid user/pass. The only error/logging I can find anywhere is in syslog and that just tells me the same thing... </div>
<div> </div>
<div>I'm connecting to an Active Directory server, and with some googling/rt-users searching I found the following settings to use.</div>
<div> </div>
<div>'filter' => '(objectCategory=User)',</div>
<div> 'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',</div>
<div> </div>
<div> </div>
<div>I've left group and group_attr blank(is that allowed?) as I want all users found under my base DN to be able to use RT.</div>
<div> </div>
<div>In the attr_match_list I have name and email address only</div>
<div>In attr_map I have the sAMAccountName mail and cn mapped to their respective places in RT.</div>
<div> </div>
<div>I've tested the user/pass I'm using(our LDAP is setup to not allow anonymous unfortunately, so I have to use an account to bind.</div>
<div> </div>
<div>I can't seem to find where ExternalAuth would toss an error out for me to read if it's failling because of the arguments I've set...</div>
<div> </div>
<div>Any help would be appreciated.<br>-- <br>Mike Johnson<br>Datatel Programmer/Analyst<br>Northern Ontario School of Medicine<br>955 Oliver Road<br>Thunder Bay, ON P7B 5E1<br>Phone: (807) 766-7331<br>Email: <a href="mailto:mike.johnson@nosm.ca" target="_blank">mike.johnson@nosm.ca</a><br>
</div><br><br></div></div>
<div>Discover RT's hidden secrets with RT Essentials from O'Reilly Media.<br>Buy a copy at <a href="http://rtbook.bestpractical.com/" target="_blank">http://rtbook.bestpractical.com</a><br></div></blockquote></div>
<br></div></div></blockquote></div><br><br clear="all"><br>-- <br>Mike Johnson<br>Datatel Programmer/Analyst<br>Northern Ontario School of Medicine<br>955 Oliver Road<br>Thunder Bay, ON P7B 5E1<br>Phone: (807) 766-7331<br>
Email: <a href="mailto:mike.johnson@nosm.ca" target="_blank">mike.johnson@nosm.ca</a><br></div></div></blockquote></div><br><br clear="all"><br>-- <br>Mike Johnson<br>Datatel Programmer/Analyst<br>Northern Ontario School of Medicine<br>
955 Oliver Road<br>Thunder Bay, ON P7B 5E1<br>Phone: (807) 766-7331<br>Email: <a href="mailto:mike.johnson@nosm.ca" target="_blank">mike.johnson@nosm.ca</a><br></div></div></blockquote></div><br><br clear="all"><br>-- <br>
Mike Johnson<br>Datatel Programmer/Analyst<br>Northern Ontario School of Medicine<br>955 Oliver Road<br>Thunder Bay, ON P7B 5E1<br>Phone: (807) 766-7331<br>Email: <a href="mailto:mike.johnson@nosm.ca" target="_blank">mike.johnson@nosm.ca</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Mike Johnson<br>Datatel Programmer/Analyst<br>Northern Ontario School of Medicine<br>955 Oliver Road<br>Thunder Bay, ON P7B 5E1<br>Phone: (807) 766-7331<br>Email: <a href="mailto:mike.johnson@nosm.ca">mike.johnson@nosm.ca</a><br>