<div>Ok, so I turned on rt.logging and surprise!!! apparently it is touching our LDAP, even though AD doesn't log it by default (stupid AD).</div>
<div> </div>
<div>Now I'm seeing a few things in the debug level logging....</div>
<div> </div>
<div>First thing that really stands out is ...</div>
<div> </div>
<div> [error]: Couldn't create user mjohnson: Could not create user (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129)</div>
<div>[debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)</div>
<div> </div>
<div>Something is preventing the user from being created... based on the INSERT language I see, it looks like RTFM doesn't work with 3.8.8??? I dunno, it's trying to use a field called Priviledged in the User table... which doesn't exist?</div>

<div> </div>
<div>I'm not sure if I'm on the right track, but it would be nice if anyone has experienced this or has any thoughts to let me know!</div>
<div>Mike.</div>
<div><br> </div>
<div class="gmail_quote">On Mon, Jul 26, 2010 at 2:19 PM, Mike Johnson <span dir="ltr"><<a href="mailto:mike.johnson@nosm.ca">mike.johnson@nosm.ca</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div>So, </div>
<div> </div>
<div>After a few days of searching and testing, I've come to the conclusion that RT simply isn't sending anything to our LDAP server to authenticate...</div>
<div> </div>
<div>RT is still using RT's regular authentication method.</div>
<div> </div>
<div>Can anyone tell me what's wrong with my setup? RT doesn't complain when I boot it up, yet ExternalAuth will not even attempt to authenticate to my LDAP when I try to login.</div>
<div> </div>
<div>I've used SoftTerra's LDAP browser to ensure the "service rt" (account name is svc_rt) can bind to the LDAP and I even gave it update rights during troubleshooting... this is also how I figured out that RT isn't binding, only the LDAP browser connections are showing up in the Event log.</div>

<div> </div>
<div>I've also verified that my RT box can hit the ldap port (by "telnet to myad.mydomain.local 389").... </div>
<div> </div>
<div>I'm lost on where to go next....</div>
<div> </div>
<div>
<div>Here are all the LDAP/ExternalAuth related settings in my config...</div></div>
<div># LDAP SETTINGS<br>Set($ExternalAuthPriority,['NOSMLDAP']);<br>Set($ExternalInfoPriority,['NOSMLDAP']);<br>Set($ExternalServiceUSersSSLorTLS,0);<br>Set($AutoCreateNonExternalUsers,1);<br>Set($WebExternalAuto,1);<br>
Set($AutoCreate,{Priviledged =>1});<br>Set($ExternalSettings,      {<br>                                'NOSMLDAP'       =>  {<br>                                                        'type'                      =>  'ldap',<br>
                                                        'server'                    =>  '<ldapip>',<br>                                                        'user'                      =>  'cn=service rt,ou=Users,ou=Northern Ontario School of Medicine,dc=nosm,dc=local',<br>
                                                        'pass'                    =>  '<password>',<br>                                                        'base'                      =>  'dc=nosm,dc=local',<br>
                                                        'filter'                    =>  '(&(objectCategory=User) (ObjectClass=Person))', 
<div class="im"><br>                                                        'd_filter'                  =>  '(userAccountControl:1.2.840.113556.1.4.803:=2)',<br></div>                                                        'tls'                       =>  0,<br>
                                                        'ssl_version'               =>  3, 
<div class="im"><br>                                                        'net_ldap_args'             => [    version =>  3   ],<br></div>                                                        'group'                     =>  'cn=Staff,ou=Groups,ou=Northern Ontario School of Medicine,dc=nosm,dc=local',<br>
                                                        'group_attr'                =>  'member', 
<div class="im"><br>                                                         'attr_match_list'           => [    'Name',<br>                                                                                            'EmailAddress'<br>
</div>                                                                                        ],<br>                                                        'attr_map'                  =>  {   'Name' => 'sAMAccountName',<br>
                                                                                            'EmailAddress' => 'mail',<br>                                                                                            'RealName' => 'cn',<br>
                                                                                            'ExternalAuthId' => 'sAMAccountName'<br>                                                                                        }<br>
                                                    }<br>                                 }<br>);</div>
<div>Set(@Plugins,qw(RT::Authen::ExternalAuth));<br></div>
<div> </div>
<div> </div>
<div>As I indicated before</div>
<div> </div>
<div>CentOS 5.5</div>
<div class="im">
<div>RT3.8.8</div>
<div>ExternalAuth 0.8</div></div>
<div>LDAP = Windows 2003 AD</div>
<div>Help would be much appreciated.</div>
<div> </div>
<div>Thanks!</div>
<div>Mike.</div>
<div>
<div></div>
<div class="h5">
<div> </div>
<div> </div>
<div class="gmail_quote">On Fri, Jul 23, 2010 at 10:03 AM, Mike Johnson <span dir="ltr"><<a href="mailto:mike.johnson@nosm.ca" target="_blank">mike.johnson@nosm.ca</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div>I found another guide that outlines how to setup ExternalAuth for AD on the wiki</div>
<div> </div>
<div><a href="http://wiki.bestpractical.com/view/CentOS5InstallPlusSome" target="_blank">http://wiki.bestpractical.com/view/CentOS5InstallPlusSome</a></div>
<div> </div>
<div>Others following this thread might find it useful...</div>
<div> </div>
<div>I did learn that you're looking for the full cn/ou path for your user, not just a username...(I forgot that's how LDAP finds users)....</div>
<div> </div>
<div>Haris you might want to check that in your config... didn't help me *shrug* but might help you.</div>
<div> </div>
<div>Thanks!</div>
<div>Mike.</div>
<div>
<div></div>
<div>
<div> </div>
<div><br><br> </div>
<div class="gmail_quote">On Fri, Jul 23, 2010 at 9:18 AM, Mike Johnson <span dir="ltr"><<a href="mailto:mike.johnson@nosm.ca" target="_blank">mike.johnson@nosm.ca</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div>Hi Haris,</div>
<div> </div>
<div>No go yet.</div>
<div> </div>
<div>Kenneth did send some info for me to check out, perhaps it may help you...</div>
<div> </div>
<div>**Kenneth's email cut/pasted**</div>
<div>
<div></div>
<div>
<div>Mike,</div>
<div>First off, check to see how you've set $WebExternalAuto. I'm not sure how that would affect LDAP if it was turned on.</div>
<div>Second, I'll assume you've set your "Plugins" appropriately to include "RT::Authen::ExternalAuth".</div>
<div>Thirdly, you have to make sure certain LDAP parameters are consistent (ie. if you're using TLS, etc.).</div>
<div>Below is what we use for our list of parameters:</div>
<div><br>Set($ExternalAuthPriority,  [ 'My_LDAP' ] );<br>Set($ExternalInfoPriority,  [ 'My_LDAP' ] );<br>Set($ExternalServiceUsesSSLorTLS, 1);<br>Set($AutoCreateNonExternalUsers, 0);</div>
<div><br>Set(<br>    $ExternalSettings,<br>      {<br>        'My_LDAP' =><br>           {<br>            'type'        => 'ldap',<br>            'server'     => 'ldap.lbl.gov',<br>
            'user'        =>  '',<br>            'pass'        =>  '',<br>            'base'        => 'ou=People,o=name of our company,c=US',<br>            'filter'       => '(&(status that equals active)(|(dicision code)))',<br>
            'd_filter'   => '(!(|(lblEmpStat=Staff)(lblEmpStat=Guest)))',<br>            'tls'            => 1,<br>            'net_ldap_args'    => [ version => 3],<br>            'attr_match_list'  => ['Name',<br>
                                                  'EmailAddress',<br>                                                  'RealName',<br>                                                  'uid'<br>                                                ],<br>
            'attr_map'            =>  {'Name'                  => 'uid',<br>                                                  'EmailAddress'    => 'mail',<br>                                                  'Organization'      => 'o',<br>
                                                  'RealName'           => 'cn',<br>                                                  'ExternalAuthId'  => 'uid',<br>                                                  'Gecos'                   => 'uid',<br>
                                                  'WorkPhone'         => 'telephonenumber',<br>                                                  'Address1'             => 'lblmailstop',<br>
                                                  'Address2'             => 'postaladdress'<br>                                                 }<br>           }<br>      }<br>   );<br>1;</div>
<div><br>I don't think the attr_map would affect this, but your match list could.</div>
<div>Anyway, check it all out cause if there are any inconsistencies (like TLS being used and on), it will fail.</div>
<div>Hope this helps.</div>
<div>Kenn<br>LBNL</div>
<div> </div></div></div>
<div>*** end cut/paste**<br><br></div>
<div>
<div></div>
<div>
<div class="gmail_quote">On Thu, Jul 22, 2010 at 7:23 PM, M.F.Haris <span dir="ltr"><<a href="mailto:mfharis@gmail.com" target="_blank">mfharis@gmail.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div dir="ltr">Hi Mike, 
<div>I am also facing the same problem and I have checked my configuration over and over, also compared with some available on the internet.</div>
<div>In my case I didn't enter any attribute with a blank value like the 'group' attribute in your case, but the rest of the things are similar to what I have entered.</div>
<div><br></div>
<div>I get a message 'Failed to Login with user (myuser) ... '</div>
<div><br></div>
<div>Do you get the same error message? Please share your experience if you are able to solve this crap.</div>
<div><br></div>
<div>thanks<br clear="all"><font color="#888888">
<div dir="ltr"><font style="FONT-FAMILY: trebuchet ms,sans-serif" size="2">Haris </font><br style="FONT-FAMILY: trebuchet ms,sans-serif"></div><br><br></font>
<div class="gmail_quote">
<div>On Thu, Jul 22, 2010 at 3:59 PM, Mike Johnson <span dir="ltr"><<a href="mailto:mike.johnson@nosm.ca" target="_blank">mike.johnson@nosm.ca</a>></span> wrote:<br></div>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div>
<div></div>
<div>
<div>Hi everyone,</div>
<div> </div>
<div>Where do I start debugging my setup??</div>
<div> </div>
<div>I have CentOS5.5, RT3.8.8, ExternalAuth 0.8 attempting to connect to an Active Directory LDAP.</div>
<div> </div>
<div>Everything loads fine (I get no errors from my config files).  I've loaded the ExternalAuth plugin, but when I attempt to login to the UI with an LDAP user, I get an invalid user/pass.  The only error/logging I can find anywhere is in syslog and that just tells me the same thing... </div>

<div> </div>
<div>I'm connecting to an Active Directory server, and with some googling/rt-users searching I found the following settings to use.</div>
<div> </div>
<div>'filter'                    =>  '(objectCategory=User)',</div>
<div> 'd_filter'                  =>  '(userAccountControl:1.2.840.113556.1.4.803:=2)',</div>
<div> </div>
<div> </div>
<div>I've left group and group_attr blank(is that allowed?) as I want all users found under my base DN to be able to use RT.</div>
<div> </div>
<div>In the attr_match_list I have name and email address only</div>
<div>In attr_map I have the sAMAccountName mail and cn mapped to their respective places in RT.</div>
<div> </div>
<div>I've tested the user/pass I'm using (our LDAP is setup to not allow anonymous unfortunately, so I have to use an account to bind).</div>
<div> </div>
<div>I can't seem to find where ExternalAuth would toss an error out for me to read if it's failing because of the arguments I've set...</div>
<div> </div>
<div>Any help would be appreciated.<br>-- <br>Mike Johnson<br>Datatel Programmer/Analyst<br>Northern Ontario School of Medicine<br>955 Oliver Road<br>Thunder Bay, ON   P7B 5E1<br>Phone: (807) 766-7331<br>Email: <a href="mailto:mike.johnson@nosm.ca" target="_blank">mike.johnson@nosm.ca</a><br>
</div><br><br></div></div>
<div>Discover RT's hidden secrets with RT Essentials from O'Reilly Media.<br>Buy a copy at <a href="http://rtbook.bestpractical.com/" target="_blank">http://rtbook.bestpractical.com</a><br></div></blockquote></div>
<br></div></div></blockquote></div></div></div></blockquote></div></div></div></blockquote></div></div></div></blockquote></div>
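An added example, not from this thread and not RT or Net::LDAP code, for the two Active Directory filters quoted in it: a strict RFC 4515 filter parser plus an evaluator that understands the AD bitwise matching rule `1.2.840.113556.1.4.803` (LDAP_MATCHING_RULE_BIT_AND) used in the `d_filter`, so that the filter pair can be tried against sample entries before it goes into $ExternalSettings. The parser rejects whitespace between the components of an AND, which the RFC grammar does not allow; how lenient a particular client library is about that is up to that library, so the form without the space is the safe one. The `classify()` step reflects my understanding of how ExternalAuth uses the pair (`filter` selects accounts that may log in, an account that also matches `d_filter` is treated as disabled), stated here as an assumption; the directory entries are constructed and simplified (a real AD stores objectCategory as a DN).

```python
# Added example, not RT or Net::LDAP code: a small RFC 4515 filter parser and
# evaluator covering what the filters quoted in this thread use.
import re

AD_BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND: all mask bits set
UAC_ACCOUNTDISABLE = 0x0002            # userAccountControl bit of a disabled account

# Leaf syntax: attr=value, attr=*, or attr[:dn][:rule]:=value (extensible match)
ITEM_RE = re.compile(r"^([A-Za-z][\w.;-]*)(:dn)?(?::([\w.]+))?(:=|=)(.*)$", re.S)

def _parse_item(item):
    """Turn the text between one '(' and ')' into a leaf node tuple."""
    m = ITEM_RE.match(item)
    if not m:
        raise ValueError(f"malformed filter item {item!r}")
    attr, dn, rule, op, value = m.groups()
    if op == ":=":
        return ("ext", attr, rule, value)
    if dn or rule:
        raise ValueError(f"':dn' or matching rule without ':=' in {item!r}")
    return ("present", attr) if value == "*" else ("eq", attr, value)

def _parse(text, pos):
    """Parse the filter starting at text[pos] == '('; return (end, node)."""
    if text[pos:pos + 1] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos:pos + 1]
    if op in ("&", "|"):
        pos, children = pos + 1, []
        while text[pos:pos + 1] == "(":
            pos, child = _parse(text, pos)
            children.append(child)
        if not children:
            raise ValueError(f"empty '{op}' at offset {pos}")
        node = (op, children)
    elif op == "!":
        pos, child = _parse(text, pos + 1)
        node = ("!", [child])
    else:
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        node, pos = _parse_item(text[pos:end]), end
    # RFC 4515 allows nothing, not even a space, between two components.
    if text[pos:pos + 1] != ")":
        raise ValueError(f"expected ')' at offset {pos}, found {text[pos:pos + 1]!r}")
    return pos + 1, node

def parse_filter(text):
    """Parse a complete filter string into a nested tuple tree."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}: {text[pos:]!r}")
    return node

def is_valid_filter(text):
    """True when text parses under the strict RFC 4515 grammar."""
    try:
        return parse_filter(text) is not None
    except ValueError:
        return False

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict: attr -> list of str);
    names and values compare case-insensitively (assumption: caseIgnore rules)."""
    kind = node[0]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    attr = node[1].lower()
    vals = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    if kind == "present":
        return bool(vals)
    if kind == "eq":
        return node[2].lower() in vals
    if node[2] == AD_BIT_AND:           # the only extensible rule implemented here
        mask = int(node[3])
        return any(int(v) & mask == mask for v in vals)
    raise ValueError(f"matching rule {node[2]} is not implemented here")

# The two filters quoted in this thread for Active Directory.
AD_FILTER = "(&(objectCategory=User)(objectClass=Person))"
AD_D_FILTER = "(userAccountControl:1.2.840.113556.1.4.803:=2)"

# Constructed, simplified entries (real AD stores objectCategory as a DN):
# 512 = NORMAL_ACCOUNT; the disabled one also carries the ACCOUNTDISABLE bit.
ACTIVE_USER = {"objectCategory": ["User"], "objectClass": ["top", "person", "user"],
               "sAMAccountName": ["alice"], "userAccountControl": ["512"]}
DISABLED_USER = dict(ACTIVE_USER, sAMAccountName=["bob"],
                     userAccountControl=[str(512 | UAC_ACCOUNTDISABLE)])

def classify(entry):
    """Apply the pair as ExternalAuth uses it (assumption): 'filter' selects
    accounts that may log in; one that also matches 'd_filter' is disabled."""
    if not matches(parse_filter(AD_FILTER), entry):
        return "not a user"
    return "disabled" if matches(parse_filter(AD_D_FILTER), entry) else "active"
```

`classify(ACTIVE_USER)` returns `"active"` and `classify(DISABLED_USER)` returns `"disabled"`; swapping in the filter string with a space between its two components, as it appears in the config quoted above, makes `is_valid_filter()` return False, which is the point at which to compare against what the server and Net::LDAP actually accept.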