Val,<br><br>I think it is your LDAP external settings. We use the LDAP UserID that one signs in with as the name and we use TLS. Anyway, this is what we have. I'm remove sensitive stuff, but I think there will be enough to correlate:<br>
<br><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="ProgId" content="Word.Document"><meta name="Generator" content="Microsoft Word 11"><meta name="Originator" content="Microsoft Word 11"><link rel="File-List" href="file:///C:%5CDOCUME%7E1%5CKFCROC%7E1%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_filelist.xml"><style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{mso-style-parent:"";
margin:0in;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Times New Roman";
mso-fareast-font-family:"Times New Roman";}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;
mso-header-margin:.5in;
mso-footer-margin:.5in;
mso-paper-source:0;}
div.Section1
{page:Section1;}
-->
</style>
<p class="MsoNormal"># User is authenticated if successfully confirmed by any
service</p>
<p class="MsoNormal">#<span style=""> </span><b style="">No more services are checked</b></p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"><b style="">Set($ExternalAuthPriority,<span style=""> </span>[ 'My_LDAP' ] );</b></p>
<p class="MsoNormal"><b style="">Set($ExternalInfoPriority,<span style=""> </span>[ 'My_LDAP' ] );</b></p>
<p class="MsoNormal"><b style="">Set($ExternalServiceUsesSSLorTLS,
1);</b></p>
<p class="MsoNormal"><b style="">Set($AutoCreateNonExternalUsers,
0);</b></p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"># These are the full settings for each external service as a
HashOfHashes</p>
<p class="MsoNormal"># No more services are checked</p>
<p class="MsoNormal">#</p>
<p class="MsoNormal"><b style="">Set(</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span>$ExternalSettings,</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span>{</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span>'My_LDAP' =></b></p>
<p class="MsoNormal"><b style=""><span style=""> </span>{</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span>‘type’<span style=""> </span><span style=""> </span>=> 'ldap',</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span><span style=""> </span>‘server’<span style="">
</span>=> 'our server’,</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span>‘user’<span style=""> </span>=><span style="">
</span>‘’,</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span>‘pass’<span style=""> </span><span style=""> </span>=><span style="">
</span>‘’,</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span>‘base’<span style=""> </span><span style=""> </span>=> 'ou=People,o=company name,c=US’,</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span>‘filter’<span style=""> </span><span style=""> </span>=>
'(&(xxxstatus=A)(|(xxxpan=CF*)(xxxpan=EH*)(xxxpan=HR*)(xxxpan=IC*)))’, # division prefixes we use as a filter on top of "active" stastus</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span>‘d_filter’<span style=""> </span>=> '(!(|(xxxEmpStat=Staff)(xxxEmpStat=Guest)))', # staff or guest</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span>‘tls’<span style=""> </span><span style=""> </span>=> 1,</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span>‘net_ldap_args’<span style=""> </span><span style=""> </span>=>
[ version => 3],</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span>‘attr_match_list’ <span style=""> </span>=> ['Name',</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span><span style=""> </span>'EmailAddress',</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span><span style=""> </span><span style=""> </span>'RealName',</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span><span style=""> </span>'uid'</b></p>
<p class="MsoNormal"><b style=""><span style="">
</span>],</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span>‘attr_map’<span style=""> </span>=><span style=""> </span>{'Name' <span style=""> </span>=> 'uid',</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span><span style=""> </span><span style=""> </span><span style=""> </span><span style=""> </span>'EmailAddress' <span style=""> </span><span style=""> </span>=>
'mail',</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span><span style=""> </span><span style=""> </span>'Organization'<span style=""> </span>=> ‘o’,</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span><span style=""> </span><span style=""> </span>'RealName'<span style=""> </span>=> 'cn',</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span><span style=""> </span><span style=""> </span>'ExternalAuthId' <span style=""> </span>=> 'uid',</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span><span style=""> </span><span style=""> </span><span style=""> </span>'Gecos' <span style=""> </span>=> 'uid',</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span><span style=""> </span><span style=""> </span>'WorkPhone' <span style=""> </span>=> 'telephonenumber',</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span><span style=""> </span><span style=""> </span>'Address1' <span style=""> </span>=> 'xxxmailstop',</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span><span style=""> </span>'Address2'<span style=""> </span>=> 'postaladdress’</b></p>
<p class="MsoNormal"><b style=""><span style="">
</span>}</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span>}</b></p>
<p class="MsoNormal"><b style=""><span style=""> </span>}</b></p>
<p class="MsoNormal" style=""><b style=""><span style=""> </span>);</b></p>
<b style=""><span style="font-size: 12pt; font-family: "Times New Roman";">1;</span></b><br><br>An explanation of our settings:<br><br>We are stating that we use LDAP for both authorization AND the Info we pull.<br>
We turn on External Service using SSL or TLS.<br>We do <b>NOT</b> autocreate users that do not pass the LDAP auth process.<br>We do not specify any user or pass.<br>We specify the LDAP ou, o, & c values.<br>We specify an additional filter. For us, the status (for the user signing in) must be active on the LDAP table AND, in addition, we specifiy division codes. We only want certain company employees from specified division to be able to use RT.<br>
We specify a "disable" filter for any user signing on if they are not classified as staff or a guest.<br>We specify the argument version we use.<br>We specify what LDAP attributes we want to match against when authorizing.<br>
We specify what LDAP info we want to download into the RT USER Table:<br>- Name will be the LDAP UserID they sign on with<br>- Email address is the LDAP email address associated with this LDAP UserId.<br>- Organization info will be what we set in 'o' to earlier (base=>o= company name).<br>
- and on.<br><br>Notice we use the same LDAP UserId (uid) for Name, ExternalAuthID and Gecos.<br><br>I guess the main thing to look for is <i>a consistency</i> in what LDAP fields you use for Auth and what you save. If I say I use the <i>LDAP 'uid"</i> for <i>Name</i>, then I must make sure that all references to <i>Name</i> are expecting that it be the LDAP UserID (<i>'uid</i>').<br>
<br>That's the best advice I can give you. Hope it's enough.<br><br>Kenn<br>LBNL<br><br><br><div class="gmail_quote">On Mon, Sep 27, 2010 at 10:19 AM, Val Polyakov <span dir="ltr"><<a href="mailto:val@polyakov.me">val@polyakov.me</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">ldapsearch works, i can find myself using:<br>
<br>
ldapsearch -LLL -x -H ldap://ADserver:389 -b<br>
'ou=users,ou=yonkers,dc=mydomain,dc=org' -D 'cn=rt,ou=Service<br>
Accounts,ou=Users,ou=HIGHSECURITY,dc=mydomain,dc=org' -w 'rtPassword'<br>
'(&(ObjectClass=Person)(cn=Polyakov, Valeriy))'<br>
<br>
<br>
I also turned on debug loging for externalauth, and here's what I see in<br>
the log. the password im providing is correct, it seems to be able to find<br>
my account, but then I get an auth failure.. why ? :/<br>
<br>
<br>
[Mon Sep 27 17:11:18 2010] [debug]: Reloading RT::User to work around a<br>
bug in RT-3.8.0 and RT-3.8.1<br>
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)<br>
[Mon Sep 27 17:11:18 2010] [debug]: Attempting to use external auth<br>
service: My_LDAP<br>
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)<br>
[Mon Sep 27 17:11:18 2010] [debug]: Calling UserExists with $username<br>
(polyva) and $service (My_LDAP)<br>
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)<br>
[Mon Sep 27 17:11:18 2010] [debug]: UserExists params:<br>
username: polyva , service: My_LDAP<br>
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)<br>
[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base:<br>
ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter:<br>
(&(&(ObjectCategory=User))(sAMAccountName=polyva)) == Attrs:<br>
l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,mail<br>
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)<br>
[Mon Sep 27 17:11:18 2010] [debug]: Password validation required for<br>
service - Executing...<br>
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)<br>
[Mon Sep 27 17:11:18 2010] [debug]: Trying external auth service: My_LDAP<br>
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)<br>
[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base:<br>
ou=Users,ou=Yonkers,dc=consumer,dc=org == Filter:<br>
(&(sAMAccountName=polyva)(&(ObjectCategory=User))) == Attrs: dn<br>
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)<br>
[Mon Sep 27 17:11:18 2010] [debug]: Found LDAP DN: CN=Polyakov\,<br>
Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org<br>
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)<br>
[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base:<br>
ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (member=CN=Polyakov,<br>
Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org) == Attrs: dn<br>
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)<br>
[Mon Sep 27 17:11:18 2010] [info]: My_LDAP AUTH FAILED: polyva<br>
<div class="im">(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)<br>
</div>[Mon Sep 27 17:11:18 2010] [debug]: LDAP password validation result: 0<br>
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)<br>
[Mon Sep 27 17:11:18 2010] [debug]: Password Validation Check Result: 0<br>
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)<br>
[Mon Sep 27 17:11:18 2010] [debug]: Autohandler called ExternalAuth.<br>
Response: (0, Password Invalid)<br>
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)<br>
[Mon Sep 27 17:11:18 2010] [error]: FAILED LOGIN for polyva from<br>
<div><div></div><div class="h5">192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)<br>
<br>
<br>
<br>
> Val,<br>
> Have you verified that ldapsearch works for you on this box?<br>
><br>
> I used something like this to test:<br>
><br>
><br>
> ldapsearch -LLL -x -H ldap://<ldap server>:389 -b<br>
> 'DC=corp,DC=something,DC=com' -D '<a href="mailto:ldapuser@corp.something.com">ldapuser@corp.something.com</a>' -w<br>
> '<ldapuser password>' '(&(ObjectClass=Person)(cn=<username to search<br>
> for))'<br>
><br>
><br>
> I had to request from our Windows AD guys to allow the ldapuser to be able<br>
> to read all user information. I also had to have them open the firewall<br>
> to our server, because by default, they only allow certain servers to<br>
> query the AD servers.<br>
><br>
> John<br>
><br>
><br>
><br>
> On 09/27/2010 10:14 AM, Val Polyakov wrote:<br>
><br>
> Trying to get my RT 3.8.8 on RHEL5 to authenticate against our corporate<br>
> AD.<br>
><br>
> I followed this guide here:<br>
> <a href="http://wiki.bestpractical.com/view/CentOS5InstallPlusSome" target="_blank">http://wiki.bestpractical.com/view/CentOS5InstallPlusSome</a><br>
><br>
> I also checked that apache has access to over here<br>
> (RT-Authen-ExternalAuth<br>
> dir was chgrp -R'ed and chmod -R 770'ed):<br>
><br>
> [root@rt plugins]# pwd<br>
> /opt/rt3/local/plugins<br>
> [root@rt plugins]# ls -ltr<br>
> total 4<br>
> drwxrwx--- 5 root apache 4096 Sep 13 14:16 RT-Authen-ExternalAuth<br>
> [root@rt plugins]# ps awwwux |grep httpd<br>
> root 2313 0.1 4.1 348008 83360 ? Ss 10:32 0:02<br>
> /usr/sbin/httpd<br>
> apache 2317 0.0 4.1 350272 82612 ? S 10:32 0:00<br>
> /usr/sbin/httpd<br>
> apache 2318 0.0 4.1 350272 82616 ? S 10:32 0:00<br>
> /usr/sbin/httpd<br>
> apache 2319 0.0 4.0 348204 82216 ? S 10:32 0:00<br>
> /usr/sbin/httpd<br>
> apache 2320 0.0 4.1 350272 82684 ? S 10:32 0:00<br>
> /usr/sbin/httpd<br>
> apache 2321 0.0 4.1 350928 83388 ? S 10:32 0:00<br>
> /usr/sbin/httpd<br>
> apache 2322 0.0 4.1 350272 82616 ? S 10:32 0:00<br>
> /usr/sbin/httpd<br>
> apache 2323 0.0 4.1 350272 82616 ? S 10:32 0:00<br>
> /usr/sbin/httpd<br>
> apache 2324 0.0 4.1 350668 83172 ? S 10:32 0:00<br>
> /usr/sbin/httpd<br>
> root 3537 0.0 0.0 61148 708 pts/0 R+ 11:06 0:00 grep<br>
> httpd<br>
> [root@rt plugins]#<br>
><br>
> when I set this up and tried to login with my AD account for the first<br>
> time, here's what I saw in /var/log/httpd/error_log :<br>
><br>
><br>
> [root@rt autohandler]# tail -f /var/log/httpd/error_log<br>
> [Mon Sep 27 14:32:29 2010] [info]:<br>
> RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: 101<br>
> Truman Avenue, City: Yonkers, Country: United States, Disabled: 0,<br>
> EmailAddress: <a href="mailto:vpolyakov@consumer.org">vpolyakov@consumer.org</a>, ExternalAuthId: POLYVA, Gecos:<br>
> POLYVA, Name: POLYVA, Organization: 1-8D, Privileged: 0, RealName:<br>
> Polyakov, Valeriy, State: NY, WorkPhone: (914) 378-2577, Zip: 10703<br>
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)<br>
> [Mon Sep 27 14:32:29 2010] [info]: Autocreated external user POLYVA ( 36<br>
> )<br>
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:132)<br>
> [Mon Sep 27 14:32:29 2010] [info]: My_LDAP AUTH FAILED: polyva<br>
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)<br>
><br>
> ....<br>
><br>
> And ever since then when I try to login I only see this:<br>
><br>
> [Mon Sep 27 14:52:31 2010] [info]: My_LDAP AUTH FAILED: polyva<br>
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)<br>
> [Mon Sep 27 14:52:31 2010] [error]: FAILED LOGIN for polyva from<br>
> 192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)<br>
><br>
><br>
> my /opt/rt3/etc/RT_SiteConfig.pm and<br>
> /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc are attached<br>
><br>
><br>
> Any suggestions?<br>
><br>
><br>
><br>
> RT Training in Washington DC, USA on Oct 25 & 26 2010<br>
> Last one this year -- Learn how to get the most out of RT!<br>
><br>
><br>
> --<br>
> John Alberts<br>
> Hosted Services<br>
> Exlibris USA<br>
> <a href="mailto:john.alberts@exlibrisgroup.com">john.alberts@exlibrisgroup.com</a><br>
> cell: 1-508-878-2197<br>
><br>
<br>
<br>
<br>
RT Training in Washington DC, USA on Oct 25 & 26 2010<br>
Last one this year -- Learn how to get the most out of RT!<br>
</div></div></blockquote></div><br>