<p>There is one bug with the group check. If the user who tries to log in has no rights in LDAP to see the group, then the check fails and the error in the logs is not very helpful.</p>
<p>Regards, Ruslan. From phone.</p>
<div class="gmail_quote">On 30.08.2011 22:42, "Brian Murphy" <<a href="mailto:blmurphy@eiu.edu">blmurphy@eiu.edu</a>> wrote:<br type="attribution">> I have actually gotten auth to work through my active directory.  <br>
> <br>> I still have to debug my group membership attribute as that is what was tripping me up this last time.  Not real sure how to code it.<br>> <br>> seeing this failure:<br>> [Tue Aug 30 16:15:09 2011] [debug]: LDAP Search ===  Base: dc=eiuad,dc=eiu,dc=edu == Filter: (member=CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)<br>
> [Tue Aug 30 16:15:09 2011] [info]: EIUAD AUTH FAILED: blmurphy (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)<br>> [Tue Aug 30 16:15:09 2011] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)<br>
> [Tue Aug 30 16:15:09 2011] [debug]: Password Validation Check Result:  0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)<br>> <br>> I removed the group check from the SiteConfig and now I can log in using my external active directory credentials.  Anyone have an idea what I might be coding or placing wrong on trying to use the group membership?<br>
> <br>> Thanks for all your input(s).<br>> <br>> Brian <br>> <br>> ----- Original Message -----<br>> From: "Brian Murphy" <<a href="mailto:blmurphy@eiu.edu">blmurphy@eiu.edu</a>><br>> To: <a href="mailto:rt-users@lists.bestpractical.com">rt-users@lists.bestpractical.com</a><br>
> Sent: Tuesday, August 30, 2011 11:33:53 AM<br>> Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl<br>> <br>> Complaining about validating the password after locating the user entry.<br>> <br>
> I am now receiving the following out of the external auth:<br>> <br>> <br>> [Tue Aug 30 16:15:09 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)<br>
> [Tue Aug 30 16:15:09 2011] [debug]: Calling UserExists with $username (blmurphy) and $service (EIUAD) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)<br>> [Tue Aug 30 16:15:09 2011] [debug]: UserExists params:<br>
> username: blmurphy , service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)<br>> [Tue Aug 30 16:15:09 2011] [debug]: LDAP Search ===  Base: dc=eiuad,dc=eiu,dc=edu == Filter: (&(objectClass=*)(sAMAccountName=blmurphy)) == Attrs: sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)<br>
> [Tue Aug 30 16:15:09 2011] [debug]: Password validation required for service - Executing... (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)<br>> [Tue Aug 30 16:15:09 2011] [debug]: Trying external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)<br>
> [Tue Aug 30 16:15:09 2011] [debug]: LDAP Search ===  Base: dc=eiuad,dc=eiu,dc=edu == Filter: (&(sAMAccountName=blmurphy)(objectClass=*)) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)<br>
> [Tue Aug 30 16:15:09 2011] [debug]: Found LDAP DN: CN=Murphy\, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)<br>
> [Tue Aug 30 16:15:09 2011] [debug]: LDAP Search ===  Base: dc=eiuad,dc=eiu,dc=edu == Filter: (member=CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)<br>
> [Tue Aug 30 16:15:09 2011] [info]: EIUAD AUTH FAILED: blmurphy (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)<br>> [Tue Aug 30 16:15:09 2011] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)<br>
> [Tue Aug 30 16:15:09 2011] [debug]: Password Validation Check Result:  0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)<br>> [Tue Aug 30 16:15:09 2011] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)<br>
> [Tue Aug 30 16:15:09 2011] [error]: FAILED LOGIN for blmurphy from 139.67.17.30 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:639)<br>> <br>> <br>> Using the following RT_SiteConfig.pm settings:<br>> <br>> Set($ExternalSettings,      {<br>
>                                 # EIUAD Active Directory<br>>                                 'EIUAD'       =>  {   ## GENERIC SECTION<br>>                                                         # The type of service (db/ldap/cookie)<br>
>                                                         'type'                      =>  'ldap',<br>>                                                         # The server hosting the service<br>>                                                         'server'                    =>  'eiuad.eiu.edu',<br>
>                                                         ## SERVICE-SPECIFIC SECTION<br>>                                                         # If you can bind to your LDAP server anonymously you should<br>>                                                         # remove the user and pass config lines, otherwise specify them here:<br>
>                                                         #<br>>                                                         # The username RT should use to connect to the LDAP server<br>>                                                         'user'                      =>  'CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',<br>
>                                                         # The password RT should use to connect to the LDAP server<br>>                                                         'pass'                    =>  'xxxxxxxxx!',<br>
>                                                         #<br>>                                                         # The LDAP search base<br>>                                                         #'base'                      =>  'ou=its employees,ou=employee accounts,ou=eiu users,dc=eiuad,dc=eiu,dc=edu',<br>
>                                                         'base'                      =>   'dc=eiuad,dc=eiu,dc=edu',<br>>                                                         #<br>>                                                         # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!<br>
>                                                         # YOU **MUST** SPECIFY A filter AND A d_filter!!<br>>                                                         #<br>>                                                         # The filter to use to match RT-Users<br>
>                                                         'filter'                    =>  '(objectClass=*)',<br>>                                                         # A catch-all example filter: '(objectClass=*)'<br>
>                                                         #<br>>                                                         # The filter that will only match disabled users<br>>                                                         'd_filter'                  =>  '(objectclass=Foo)',<br>
>                                                         # A catch-none example d_filter: '(objectClass=FooBarBaz)'<br>>                                                         #<br>>                                                         # Should we try to use TLS to encrypt connections?<br>
>                                                         'tls'                       =>  0,<br>>                                                         # SSL Version to provide to Net::SSLeay *if* using SSL<br>
>                                                         'ssl_version'               =>  3,<br>>                                                         # What other args should I pass to Net::LDAP->new($host,@args)?<br>
>                                                         'net_ldap_args'             => [    version =>  3   ],<br>>                                                         # Does authentication depend on group membership? What group name?<br>
>                                                         'group'                     =>  'CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',<br>>                                                         # What is the attribute for the group object that determines membership?<br>
>                                                         'group_attr'                =>  'member',<br>>                                                         ## RT ATTRIBUTE MATCHING SECTION<br>
>                                                         # The list of RT attributes that uniquely identify a user<br>>                                                         # This example shows what you *can* specify.. I recommend reducing this<br>
>                                                         # to just the Name and EmailAddress to save encountering problems later.<br>>                                                         'attr_match_list'           => [    'Name'<br>
>                                                                                         ],<br>>                                                         # The mapping of RT attributes on to LDAP attributes<br>>                                                         'attr_map'                  =>  {   'Name' => 'sAMAccountName'<br>
>                                                                                         }<br>>                                                     }<br>>                                 }<br>> );<br>> <br>
> ----- Original Message -----<br>> From: "Brian Murphy" <<a href="mailto:blmurphy@eiu.edu">blmurphy@eiu.edu</a>><br>> To: <a href="mailto:rt-users@lists.bestpractical.com">rt-users@lists.bestpractical.com</a><br>
> Sent: Tuesday, August 30, 2011 10:59:08 AM<br>> Subject: Fwd: [rt-users] rt4 and External Auth to AD 2008 non-ssl<br>> <br>> <br>> Well, sh**!  Sometimes the simplest are the most difficult.  I was way too close to the forest to see the trees on that one.  Having a . instead of the , in my base string was causing me to not be able to find the entry.  I have my filter set to () and am using the sAMAccountName and finding the user account, but now it refuses my password.  Here is what I get in the log.  Any ideas?  I know my password and am using it for other accounts.<br>
> <br>> [Tue Aug 30 15:48:14 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)<br>> [Tue Aug 30 15:48:14 2011] [debug]: Calling UserExists with $username (blmurphy) and $service (EIUAD) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)<br>
> [Tue Aug 30 15:48:14 2011] [debug]: UserExists params:<br>> username: blmurphy , service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)<br>> [Tue Aug 30 15:48:14 2011] [debug]: LDAP Search ===  Base: dc=eiuad,dc=eiu,dc=edu == Filter: (&(sAMAccountName=blmurphy)) == Attrs: sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)<br>
> [Tue Aug 30 15:48:14 2011] [debug]: Password validation required for service - Executing... (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)<br>> [Tue Aug 30 15:48:14 2011] [debug]: Trying external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)<br>
> [Tue Aug 30 15:48:14 2011] [debug]: LDAP Search ===  Base: dc=eiuad,dc=eiu,dc=edu == Filter: (&(sAMAccountName=blmurphy)) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)<br>
> [Tue Aug 30 15:48:14 2011] [debug]: Found LDAP DN: CN=Murphy\, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)<br>
> [Tue Aug 30 15:48:14 2011] [debug]: LDAP Search ===  Base: dc=eiuad,dc=eiu,dc=edu == Filter: (member=CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)<br>
> [Tue Aug 30 15:48:14 2011] [info]: EIUAD AUTH FAILED: blmurphy (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)<br>> [Tue Aug 30 15:48:14 2011] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)<br>
> [Tue Aug 30 15:48:14 2011] [debug]: Password Validation Check Result:  0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)<br>> [Tue Aug 30 15:48:14 2011] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)<br>
> [Tue Aug 30 15:48:14 2011] [error]: FAILED LOGIN for blmurphy from 139.67.17.30 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:639)<br>> [Tue Aug 30 15:48:17 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)<br>
> [Tue Aug 30 15:48:17 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)<br>> [Tue Aug 30 15:48:17 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)<br>
> <br>> ----- Original Message -----<br>> From: "David Chandek-Stark" <<a href="mailto:david.chandek.stark@duke.edu">david.chandek.stark@duke.edu</a>><br>> To: "Brian Murphy" <<a href="mailto:blmurphy@eiu.edu">blmurphy@eiu.edu</a>>, <a href="mailto:rt-users@lists.bestpractical.com">rt-users@lists.bestpractical.com</a><br>
> Sent: Tuesday, August 30, 2011 10:41:54 AM<br>> Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl<br>> <br>> I'm guessing your base should have a comma b/w "eiu" and "dc" -- I.e.,<br>
> "dc=eiuad,dc=eiu,dc=edu".<br>> <br>> --D<br>> <br>> On 8/30/11 11:34 AM, "Brian Murphy" <<a href="mailto:blmurphy@eiu.edu">blmurphy@eiu.edu</a>> wrote:<br>>>[Tue Aug 30 15:29:48 2011] [debug]: LDAP Search ===  Base:<br>
>>dc=eiuad,dc=eiu.dc=edu == Filter: (&(sAMAccountName=blmurphy)) == Attrs:<br>>>sAMAccountName <br>>>(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/<br>>>LDAP.pm:304)<br>
> <br>> --------<br>> RT Training Sessions (<a href="http://bestpractical.com/services/training.html">http://bestpractical.com/services/training.html</a>)<br>> *  Chicago, IL, USA  September 26 & 27, 2011<br>
> *  San Francisco, CA, USA  October 18 & 19, 2011<br>> *  Washington DC, USA  October 31 & November 1, 2011<br>> *  Melbourne VIC, Australia  November 28 & 29, 2011<br>> *  Barcelona, Spain  November 28 & 29, 2011<br>
</div>
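<p>Added example, not part of the original thread and not code from RT-Authen-ExternalAuth: in the quoted log the directory returns the DN as <code>CN=Murphy\, Brian,...</code>, while the membership filter logged on the next line carries <code>CN=Murphy, Brian,...</code>. This Python check applies RFC 4515 escaping to the returned DN and compares the result with the logged filter; the function names and the shortened file paths in the sample lines are assumptions made for illustration.</p>

```python
import re

# RFC 4515 section 3: these characters must be written as \XX inside a
# filter assertion value. The backslash itself is one of them.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a raw attribute value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def member_filter(group_attr: str, user_dn: str) -> str:
    """Build the membership filter from a DN exactly as the directory returned it."""
    return f"({group_attr}={escape_filter_value(user_dn)})"

# Patterns for the two RT debug lines of interest (format as seen in the thread).
_FOUND_DN = re.compile(r"Found LDAP DN: (?P<dn>.+?) \(/")
_FILTER = re.compile(r"== Filter: (?P<filter>\(.+\)) == Attrs:")

def audit_group_filters(log_lines, group_attr="member"):
    """Pair each 'Found LDAP DN' line with the next membership filter and
    return tuples of (dn, logged_filter, expected_filter, matches)."""
    findings, dn = [], None
    for line in log_lines:
        m = _FOUND_DN.search(line)
        if m:
            dn = m.group("dn")
            continue
        m = _FILTER.search(line)
        if m and dn and m.group("filter").startswith(f"({group_attr}="):
            logged = m.group("filter")
            expected = member_filter(group_attr, dn)
            findings.append((dn, logged, expected, logged == expected))
            dn = None
    return findings

# Sample input: two log lines from the thread, file paths shortened (constructed).
SAMPLE_LOG = [
    r"[debug]: Found LDAP DN: CN=Murphy\, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu (/opt/rt4/.../LDAP.pm:75)",
    "[debug]: LDAP Search ===  Base: dc=eiuad,dc=eiu,dc=edu == Filter: (member=CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu) == Attrs: dn (/opt/rt4/.../LDAP.pm:100)",
]

if __name__ == "__main__":
    for dn, logged, expected, ok in audit_group_filters(SAMPLE_LOG):
        print("OK" if ok else "MISMATCH")
        print("  logged:  ", logged)
        print("  expected:", expected)
```

<p>A mismatch here only shows that the logged filter is not the escaped form of the returned DN; whether the bind account can read the group object at all, the case raised at the top of this message, has to be checked separately against the directory.</p>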