<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Hello,
<div class=""><br class="">
</div>
<div class="">I have a working mod_authnz_ldap configuration for apache 2.4 (on a virtualhost on the same server) but I cannot seem to convert the configuration to a valid RT::Authen::ExternalAuth::LDAP configuration.  At one point I could see in var/log/rt.log
 that it was at least checking the nested groups for membership but the filter didn't look quite right.  I have since changed that configuration and it seems to stall for a minute and then fail.  It gets my real name from the AD service but then cannot match
 the sub/nested group filter I think?</div>
<div class=""><br class="">
</div>
<div class=""><u class=""><b class="">The apache configuration that works is:</b></u></div>
<div class="">    <Location /adirectoryname></div>
<div class="">        LogLevel debug<br class="">
        AuthName "Password protected. Enter your AD username and password."<br class="">
        AuthType Basic<br class="">
        AuthBasicProvider ldap<br class="">
        AuthLDAPURL "ldap://ldap.server.hostname/OU=iweb,DC=corp,DC=iweb,DC=com?sAMAccountName?sub?(objectClass=*)"<br class="">
        AuthLDAPGroupAttribute member<br class="">
        AuthLDAPGroupAttributeIsDN on<br class="">
        AuthLDAPBindDN "ldapbinduserstring"<br class="">
        AuthLDAPBindPassword ldapbindpass<br class="">
<span class="Apple-tab-span" style="white-space:pre"></span>    Require ldap-filter memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS,OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com<br class="">
    </Location></div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><u class=""><b class="">So far I've got this in RT_SiteConfig.pm for RT:</b></u></div>
<div class="">...snipped...</div>
<div class="">Set($ExternalSettings, {</div>
<div class="">    'My_LDAP' => {<br class="">
        'type' => 'ldap',<br class="">
        'server' => 'corp.iweb.com',<br class="">
        'user' => 'ldapbinduserstring',<br class="">
        'pass' => 'ldapbindpass',<br class="">
        'base' => 'OU=iweb,DC=corp,DC=iweb,DC=com',<br class="">
        'filter' => '(objectClass=*)',<br class="">
        'd_filter' => 'UserAccountControl:1.2.840.113556.1.4.803:=2',<br class="">
        'group' => 'RTIR_WEB_SC_ACCESS',<br class="">
        'group_scope' => 'sub',<br class="">
        'group_attr' => 'memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS',<br class="">
        'group_attr_value' => 'OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com',<br class="">
        'tls' => 0,<br class="">
        'attr_match_list' => [<br class="">
            'Name',<br class="">
            'EmailAddress',<br class="">
        ],<br class="">
        'attr_map' => {<br class="">
            'Name' => 'sAMAccountName',<br class="">
            'EmailAddress' => 'mail',<br class="">
            'Organization' => 'physicalDeliveryOfficeName',<br class="">
            'RealName' => 'cn',<br class="">
            'ExternalAuthId' => 'sAMAccountName',<br class="">
            'Gecos' => 'sAMAccountName',<br class="">
        },<br class="">
    },<br class="">
} );</div>
<div class="">...snipped...</div>
<div class="">Plugin('RT::IR', 'RT::Authen::ExternalAuth');</div>
<div class=""><br class="">
</div>
<div class=""><u class=""><b class="">The log entries with the above configuration are:</b></u></div>
<div class="">[28280] [Thu Jul 14 19:12:14 2016] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:424)</div>
<div class="">[28280] [Thu Jul 14 19:12:14 2016] [debug]: Calling UserExists with $username (lstewart) and $service (My_LDAP) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:465)<br class="">
[28280] [Thu Jul 14 19:12:14 2016] [debug]: UserExists params:<br class="">
username: lstewart , service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)<br class="">
[28280] [Thu Jul 14 19:12:14 2016] [debug]: LDAP Search ===  Base: OU=iweb,DC=corp,DC=iweb,DC=com == Filter: (&(objectClass=*)(sAMAccountName=lstewart)) == Attrs: sAMAccountName,physicalDeliveryOfficeName,mail,cn,sAMAccountName,sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)<br class="">
[28280] [Thu Jul 14 19:12:14 2016] [debug]: Password validation required for service - Executing... (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:517)<br class="">
[28280] [Thu Jul 14 19:12:14 2016] [debug]: Trying external auth service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:153)<br class="">
[28280] [Thu Jul 14 19:14:14 2016] [debug]: LDAP Search ===  Base: OU=iweb,DC=corp,DC=iweb,DC=com == Filter: (&(sAMAccountName=lstewart)(objectClass=*)) == Attrs: dn,OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:186)<br class="">
[28280] [Thu Jul 14 19:14:14 2016] [debug]: Found LDAP DN: CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:220)<br class="">
[28280] [Thu Jul 14 19:14:15 2016] [debug]: Attribute 'OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com' has no value; falling back to 'CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com' (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:249)<br class="">
[28280] [Thu Jul 14 19:14:15 2016] [debug]: LDAP Search ===  Base: RTIR_WEB_SC_ACCESS == Scope: sub == Filter: (memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS=CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:256)<br class="">
[28280] [Thu Jul 14 19:14:15 2016] [critical]: Search for (memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS=CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com) failed: LDAP_INVALID_DN_SYNTAX 34 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)<br class="">
[28280] [Thu Jul 14 19:14:15 2016] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:696)<br class="">
[28280] [Thu Jul 14 19:14:15 2016] [debug]: Password Validation Check Result:  0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:521)<br class="">
[28280] [Thu Jul 14 19:14:15 2016] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)<br class="">
[28280] [Thu Jul 14 19:14:15 2016] [error]: FAILED LOGIN for lstewart from xx.xx.xx.xx (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:810)</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="margin-top: 0px; margin-bottom: 0px;" class="">
<div style="margin-top: 0px; margin-bottom: 0px;" class=""><span style="font-family: Arial;" class="">--</span></div>
<div style="margin-top: 0px; margin-bottom: 0px;" class=""><span style="font-family: Arial;" class="">Landon Stewart</span></div>
<div style="margin-top: 0px; margin-bottom: 0px;" class=""><font face="Arial" class="">Lead Analyst - Abuse and Security Management<br class="">
</font><b class=""><i class=""><span style="font-family: 'Arial Black';" class="">INTERNAP</span></i></b><span style="font-family: Arial;" class=""><span class="Apple-converted-space"> </span><sup class="">®</sup></span></div>
<div style="margin-top: 0px; margin-bottom: 0px;" class=""><a href="mailto:lstewart@internap.com" class="">lstewart@internap.com</a><span style="font-family: Arial;" class=""> • </span><a href="http://www.internap.com" class="">www.internap.com</a></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br class="">
</div>
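<div class=""><br class="">
</div>
<div class="">Editor's added example, not part of Landon's message and not taken from RT's own documentation: the RT_SiteConfig.pm fragment below maps the working Apache directives onto the group settings of RT::Authen::ExternalAuth::LDAP. The log above shows how the module builds its group check: it searches with base set to 'group', scope set to 'group_scope', and a filter of the form (&lt;group_attr&gt;=&lt;value of group_attr_value on the user entry, or the user DN when that attribute is empty&gt;). Three things follow: 'group' must be the group's full DN (a bare CN as the search base is what produced LDAP_INVALID_DN_SYNTAX 34), 'group_attr' is an attribute of the group object rather than of the user, and the AD chain matching rule that the Apache Require ldap-filter applies to the user's memberOf has to be applied to the group's member attribute instead. The hostnames, bind placeholders, DNs and attribute map are carried over from the post; the claim that RT drops group_attr into the filter string as-is is inferred from the logged filter, not verified against the module source, and the ldapsearch invocation in the comments assumes OpenLDAP's client tools.</div>

```perl
# Added example (editor's, not from the original post or from RT's docs).
# Same AD tree, bind account and group as the post; only the group-check
# settings and the disabled-account filter change. Built from the searches
# RT logged above, not from reading RT::Authen::ExternalAuth::LDAP's source.
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        # The post used the domain name. The two-minute gap in the log between
        # "Trying external auth service" and the next search sits in the
        # connect/bind step; if that persists, pointing this at one DC (the
        # Apache config's ldap.server.hostname) removes DNS round-robin to a
        # DC that is slow or unreachable from the RT host. (Assumption.)
        'server' => 'corp.iweb.com',
        'user'   => 'ldapbinduserstring',
        'pass'   => 'ldapbindpass',
        'base'   => 'OU=iweb,DC=corp,DC=iweb,DC=com',
        'filter' => '(objectClass=*)',
        # Same ADS_UF_ACCOUNTDISABLE bit test as the post, written as a complete
        # parenthesised filter the way RT's documented d_filter examples are.
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

        # RT runs: search(base => group, scope => group_scope,
        #                 filter => "(<group_attr>=<user's group_attr_value, else DN>)")
        # so 'group' is the group's full DN and scope 'base' reads only that object.
        'group'       => 'CN=RTIR_WEB_SC_ACCESS,OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com',
        'group_scope' => 'base',
        # Apache applied LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) to the
        # user's memberOf. Here the search runs against the group object, so the
        # same rule goes on the group's 'member' attribute. RT then sends
        #   (member:1.2.840.113556.1.4.1941:=CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com)
        # which AD evaluates transitively, i.e. nested membership counts.
        # A plain 'member' here would match direct members only.
        'group_attr'       => 'member:1.2.840.113556.1.4.1941:',
        # Compare against the user's DN. The post put an OU DN here, which is why
        # the log reported "Attribute 'OU=Groupes,...' has no value".
        'group_attr_value' => 'dn',

        # Kept as in the post. With a bind password in this file, plain ldap://
        # on 389 sends that bind and every user's password in clear between RT
        # and the DC; 'tls' => 1 (StartTLS) is the production setting once the
        # DC certificate chain is trusted on the RT host.
        'tls' => 0,
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
        },
    },
});

# Check the group filter outside RT before touching RT_SiteConfig.pm
# (OpenLDAP ldapsearch flags assumed: -x simple bind, -H URI, -D bind DN,
#  -W prompt for password, -b base, -s scope):
#   ldapsearch -x -H ldap://corp.iweb.com -D 'ldapbinduserstring' -W \
#     -b 'CN=RTIR_WEB_SC_ACCESS,OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com' -s base \
#     '(member:1.2.840.113556.1.4.1941:=CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com)' dn
# It returns the group's DN exactly when the user is a direct or nested member,
# and nothing otherwise; that is the same answer RT's password-validation step
# will get from the configuration above.
```

<div class="">After restarting RT, the debug line "LDAP Search === Base: CN=RTIR_WEB_SC_ACCESS,OU=Groupes,... == Scope: base == Filter: (member:1.2.840.113556.1.4.1941:=CN=...)" in rt.log is the confirmation that the settings took effect; an "LDAP password validation result: 1" line after it means the nested-group check passed.</div>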
</body>
</html>