<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Hello,
<div class=""><br class="">
</div>
<div class="">I have a working mod_authnz_ldap configuration for apache 2.4 (on a virtualhost on the same server) but I cannot seem to convert the configuration to a valid RT::Authen::ExternalAuth::LDAP configuration. At one point I could see in var/log/rt.log
that it was at least checking the nested groups for membership but the filter didn't look quite right. I have since changed that configuration and it seems to stall for a minute and then fail. It gets my real name from the AD service but then cannot match
the sub/nested group filter I think?</div>
<div class=""><br class="">
</div>
<div class=""><u class=""><b class="">The apache configuration that works is:</b></u></div>
<div class=""> <Location /adirectoryname></div>
<div class=""> LogLevel debug<br class="">
AuthName "Password protected. Enter your AD username and password."<br class="">
AuthType Basic<br class="">
AuthBasicProvider ldap<br class="">
AuthLDAPURL "<a href="ldap://ldap.server.hostname/OU=iweb,DC=corp,DC=iweb,DC=com?sAMAccountName?sub?(objectClass=*)" class="">ldap://ldap.server.hostname/OU=iweb,DC=corp,DC=iweb,DC=com?sAMAccountName?sub?(objectClass=*)</a>"<br class="">
AuthLDAPGroupAttribute member<br class="">
AuthLDAPGroupAttributeIsDN on<br class="">
AuthLDAPBindDN "ldapbinduserstring"<br class="">
AuthLDAPBindPassword ldapbindpass<br class="">
<span class="Apple-tab-span" style="white-space:pre"></span> Require ldap-filter memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS,OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com<br class="">
</Location></div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><u class=""><b class="">So far I've got this in RT_SiteConfig.pm for RT:</b></u></div>
<div class="">...snipped...</div>
<div class="">Set($ExternalSettings, {</div>
<div class=""> 'My_LDAP' => {<br class="">
'type' => 'ldap',<br class="">
'server' => '<a href="http://corp.iweb.com" class="">corp.iweb.com</a>',<br class="">
'user' => 'ldapbinduserstring',<br class="">
'pass' => 'ldapbindpass',<br class="">
'base' => 'OU=iweb,DC=corp,DC=iweb,DC=com',<br class="">
'filter' => '(objectClass=*)',<br class="">
'd_filter' => 'UserAccountControl:1.2.840.113556.1.4.803:=2',<br class="">
'group' => 'RTIR_WEB_SC_ACCESS',<br class="">
'group_scope' => 'sub',<br class="">
'group_attr' => 'memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS',<br class="">
'group_attr_value' => 'OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com',<br class="">
'tls' => 0,<br class="">
'attr_match_list' => [<br class="">
'Name',<br class="">
'EmailAddress',<br class="">
],<br class="">
'attr_map' => {<br class="">
'Name' => 'sAMAccountName',<br class="">
'EmailAddress' => 'mail',<br class="">
'Organization' => 'physicalDeliveryOfficeName',<br class="">
'RealName' => 'cn',<br class="">
'ExternalAuthId' => 'sAMAccountName',<br class="">
'Gecos' => 'sAMAccountName',<br class="">
},<br class="">
},<br class="">
} );</div>
<div class="">...snipped...</div>
<div class="">Plugin('RT::IR', 'RT::Authen::ExternalAuth');</div>
<div class=""><br class="">
</div>
<div class=""><u class=""><b class="">The log entries with the above configuration are:</b></u></div>
<div class="">[28280] [Thu Jul 14 19:12:14 2016] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:424)</div>
<div class="">[28280] [Thu Jul 14 19:12:14 2016] [debug]: Calling UserExists with $username (lstewart) and $service (My_LDAP) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:465)<br class="">
[28280] [Thu Jul 14 19:12:14 2016] [debug]: UserExists params:<br class="">
username: lstewart , service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)<br class="">
[28280] [Thu Jul 14 19:12:14 2016] [debug]: LDAP Search === Base: OU=iweb,DC=corp,DC=iweb,DC=com == Filter: (&(objectClass=*)(sAMAccountName=lstewart)) == Attrs: sAMAccountName,physicalDeliveryOfficeName,mail,cn,sAMAccountName,sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)<br class="">
[28280] [Thu Jul 14 19:12:14 2016] [debug]: Password validation required for service - Executing... (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:517)<br class="">
[28280] [Thu Jul 14 19:12:14 2016] [debug]: Trying external auth service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:153)<br class="">
[28280] [Thu Jul 14 19:14:14 2016] [debug]: LDAP Search === Base: OU=iweb,DC=corp,DC=iweb,DC=com == Filter: (&(sAMAccountName=lstewart)(objectClass=*)) == Attrs: dn,OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:186)<br class="">
[28280] [Thu Jul 14 19:14:14 2016] [debug]: Found LDAP DN: CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:220)<br class="">
[28280] [Thu Jul 14 19:14:15 2016] [debug]: Attribute 'OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com' has no value; falling back to 'CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com' (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:249)<br class="">
[28280] [Thu Jul 14 19:14:15 2016] [debug]: LDAP Search === Base: RTIR_WEB_SC_ACCESS == Scope: sub == Filter: (memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS=CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:256)<br class="">
[28280] [Thu Jul 14 19:14:15 2016] [critical]: Search for (memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS=CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com) failed: LDAP_INVALID_DN_SYNTAX 34 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)<br class="">
[28280] [Thu Jul 14 19:14:15 2016] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:696)<br class="">
[28280] [Thu Jul 14 19:14:15 2016] [debug]: Password Validation Check Result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:521)<br class="">
[28280] [Thu Jul 14 19:14:15 2016] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)<br class="">
[28280] [Thu Jul 14 19:14:15 2016] [error]: FAILED LOGIN for lstewart from xx.xx.xx.xx (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:810)</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="margin-top: 0px; margin-bottom: 0px;" class="">
<div style="margin-top: 0px; margin-bottom: 0px;" class=""><span style="font-family: Arial;" class="">--</span></div>
<div style="margin-top: 0px; margin-bottom: 0px;" class=""><span style="font-family: Arial;" class="">Landon Stewart</span></div>
<div style="margin-top: 0px; margin-bottom: 0px;" class=""><font face="Arial" class="">Lead Analyst - Abuse and Security Management<br class="">
</font><b class=""><i class=""><span style="font-family: 'Arial Black';" class="">INTERNAP</span></i></b><span style="font-family: Arial;" class=""><span class="Apple-converted-space"> </span><sup class="">®</sup></span></div>
<div style="margin-top: 0px; margin-bottom: 0px;" class=""><a href="mailto:lstewart@internap.com" class="">lstewart@internap.com</a><span style="font-family: Arial;" class=""> • </span><a href="http://www.internap.com" class="">www.internap.com</a></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br class="">
</div>
</body>
</html>