[rt-users] RT::Authen::ExternalAuth debugging

Eli Altman eli at gmnameplate.com
Wed Oct 15 18:09:02 EDT 2008


Andrew, if you'd like to get ExternalAuth working there are scores of people who have set it up successfully, so don't give up.  I have 3.8.1 with AuthenExternalAuth LDAP working just fine.  It also autocreates users in the RT db as needed.  Rich, here is the link for the logging debug setup:

http://wiki.bestpractical.com/view/Debug

Here is the instruction lineup, read them all carefully.

http://wiki.bestpractical.com/view/ExternalAuth  - Read the "Post-Install" section

http://www.gossamer-threads.com/lists/rt/users/77286
http://www.gossamer-threads.com/lists/rt/users/77139?search_string=ldap%25

If you go to the #rt irc channel I'd be happy to help solve ExternalAuth issues.

Elias (whitman on #rt)

From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Andrew Konkol
Sent: Wednesday, October 15, 2008 2:33 PM
To: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] RT::Authen::ExternalAuth debugging

I too was going down this path.  What ended up working for me is creating local accounts on rt first, then ldap authentication worked.
The other problem I ran into is the "give permissions for everyone to create ticket" error when this plugin was activated.  Double checked all permissions, and ensured that everyone could create a ticket for the given queue and had no luck.

For now I've rolled back the use of the plugin and I am just using local accounts :(

-a
On Wed, Oct 15, 2008 at 4:17 PM, Rich West <Rich.West at wesmo.com> wrote:
I'm going down the route of integrating a new RT 3.8.1 install into a
Windows 2003 Active Directory environment, and after going through the
wiki web of information, I found that the "proper" method is now
RT::Authen::ExternalAuth.  That was, unfortunately, after I tried
several other methods.  :(

Anyhow, I saw a couple of postings on the list (specifically:
http://lists.bestpractical.com/pipermail/rt-users/2008-July/052959.html),
and managed to get things configured, but not functioning.  :(

I am able to successfully ldapsearch:

ldapsearch -LLL -x -D "CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local" -w ourpasswd -h ad.ourdomain.local "(objectClass=Person)" -b "dc=ourdomain,dc=local"

And I tried a couple of different variants for searching with command
line success: (objectClass=*), (sAMAccountName=user)

However, I cannot seem to get it to work for RT.  I'm getting "Your
username or password is incorrect" after only a few seconds of
processing.  Probably the thing preventing me from debugging this
further is.. well.. I'm not sure how to turn up the volume on the
debugging. The most I am seeing in the logs is the login failure.

Any ideas?

Thanks!
-Rich



RT_SiteConfig.pm contains:

# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority,  [   'My_LDAP'
                           ]
);

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
# Once user info is found, no more services are checked.
Set($ExternalInfoPriority,  [
                               'My_LDAP'
                           ]
);

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS,    0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers,    1);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
#
# Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
#
Set($ExternalSettings,      {
       # AN EXAMPLE LDAP SERVICE
       'My_LDAP'       =>  {   ## GENERIC SECTION
               # The type of service (db/ldap/cookie)
               'type'                      =>  'ldap',
               # Should the service be used for authentication?
               'auth'                      =>  1,
               # Should the service be used for information?
               'info'                      =>  1,
               # The server hosting the service
               'server'                    =>  'ad.ourdomain.local',
               ## SERVICE-SPECIFIC SECTION
               # If you can bind to your LDAP server anonymously you should
               # remove the user and pass config lines, otherwise specify them here:
               #
               # The username RT should use to connect to the LDAP server
               'user'                      =>  'CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local',
               # The password RT should use to connect to the LDAP server
               'pass'                      =>  'ourpasswd',
               #
               # The LDAP search base
               'base'                      =>  'dc=ourdomain,dc=local',
               # The filter to use to match RT-Users
               'filter'                    =>  '(objectclass=Person)',
               # The filter that will only match disabled users
#              'd_filter'                  =>  '(userAccountControl:1.2.840.113556.1.4.803:=2)',
               'd_filter'                  =>  '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))',
               # Should we try to use TLS to encrypt connections?
               'tls'                       =>  0,
               # What other args should I pass to Net::LDAP->new($host, @args)?
               'net_ldap_args'             => [    version =>  3   ],
               # Does authentication depend on group membership? What group name?
               'group'                     =>  '',
               # What is the attribute for the group object that determines membership?
               'group_attr'                =>  '',
               ## RT ATTRIBUTE MATCHING SECTION
               # The list of RT attributes that uniquely identify a user
               'attr_match_list'           => [    'Name',
                                                   'EmailAddress',
                                                   'RealName',
                                                   'WorkPhone',
                                                   'Address2'
                                               ],
               # The mapping of RT attributes on to LDAP attributes
               'attr_map'                  =>  {   'Name'           => 'sAMAccountName',
                                                   'EmailAddress'   => 'mail',
                                                   'Organization'   => 'physicalDeliveryOfficeName',
                                                   'RealName'       => 'cn',
                                                   'ExternalAuthId' => 'sAMAccountName',
                                                   'Gecos'          => 'sAMAccountName',
                                                   'WorkPhone'      => 'telephoneNumber',
                                                   'Address1'       => 'streetAddress',
                                                   'City'           => 'l',
                                                   'State'          => 'st',
                                                   'Zip'            => 'postalCode',
                                                   'Country'        => 'co'
                                               }
           }
       }
);
1;
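A diagnostic script, added here and not part of this thread or of RT::Authen::ExternalAuth itself, that replays the LDAP operations the plugin performs for one login against the values from the RT_SiteConfig.pm above: bind with the service account, search for the user with the plugin's combined filter (the configured 'filter' AND-ed with the attr_map 'Name' attribute equal to the typed login), bind as the DN that was found, and finally test the account against 'd_filter'. Running it outside RT shows which of those steps fails instead of the single "Your username or password is incorrect" message. The script name, the %cfg hash and the printed messages are my own; the filter composition follows the plugin's documented behaviour.

```perl
#!/usr/bin/perl
# Added diagnostic (not the plugin's code): replay the LDAP steps that
# RT::Authen::ExternalAuth performs for a login, using the values from the
# RT_SiteConfig.pm in this thread. Usage: ./ldap_auth_check.pl <login> <password>
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Values copied from the config above; the login to test comes from @ARGV.
my %cfg = (
    server    => 'ad.ourdomain.local',
    user      => 'CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local',
    pass      => 'ourpasswd',
    base      => 'dc=ourdomain,dc=local',
    filter    => '(objectclass=Person)',
    d_filter  => '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))',
    name_attr => 'sAMAccountName',    # attr_map{'Name'} from the config
);

my ($login, $password) = @ARGV;
die "usage: $0 <sAMAccountName> <password>\n" unless defined $password;

# Step 1: connect and bind with the service account ('user' / 'pass').
my $ldap = Net::LDAP->new($cfg{server}, version => 3)
    or die "connect to $cfg{server} failed: $@\n";
my $mesg = $ldap->bind($cfg{user}, password => $cfg{pass});
die "service bind failed: " . $mesg->error . "\n" if $mesg->code;
print "service bind ok\n";

# Step 2: find the user with the same combined filter the plugin builds,
# (&<filter>(<Name attr>=<login>)). The login is escaped so that a stray
# '(' or '*' in what was typed cannot change the meaning of the filter.
my $user_filter = sprintf '(&%s(%s=%s))',
    $cfg{filter}, $cfg{name_attr}, escape_filter_value($login);
$mesg = $ldap->search(
    base   => $cfg{base},
    filter => $user_filter,
    attrs  => [ $cfg{name_attr}, 'mail', 'userAccountControl' ],
);
die "search failed for $user_filter: " . $mesg->error . "\n" if $mesg->code;
my $count = $mesg->count;
print "search $user_filter matched $count entries\n";
die "need exactly one match to continue\n" unless $count == 1;
my $dn = $mesg->entry(0)->dn;
print "user DN: $dn\n";

# Step 3: bind as that DN with the supplied password on a fresh connection;
# this is the step that decides whether the login form accepts the password.
my $user_ldap = Net::LDAP->new($cfg{server}, version => 3)
    or die "second connect failed: $@\n";
my $umesg = $user_ldap->bind($dn, password => $password);
if ($umesg->code) {
    print "user bind FAILED: ", $umesg->error, " (code ", $umesg->code, ")\n";
} else {
    print "user bind ok: password accepted by $cfg{server}\n";
}
$user_ldap->unbind;

# Step 4: the info lookup also applies d_filter; an account it matches is
# stored as disabled in RT even when the password bind above succeeded.
my $disabled_filter = sprintf '(&%s(%s=%s))',
    $cfg{d_filter}, $cfg{name_attr}, escape_filter_value($login);
$mesg = $ldap->search(base => $cfg{base}, filter => $disabled_filter, attrs => ['dn']);
die "d_filter search failed: " . $mesg->error . "\n" if $mesg->code;
print $mesg->count
    ? "account matches d_filter: RT will treat it as disabled\n"
    : "account not matched by d_filter\n";
$ldap->unbind;
```

Run it as the same Unix user the web server runs RT under, so that any difference in name resolution or network reachability between your shell and the RT process shows up too. If step 1 succeeds but step 2 returns zero entries, the 'filter' or 'attr_map' Name attribute is the thing to fix; if step 3 fails while step 2 found exactly one DN, the problem is the user bind, which on Active Directory returns a numbered data code in the error text that identifies why the bind was refused.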
