[rt-users] RT::Authen::ExternalAuth debugging
Eli Altman
eli at gmnameplate.com
Wed Oct 15 18:09:02 EDT 2008
Andrew, if you'd like to get ExternalAuth working there are scores of people who have set it up successfully.. so don't give up. I have 3.8.1 with AuthenExternalAuth LDAP working just fine. It also autocreates users in the RT db as needed. Rich, here is the link for the logging debug setup:
http://wiki.bestpractical.com/view/Debug
Here is the instruction lineup, read them all carefully.
http://wiki.bestpractical.com/view/ExternalAuth - Read the "Post-Install" section
http://www.gossamer-threads.com/lists/rt/users/77286
http://www.gossamer-threads.com/lists/rt/users/77139?search_string=ldap%25
If you go to the #rt irc channel I'd be happy to help solve ExternalAuth issues.
Elias (whitman on #rt)
From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Andrew Konkol
Sent: Wednesday, October 15, 2008 2:33 PM
To: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] RT::Authen::ExternalAuth debugging
I too was going down this path. What ended up working for me is creating local accounts on rt first, then ldap authentication worked.
The other problem I ran into is the "give permissions for everyone to create ticket" error when this plugin was activated. Double checked all permissions, and ensured that everyone could create a ticket for the given queue and had no luck.
For now I've rolled back the use of the plugin and I am just using local accounts :(
-a
On Wed, Oct 15, 2008 at 4:17 PM, Rich West <Rich.West at wesmo.com> wrote:
I'm going down the route of integrating a new RT 3.8.1 install in to a
Windows 2003 Active Directory environment, and after going through the
wiki web of information, I found that the "proper" method is now
RT::Authen::ExternalAuth. That was, unfortunately, after I tried
several other methods. :(
Anyhow, I saw a couple of postings on the list (specifically:
http://lists.bestpractical.com/pipermail/rt-users/2008-July/052959.html),
and managed to get things configured, but not functioning. :(
I am able to successfully ldapsearch :
ldapsearch -LLL -x -D "CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local" \
  -w ourpasswd -h ad.ourdomain.local "(objectClass=Person)" -b "dc=ourdomain,dc=local"
And I tried a couple of different variants for searching with command
line success: (objectClass=*), (sAMAccountName=user)
However, I cannot seem to get it to work for RT. I'm getting "Your
username or password is incorrect" after only a few seconds of
processing. Probably the thing preventing me from debugging this
further is.. well.. I'm not sure how to turn up the volume on the
debugging. The most I am seeing in the logs is the login failure.
Any ideas?
Thanks!
-Rich
RT_SiteConfig.pm contains:
# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority, [ 'My_LDAP' ] );

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
# Once user info is found, no more services are checked.
Set($ExternalInfoPriority, [ 'My_LDAP' ] );

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS, 0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 1);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
# Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
#
Set($ExternalSettings, {
    # AN EXAMPLE LDAP SERVICE
    'My_LDAP' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        # Should the service be used for authentication?
        'auth' => 1,
        # Should the service be used for information?
        'info' => 1,
        # The server hosting the service
        'server' => 'ad.ourdomain.local',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user' => 'CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local',
        # The password RT should use to connect to the LDAP server
        'pass' => 'ourpasswd',
        #
        # The LDAP search base
        'base' => 'dc=ourdomain,dc=local',
        # The filter to use to match RT-Users
        'filter' => '(objectclass=Person)',
        # The filter that will only match disabled users
        # 'd_filter' => '(serAccountControl:1.2.840.113556.1.4.803:=2)',
        'd_filter' => '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))',
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => '',
        # What is the attribute for the group object that determines membership?
        'group_attr' => '',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list' => [
            'Name',
            'EmailAddress',
            'RealName',
            'WorkPhone',
            'Address2'
        ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co'
        }
    }
}
);
1;
_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: sales at bestpractical.com
Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
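
Added example, not part of the original thread and not code from RT or RT::Authen::ExternalAuth: a core-Perl lint over a service hash shaped like the one posted above. It flags a bind DN broken by a line wrap, a bind password sent without TLS, unbalanced filters, and attr_match_list entries that attr_map does not cover. The helper names and the abridged sample hash are constructed for illustration; how the plugin itself reacts to each finding is not stated in the thread.

```perl
# Added example (hypothetical helpers, not RT or plugin code): offline config lint.
use strict;
use warnings;

# Constructed, abridged sample input using values posted in this thread.
my @priority = ('My_LDAP');
my %settings = (My_LDAP => {
    server => 'ad.ourdomain.local', tls => 0, pass => 'ourpasswd',
    # A line break inside the DN, as a mail client or editor wrap would leave it.
    user   => "CN=Administrator,OU=IT\nDepartment,OU=Users,DC=ourdomain,DC=local",
    filter => '(objectclass=Person)',
    d_filter => '(&(objectCategory=person)(objectClass=user)'
              . '(userAccountControl:1.2.840.113556.1.4.803:=2))',
    attr_match_list => [qw(Name EmailAddress RealName WorkPhone Address2)],
    attr_map => { Name => 'sAMAccountName', EmailAddress => 'mail',
                  RealName => 'cn', WorkPhone => 'telephoneNumber' },
});

# True when every ')' closes an earlier '(' and nothing is left open.
sub balanced {
    my ($f, $depth) = (shift, 0);
    for my $c ($f =~ /[()]/g) {
        $depth += $c eq '(' ? 1 : -1;
        return 0 if $depth < 0;
    }
    return $depth == 0;
}

# Returns a list of warning strings for one service definition.
sub lint_service {
    my ($name, $s) = @_;
    my @w;
    push @w, 'bind DN contains a line break' if ($s->{user} // '') =~ /[\r\n]/;
    push @w, 'bind password set, tls off, no ldaps:// URI: cleartext simple bind'
        if length($s->{pass} // '') && !$s->{tls}
        && ($s->{server} // '') !~ m{^ldaps://}i;
    for my $k (grep { defined $s->{$_} } qw(filter d_filter)) {
        push @w, "$k has unbalanced parentheses" unless balanced($s->{$k});
    }
    push @w, "attr_match_list entry '$_' has no attr_map entry"
        for grep { !exists $s->{attr_map}{$_} } @{ $s->{attr_match_list} || [] };
    return map { "$name: $_" } @w;
}

for my $name (@priority) {
    my $s = $settings{$name};
    if (!$s) { print "$name: in priority list but not defined\n"; next }
    print "$_\n" for lint_service($name, $s);
}
```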