[rt-users] RT::Authen::ExternalAuth debugging

Alan Cheng chenga at ias.edu
Thu Oct 16 00:46:27 EDT 2008


Rich,

(1) You should see something similar in your RT log if it is indeed
trying to authenticate against your AD.

[Thu Oct 16 00:25:12 2008] [info]: RT::User::IsExternalPassword External Auth OK ( MY_LDAP ): alan (/usr/local/rt381/bin/../local/lib/RT/User_Vendor.pm:281)

[Thu Oct 16 00:25:12 2008] [debug]: RT::User::IsPassword External auth SUCCEEDED (/usr/local/rt381/bin/../local/lib/RT/User_Vendor.pm:360)

(2) Back up your RT_SiteConfig.pm, reduce the attr_match_list to something
like this, and test again:

   # The list of RT attributes that uniquely identify a user
   'attr_match_list' => [ 'Name',
                          'EmailAddress',
                        ],

It took me some effort to get LDAP authentication against Sun Directory
Server 6.3 to work, so keep trying! :)
http://www.gossamer-threads.com/lists/rt/users/79313?search_string=TLS;#79313

Good Luck!

Alan
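The two checks above (the User_Vendor.pm log lines and a shorter attr_match_list) and the My_LDAP service that Rich quotes further down all come back to a handful of LDAP operations done through Net::LDAP: bind with the service account, find the entry whose sAMAccountName is the login name, see whether d_filter matches it, and bind as that entry with the password the user typed. The Perl script below is an added example for this archive page, not code from RT, from RT::Authen::ExternalAuth or from anyone in the thread; it runs those operations outside RT so that each one can be seen failing or succeeding on its own. The server, bind DN, password, base, filter and d_filter are copied from the quoted RT_SiteConfig.pm, and attr_map{'Name'} is assumed to be sAMAccountName as in that file; the file name, the %svc hash and the check() helper are the example's own.

```perl
#!/usr/bin/perl
# ldap-auth-check.pl: reproduce, outside RT, the LDAP steps behind an
# ExternalAuth login: service bind, locate the user, disabled-account check,
# bind as the user.  Constructed debugging aid, not RT or plugin code.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Values taken from the My_LDAP service in the quoted RT_SiteConfig.pm;
# replace them with your own.
my %svc = (
    server    => 'ad.ourdomain.local',
    user      => 'CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local',
    pass      => 'ourpasswd',
    base      => 'dc=ourdomain,dc=local',
    filter    => '(objectclass=Person)',
    d_filter  => '(&(objectCategory=person)(objectClass=user)'
               . '(userAccountControl:1.2.840.113556.1.4.803:=2))',
    name_attr => 'sAMAccountName',   # attr_map{'Name'} in the config
    tls       => 0,                  # 'tls' => 0 in the config: cleartext binds
);

my $login = shift @ARGV or die "usage: $0 <login>\n";
print STDERR "Password for $login: ";
system 'stty', '-echo';
chomp( my $password = <STDIN> );
system 'stty', 'echo';
print STDERR "\n";

# Stop at the first LDAP result code other than success (0) and say which step it was.
sub check {
    my ( $step, $mesg ) = @_;
    die sprintf "%s failed: %s (code %d)\n", $step, $mesg->error, $mesg->code
        if $mesg->code;
    print "$step: OK\n";
    return $mesg;
}

# 1. Connect with protocol version 3 (net_ldap_args) and start TLS if configured.
my $ldap = Net::LDAP->new( $svc{server}, version => 3 )
    or die "connect to $svc{server} failed: $@\n";
check( 'start_tls', $ldap->start_tls ) if $svc{tls};

# 2. Bind with the service account from 'user' / 'pass'.
check( 'service bind', $ldap->bind( $svc{user}, password => $svc{pass} ) );

# 3. Find the user: the service 'filter' ANDed with Name -> sAMAccountName.
#    escape_filter_value keeps a crafted login name from changing the filter.
my $lookup = "(&$svc{filter}($svc{name_attr}=" . escape_filter_value($login) . '))';
my $found  = check( "search $lookup",
    $ldap->search( base  => $svc{base}, scope => 'sub', filter => $lookup,
                   attrs => [ $svc{name_attr}, 'mail', 'cn', 'userAccountControl' ] ) );
die "no entry matches $lookup under $svc{base}\n" if $found->count == 0;
die 'ambiguous: ' . $found->count . " entries match $lookup\n" if $found->count > 1;
my $entry = $found->entry(0);
printf "found %s (cn=%s mail=%s)\n", $entry->dn,
    $entry->get_value('cn') || '', $entry->get_value('mail') || '';

# 4. Disabled check: run d_filter against just this entry.  Bit 2 of
#    userAccountControl is ACCOUNTDISABLE; 1.2.840.113556.1.4.803 is AD's bit-AND rule.
my $disabled = check( 'd_filter search',
    $ldap->search( base => $entry->dn, scope => 'base', filter => $svc{d_filter} ) );
die "account is disabled (d_filter matched)\n" if $disabled->count;

# 5. The real password check: bind as the user's own DN with the typed password.
check( 'user bind as ' . $entry->dn, $ldap->bind( $entry->dn, password => $password ) );
print "authentication for $login would succeed\n";
$ldap->unbind;
```

Run it as `perl ldap-auth-check.pl testuser` on the RT host and it reports the first step that fails together with the server's result code and message, which is more than the single "FAILED LOGIN" line in the RT log. Two things to keep in mind while reading the output: with 'tls' => 0 and $ExternalServiceUsesSSLorTLS set to 0, both the service-account bind and the user's bind travel in cleartext; and the shorter attr_match_list suggested in (2) is worth keeping, since the list as quoted includes 'Address2', which has no entry in attr_map.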

Rich West wrote:
> Thanks for the debug link and the quick help! I wasn't sure what value
> to put in there, but, alas, the Wiki to the rescue. :)
>
> Those links were the ones that I followed.  It just doesn't seem to
> even attempt an AD auth ("testuser" exists in AD):
> [Wed Oct 15 22:42:06 2008] [error]: FAILED LOGIN for testuser from
> 10.100.10.6
> (/var/www/html/help.ourdomain.local/share/html/autohandler:265)
>
> I have this bizarre feeling like I am missing just one important piece
> of the puzzle...
>
> -Rich
>
> Eli Altman wrote:
>>
>> Andrew, if you’d like to get ExternalAuth working there are scores of
>> people who have set it up successfully, so don’t give up.  I have
>> 3.8.1 with AuthenExternalAuth LDAP working just fine.  It also
>> autocreates users in the RT db as needed.  Rich, here is the link for
>> the logging debug setup:
>>
>> http://wiki.bestpractical.com/view/Debug
>>
>> Here is the instruction lineup, read them all carefully.
>>
>> http://wiki.bestpractical.com/view/ExternalAuth  - Read the
>> “Post-Install” section
>>
>> http://www.gossamer-threads.com/lists/rt/users/77286
>>
>> http://www.gossamer-threads.com/lists/rt/users/77139?search_string=ldap%
>>
>> If you go to the #rt irc channel I’d be happy to help solve
>> ExternalAuth issues.
>>
>> Elias (whitman on #rt)
>>
>> *From:* rt-users-bounces at lists.bestpractical.com
>> [mailto:rt-users-bounces at lists.bestpractical.com] *On Behalf Of
>> *Andrew Konkol
>> *Sent:* Wednesday, October 15, 2008 2:33 PM
>> *To:* rt-users at lists.bestpractical.com
>> *Subject:* Re: [rt-users] RT::Authen::ExternalAuth debugging
>>
>> I too was going down this path.  What ended up working for me is
>> creating local accounts on rt first, then ldap authentication worked.
>> The other problem I ran into is the "give permissions for everyone to
>> create ticket" error when this plugin was activated.  Double checked
>> all permissions, and ensured that everyone could create a ticket for
>> the given queue and had no luck.
>>
>> For now I've rolled back the use of the plugin and I am just using
>> local accounts :(
>>
>> -a
>>
>> On Wed, Oct 15, 2008 at 4:17 PM, Rich West <Rich.West at wesmo.com
>> <mailto:Rich.West at wesmo.com>> wrote:
>>
>> I'm going down the route of integrating a new RT 3.8.1 install in to a
>> Windows 2003 Active Directory environment, and after going through the
>> wiki web of information, I found that the "proper" method is now
>> RT::Authen::ExternalAuth.  That was, unfortunately, after I tried
>> several other methods.  :(
>>
>> Anyhow, I saw a couple of postings on the list (specifically:
>> http://lists.bestpractical.com/pipermail/rt-users/2008-July/052959.html),
>> and managed to get things configured, but not functioning.  :(
>>
>> I am able to successfully ldapsearch:
>> ldapsearch -LLL -x -D "CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local" -w ourpasswd -h ad.ourdomain.local "(objectClass=Person)" -b "dc=ourdomain,dc=local"
>>
>> And I tried a couple of different variants for searching with command
>> line success: (objectClass=*), (sAMAccountName=user)
>>
>> However, I cannot seem to get it to work for RT.  I'm getting "Your
>> username or password is incorrect" after only a few seconds of
>> processing.  Probably the thing preventing me from debugging this
>> further is.. well.. I'm not sure how to turn up the volume on the
>> debugging. The most I am seeing in the logs is the login failure.
>>
>> Any ideas?
>>
>> Thanks!
>> -Rich
>>
>>
>>
>> RT_SiteConfig.pm contains:
>> # The order in which the services defined in ExternalSettings
>> # should be used to authenticate users. User is authenticated
>> # if successfully confirmed by any service - no more services
>> # are checked.
>> Set($ExternalAuthPriority,  [ 'My_LDAP' ]);
>>
>> # The order in which the services defined in ExternalSettings
>> # should be used to get information about users. This includes
>> # RealName, Tel numbers etc, but also whether or not the user
>> # should be considered disabled.
>> # Once user info is found, no more services are checked.
>> Set($ExternalInfoPriority,  [ 'My_LDAP' ]);
>>
>> # If this is set to true, then the relevant packages will
>> # be loaded to use SSL/TLS connections. At the moment,
>> # this just means "use Net::SSLeay;"
>> Set($ExternalServiceUsesSSLorTLS,    0);
>>
>> # If this is set to 1, then users should be autocreated by RT
>> # as internal users if they fail to authenticate from an
>> # external service.
>> Set($AutoCreateNonExternalUsers,    1);
>>
>> # These are the full settings for each external service as a HashOfHashes
>> # Note that you may have as many external services as you wish. They will
>> # be checked in the order specified in the Priority directives above.
>> # e.g.
>> #   Set($ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
>> #
>> Set($ExternalSettings,      {
>>        # AN EXAMPLE LDAP SERVICE
>>        'My_LDAP'       =>  {   ## GENERIC SECTION
>>                # The type of service (db/ldap/cookie)
>>                'type'                      =>  'ldap',
>>                # Should the service be used for authentication?
>>                'auth'                      =>  1,
>>                # Should the service be used for information?
>>                'info'                      =>  1,
>>                # The server hosting the service
>>                'server'                    =>  'ad.ourdomain.local',
>>                ## SERVICE-SPECIFIC SECTION
>>                # If you can bind to your LDAP server anonymously you should
>>                # remove the user and pass config lines, otherwise specify them here:
>>                #
>>                # The username RT should use to connect to the LDAP server
>>                'user'                      =>  'CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local',
>>                # The password RT should use to connect to the LDAP server
>>                'pass'                      =>  'ourpasswd',
>>                #
>>                # The LDAP search base
>>                'base'                      =>  'dc=ourdomain,dc=local',
>>                # The filter to use to match RT-Users
>>                'filter'                    =>  '(objectclass=Person)',
>>                # The filter that will only match disabled users
>> #              'd_filter'                  =>  '(serAccountControl:1.2.840.113556.1.4.803:=2)',
>>                'd_filter'                  =>  '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))',
>>                # Should we try to use TLS to encrypt connections?
>>                'tls'                       =>  0,
>>                # What other args should I pass to Net::LDAP->new($host,@args)?
>>                'net_ldap_args'             => [    version =>  3   ],
>>                # Does authentication depend on group membership? What group name?
>>                'group'                     =>  '',
>>                # What is the attribute for the group object that determines membership?
>>                'group_attr'                =>  '',
>>                ## RT ATTRIBUTE MATCHING SECTION
>>                # The list of RT attributes that uniquely identify a user
>>                'attr_match_list'           => [    'Name',
>>                                                    'EmailAddress',
>>                                                    'RealName',
>>                                                    'WorkPhone',
>>                                                    'Address2'
>>                                                ],
>>                # The mapping of RT attributes on to LDAP attributes
>>                'attr_map'                  =>  {   'Name'           => 'sAMAccountName',
>>                                                    'EmailAddress'   => 'mail',
>>                                                    'Organization'   => 'physicalDeliveryOfficeName',
>>                                                    'RealName'       => 'cn',
>>                                                    'ExternalAuthId' => 'sAMAccountName',
>>                                                    'Gecos'          => 'sAMAccountName',
>>                                                    'WorkPhone'      => 'telephoneNumber',
>>                                                    'Address1'       => 'streetAddress',
>>                                                    'City'           => 'l',
>>                                                    'State'          => 'st',
>>                                                    'Zip'            => 'postalCode',
>>                                                    'Country'        => 'co'
>>                                                }
>>            }
>>        }
>> );
>> 1;
>>
>> _______________________________________________
>> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>>
>> Community help: http://wiki.bestpractical.com
>> Commercial support: sales at bestpractical.com
>> <mailto:sales at bestpractical.com>
>>
>>
>> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
>> Buy a copy at http://rtbook.bestpractical.com
>>
