[rt-users] ExternalAuth+LDAP questions/oddities
Tobias G. Pfeiffer
tgpfeiffer at web.de
Tue Dec 22 14:19:08 EST 2009
Hi!
I have the following setup: Two machines, web.vm and db.vm (both Ubuntu
9.10), where web.vm hosts a newly installed rt-3.8.4 (from the Ubuntu
repositories) and db.vm an OpenLDAP server. I have installed the
ExternalAuth plugin (using cpan) as described on
http://wiki.bestpractical.com/view/ExternalAuth but it doesn't really
work out.
I'll list the config file RT_SiteConfig.pm, then the problems:
------------------------
# This file was generated by running "update-rt-siteconfig".
#
# While local modifications will not be overwritten without permission,
# it is recommended the they are instead placed in
# /etc/request-tracker3.8/RT_SiteConfig.d
#
# Note that modifications to the RT_SiteConfig.d directory won't
# take effect until the update command mentioned above is run again.
# start /etc/request-tracker3.8/RT_SiteConfig.d/40-timezone
# dynamically find out the current timezone
my $zone = "UTC";
$zone = `/bin/cat /etc/timezone` if -f "/etc/timezone";
chomp $zone;
Set($Timezone, $zone);
# end /etc/request-tracker3.8/RT_SiteConfig.d/40-timezone
# start /etc/request-tracker3.8/RT_SiteConfig.d/41-external-auth
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalAuthPriority, [ 'My_LDAP' ]);
Set($ExternalInfoPriority, [ 'My_LDAP' ]);
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, { # AN EXAMPLE LDAP SERVICE
'My_LDAP' => {
## GENERIC SECTION
# The type of service (db/ldap/cookie)
'type' => 'ldap',
# The server hosting the service
'server' => 'db.vm',
## SERVICE-SPECIFIC SECTION
# If you can bind to your LDAP server anonymously you should
# remove the user and pass config lines, otherwise specify them here:
#
# The username RT should use to connect to the LDAP server
#'user' => 'rt_ldap_username',
# The password RT should use to connect to the LDAP server
#'pass' => 'rt_ldap_password',
#
# The LDAP search base
'base' => 'dc=vm',
#
# ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
# YOU **MUST** SPECIFY A filter AND A d_filter!!
#
# The filter to use to match RT-Users
'filter' => '(objectClass=person)',
# A catch-all example filter: '(objectClass=*)'
#
# The filter that will only match disabled users
'd_filter' => '(objectClass=FooBarBaz)',
# A catch-none example d_filter: '(objectClass=FooBarBaz)'
#
# Should we try to use TLS to encrypt connections?
'tls' => 0,
# SSL Version to provide to Net::SSLeay *if* using SSL
'ssl_version' => 3,
# What other args should I pass to Net::LDAP->new($host, at args)?
'net_ldap_args' => [ version => 3 ],
# Does authentication depend on group membership? What group name?
#'group' => 'GROUP_NAME',
# What is the attribute for the group object that determines membership?
#'group_attr' => 'GROUP_ATTR',
## RT ATTRIBUTE MATCHING SECTION
# The list of RT attributes that uniquely identify a user
# This example shows what you *can* specify.. I recommend reducing this
# to just the Name and EmailAddress to save encountering problems later.
'attr_match_list' => [ 'Name',
'EmailAddress'
],
# The mapping of RT attributes on to LDAP attributes
'attr_map' =>
{ 'Name' => 'uid',
'EmailAddress' => 'mail',
#'Organization' => 'physicalDeliveryOfficeName',
'RealName' => 'cn',
'ExternalAuthId' => 'uid',
'Gecos' => 'uid',
#'WorkPhone' => 'telephoneNumber',
#'Address1' => 'streetAddress',
#'City' => 'l',
#'State' => 'st',
#'Zip' => 'postalCode',
#'Country' => 'co'
}
}
}
);
1;
# end /etc/request-tracker3.8/RT_SiteConfig.d/41-external-auth
# start /etc/request-tracker3.8/RT_SiteConfig.d/50-debconf
# THE BASICS:
Set($rtname, '***');
Set($Organization, 'web.vm');
Set($CorrespondAddress , 'rt at web.vm');
Set($CommentAddress , 'rt-comment at web.vm');
# THE WEBSERVER:
Set($WebPath , "/rt");
Set($WebBaseURL , "http://web.vm");
# LOGGING
Set($LogToFile , 'debug');
# end /etc/request-tracker3.8/RT_SiteConfig.d/50-debconf
# start /etc/request-tracker3.8/RT_SiteConfig.d/51-dbconfig-common
# THE DATABASE:
# generated by dbconfig-common
# map from dbconfig-common database types to their names as known by RT
my %typemap = (
mysql => 'mysql',
pgsql => 'Pg',
sqlite3 => 'SQLite',
);
Set($DatabaseType, $typemap{pgsql} || "UNKNOWN");
Set($DatabaseHost, 'db.vm');
Set($DatabasePort, '');
Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , '****');
# SQLite needs a special case, since $DatabaseName must be a full pathname
my $dbc_dbname = 'rt';
if ( "pgsql" eq "sqlite3" ) {
    Set($DatabaseName, '' . '/' . $dbc_dbname);
} else {
    Set($DatabaseName, $dbc_dbname);
}
# end /etc/request-tracker3.8/RT_SiteConfig.d/51-dbconfig-common
1;
-------------------
The format of an LDAP user entry is as follows:
dn: uid=pfeiffer,ou=team,dc=vm
givenName: Tobias
sn: Pfeiffer
mail: pfeiffer@***
uid: pfeiffer
objectClass: inetOrgPerson
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: Tobias Pfeiffer
[...]
I can log in fine using the root account. Now if I try to log in using the
account "pfeiffer" and my LDAP password, the logfile lists only:
[Tue Dec 22 14:04:22 2009] [error]: FAILED LOGIN for pfeiffer from
192.168.122.1 (/usr/share/request-tracker3.8/html/autohandler:268)
1. The "debug" log setting seems to have no effect here. (In general,
e.g. while adding a new ticket, it works, however.)
2. I guess that the listed file ".../html/autohandler" isn't the correct
one if ExternalAuth is used.
3. The web interface lists RT::Authen::ExternalAuth as a loaded plugin.
4. How exactly does ExternalAuth determine the DN to bind with from the
given username? Should I log in with my email address? The whole DN?
Maybe I'm missing something trivial... does anyone see anything that's
missing? I've read through a number of posts where LDAP auth didn't work
either, but at least they had the debug messages... maybe the answer to
why I can't see them would be great already.
Thanks for your help,
Tobias
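Added example, not part of the original post and not the plugin's own code: a small Net::LDAP script that replays, outside RT, the lookup I assume ExternalAuth performs with the posted settings (service bind, then a search under 'base' combining 'filter' with the attr_map values for the attr_match_list, then a bind as the DN that was found). Running it with the same login and password RT rejects shows whether the search matches the entry at all, which is the usual reason for a FAILED LOGIN with no further detail. The server, base, filter and attribute names are copied from the config above; everything else is an assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Values copied from the posted 41-external-auth settings.
my $server = 'db.vm';
my $base   = 'dc=vm';
my $filter = '(objectClass=person)';
# attr_map values for the two attr_match_list entries (Name, EmailAddress)
my @match_attrs = ('uid', 'mail');

my ($login, $password) = @ARGV;
die "usage: $0 <login> <password>\n"
    unless defined $login && defined $password;

my $ldap = Net::LDAP->new($server, version => 3)
    or die "cannot connect to $server: $@\n";

# Step 1: service bind. The posted config has no 'user'/'pass', so anonymous.
# With 'tls' => 0 every bind below sends the password in clear text across
# the network; call $ldap->start_tls before binding once the server has TLS.
my $mesg = $ldap->bind;
die "anonymous bind failed: " . $mesg->error . "\n" if $mesg->code;

# Step 2: look up the entry whose uid OR mail equals the login, restricted
# by 'filter'. Escape the login so a value like "*" or ")" cannot widen
# or break the filter (assumed behaviour, mirrors what a careful plugin does).
my $safe   = escape_filter_value($login);
my $or     = join '', map { "($_=$safe)" } @match_attrs;
my $search = "(&$filter(|$or))";
$mesg = $ldap->search(base => $base, scope => 'sub',
                      filter => $search, attrs => ['1.1']);
die "search failed: " . $mesg->error . "\n" if $mesg->code;

my @entries = $mesg->entries;
if (@entries != 1) {
    printf "filter %s under %s matched %d entries, expected exactly 1\n",
        $search, $base, scalar @entries;
    exit 1;
}
my $dn = $entries[0]->dn;
print "resolved '$login' to DN: $dn\n";

# Step 3: bind as that DN with the user's password, as the plugin would.
$mesg = $ldap->bind($dn, password => $password);
die "bind as $dn failed: " . $mesg->error . "\n" if $mesg->code;
print "bind as $dn succeeded\n";
$ldap->unbind;
```

If step 2 already fails, compare the search with `ldapsearch -x -H ldap://db.vm -b dc=vm` from web.vm; if it succeeds but RT still rejects the login, the problem is on the RT side rather than in the directory.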