[rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP

Mike Johnson mike.johnson at nosm.ca
Mon Jul 26 16:09:01 EDT 2010


Ok, so I turned on rt.logging and surprise!!! apparently it is touching our
LDAP, even though AD doesn't log it by default(stupid AD).

Now I'm seeing a few things in the debug level logging....

First thing that really stands out is ...

 [error]: Couldn't create user mjohnson: Could not create user
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129)
[debug]: Autohandler called ExternalAuth. Response: (0, No User)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

Something is preventing the user from being created... based on the INSERT
language I see, it looks like RTFM doesn't work with 3.8.8??? I dunno, it's
trying to use a field called Priviledged in the User table... which doesn't
exist?

I'm not sure if I"m on the right track, but it would be nice if anyone has
experienced this or has any thoughts to let me know!
Mike.


On Mon, Jul 26, 2010 at 2:19 PM, Mike Johnson <mike.johnson at nosm.ca> wrote:

> So,
>
> After a few days of searching and testing, I've come to the conclusion that
> RT simply isn't sending anything to our LDAP server to authenticate...
>
> RT is still using RT's regular authentication method.
>
> Can anyone tell me what's wrong with my setup? RT doesn't complain when I
> boot it up, yet ExternalAuth will not even attempt to authenticate to my
> LDAP when I try to login.
>
> I've used SoftTerra's LDAP browser to ensure the "service rt"(account name
> is svc_rt) can bind to the LDAP and I even gave it update rights during
> troubleshooting... this is also how I figured out that RT isn't binding,
> only the LDAP browser connections are showing up in the Event log.
>
> I've also verified that my RT box can hit the ldap port(by "telnet to
> myad.mydomain.local 389")....
>
> I'm lost on where to go next....
>
>  Here are all the LDAP/ExternalAuth related settings in my config...
> # LDAP SETTINGS
> Set($ExternalAuthPriority,['NOSMLDAP']);
> Set($ExternalInfoPriority,['NOSMLDAP']);
> Set($ExternalServiceUSersSSLorTLS,0);
> Set($AutoCreateNonExternalUsers,1);
> Set($WebExternalAuto,1);
> Set($AutoCreate,{Priviledged =>1});
> Set($ExternalSettings,      {
>                                 'NOSMLDAP'       =>  {
>
> 'type'                      =>  'ldap',
>
> 'server'                    =>  '<ldapip>',
>
> 'user'                      =>  'cn=service rt,ou=Users,ou=Northern Ontario
> School of Medicine,dc=nosm,dc=local',
>
> 'pass'                    =>  '<password>',
>
> 'base'                      =>  'dc=nosm,dc=local',
>
> 'filter'                    =>  '(&(objectCategory=User)
> (ObjectClass=Person))',
>
>
> 'd_filter'                  =>
> '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>
> 'tls'                       =>  0,
>
> 'ssl_version'               =>  3,
>
>
> 'net_ldap_args'             => [    version =>  3   ],
>
> 'group'                     =>  'cn=Staff,ou=Groups,ou=Northern Ontario
> School of Medicine,dc=nosm,dc=local',
>
> 'group_attr'                =>  'member',
>
>
> 'attr_match_list'           => [    'Name',
>
> 'EmailAddress'
>
> ],
>
> 'attr_map'                  =>  {   'Name' => 'sAMAccountName',
>
> 'EmailAddress' => 'mail',
>
> 'RealName' => 'cn',
>
> 'ExternalAuthId' => 'sAMAccountName'
>
> }
>                                                     }
>                                  }
> );
> Set(@Plugins,qw(RT::Authen::ExternalAuth));
>
>
> As I indicated before
>
> CentOS 5.5
>  RT3.8.8
> ExternalAuth 0.8
> LDAP = Windows 2003 AD
> Help would be much appreciated.
>
> Thanks!
> Mike.
>
>
> On Fri, Jul 23, 2010 at 10:03 AM, Mike Johnson <mike.johnson at nosm.ca>wrote:
>
>> I found another guide that outlines how to setup ExternalAuth for AD on
>> the wiki
>>
>> http://wiki.bestpractical.com/view/CentOS5InstallPlusSome
>>
>> Others following this thread might find it useful...
>>
>> I did learn that you're looking for the full cn/ou path for your user, not
>> just a username...(I forgot that's how LDAP finds users)....
>>
>> Haris you might want to check that in your config... didn't help me
>> *shrug* but might help you.
>>
>> Thanks!
>> Mike.
>>
>>
>>
>>
>> On Fri, Jul 23, 2010 at 9:18 AM, Mike Johnson <mike.johnson at nosm.ca>wrote:
>>
>>> Hi Haris,
>>>
>>> No go yet.
>>>
>>> Kenneth did send some info for me to check out, perhaps it may help
>>> you...
>>>
>>> **Kenneth's email cut/pasted**
>>>   Mike,
>>> First off, check to see how you've set $WebExternalAuto. I'm not sure how
>>> that would affect LDAP if it was turned on.
>>> Second, I'll assume you've set your "Plugins" appropriately to include
>>> "RT::Authen::ExternalAuth".
>>> Thirdly, you have to make sure certain LDAP parameters are consistent
>>> (ie. if you're using TLS, etc.).
>>> Below is what we use for our list of parameters:
>>>
>>> Set($ExternalAuthPriority,  [ 'My_LDAP' ] );
>>> Set($ExternalInfoPriority,  [ 'My_LDAP' ] );
>>> Set($ExternalServiceUsesSSLorTLS, 1);
>>> Set($AutoCreateNonExternalUsers, 0);
>>>
>>> Set(
>>>     $ExternalSettings,
>>>       {
>>>         'My_LDAP' =>
>>>            {
>>>             ‘type’        => 'ldap',
>>>             ‘server’     => 'ldap.lbl.gov’,
>>>             ‘user’        =>  ‘’,
>>>             ‘pass’        =>  ‘’,
>>>             ‘base’        => 'ou=People,o=name of our company,c=US’,
>>>             ‘filter’       => '(&(status that equals active)(|(dicision
>>> code)))’,
>>>             ‘d_filter’   => '(!(|(lblEmpStat=Staff)(lblEmpStat=Guest)))',
>>>             ‘tls’            => 1,
>>>             ‘net_ldap_args’    => [ version => 3],
>>>             ‘attr_match_list’  => ['Name',
>>>                                                   'EmailAddress',
>>>                                                   'RealName',
>>>                                                   'uid'
>>>                                                 ],
>>>             ‘attr_map’            =>  {'Name'                  => 'uid',
>>>                                                   'EmailAddress'    =>
>>> 'mail',
>>>                                                   'Organization'      =>
>>> ‘o’,
>>>                                                   'RealName'           =>
>>> 'cn',
>>>                                                   'ExternalAuthId'  =>
>>> 'uid',
>>>
>>> 'Gecos'                   => 'uid',
>>>                                                   'WorkPhone'         =>
>>> 'telephonenumber',
>>>                                                   'Address1'
>>> => 'lblmailstop',
>>>                                                   'Address2'
>>> => 'postaladdress’
>>>                                                  }
>>>            }
>>>       }
>>>    );
>>> 1;
>>>
>>> I don't think the attr_map would affect this, but your match list could.
>>> Anyway, check it all out cause if there are any inconsistencies (like TLS
>>> being used and on), it will fail.
>>> Hope this helps.
>>> Kenn
>>> LBNL
>>>
>>> *** end cut/paste**
>>>
>>>   On Thu, Jul 22, 2010 at 7:23 PM, M.F.Haris <mfharis at gmail.com> wrote:
>>>
>>>> hi Mike,
>>>> I am also facing the same problem and i have checked my configuration
>>>> over and over, also compared with some available on internet.
>>>> in my case i didn't enter any attribute with blank value like 'group'
>>>> attribute in your case. but rest of the things are similar to what i have
>>>> entered.
>>>>
>>>> I get a message 'Failed to Login with user (myuser) ... '
>>>>
>>>> do you get the same error message? please share your experience if you
>>>> are able to solve this crap.
>>>>
>>>> thanks
>>>> Haris
>>>>
>>>>
>>>>  On Thu, Jul 22, 2010 at 3:59 PM, Mike Johnson <mike.johnson at nosm.ca>wrote:
>>>>
>>>>>   Hi everyone,
>>>>>
>>>>> Where do I start debugging my setup??
>>>>>
>>>>> I have CentOS5.5, RT3.8.8, ExternalAuth 0.8 attempting to connect to an
>>>>> Active Drectory LDAP.
>>>>>
>>>>> Everything loads fine(I get no errors from my config files).  I've
>>>>> loaded the ExternalAuth plugin, but when I attempt to login to the UI with
>>>>> an LDAP user, I get an invalid user/pass.  The only error/logging I can find
>>>>> anywhere is in syslog and that just tells me the same thing...
>>>>>
>>>>> I'm connecting to an Active Directory server, and with some
>>>>> googling/rt-users searching I found the following settings to use.
>>>>>
>>>>> 'filter'                    =>  '(objectCategory=User)',
>>>>>  'd_filter'                  =>
>>>>> '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>>>>
>>>>>
>>>>> I've left group and group_attr blank(is that allowed?) as I want all
>>>>> users found under my base DN to be able to use RT.
>>>>>
>>>>> In the attr_match_list I have name and email address only
>>>>> In attr_map I have the sAMAccountName mail and cn mapped to their
>>>>> respective places in RT.
>>>>>
>>>>> I've tested the user/pass I'm using(our LDAP is setup to not allow
>>>>> anonymous unfortunately, so I have to use an account to bind.
>>>>>
>>>>> I can't seem to find where ExternalAuth would toss an error out for me
>>>>> to read if it's failling because of the arguments I've set...
>>>>>
>>>>> Any help would be appreciated.
>>>>> --
>>>>> Mike Johnson
>>>>> Datatel Programmer/Analyst
>>>>> Northern Ontario School of Medicine
>>>>> 955 Oliver Road
>>>>> Thunder Bay, ON   P7B 5E1
>>>>> Phone: (807) 766-7331
>>>>> Email: mike.johnson at nosm.ca
>>>>>
>>>>>
>>>>> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
>>>>> Buy a copy at http://rtbook.bestpractical.com
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Mike Johnson
>>> Datatel Programmer/Analyst
>>> Northern Ontario School of Medicine
>>> 955 Oliver Road
>>> Thunder Bay, ON   P7B 5E1
>>> Phone: (807) 766-7331
>>> Email: mike.johnson at nosm.ca
>>>
>>
>>
>>
>> --
>> Mike Johnson
>> Datatel Programmer/Analyst
>> Northern Ontario School of Medicine
>> 955 Oliver Road
>> Thunder Bay, ON   P7B 5E1
>> Phone: (807) 766-7331
>> Email: mike.johnson at nosm.ca
>>
>
>
>
> --
> Mike Johnson
> Datatel Programmer/Analyst
> Northern Ontario School of Medicine
> 955 Oliver Road
> Thunder Bay, ON   P7B 5E1
> Phone: (807) 766-7331
> Email: mike.johnson at nosm.ca
>



-- 
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON   P7B 5E1
Phone: (807) 766-7331
Email: mike.johnson at nosm.ca
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20100726/722d29ff/attachment.htm>


More information about the rt-users mailing list