[rt-users] RT & mysql / LDAP Auth

Julian Grunnell Julian.Grunnell at webfusion.com
Sun May 9 06:12:17 EDT 2010


Hi - hoping someone can help me. I'm trying to get the
RT::Authen::ExternalAuth plugin to work so I can use LDAP for
authentication. I'm just using mysql at the moment, so I want to keep this as
well. Running RT 3.8.5 on CentOS, I'd like mysql auth first and then
LDAP next. I've managed to configure this without any errors and my
mysql authentication still works after a httpd restart. However, LDAP
auth never works. I'm not that familiar with LDAP, so I'm hoping that if I
provide my config and rt.log below someone might be able to point me in
the right direction:

<snip>

# AN EXAMPLE LDAP SERVICE
'My_LDAP'       =>  {   ## GENERIC SECTION
                        # The type of service (db/ldap/cookie)
                        'type'          =>  'ldap',
                        # The server hosting the service
                        'server'        =>  '172.17.2.1',
                        ## SERVICE-SPECIFIC SECTION
                        # If you can bind to your LDAP server anonymously you should
                        # remove the user and pass config lines, otherwise specify them here:
                        #
                        # The username RT should use to connect to the LDAP server
                        'user'          =>  'ldap-rt',
                        # The password RT should use to connect to the LDAP server
                        'pass'          =>  'xxxxxxxxx',
                        #
                        # The LDAP search base
                        'base'          =>  'ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com',
                        #
                        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
                        # YOU **MUST** SPECIFY A filter AND A d_filter!!
                        #
                        # The filter to use to match RT-Users
                        'filter'        =>  '(objectClass=User)',
                        # A catch-all example filter: '(objectClass=*)'
                        #
                        # The filter that will only match disabled users
                        'd_filter'      =>  '(objectClass=FooBarBaz)',
                        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
                        #
                        # Should we try to use TLS to encrypt connections?
                        'tls'           =>  0,
                        # SSL Version to provide to Net::SSLeay *if* using SSL
                        'ssl_version'   =>  3,
                        # What other args should I pass to Net::LDAP->new($host,@args)?
                        'net_ldap_args' => [    version =>  3   ],
                        # Does authentication depend on group membership? What group name?
                        'group'         =>  'GROUP_NAME',
                        # What is the attribute for the group object that determines membership?
                        'group_attr'    =>  'GROUP_ATTR',
                        ## RT ATTRIBUTE MATCHING SECTION
                        # The list of RT attributes that uniquely identify a user
                        # This example shows what you *can* specify.. I recommend reducing this
                        # to just the Name and EmailAddress to save encountering problems later.
                        'attr_match_list'   => [    'Name',
                                                    'EmailAddress',
                                                    'RealName',
                                                    'WorkPhone',
                                                    'Address2'
                                               ],
                        # The mapping of RT attributes on to LDAP attributes
                        'attr_map'      =>  {   'Name'           => 'sAMAccountName',
                                                'EmailAddress'   => 'mail',
                                                'Organization'   => 'physicalDeliveryOfficeName',
                                                'RealName'       => 'cn',
                                                'ExternalAuthId' => 'sAMAccountName',
                                                'Gecos'          => 'sAMAccountName',
                                                'WorkPhone'      => 'telephoneNumber',
                                                'Address1'       => 'streetAddress',
                                                'City'           => 'l',
                                                'State'          => 'st',
                                                'Zip'            => 'postalCode',
                                                'Country'        => 'co'
                                            }
                    },


And this is a complete log entry if I try to use my LDAP credentials:
[Sun May  9 10:10:24 2010] [debug]: RT's GnuPG libraries couldn't successfully read your configured GnuPG home directory (/opt/rt3/var/data/gpg). PGP support has been disabled (/opt/rt3/bin/../lib/RT/Config.pm:380)

[Sun May  9 10:10:24 2010] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)

[Sun May  9 10:10:24 2010] [debug]: Attempting to use external auth service: My_MySQL (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)

[Sun May  9 10:10:24 2010] [debug]: Calling UserExists with $username (jgrunnell) and $service (My_MySQL) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)

[Sun May  9 10:10:24 2010] [debug]: Disable Check Failed :: ( My_MySQL ) jgrunnell User not found (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm:234)

[Sun May  9 10:10:24 2010] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)

[Sun May  9 10:10:24 2010] [debug]: Calling UserExists with $username (jgrunnell) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)

[Sun May  9 10:10:24 2010] [debug]: UserExists params:
username: jgrunnell , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)

[Sun May  9 10:10:25 2010] [debug]: LDAP Search ===  Base: ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter: (&(objectClass=User)(sAMAccountName=jgrunnell)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)

[Sun May  9 10:10:25 2010] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User /opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 20 with: Disabled: 0, EmailAddress: , Gecos: jgrunnell, Name: jgrunnell, Privileged: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)

[Sun May  9 10:10:25 2010] [debug]: Attempting to get user info using this external service: My_MySQL (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)

[Sun May  9 10:10:25 2010] [debug]: Attempting to use this canonicalization key: Gecos (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)

[Sun May  9 10:10:25 2010] [warning]: DBD::mysql::db selectall_hashref failed: Unknown column 'email' in 'field list' at /opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm line 163, <DATA> line 273. (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm:163)

[Sun May  9 10:10:25 2010] [warning]: Issuing rollback() for database handle being DESTROY'd without explicit disconnect() at /opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm line 163, <DATA> line 273. (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm:163)

[Sun May  9 10:10:25 2010] [error]: FAILED LOGIN for jgrunnell from 212.103.233.1 (/opt/rt3/share/html/autohandler:268)

Thanks in advance.
Julian Grunnell
Unix Sys Admin
Webfusion Limited.
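A small config check written for this thread (added example, not part of the original post and not code from the RT::Authen::ExternalAuth plugin). It loads the poster's 'My_LDAP' section as a Python dict, rebuilds the search filter the way the rt.log line "Filter: (&(objectClass=User)(sAMAccountName=jgrunnell))" shows it being combined, and lints the settings a reviewer would look at first: both filters present and parenthesised, every attr_match_list entry mapped in attr_map, tls switched off while a bind user and password are configured, and the catch-none d_filter left in place. The function names (escape_ldap_filter_value, build_user_filter, lint_ldap_service) and the dict layout are assumptions for illustration; the values are the poster's.

```python
"""Lint an RT::Authen::ExternalAuth-style LDAP service definition.

Added example for the rt-users thread; not the plugin's own code.
Helper names are assumptions for illustration only.
"""
from __future__ import annotations

# Constructed from the 'My_LDAP' section in the post (password elided as there).
MY_LDAP = {
    "type": "ldap",
    "server": "172.17.2.1",
    "user": "ldap-rt",
    "pass": "xxxxxxxxx",
    "base": "ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com",
    "filter": "(objectClass=User)",
    "d_filter": "(objectClass=FooBarBaz)",
    "tls": 0,
    "attr_match_list": ["Name", "EmailAddress", "RealName", "WorkPhone", "Address2"],
    "attr_map": {
        "Name": "sAMAccountName",
        "EmailAddress": "mail",
        "Organization": "physicalDeliveryOfficeName",
        "RealName": "cn",
        "ExternalAuthId": "sAMAccountName",
        "Gecos": "sAMAccountName",
        "WorkPhone": "telephoneNumber",
        "Address1": "streetAddress",
        "City": "l",
        "State": "st",
        "Zip": "postalCode",
        "Country": "co",
    },
}

# RFC 4515 escapes for a value embedded in an LDAP search filter, so a
# username taken from the login form can never alter the filter structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a single assertion value for use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(service: dict, username: str) -> str:
    """AND the service 'filter' with a lookup on the attribute mapped to
    RT's Name, which is the shape the 'LDAP Search ===' log line shows."""
    name_attr = service["attr_map"]["Name"]
    return f"(&{service['filter']}({name_attr}={escape_ldap_filter_value(username)}))"


def lint_ldap_service(service: dict) -> list[str]:
    """Return human-readable findings about the service definition."""
    findings: list[str] = []

    # The plugin's own comments: both filters are mandatory and must be
    # valid LDAP filters enclosed in parentheses.
    for key in ("filter", "d_filter"):
        val = service.get(key)
        if not val:
            findings.append(f"{key} is required")
        elif not (val.startswith("(") and val.endswith(")")):
            findings.append(f"{key} must be enclosed in parentheses: {val!r}")

    # A bind account over a non-TLS connection sends its password in the clear.
    if not service.get("tls") and service.get("user"):
        findings.append("tls is 0 while a bind user/pass is configured: "
                        "the bind password crosses the network in cleartext")

    # Every attribute RT is told to match on needs an LDAP attribute to read.
    attr_map = service.get("attr_map", {})
    missing = [a for a in service.get("attr_match_list", []) if a not in attr_map]
    if missing:
        findings.append("attr_match_list entries with no attr_map mapping: " + ", ".join(missing))

    # The sample catch-none d_filter means no LDAP account is ever seen as disabled.
    if service.get("d_filter") == "(objectClass=FooBarBaz)":
        findings.append("d_filter is the catch-none placeholder: "
                        "disabled directory accounts will not be treated as disabled in RT")
    return findings


if __name__ == "__main__":
    print(build_user_filter(MY_LDAP, "jgrunnell"))
    for f in lint_ldap_service(MY_LDAP):
        print("-", f)
```

Run against the posted section it reproduces the exact filter from rt.log and reports the 'Address2' entry in attr_match_list that has no attr_map counterpart, which is the first thing worth fixing in a config that otherwise looks syntactically fine.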