[rt-users] RT & mysql / LDAP Auth

Julian Grunnell Julian.Grunnell at webfusion.com
Fri May 14 04:37:19 EDT 2010


--
Julian Grunnell
This email is subject to: www.corporate.webfusion.co.uk/disclaimer

>-----Original Message-----
>From: Mike Peachey [mailto:mike.peachey at jennic.com]
>Sent: 13 May 2010 13:56
>To: Julian Grunnell
>Cc: rt-users at lists.bestpractical.com
>Subject: Re: [rt-users] RT & mysql / LDAP Auth
>
>Julian Grunnell wrote:
>>> -----Original Message-----
>>> From: Mike Peachey [mailto:mike.peachey at jennic.com]
>>> Sent: 10 May 2010 12:54
>>> To: Julian Grunnell
>>> Cc: rt-users at lists.bestpractical.com
>>> Subject: Re: [rt-users] RT & mysql / LDAP Auth
>>>
>>
>> So at present users are just authenticating against RT's own DB for user
>> access. What I'd like to do is keep this but also have LDAP. The reason
>> being users now have multiple usernames / passwords for different
>> services we run and I want to use LDAP as a way to simplify this - BUT
>> in order for this to be done I also need to be able to keep the MySQL
>> access for now and not break RT for all the users.
>>
>> The RT DB is on a different physical server and the fact that after I
>> restarted httpd with the config above and could still login with my
>> usual (mysql) credentials assumed that at least part of it was working -
>> is this not the case?
>
>No, you've misunderstood and it has massively complicated your debugging
>of the situation.
>
>ExternalAuth *only* adds to the available authentication mechanisms. It
>does not replace RT's own. The use of ExternalAuth MySQL authentication
>is if you want to be able to authenticate against some other MySQL
>source such as a custom website database or the database of another
>web-application. This is /in addition/ to checking against RT's own
>internal database (whether this is hosted locally or not).
>
>So, authentication happens in this order:
>
>1. ExternalAuth
>2. RT-Internal
>
>And you can have as many ExternalAuth sources as you wish.
>
>
>For your setup, what you want is to only specify the LDAP source which
>is then checked for a valid user. If there's no user in LDAP, RT's
>internal DB will be checked.
>--
>Kind Regards,
>
Right, thanks - that makes sense now. I misunderstood the use of this
and thought you had to define ALL the authentication methods you wanted
to use. So I have removed the MySQL section completely from the config
and tried again with different results. Using my LDAP credentials I
still get "Your username or password is incorrect" BUT RT has created me
as a user, the "Let this user be granted rights" box is unchecked and
I'm NOT a member of any Groups. The logs created when this was done are:

[Fri May 14 08:22:41 2010] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Fri May 14 08:22:41 2010] [debug]: Calling UserExists with $username (jgrunnell) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Fri May 14 08:22:41 2010] [debug]: UserExists params:
username: jgrunnell , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Fri May 14 08:22:41 2010] [debug]: LDAP Search ===  Base: ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter: (&(objectClass=User)(sAMAccountName=jgrunnell)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Fri May 14 08:22:41 2010] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User /opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 20 with: Disabled: 0, EmailAddress: , Gecos: jgrunnell, Name: jgrunnell, Privileged: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)
[Fri May 14 08:22:41 2010] [debug]: Attempting to get user info using this external service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
[Fri May 14 08:22:41 2010] [debug]: Attempting to use this canonicalization key: Name (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Fri May 14 08:22:41 2010] [debug]: LDAP Search ===  Base: ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter: (&(objectClass=User)(sAMAccountName=jgrunnell)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Fri May 14 08:22:41 2010] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: , City: , Country: , Disabled: 0, EmailAddress: Julian.Grunnell at webfusion.com, ExternalAuthId: jgrunnell, Gecos: jgrunnell, Name: jgrunnell, Organization: Leeds, Privileged: 0, RealName: Julian Grunnell, State: , WorkPhone: 0208 587 7212, Zip: (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
[Fri May 14 08:22:41 2010] [debug]: About to think about scrips for transaction #30149954 (/opt/rt3/bin/../lib/RT/Transaction_Overlay.pm:163)
[Fri May 14 08:22:42 2010] [debug]: About to think about scrips for transaction #30149955 (/opt/rt3/bin/../lib/RT/Transaction_Overlay.pm:163)
[Fri May 14 08:22:42 2010] [info]: Autocreated external user jgrunnell ( 8078757 ) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:132)
[Fri May 14 08:22:42 2010] [debug]: Loading new user ( jgrunnell ) into current session (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:138)
[Fri May 14 08:22:42 2010] [debug]: Password validation required for service - Executing... (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Fri May 14 08:22:42 2010] [debug]: Trying external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Fri May 14 08:22:42 2010] [debug]: LDAP Search ===  Base: ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter: (&(sAMAccountName=jgrunnell)(objectClass=User)) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Fri May 14 08:22:42 2010] [debug]: Found LDAP DN: CN=Julian Grunnell,OU=Technical,OU=Users,OU=Leeds,OU=Webfusion,OU=Hosting,OU=Corp,DC=internal,DC=hosteurope,DC=com (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Fri May 14 08:22:42 2010] [debug]: LDAP Search ===  Base: ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter: (GROUP_ATTR=CN=Julian Grunnell,OU=Technical,OU=Users,OU=Leeds,OU=Webfusion,OU=Hosting,OU=Corp,DC=internal,DC=hosteurope,DC=com) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Fri May 14 08:22:42 2010] [critical]: Search for (GROUP_ATTR=CN=Julian Grunnell,OU=Technical,OU=Users,OU=Leeds,OU=Webfusion,OU=Hosting,OU=Corp,DC=internal,DC=hosteurope,DC=com) failed: LDAP_INVALID_DN_SYNTAX 34 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:116)
[Fri May 14 08:22:42 2010] [debug]: LDAP password validation result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Fri May 14 08:22:42 2010] [debug]: Password Validation Check Result:  0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Fri May 14 08:22:42 2010] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Fri May 14 08:22:42 2010] [error]: FAILED LOGIN for jgrunnell from 212.103.233.1 (/opt/rt3/share/html/autohandler:268)


So making some progress, but not quite there.

Thanks.
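
The setup described in the quoted reply (LDAP as the only ExternalAuth source, RT's internal database checked afterwards), sketched as an RT_SiteConfig.pm fragment. This is an added example, not part of the original message or the poster's actual config. The server name and bind credentials are placeholders, the attr_map pairings are inferred from the Attrs list in the log, and reading the GROUP_ATTR filter as an unedited template value is an assumption.

```perl
# RT_SiteConfig.pm fragment (added sketch, not the poster's configuration).
# base, filter and attribute names are the ones visible in the debug log;
# everything marked "placeholder" or "assumption" is not from the thread.

# Only the external source is listed. RT's internal user DB is not an
# ExternalAuth service: it is tried automatically after these.
Set($ExternalAuthPriority, [ 'My_LDAP' ]);
Set($ExternalInfoPriority, [ 'My_LDAP' ]);
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'     => 'ldap',
        'server'   => 'ldap.example.com',             # placeholder
        'user'     => 'BIND_USER_PLACEHOLDER',        # placeholder
        'pass'     => 'BIND_PASSWORD_PLACEHOLDER',    # placeholder
        'base'     => 'ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com',
        'filter'   => '(objectClass=User)',
        # Matches disabled Active Directory accounts (assumption: AD backend,
        # suggested by sAMAccountName in the log).
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'      => 0,   # assumption; 1 enables StartTLS for the bind
        'net_ldap_args' => [ version => 3 ],

        # 'group' / 'group_attr' are optional and left out here. In the log
        # the group check runs with the literal filter (GROUP_ATTR=<user DN>)
        # and fails with LDAP_INVALID_DN_SYNTAX, which is what template
        # values left in these two keys would produce (assumption). To
        # restrict logins to a group, set 'group' to the group's real DN and
        # 'group_attr' to its membership attribute instead.

        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {     # pairings inferred from the log's Attrs list
            'Name'           => 'sAMAccountName',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'WorkPhone'      => 'telephoneNumber',
            'Organization'   => 'physicalDeliveryOfficeName',
        },
    },
});

1;
```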
