[rt-users] ldap externalauth problem

Val Polyakov val at polyakov.me
Mon Sep 27 13:40:06 EDT 2010


sure

                     'filter'                =>  '(&(ObjectCategory=User))',
                     'd_filter'              =>  '(userAccountControl=514)',


[Mon Sep 27 17:39:08 2010] [debug]: Reloading RT::User to work around a
bug in RT-3.8.0 and RT-3.8.1
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Sep 27 17:39:08 2010] [debug]: Attempting to use external auth
service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Sep 27 17:39:08 2010] [debug]: Calling UserExists with $username
(polyva) and $service (My_LDAP)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Sep 27 17:39:08 2010] [debug]: UserExists params:
username: polyva , service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP Search ===  Base:
ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter:
(&(&(ObjectCategory=User))(sAMAccountName=polyva)) == Attrs:
l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,mail
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Sep 27 17:39:08 2010] [debug]: Password validation required for
service - Executing...
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Mon Sep 27 17:39:08 2010] [debug]: Trying external auth service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP Search ===  Base:
ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter:
(&(sAMAccountName=polyva)(&(ObjectCategory=User))) == Attrs: dn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Mon Sep 27 17:39:08 2010] [debug]: Found LDAP DN: CN=Polyakov\,
Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP Search ===  Base:
ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (member=CN=Polyakov,
Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org) == Attrs: dn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Mon Sep 27 17:39:08 2010] [info]: My_LDAP AUTH FAILED: polyva
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP password validation result: 0
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Mon Sep 27 17:39:08 2010] [debug]: Password Validation Check Result:  0
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Mon Sep 27 17:39:08 2010] [debug]: Autohandler called ExternalAuth.
Response: (0, Password Invalid)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Mon Sep 27 17:39:08 2010] [error]: FAILED LOGIN for polyva from
192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
[Mon Sep 27 17:39:08 2010] [debug]: Reloading RT::User to work around a
bug in RT-3.8.0 and RT-3.8.1
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Sep 27 17:39:08 2010] [debug]: Attempting to use external auth
service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Sep 27 17:39:08 2010] [debug]: SSO Failed and no user to test with.
Nexting
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Sep 27 17:39:08 2010] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

> Can you remove the d_filter you have?  Its different than what I have
> 'd_filter' =>  '(userAccountControl=514)',
>
> Jason Ledford
> Systems Analyst
> The Biltmore Company
> One North Pack Square
> Asheville, NC 28801
> (828) 225-6127
> ________________________________________
> From: rt-users-bounces at lists.bestpractical.com
> [rt-users-bounces at lists.bestpractical.com] On Behalf Of Val Polyakov
> [val at polyakov.me]
> Sent: Monday, September 27, 2010 1:19 PM
> To: John Alberts
> Cc: rt-users at lists.bestpractical.com
> Subject: Re: [rt-users] ldap externalauth problem
>
> ldapsearch works, i can find myself using:
>
> ldapsearch -LLL -x -H ldap://ADserver:389 -b
> 'ou=users,ou=yonkers,dc=mydomain,dc=org' -D 'cn=rt,ou=Service
> Accounts,ou=Users,ou=HIGHSECURITY,dc=mydomain,dc=org' -w 'rtPassword'
> '(&(ObjectClass=Person)(cn=Polyakov, Valeriy))'
>
>
> I also turned on debug loging for externalauth, and here's what I see in
> the log. the password im providing is correct, it seems to be able to find
> my account, but then I get an auth failure..  why ? :/
>
>
> [Mon Sep 27 17:11:18 2010] [debug]: Reloading RT::User to work around a
> bug in RT-3.8.0 and RT-3.8.1
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
> [Mon Sep 27 17:11:18 2010] [debug]: Attempting to use external auth
> service: My_LDAP
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Mon Sep 27 17:11:18 2010] [debug]: Calling UserExists with $username
> (polyva) and $service (My_LDAP)
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
> [Mon Sep 27 17:11:18 2010] [debug]: UserExists params:
> username: polyva , service: My_LDAP
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
> [Mon Sep 27 17:11:18 2010] [debug]: LDAP Search ===  Base:
> ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter:
> (&(&(ObjectCategory=User))(sAMAccountName=polyva)) == Attrs:
> l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,mail
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
> [Mon Sep 27 17:11:18 2010] [debug]: Password validation required for
> service - Executing...
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
> [Mon Sep 27 17:11:18 2010] [debug]: Trying external auth service: My_LDAP
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
> [Mon Sep 27 17:11:18 2010] [debug]: LDAP Search ===  Base:
> ou=Users,ou=Yonkers,dc=consumer,dc=org == Filter:
> (&(sAMAccountName=polyva)(&(ObjectCategory=User))) == Attrs: dn
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
> [Mon Sep 27 17:11:18 2010] [debug]: Found LDAP DN: CN=Polyakov\,
> Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
> [Mon Sep 27 17:11:18 2010] [debug]: LDAP Search ===  Base:
> ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (member=CN=Polyakov,
> Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org) == Attrs: dn
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
> [Mon Sep 27 17:11:18 2010] [info]: My_LDAP AUTH FAILED: polyva
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> [Mon Sep 27 17:11:18 2010] [debug]: LDAP password validation result: 0
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
> [Mon Sep 27 17:11:18 2010] [debug]: Password Validation Check Result:  0
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
> [Mon Sep 27 17:11:18 2010] [debug]: Autohandler called ExternalAuth.
> Response: (0, Password Invalid)
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
> [Mon Sep 27 17:11:18 2010] [error]: FAILED LOGIN for polyva from
> 192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
>
>
>
>> Val,
>> Have you verified that ldapsearch works for you on this box?
>>
>> I used something like this to test:
>>
>>
>> ldapsearch -LLL -x -H ldap://<ldap server>:389 -b
>> 'DC=corp,DC=something,DC=com' -D 'ldapuser at corp.something.com' -w
>> '<ldapuser password>' '(&(ObjectClass=Person)(cn=<username to search
>> for))'
>>
>>
>> I had to request from our Windows AD guys to allow the ldapuser to be
>> able
>> to read all user information.  I also had to have them open the firewall
>> to our server, because by default, they only allow certain servers to
>> query the AD servers.
>>
>> John
>>
>>
>>
>> On 09/27/2010 10:14 AM, Val Polyakov wrote:
>>
>>       Trying to get my RT 3.8.8 on RHEL5 to authenticate against our
>> corporate
>> AD.
>>
>>       I followed this guide here:
>>       http://wiki.bestpractical.com/view/CentOS5InstallPlusSome
>>
>>       I also checked that apache has access to over here
>> (RT-Authen-ExternalAuth
>>       dir was chgrp -R'ed and chmod -R 770'ed):
>>
>>       [root at rt plugins]# pwd
>>       /opt/rt3/local/plugins
>>       [root at rt plugins]# ls -ltr
>>       total 4
>>       drwxrwx--- 5 root apache 4096 Sep 13 14:16 RT-Authen-ExternalAuth
>>       [root at rt plugins]# ps awwwux |grep httpd
>>       root      2313  0.1  4.1 348008 83360 ?        Ss   10:32   0:02
>>       /usr/sbin/httpd
>>       apache    2317  0.0  4.1 350272 82612 ?        S    10:32   0:00
>>       /usr/sbin/httpd
>>       apache    2318  0.0  4.1 350272 82616 ?        S    10:32   0:00
>>       /usr/sbin/httpd
>>       apache    2319  0.0  4.0 348204 82216 ?        S    10:32   0:00
>>       /usr/sbin/httpd
>>       apache    2320  0.0  4.1 350272 82684 ?        S    10:32   0:00
>>       /usr/sbin/httpd
>>       apache    2321  0.0  4.1 350928 83388 ?        S    10:32   0:00
>>       /usr/sbin/httpd
>>       apache    2322  0.0  4.1 350272 82616 ?        S    10:32   0:00
>>       /usr/sbin/httpd
>>       apache    2323  0.0  4.1 350272 82616 ?        S    10:32   0:00
>>       /usr/sbin/httpd
>>       apache    2324  0.0  4.1 350668 83172 ?        S    10:32   0:00
>>       /usr/sbin/httpd
>>       root      3537  0.0  0.0  61148   708 pts/0    R+   11:06   0:00
>> grep
>> httpd
>>       [root at rt plugins]#
>>
>>       when I set this up and tried to login with my AD account for the
>> first
>>       time, here's what I saw in /var/log/httpd/error_log :
>>
>>
>>       [root at rt autohandler]# tail -f /var/log/httpd/error_log
>>       [Mon Sep 27 14:32:29 2010] [info]:
>>       RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1:
>> 101
>>       Truman Avenue, City: Yonkers, Country: United States, Disabled: 0,
>>       EmailAddress: vpolyakov at consumer.org, ExternalAuthId: POLYVA,
>> Gecos:
>>       POLYVA, Name: POLYVA, Organization: 1-8D, Privileged: 0, RealName:
>>       Polyakov, Valeriy, State: NY, WorkPhone: (914) 378-2577, Zip:
>> 10703
>>       (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
>>       [Mon Sep 27 14:32:29 2010] [info]: Autocreated external user
>> POLYVA ( 36
>> )
>>       (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:132)
>>       [Mon Sep 27 14:32:29 2010] [info]: My_LDAP AUTH FAILED: polyva
>>       (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
>>
>>       ....
>>
>>       And ever since then when I try to login I only see this:
>>
>>       [Mon Sep 27 14:52:31 2010] [info]: My_LDAP AUTH FAILED: polyva
>>       (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
>>       [Mon Sep 27 14:52:31 2010] [error]: FAILED LOGIN for polyva from
>>       192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
>>
>>
>>       my /opt/rt3/etc/RT_SiteConfig.pm and
>>       /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc are attached
>>
>>
>>       Any suggestions?
>>
>>
>>
>>       RT Training in Washington DC, USA on Oct 25 & 26 2010
>>       Last one this year -- Learn how to get the most out of RT!
>>
>>
>> --
>> John Alberts
>> Hosted Services
>> Exlibris USA
>> john.alberts at exlibrisgroup.com
>> cell: 1-508-878-2197
>>
>
>
>
> RT Training in Washington DC, USA on Oct 25 & 26 2010
> Last one this year -- Learn how to get the most out of RT!





More information about the rt-users mailing list