[rt-users] ldap externalauth problem
Val Polyakov
val at polyakov.me
Mon Sep 27 13:40:06 EDT 2010
Sure.
'filter' => '(&(ObjectCategory=User))',
'd_filter' => '(userAccountControl=514)',
[Mon Sep 27 17:39:08 2010] [debug]: Reloading RT::User to work around a
bug in RT-3.8.0 and RT-3.8.1
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Sep 27 17:39:08 2010] [debug]: Attempting to use external auth
service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Sep 27 17:39:08 2010] [debug]: Calling UserExists with $username
(polyva) and $service (My_LDAP)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Sep 27 17:39:08 2010] [debug]: UserExists params:
username: polyva , service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP Search === Base:
ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter:
(&(&(ObjectCategory=User))(sAMAccountName=polyva)) == Attrs:
l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,mail
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Sep 27 17:39:08 2010] [debug]: Password validation required for
service - Executing...
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Mon Sep 27 17:39:08 2010] [debug]: Trying external auth service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP Search === Base:
ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter:
(&(sAMAccountName=polyva)(&(ObjectCategory=User))) == Attrs: dn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Mon Sep 27 17:39:08 2010] [debug]: Found LDAP DN: CN=Polyakov\,
Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP Search === Base:
ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (member=CN=Polyakov,
Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org) == Attrs: dn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Mon Sep 27 17:39:08 2010] [info]: My_LDAP AUTH FAILED: polyva
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP password validation result: 0
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Mon Sep 27 17:39:08 2010] [debug]: Password Validation Check Result: 0
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Mon Sep 27 17:39:08 2010] [debug]: Autohandler called ExternalAuth.
Response: (0, Password Invalid)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Mon Sep 27 17:39:08 2010] [error]: FAILED LOGIN for polyva from
192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
[Mon Sep 27 17:39:08 2010] [debug]: Reloading RT::User to work around a
bug in RT-3.8.0 and RT-3.8.1
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Sep 27 17:39:08 2010] [debug]: Attempting to use external auth
service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Sep 27 17:39:08 2010] [debug]: SSO Failed and no user to test with.
Nexting
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Sep 27 17:39:08 2010] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
> Can you remove the d_filter you have? It's different from what I have:
> 'd_filter' => '(userAccountControl=514)',
>
> Jason Ledford
> Systems Analyst
> The Biltmore Company
> One North Pack Square
> Asheville, NC 28801
> (828) 225-6127
> ________________________________________
> From: rt-users-bounces at lists.bestpractical.com
> [rt-users-bounces at lists.bestpractical.com] On Behalf Of Val Polyakov
> [val at polyakov.me]
> Sent: Monday, September 27, 2010 1:19 PM
> To: John Alberts
> Cc: rt-users at lists.bestpractical.com
> Subject: Re: [rt-users] ldap externalauth problem
>
> ldapsearch works, I can find myself using:
>
> ldapsearch -LLL -x -H ldap://ADserver:389 \
>   -b 'ou=users,ou=yonkers,dc=mydomain,dc=org' \
>   -D 'cn=rt,ou=Service Accounts,ou=Users,ou=HIGHSECURITY,dc=mydomain,dc=org' \
>   -w 'rtPassword' \
>   '(&(ObjectClass=Person)(cn=Polyakov, Valeriy))'
>
>
> I also turned on debug logging for externalauth, and here's what I see in
> the log. The password I'm providing is correct, it seems to be able to find
> my account, but then I get an auth failure.. why? :/
>
>
> [Mon Sep 27 17:11:18 2010] [debug]: Reloading RT::User to work around a
> bug in RT-3.8.0 and RT-3.8.1
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
> [Mon Sep 27 17:11:18 2010] [debug]: Attempting to use external auth
> service: My_LDAP
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Mon Sep 27 17:11:18 2010] [debug]: Calling UserExists with $username
> (polyva) and $service (My_LDAP)
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
> [Mon Sep 27 17:11:18 2010] [debug]: UserExists params:
> username: polyva , service: My_LDAP
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
> [Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base:
> ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter:
> (&(&(ObjectCategory=User))(sAMAccountName=polyva)) == Attrs:
> l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,mail
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
> [Mon Sep 27 17:11:18 2010] [debug]: Password validation required for
> service - Executing...
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
> [Mon Sep 27 17:11:18 2010] [debug]: Trying external auth service: My_LDAP
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
> [Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base:
> ou=Users,ou=Yonkers,dc=consumer,dc=org == Filter:
> (&(sAMAccountName=polyva)(&(ObjectCategory=User))) == Attrs: dn
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
> [Mon Sep 27 17:11:18 2010] [debug]: Found LDAP DN: CN=Polyakov\,
> Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
> [Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base:
> ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (member=CN=Polyakov,
> Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org) == Attrs: dn
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
> [Mon Sep 27 17:11:18 2010] [info]: My_LDAP AUTH FAILED: polyva
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> [Mon Sep 27 17:11:18 2010] [debug]: LDAP password validation result: 0
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
> [Mon Sep 27 17:11:18 2010] [debug]: Password Validation Check Result: 0
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
> [Mon Sep 27 17:11:18 2010] [debug]: Autohandler called ExternalAuth.
> Response: (0, Password Invalid)
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
> [Mon Sep 27 17:11:18 2010] [error]: FAILED LOGIN for polyva from
> 192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
>
>
>
>> Val,
>> Have you verified that ldapsearch works for you on this box?
>>
>> I used something like this to test:
>>
>>
>> ldapsearch -LLL -x -H ldap://<ldap server>:389 \
>>   -b 'DC=corp,DC=something,DC=com' \
>>   -D 'ldapuser at corp.something.com' -w '<ldapuser password>' \
>>   '(&(ObjectClass=Person)(cn=<username to search for>))'
>>
>>
>> I had to request from our Windows AD guys to allow the ldapuser to be
>> able
>> to read all user information. I also had to have them open the firewall
>> to our server, because by default, they only allow certain servers to
>> query the AD servers.
>>
>> John
>>
>>
>>
>> On 09/27/2010 10:14 AM, Val Polyakov wrote:
>>
>> Trying to get my RT 3.8.8 on RHEL5 to authenticate against our
>> corporate
>> AD.
>>
>> I followed this guide here:
>> http://wiki.bestpractical.com/view/CentOS5InstallPlusSome
>>
>> I also checked that apache has access over here (the RT-Authen-ExternalAuth
>> dir was chgrp -R'ed and chmod -R 770'ed):
>>
>> [root at rt plugins]# pwd
>> /opt/rt3/local/plugins
>> [root at rt plugins]# ls -ltr
>> total 4
>> drwxrwx--- 5 root apache 4096 Sep 13 14:16 RT-Authen-ExternalAuth
>> [root at rt plugins]# ps awwwux |grep httpd
>> root      2313  0.1  4.1 348008 83360 ?      Ss   10:32   0:02 /usr/sbin/httpd
>> apache    2317  0.0  4.1 350272 82612 ?      S    10:32   0:00 /usr/sbin/httpd
>> apache    2318  0.0  4.1 350272 82616 ?      S    10:32   0:00 /usr/sbin/httpd
>> apache    2319  0.0  4.0 348204 82216 ?      S    10:32   0:00 /usr/sbin/httpd
>> apache    2320  0.0  4.1 350272 82684 ?      S    10:32   0:00 /usr/sbin/httpd
>> apache    2321  0.0  4.1 350928 83388 ?      S    10:32   0:00 /usr/sbin/httpd
>> apache    2322  0.0  4.1 350272 82616 ?      S    10:32   0:00 /usr/sbin/httpd
>> apache    2323  0.0  4.1 350272 82616 ?      S    10:32   0:00 /usr/sbin/httpd
>> apache    2324  0.0  4.1 350668 83172 ?      S    10:32   0:00 /usr/sbin/httpd
>> root      3537  0.0  0.0  61148   708 pts/0  R+   11:06   0:00 grep httpd
>> [root at rt plugins]#
>>
>> When I set this up and tried to log in with my AD account for the first
>> time, here's what I saw in /var/log/httpd/error_log:
>>
>>
>> [root at rt autohandler]# tail -f /var/log/httpd/error_log
>> [Mon Sep 27 14:32:29 2010] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: 101 Truman Avenue, City: Yonkers, Country: United States, Disabled: 0, EmailAddress: vpolyakov at consumer.org, ExternalAuthId: POLYVA, Gecos: POLYVA, Name: POLYVA, Organization: 1-8D, Privileged: 0, RealName: Polyakov, Valeriy, State: NY, WorkPhone: (914) 378-2577, Zip: 10703 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
>> [Mon Sep 27 14:32:29 2010] [info]: Autocreated external user POLYVA ( 36 ) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:132)
>> [Mon Sep 27 14:32:29 2010] [info]: My_LDAP AUTH FAILED: polyva (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
>>
>> ....
>>
>> And ever since then when I try to login I only see this:
>>
>> [Mon Sep 27 14:52:31 2010] [info]: My_LDAP AUTH FAILED: polyva
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
>> [Mon Sep 27 14:52:31 2010] [error]: FAILED LOGIN for polyva from
>> 192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
>>
>>
>> my /opt/rt3/etc/RT_SiteConfig.pm and
>> /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc are attached
>>
>>
>> Any suggestions?
>>
>>
>>
>> RT Training in Washington DC, USA on Oct 25 & 26 2010
>> Last one this year -- Learn how to get the most out of RT!
>>
>>
>> --
>> John Alberts
>> Hosted Services
>> Exlibris USA
>> john.alberts at exlibrisgroup.com
>> cell: 1-508-878-2197
>>
>
>
>
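The filters in the debug output above are composed by the plugin from the 'filter' setting plus the login name, and the group check is composed from the DN the first search returned. What follows is an added example, not code from RT-Authen-ExternalAuth or from anyone in this thread: it reconstructs those filter strings in Python with RFC 4515 escaping and decodes the userAccountControl value 514 used in Val's d_filter (the plugin's setting for recognising disabled accounts). Function and constant names are this example's own; the flag values and the bitwise-AND matching rule OID 1.2.840.113556.1.4.803 are Active Directory's. It makes two things concrete. First, the DN logged as CN=Polyakov\, Valeriy,... contains a backslash, and RFC 4515 requires that backslash to be written as \5c when the DN is embedded in the (member=...) filter; the logged filter does not show that, though the thread does not establish whether that is what fails here. Second, (userAccountControl=514) only matches accounts whose flags are exactly NORMAL_ACCOUNT plus ACCOUNTDISABLE, so a disabled account that also has, for example, "password never expires" set is missed, whereas the bitwise form catches every disabled account. It also lets you test the ldapsearch invocations from the thread with an escaped filter.

```python
# Added example, not the plugin's code: rebuilds the search filters that
# RT-Authen-ExternalAuth logs from the 'filter'/'d_filter' settings, with
# RFC 4515 escaping, and decodes userAccountControl=514. Pure Python, runs
# offline; all names are this example's own, the bit values are AD's.

ACCOUNTDISABLE = 0x0002          # userAccountControl bit: account is disabled
NORMAL_ACCOUNT = 0x0200          # userAccountControl bit: ordinary user account
DONT_EXPIRE_PASSWORD = 0x10000   # one of many other flags that may be set at the same time
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # AD extensible match: all given bits set


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).

    Backslash, parentheses, asterisk and NUL become a backslash plus two hex
    digits; everything else passes through unchanged.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
        for ch in value
    )


def user_lookup_filter(base_filter: str, username: str, attr: str = "sAMAccountName") -> str:
    """Compose the UserExists-style filter seen in the log: (&<base_filter>(<attr>=<username>))."""
    return "(&%s(%s=%s))" % (base_filter, attr, escape_filter_value(username))


def group_member_filter(user_dn: str) -> str:
    """Filter for groups whose 'member' attribute holds user_dn.

    user_dn is taken as the server returned it (RFC 4514 form, so a comma
    inside a CN appears as '\\,'); that backslash is ordinary filter data
    and must be re-escaped as '\\5c' when the DN goes into a filter.
    """
    return "(member=%s)" % escape_filter_value(user_dn)


def disabled_account_filter_exact() -> str:
    """The d_filter from the thread: matches only accounts whose UAC is exactly 514."""
    return "(userAccountControl=%d)" % (NORMAL_ACCOUNT | ACCOUNTDISABLE)


def disabled_account_filter_bitwise() -> str:
    """Match any account with the ACCOUNTDISABLE bit set, whatever else is set."""
    return "(userAccountControl:%s:=%d)" % (LDAP_MATCHING_RULE_BIT_AND, ACCOUNTDISABLE)


def uac_is_disabled(uac: int) -> bool:
    """What the bitwise filter evaluates to for a given userAccountControl value."""
    return bool(uac & ACCOUNTDISABLE)


def uac_matches_exact_514(uac: int) -> bool:
    """What the exact-value d_filter evaluates to for a given userAccountControl value."""
    return uac == (NORMAL_ACCOUNT | ACCOUNTDISABLE)


if __name__ == "__main__":
    # Inputs taken from the config and log lines in the thread above.
    rt_filter = "(&(ObjectCategory=User))"
    found_dn = "CN=Polyakov\\, Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org"

    print(user_lookup_filter(rt_filter, "polyva"))
    print(group_member_filter(found_dn))
    print(disabled_account_filter_exact(), disabled_account_filter_bitwise())
    for uac in (NORMAL_ACCOUNT,
                NORMAL_ACCOUNT | ACCOUNTDISABLE,
                NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD):
        print(uac, "exact=514:", uac_matches_exact_514(uac), "bit-and:", uac_is_disabled(uac))
```

Run it directly to print the strings for the values from this thread; each filter string can be passed as the final argument to ldapsearch, as in the commands quoted earlier, to see what the directory returns for it.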