[rt-users] ldap externalauth problem

Val Polyakov val at polyakov.me
Mon Sep 27 14:02:02 EDT 2010


So I've rewritten the file from scratch, and it works now (however I still
have some questions at the bottom).

final/working version:

Set($ExternalAuthPriority,           [ 'My_LDAP' ] );
Set($ExternalInfoPriority,           [ 'My_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS,    0);
Set($AutoCreateNonExternalUsers,     0);
Set($LogToFile, 'debug');
Set($LogDir, '/var/log/rt');

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'cudctwo.mydomain.org',
        # Bind DN and password of the RT service account (simple bind;
        # with 'tls' => 0 and plain ldap:// this password crosses the
        # network unencrypted).
        'user'   => 'cn=rt,ou=Service Accounts,ou=Users,ou=HIGHSECURITY,dc=mydomain,dc=org',
        'pass'   => 'rtpasswd',
        'base'   => 'ou=Users,ou=Yonkers,dc=mydomain,dc=org',

        # Which entries count as users at all.
        'filter'   => '(&(ObjectCategory=User)(ObjectClass=Person))',
        # Which of those are disabled: AD bitwise-AND matching rule on the
        # ACCOUNTDISABLE bit (2) of userAccountControl, so it matches no
        # matter which other flags the account has set.
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

        'tls' => 0,
#       'ssl_version' => 3,

        'net_ldap_args' => [ version => 3 ],
#       'group'      => 'cn=Domain Users,ou=Groups,dc=mydomain,dc=org',
#       'group_attr' => 'member',

        # RT user fields tried, in order, when looking the user up in LDAP.
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        # RT user field => AD attribute
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
});

1;


Now a question:

My users are spread across many OUs; there is not a single OU which I can
point RT to and say "search for the username over here!". There are 5 OUs
that the user can be in. Is there a way for me to specify all of them? I
kind of need to, otherwise 4/5ths of our users wouldn't be able to log in :/

So... how do I have 5 bases to look in? heh



> sure
>
>                      'filter'                =>
> '(&(ObjectCategory=User))',
>                      'd_filter'              =>
> '(userAccountControl=514)',
>
>
> [Mon Sep 27 17:39:08 2010] [debug]: Reloading RT::User to work around a
> bug in RT-3.8.0 and RT-3.8.1
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
> [Mon Sep 27 17:39:08 2010] [debug]: Attempting to use external auth
> service: My_LDAP
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Mon Sep 27 17:39:08 2010] [debug]: Calling UserExists with $username
> (polyva) and $service (My_LDAP)
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
> [Mon Sep 27 17:39:08 2010] [debug]: UserExists params:
> username: polyva , service: My_LDAP
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
> [Mon Sep 27 17:39:08 2010] [debug]: LDAP Search ===  Base:
> ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter:
> (&(&(ObjectCategory=User))(sAMAccountName=polyva)) == Attrs:
> l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,mail
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
> [Mon Sep 27 17:39:08 2010] [debug]: Password validation required for
> service - Executing...
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
> [Mon Sep 27 17:39:08 2010] [debug]: Trying external auth service: My_LDAP
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
> [Mon Sep 27 17:39:08 2010] [debug]: LDAP Search ===  Base:
> ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter:
> (&(sAMAccountName=polyva)(&(ObjectCategory=User))) == Attrs: dn
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
> [Mon Sep 27 17:39:08 2010] [debug]: Found LDAP DN: CN=Polyakov\,
> Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
> [Mon Sep 27 17:39:08 2010] [debug]: LDAP Search ===  Base:
> ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (member=CN=Polyakov,
> Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org) == Attrs: dn
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
> [Mon Sep 27 17:39:08 2010] [info]: My_LDAP AUTH FAILED: polyva
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> [Mon Sep 27 17:39:08 2010] [debug]: LDAP password validation result: 0
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
> [Mon Sep 27 17:39:08 2010] [debug]: Password Validation Check Result:  0
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
> [Mon Sep 27 17:39:08 2010] [debug]: Autohandler called ExternalAuth.
> Response: (0, Password Invalid)
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
> [Mon Sep 27 17:39:08 2010] [error]: FAILED LOGIN for polyva from
> 192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
> [Mon Sep 27 17:39:08 2010] [debug]: Reloading RT::User to work around a
> bug in RT-3.8.0 and RT-3.8.1
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
> [Mon Sep 27 17:39:08 2010] [debug]: Attempting to use external auth
> service: My_LDAP
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Mon Sep 27 17:39:08 2010] [debug]: SSO Failed and no user to test with.
> Nexting
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
> [Mon Sep 27 17:39:08 2010] [debug]: Autohandler called ExternalAuth.
> Response: (0, No User)
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
>
>> Can you remove the d_filter you have?  It's different than what I have:
>> 'd_filter' =>  '(userAccountControl=514)',
>>
>> Jason Ledford
>> Systems Analyst
>> The Biltmore Company
>> One North Pack Square
>> Asheville, NC 28801
>> (828) 225-6127
>> ________________________________________
>> From: rt-users-bounces at lists.bestpractical.com
>> [rt-users-bounces at lists.bestpractical.com] On Behalf Of Val Polyakov
>> [val at polyakov.me]
>> Sent: Monday, September 27, 2010 1:19 PM
>> To: John Alberts
>> Cc: rt-users at lists.bestpractical.com
>> Subject: Re: [rt-users] ldap externalauth problem
>>
>> ldapsearch works, I can find myself using:
>>
>> ldapsearch -LLL -x -H ldap://ADserver:389 \
>>   -b 'ou=users,ou=yonkers,dc=mydomain,dc=org' \
>>   -D 'cn=rt,ou=Service Accounts,ou=Users,ou=HIGHSECURITY,dc=mydomain,dc=org' \
>>   -w 'rtPassword' '(&(ObjectClass=Person)(cn=Polyakov, Valeriy))'
>>
>>
>> I also turned on debug logging for externalauth, and here's what I see in
>> the log. The password I'm providing is correct, it seems to be able to find
>> my account, but then I get an auth failure..  why? :/
>>
>>
>> [Mon Sep 27 17:11:18 2010] [debug]: Reloading RT::User to work around a
>> bug in RT-3.8.0 and RT-3.8.1
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
>> [Mon Sep 27 17:11:18 2010] [debug]: Attempting to use external auth
>> service: My_LDAP
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
>> [Mon Sep 27 17:11:18 2010] [debug]: Calling UserExists with $username
>> (polyva) and $service (My_LDAP)
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
>> [Mon Sep 27 17:11:18 2010] [debug]: UserExists params:
>> username: polyva , service: My_LDAP
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
>> [Mon Sep 27 17:11:18 2010] [debug]: LDAP Search ===  Base:
>> ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter:
>> (&(&(ObjectCategory=User))(sAMAccountName=polyva)) == Attrs:
>> l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,mail
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
>> [Mon Sep 27 17:11:18 2010] [debug]: Password validation required for
>> service - Executing...
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
>> [Mon Sep 27 17:11:18 2010] [debug]: Trying external auth service:
>> My_LDAP
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
>> [Mon Sep 27 17:11:18 2010] [debug]: LDAP Search ===  Base:
>> ou=Users,ou=Yonkers,dc=consumer,dc=org == Filter:
>> (&(sAMAccountName=polyva)(&(ObjectCategory=User))) == Attrs: dn
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
>> [Mon Sep 27 17:11:18 2010] [debug]: Found LDAP DN: CN=Polyakov\,
>> Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
>> [Mon Sep 27 17:11:18 2010] [debug]: LDAP Search ===  Base:
>> ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (member=CN=Polyakov,
>> Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org) == Attrs: dn
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
>> [Mon Sep 27 17:11:18 2010] [info]: My_LDAP AUTH FAILED: polyva
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
>> [Mon Sep 27 17:11:18 2010] [debug]: LDAP password validation result: 0
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
>> [Mon Sep 27 17:11:18 2010] [debug]: Password Validation Check Result:  0
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
>> [Mon Sep 27 17:11:18 2010] [debug]: Autohandler called ExternalAuth.
>> Response: (0, Password Invalid)
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
>> [Mon Sep 27 17:11:18 2010] [error]: FAILED LOGIN for polyva from
>> 192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
>>
>>
>>
>>> Val,
>>> Have you verified that ldapsearch works for you on this box?
>>>
>>> I used something like this to test:
>>>
>>>
>>> ldapsearch -LLL -x -H ldap://<ldap server>:389 \
>>>   -b 'DC=corp,DC=something,DC=com' \
>>>   -D 'ldapuser at corp.something.com' -w '<ldapuser password>' \
>>>   '(&(ObjectClass=Person)(cn=<username to search for>))'
>>>
>>>
>>> I had to request from our Windows AD guys to allow the ldapuser to be able
>>> to read all user information.  I also had to have them open the firewall
>>> to our server, because by default, they only allow certain servers to
>>> query the AD servers.
>>>
>>> John
>>>
>>>
>>>
>>> On 09/27/2010 10:14 AM, Val Polyakov wrote:
>>>
>>>       Trying to get my RT 3.8.8 on RHEL5 to authenticate against our
>>>       corporate AD.
>>>
>>>       I followed this guide here:
>>>       http://wiki.bestpractical.com/view/CentOS5InstallPlusSome
>>>
>>>       I also checked that apache has access to over here
>>>       (RT-Authen-ExternalAuth dir was chgrp -R'ed and chmod -R 770'ed):
>>>
>>>       [root at rt plugins]# pwd
>>>       /opt/rt3/local/plugins
>>>       [root at rt plugins]# ls -ltr
>>>       total 4
>>>       drwxrwx--- 5 root apache 4096 Sep 13 14:16 RT-Authen-ExternalAuth
>>>       [root at rt plugins]# ps awwwux |grep httpd
>>>       root      2313  0.1  4.1 348008 83360 ?        Ss   10:32   0:02
>>>       /usr/sbin/httpd
>>>       apache    2317  0.0  4.1 350272 82612 ?        S    10:32   0:00
>>>       /usr/sbin/httpd
>>>       apache    2318  0.0  4.1 350272 82616 ?        S    10:32   0:00
>>>       /usr/sbin/httpd
>>>       apache    2319  0.0  4.0 348204 82216 ?        S    10:32   0:00
>>>       /usr/sbin/httpd
>>>       apache    2320  0.0  4.1 350272 82684 ?        S    10:32   0:00
>>>       /usr/sbin/httpd
>>>       apache    2321  0.0  4.1 350928 83388 ?        S    10:32   0:00
>>>       /usr/sbin/httpd
>>>       apache    2322  0.0  4.1 350272 82616 ?        S    10:32   0:00
>>>       /usr/sbin/httpd
>>>       apache    2323  0.0  4.1 350272 82616 ?        S    10:32   0:00
>>>       /usr/sbin/httpd
>>>       apache    2324  0.0  4.1 350668 83172 ?        S    10:32   0:00
>>>       /usr/sbin/httpd
>>>       root      3537  0.0  0.0  61148   708 pts/0    R+   11:06   0:00 grep httpd
>>>       [root at rt plugins]#
>>>
>>>       When I set this up and tried to log in with my AD account for the
>>>       first time, here's what I saw in /var/log/httpd/error_log :
>>>
>>>
>>>       [root at rt autohandler]# tail -f /var/log/httpd/error_log
>>>       [Mon Sep 27 14:32:29 2010] [info]:
>>>       RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: 101
>>>       Truman Avenue, City: Yonkers, Country: United States, Disabled: 0,
>>>       EmailAddress: vpolyakov at consumer.org, ExternalAuthId: POLYVA, Gecos:
>>>       POLYVA, Name: POLYVA, Organization: 1-8D, Privileged: 0, RealName:
>>>       Polyakov, Valeriy, State: NY, WorkPhone: (914) 378-2577, Zip: 10703
>>>       (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
>>>       [Mon Sep 27 14:32:29 2010] [info]: Autocreated external user POLYVA ( 36 )
>>>       (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:132)
>>>       [Mon Sep 27 14:32:29 2010] [info]: My_LDAP AUTH FAILED: polyva
>>>       (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
>>>
>>>       ....
>>>
>>>       And ever since then when I try to login I only see this:
>>>
>>>       [Mon Sep 27 14:52:31 2010] [info]: My_LDAP AUTH FAILED: polyva
>>>       (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
>>>       [Mon Sep 27 14:52:31 2010] [error]: FAILED LOGIN for polyva from
>>>       192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
>>>
>>>
>>>       my /opt/rt3/etc/RT_SiteConfig.pm and
>>>       /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc are attached
>>>
>>>
>>>       Any suggestions?
>>>
>>>
>>>
>>>       RT Training in Washington DC, USA on Oct 25 & 26 2010
>>>       Last one this year -- Learn how to get the most out of RT!
>>>
>>>
>>> --
>>> John Alberts
>>> Hosted Services
>>> Exlibris USA
>>> john.alberts at exlibrisgroup.com
>>> cell: 1-508-878-2197
>>>
>>
>>
>>
>
>
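Added example, not part of the thread above and not code from RT-Authen-ExternalAuth. It reproduces offline the two things the debugging in this thread turned on: the shape of the UserExists search filter the debug log shows, here built with RFC 4515 escaping of the login name so a user-supplied name cannot alter the filter (whether the plugin itself escapes is not shown anywhere in the thread, so treat that as an assumption and a check worth making), and the difference between the two d_filter forms that were tried, the exact match (userAccountControl=514) and the bitwise-AND rule (userAccountControl:1.2.840.113556.1.4.803:=2), evaluated against a constructed set of userAccountControl values. The account names and values are made up for the example.

```python
"""
Added example (not from the thread or from RT-Authen-ExternalAuth).

1. The UserExists search filter shape seen in the debug log, e.g.
     (&(&(ObjectCategory=User))(sAMAccountName=polyva))
   built with RFC 4515 escaping of the username.  Whether the plugin
   escapes is not shown on the page; this is the check a reviewer wants.

2. The two d_filter forms from the thread:
     (userAccountControl=514)                        exact value match
     (userAccountControl:1.2.840.113556.1.4.803:=2)  LDAP_MATCHING_RULE_BIT_AND
   evaluated against constructed userAccountControl values.
"""

# userAccountControl flag bits (Active Directory).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# RFC 4515 section 3: characters that must be escaped in an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe interpolation into an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_exists_filter(base_filter: str, attr: str, username: str) -> str:
    """Filter with the shape of the UserExists search in the thread's log:
    the configured 'filter' AND (attr=username), username escaped."""
    return f"(&{base_filter}({attr}={escape_filter_value(username)}))"


def disabled_exact(uac: int) -> bool:
    """(userAccountControl=514): only an account whose value is exactly
    NORMAL_ACCOUNT|ACCOUNTDISABLE matches; any extra flag breaks the match."""
    return uac == (NORMAL_ACCOUNT | ACCOUNTDISABLE)


def disabled_bitwise(uac: int) -> bool:
    """(userAccountControl:1.2.840.113556.1.4.803:=2): matches whenever the
    ACCOUNTDISABLE bit is set, whatever else is set."""
    return (uac & ACCOUNTDISABLE) == ACCOUNTDISABLE


# Constructed sample accounts (hypothetical, not real directory data).
SAMPLE_ACCOUNTS = {
    "polyva": NORMAL_ACCOUNT,                                            # 512
    "disabled1": NORMAL_ACCOUNT | ACCOUNTDISABLE,                        # 514
    "disabled2": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD,  # 66050
    "svc": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,                        # 66048
}


def compare_d_filters(accounts=SAMPLE_ACCOUNTS):
    """Return {name: (exact_match_result, bitwise_match_result)}."""
    return {n: (disabled_exact(u), disabled_bitwise(u)) for n, u in accounts.items()}


if __name__ == "__main__":
    print(user_exists_filter("(&(ObjectCategory=User))", "sAMAccountName", "polyva"))
    # A login name that would widen an unescaped filter is neutralised.
    print(user_exists_filter("(&(ObjectCategory=User))", "sAMAccountName", "*)(cn=*"))
    for name, (exact, bitwise) in compare_d_filters().items():
        print(f"{name:10} uac={SAMPLE_ACCOUNTS[name]:6} exact={exact!s:5} bitwise={bitwise}")
```

The "disabled2" row is the one that matters: an account that is disabled but also carries DONT_EXPIRE_PASSWORD is missed by the exact-value form and caught by the bitwise rule, which is why the bitwise form is the one to use for d_filter against AD.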




