[rt-users] ExternalAuth seems to do nothing
Kevin Falcone
falcone at bestpractical.com
Fri Aug 12 15:45:35 EDT 2011
On Fri, Aug 12, 2011 at 10:32:20AM -0700, Erik Lyons wrote:
> Thanks Kevin,
>
> That helped, at least with getting some proper logging going on. I did
> even get one or two cryptic references to ExternalAuth and LDAP in the
> log. Unfortunately, though, I still don't see any evidence that a
> connection is attempted. I'm a little concerned about escaping in the LDAP
> admin user and password, as other open source products using this AD
> require a username in the form "DOMAIN\Username", and our admin password
> happens to contain an apostrophe. But if there is something wrong with the
> admin login it would be cool to see an error to that effect.
If ldapsearch works with your user/pass, RT-Authen-ExternalAuth will
normally work. ExternalAuth doesn't need an admin; you can always
create a machine account called rtauthen with a non-quote password if
you're concerned (it just needs to be able to read enough of the
system, it doesn't need to update).
-kevin
> Here is the newly-trimmed config (I removed the SSO/cookie items to keep
> it simple):
>
> Set($Timezone, "US/Pacific");
> Set(@Plugins, (qw(RT::Authen::ExternalAuth)));
> Set($DatabaseRTHost, "localhost");
> #Set($LogToSyslog, "debug");
> Set($LogToScreen, "error");
> Set($LogToFile, "debug");
> Set($LogToFileNamed, "rt.log"); #log to rt.log
> Set($LogStackTraces, "error");
> Set($LogDir, q{var/log});
> Set($LogoLinkURL, "http://helpdesk.here.org");
> Set($LogoAltText, "Your Help Desk from Information Technology");
> Set($HomePageRefreshInterval, 1200);
> Set($PlainTextPre, 0);
> Set($SuppressInlineTextFiles, 1);
> Set(@Active_MakeClicky, qw('httpurl'));
> Set( $rtname, 'here.org' );
> Set( $DatabaseUser, 'rt_user' );
> Set( $CorrespondAddress, 'helpdesk at here.org' );
> Set( $rtname, 'here.org' );
> Set( $DatabaseRequireSSL, '' );
> Set( $WebPort, '80' );
> Set( $Organization, 'here.org' );
> Set( $DatabaseType, 'mysql' );
> Set( $DatabasePassword, 'secret' );
> Set( $DatabaseAdmin, 'root' );
> Set( $SendmailPath, '/usr/sbin/sendmail' );
> Set( $WebDomain, 'helpdesk.here.org' );
> Set( $DatabaseAdminPassword, 'secret' );
> Set( $CommentAddress, 'helpdesk at here.org' );
> Set( $DatabaseHost, 'localhost' );
> Set( $DatabaseName, 'rt4' );
> Set( $OwnerEmail, 'elyons at here.org' );
> Set($ExternalAuthPriority, [ 'My_LDAP',
> # 'My_MySQL',
> # 'My_SSO_Cookie'
> ]
> );
>
> # The order in which the services defined in ExternalSettings
> # should be used to get information about users. This includes
> # RealName, Tel numbers etc, but also whether or not the user
> # should be considered disabled.
> #
> # Once user info is found, no more services are checked.
> #
> # You CANNOT use a SSO cookie for authentication.
> Set($ExternalInfoPriority, [ # 'My_MySQL',
> 'My_LDAP'
> ]
> );
>
> # If this is set to true, then the relevant packages will
> # be loaded to use SSL/TLS connections. At the moment,
> # this just means "use Net::SSLeay;"
> Set($ExternalServiceUsesSSLorTLS, 0);
>
> # If this is set to 1, then users should be autocreated by RT
> # as internal users if they fail to authenticate from an
> # external service.
> Set($AutoCreateNonExternalUsers, 0);
>
> # These are the full settings for each external service as a HashOfHashes
> # Note that you may have as many external services as you wish. They will
> # be checked in the order specified in the Priority directives above.
> # e.g.
> #   Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
> #
> Set($ExternalSettings, { # AN EXAMPLE LDAP SERVICE
>     'My_LDAP' => { ## GENERIC SECTION
>         # The type of service (db/ldap/cookie)
>         'type' => 'ldap',
>         # The server hosting the service
>         'server' => 'blacksun.here.org',
>         ## SERVICE-SPECIFIC SECTION
>         # If you can bind to your LDAP server anonymously you should
>         # remove the user and pass config lines, otherwise specify them here:
>         #
>         # The username RT should use to connect to the LDAP server
>         'user' => 'Administrator',
>         # The password RT should use to connect to the LDAP server
>         'pass' => 'thing\'2011',
>         #
>         # The LDAP search base
>         'base' => 'ou=Organisational Unit,dc=here,dc=org',
>         #
>         # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
>         # YOU **MUST** SPECIFY A filter AND A d_filter!!
>         #
>         # The filter to use to match RT-Users
>         'filter' => '(objectClass=organizationalPerson)',
>         # A catch-all example filter: '(objectClass=*)'
>         #
>         # The filter that will only match disabled users
>         'd_filter' => '(MILF)',
>         # A catch-none example d_filter: '(objectClass=FooBarBaz)'
>         #
>         # Should we try to use TLS to encrypt connections?
>         'tls' => 0,
>         # SSL Version to provide to Net::SSLeay *if* using SSL
>         'ssl_version' => 3,
>         # What other args should I pass to Net::LDAP->new($host,@args)?
>         'net_ldap_args' => [ version => 3 ],
>         # Does authentication depend on group membership? What group name?
>         'group' => 'member',
>         # What is the attribute for the group object that determines membership?
>         # 'group_attr' => 'GROUP_ATTR',
>         'group_attr' => 'cn',
>         ## RT ATTRIBUTE MATCHING SECTION
>         # The list of RT attributes that uniquely identify a user
>         # This example shows what you *can* specify.. I recommend reducing this
>         # to just the Name and EmailAddress to save encountering problems later.
>         'attr_match_list' => [ 'Name',
>                                'EmailAddress'
>                                # 'EmailAddress',
>                                # 'RealName',
>                                # 'WorkPhone',
>                                # 'Address2'
>                              ],
>         # The mapping of RT attributes on to LDAP attributes
>         'attr_map' => { 'Name'           => 'sAMAccountName',
>                         'EmailAddress'   => 'mail',
>                         'Organization'   => 'physicalDeliveryOfficeName',
>                         'RealName'       => 'cn',
>                         'ExternalAuthId' => 'sAMAccountName',
>                         'Gecos'          => 'sAMAccountName',
>                         'WorkPhone'      => 'telephoneNumber',
>                         'Address1'       => 'streetAddress',
>                         'City'           => 'l',
>                         'State'          => 'st',
>                         'Zip'            => 'postalCode',
>                         'Country'        => 'co'
>                       }
>     },
> }
> );
>
>
>
>
> On 8/5/11 6:49 AM, "Kevin Falcone" <falcone at bestpractical.com> wrote:
>
> >On Thu, Aug 04, 2011 at 01:40:15PM -0700, Erik Lyons wrote:
> >> I have RT 4.0.1 newly installed and functioning on Fedora 15.
> >> Additionally, I've installed RT::Authen::ExternalAuth and (I think)
> >> added all the corresponding config directives, pointing to an AD server.
> >> So far I've seen no indication that any LDAP connection has been
> >> attempted, I can only authenticate as an internal RT user, and I see no
> >> log messages of any sort involving ExternalAuth or LDAP or any related
> >> thing. Logging is on debug. What am I missing?
> >
> >You actually have 3 kinds of logging enabled:
> >
> >> Set($LogToSyslog, "debug");
> >
> >Many syslogs suppress debug messages
> >
> >> Set($LogToScreen, "error");
> >
> >Your apache logs only get errors
> >
> >> Set($LogToFile, 1);
> >
> >That isn't a valid value, so you get nothing useful in rt.log
> >Try "debug".
> >
> >> Set($ExternalAuthPriority, [ 'My_LDAP',
> >> 'My_MySQL',
> >> 'My_SSO_Cookie'
> >> ]
> >
> >Did you want to check 3 things, or just your ldap config?
> >
> >> Set($ExternalInfoPriority, [ 'My_MySQL',
> >> 'My_LDAP'
> >> ]
> >> );
> >
> >Did you want to check 2 things, or just your ldap config?
> >
> >You don't actually have My_MySQL defined, so I bet you're getting
> >errors about that.
> >
> >All of these comments assume that you've installed version 0.09,
> >cleared your mason cache and can see that the plugin is configured in
> >Tools -> Configuration -> Tools -> System Configuration
> >
> >-kevin
>
> --------
> RT Training Sessions (http://bestpractical.com/services/training.html)
> * Chicago, IL, USA September 26 & 27, 2011
> * San Francisco, CA, USA October 18 & 19, 2011
> * Washington DC, USA October 31 & November 1, 2011
> * Melbourne VIC, Australia November 28 & 29, 2011
> * Barcelona, Spain November 28 & 29, 2011
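Kevin's advice above is to confirm the bind with ldapsearch before suspecting RT-Authen-ExternalAuth, and Erik's worry is how an apostrophe in the password and a DOMAIN\Username bind name survive quoting. The script below is an added example written for this page; it is not from the thread, from RT, or from the ExternalAuth plugin. It reproduces what the plugin does (simple bind as the service account, then a search under 'base' with 'filter') using the OpenLDAP client tools, feeds the password to ldapsearch through a file so it is never shell-quoted or visible on a command line, and applies the "filters must be parenthesised LDAP filters" rule from the config comments before contacting the server. The host, bind account and base DN are placeholders to override through the environment.

```shell
#!/bin/sh
# Added example, not part of the thread: check the LDAP bind account, search
# base and filters from RT_SiteConfig.pm with the OpenLDAP client tools
# before blaming RT-Authen-ExternalAuth. Host, bind name and base DN are
# placeholders; override them through the environment.

LDAP_HOST="${LDAP_HOST:-ldap.example.org}"                          # placeholder
LDAP_BASE="${LDAP_BASE:-ou=Organisational Unit,dc=example,dc=org}"  # placeholder
# AD accepts a UPN here; a DOMAIN\user name also works and is written as
# "EXAMPLE\\rtauthen" inside double quotes in sh.
LDAP_BIND="${LDAP_BIND:-rtauthen@example.org}"                      # placeholder
RT_FILTER="${RT_FILTER:-(objectClass=organizationalPerson)}"
RT_D_FILTER="${RT_D_FILTER:-(objectClass=FooBarBaz)}"

# ldap_filter_ok FILTER
# Minimal shape check for what ExternalAuth insists on: the whole filter
# wrapped in parentheses and containing at least one attribute comparison.
# '(objectClass=*)' passes; '(MILF)' and 'objectClass=*' do not.
ldap_filter_ok() {
    case "$1" in
        \(*=*\)) return 0 ;;
        *)       return 1 ;;
    esac
}

# write_passfile FILE
# Reads the bind password from stdin and stores it for ldapsearch -y with
# owner-only permissions. Reading from stdin means an apostrophe or a
# backslash in the password never has to be escaped for the shell, and -y
# keeps it out of the process list and shell history. ldapsearch uses the
# file content verbatim, so the trailing newline is dropped.
write_passfile() {
    ( umask 077; tr -d '\n' > "$1" )
}

# ldap_bind_check PASSFILE
# Binds as the service account and runs RT's user filter under its base,
# asking only for the attributes the attr_map needs. Returns 2 when a
# filter fails the shape check (nothing is sent to the server); otherwise
# the exit status is ldapsearch's own (49 is invalid credentials).
ldap_bind_check() {
    passfile=$1
    ldap_filter_ok "$RT_FILTER" \
        || { echo "filter is not a parenthesised LDAP filter: $RT_FILTER" >&2; return 2; }
    ldap_filter_ok "$RT_D_FILTER" \
        || { echo "d_filter is not a parenthesised LDAP filter: $RT_D_FILTER" >&2; return 2; }
    # -x is a simple bind, so the password crosses the wire in clear text;
    # add -ZZ (StartTLS) once 'tls' => 1 is set in the RT config.
    ldapsearch -LLL -x -H "ldap://$LDAP_HOST" -D "$LDAP_BIND" -y "$passfile" \
        -b "$LDAP_BASE" "$RT_FILTER" sAMAccountName mail
}
```

To use it interactively, source the file, run `pf=$(mktemp) && write_passfile "$pf"`, type the bind password followed by Enter and Ctrl-D, then run `ldap_bind_check "$pf"; rm -f "$pf"`. If the bind fails, ldapsearch prints the server's own error (e.g. "Invalid credentials (49)"), which is the evidence Erik was missing from RT's log; if the bind succeeds but no entries come back, the base DN or filter, not the credentials, is the problem.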