[rt-users] ExternalAuth seems to do nothing

Kevin Falcone falcone at bestpractical.com
Fri Aug 12 15:45:35 EDT 2011


On Fri, Aug 12, 2011 at 10:32:20AM -0700, Erik Lyons wrote:
> Thanks Kevin,
> 
> That helped, at least with getting some proper logging going on. I did
> even get one or two cryptic references to ExternalAuth and LDAP in the
> log. Unfortunately, though, I still don't see any evidence that a
> connection is attempted. I'm a little concerned about escaping in the LDAP
> admin user and password, as other open source products using this AD
> require a username in the form "DOMAIN\Username", and our admin password
> happens to contain an apostrophe. But if there is something wrong with the
> admin login it would be cool to see an error to that effect.

If ldapsearch works with your user/pass, RT-Authen-ExternalAuth will
normally work.  ExternalAuth doesn't need an admin; you can always
create a machine account called rtauthen with a non-quote password if
you're concerned (it just needs to be able to read enough of the
system, it doesn't need to update).

-kevin

> Here is the newly-trimmed config (I removed the SSO/cookie items to keep
> it simple):
> 
> Set($Timezone, "US/Pacific");
> Set(@Plugins, (qw(RT::Authen::ExternalAuth)));
> Set($DatabaseRTHost, "localhost");
> #Set($LogToSyslog, "debug");
> Set($LogToScreen, "error");
> Set($LogToFile, "debug");
> Set($LogToFileNamed, "rt.log");    #log to rt.log
> Set($LogStackTraces, "error");
> Set($LogDir, q{var/log});
> Set($LogoLinkURL, "http://helpdesk.here.org");
> Set($LogoAltText, "Your Help Desk from Information Technology");
> Set($HomePageRefreshInterval, 1200);
> Set($PlainTextPre, 0);
> Set($SuppressInlineTextFiles, 1);
> Set(@Active_MakeClicky, qw(httpurl));
> Set( $rtname, 'here.org' );
> Set( $DatabaseUser, 'rt_user' );
> Set( $CorrespondAddress, 'helpdesk@here.org' );
> Set( $rtname, 'here.org' );
> Set( $DatabaseRequireSSL, '' );
> Set( $WebPort, '80' );
> Set( $Organization, 'here.org' );
> Set( $DatabaseType, 'mysql' );
> Set( $DatabasePassword, 'secret' );
> Set( $DatabaseAdmin, 'root' );
> Set( $SendmailPath, '/usr/sbin/sendmail' );
> Set( $WebDomain, 'helpdesk.here.org' );
> Set( $DatabaseAdminPassword, 'secret' );
> Set( $CommentAddress, 'helpdesk@here.org' );
> Set( $DatabaseHost, 'localhost' );
> Set( $DatabaseName, 'rt4' );
> Set( $OwnerEmail, 'elyons@here.org' );
> Set($ExternalAuthPriority,  [   'My_LDAP',
>                                # 'My_MySQL',
>                                # 'My_SSO_Cookie'
>                             ]
> );
> 
> # The order in which the services defined in ExternalSettings
> # should be used to get information about users. This includes
> # RealName, Tel numbers etc, but also whether or not the user
> # should be considered disabled.
> #
> # Once user info is found, no more services are checked.
> #
> # You CANNOT use a SSO cookie for authentication.
> Set($ExternalInfoPriority,  [  # 'My_MySQL',
>                                 'My_LDAP'
>                             ]
> );
> 
> # If this is set to true, then the relevant packages will
> # be loaded to use SSL/TLS connections. At the moment,
> # this just means "use Net::SSLeay;"
> Set($ExternalServiceUsesSSLorTLS, 0);
> 
> # If this is set to 1, then users should be autocreated by RT
> # as internal users if they fail to authenticate from an
> # external service.
> Set($AutoCreateNonExternalUsers, 0);
> 
> # These are the full settings for each external service as a HashOfHashes
> # Note that you may have as many external services as you wish. They will
> # be checked in the order specified in the Priority directives above.
> # e.g.
> #   Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
> #
> Set($ExternalSettings,  {  # AN EXAMPLE LDAP SERVICE
>         'My_LDAP'       =>  {   ## GENERIC SECTION
>                 # The type of service (db/ldap/cookie)
>                 'type'                      =>  'ldap',
>                 # The server hosting the service
>                 'server'                    =>  'blacksun.here.org',
>                 ## SERVICE-SPECIFIC SECTION
>                 # If you can bind to your LDAP server anonymously you should
>                 # remove the user and pass config lines, otherwise specify them here:
>                 # 
>                 # The username RT should use to connect to the LDAP server
>                 'user'                      =>  'Administrator',
>                 # The password RT should use to connect to the LDAP server
>                 'pass'                    =>  'thing\'2011',
>                 #
>                 # The LDAP search base
>                 'base'                      =>  'ou=Organisational Unit,dc=here,dc=org',
>                 #
>                 # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
>                 # YOU **MUST** SPECIFY A filter AND A d_filter!!
>                 #
>                 # The filter to use to match RT-Users
>                 'filter'                    =>  '(objectClass=organizationalPerson)',
>                 # A catch-all example filter: '(objectClass=*)'
>                 #
>                 # The filter that will only match disabled users
>                 'd_filter'                  =>  '(MILF)',
>                 # A catch-none example d_filter: '(objectClass=FooBarBaz)'
>                 #
>                 # Should we try to use TLS to encrypt connections?
>                 'tls'                       =>  0,
>                 # SSL Version to provide to Net::SSLeay *if* using SSL
>                 'ssl_version'               =>  3,
>                 # What other args should I pass to Net::LDAP->new($host,@args)?
>                 'net_ldap_args'             => [    version =>  3   ],
>                 # Does authentication depend on group membership? What group name?
>                 'group'                     =>  'member',
>                 # What is the attribute for the group object that determines membership?
> #               'group_attr'                =>  'GROUP_ATTR',
>                 'group_attr'                =>  'cn',
>                 ## RT ATTRIBUTE MATCHING SECTION
>                 # The list of RT attributes that uniquely identify a user
>                         # This example shows what you *can* specify.. I recommend reducing this
>                         # to just the Name and EmailAddress to save encountering problems later.
>                         'attr_match_list'           => [    'Name',
>                                              'EmailAddress'
>                     #                         'EmailAddress',
>                     #                         'RealName',
>                     #                         'WorkPhone',
>                     #                         'Address2'
>                                          ],
>                         # The mapping of RT attributes on to LDAP attributes
>                         'attr_map'                  =>  {   'Name' => 'sAMAccountName',
>                                              'EmailAddress' => 'mail',
>                                              'Organization' => 'physicalDeliveryOfficeName',
>                                              'RealName' => 'cn',
>                                              'ExternalAuthId' => 'sAMAccountName',
>                                              'Gecos' => 'sAMAccountName',
>                                              'WorkPhone' => 'telephoneNumber',
>                                              'Address1' => 'streetAddress',
>                                              'City' => 'l',
>                                              'State' => 'st',
>                                              'Zip' => 'postalCode',
>                                              'Country' => 'co'
>                                          }
>                                   },
>         }
> );
> 
> 
> 
> 
> On 8/5/11 6:49 AM, "Kevin Falcone" <falcone at bestpractical.com> wrote:
> 
> >On Thu, Aug 04, 2011 at 01:40:15PM -0700, Erik Lyons wrote:
> >>    I have RT 4.0.1 newly installed and functioning on Fedora 15.
> >>    Additionally, I've installed RT::Authen::ExternalAuth and (I think)
> >>added all the
> >>    corresponding config directives, pointing to an AD server.
> >>    So far I've seen no indication that any LDAP connection has been
> >>attempted, I can only
> >>    authenticate as an internal RT user, and I see no log messages of
> >>any sort involving
> >>    ExternalAuth or LDAP or any related thing. Logging is on debug. What
> >>am I missing?
> >
> >You actually have 3 kinds of logging enabled:
> >
> >>    Set($LogToSyslog, "debug");
> >
> >Many syslogs suppress debug messages
> >
> >>    Set($LogToScreen, "error");
> >
> >Your apache logs only get errors
> >
> >>    Set($LogToFile, 1);
> >
> >That isn't a valid value, so you get nothing useful in rt.log
> >Try "debug".
> >
> >>    Set($ExternalAuthPriority,  [   'My_LDAP',
> >>                                    'My_MySQL',
> >>                                    'My_SSO_Cookie'
> >>                                ]
> >
> >Did you want to check 3 things, or just your ldap config
> >
> >>    Set($ExternalInfoPriority,  [   'My_MySQL',
> >>                                    'My_LDAP'
> >>                                ]
> >>    );
> >
> >Did you want to check 2 things, or just your ldap config?
> >
> >You don't actually have My_MySQL defined, so I bet you're getting
> >errors about that.
> >
> >All of these comments assume that you've installed version 0.09,
> >cleared your mason cache and can see that the plugin is configured in
> >Tools -> Configuration -> Tools -> System Configuration
> >
> >-kevin
> 
> --------
> RT Training Sessions (http://bestpractical.com/services/training.html)
> *  Chicago, IL, USA  September 26 & 27, 2011
> *  San Francisco, CA, USA  October 18 & 19, 2011
> *  Washington DC, USA  October 31 & November 1, 2011
> *  Melbourne VIC, Australia  November 28 & 29, 2011
> *  Barcelona, Spain  November 28 & 29, 2011
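Kevin's advice above is to confirm the bind and filters with ldapsearch before looking at RT. The script below is an added example, not from the thread or from RT::Authen::ExternalAuth: it lints the values from Erik's My_LDAP block (a constructed copy with a stand-in password) and builds the matching ldapsearch command with shell-safe quoting. The bind-identity check is a heuristic, and `/path/to/bindpw` is a placeholder for a 0600 file holding the bind password.

```python
import re
import shlex

# Constructed sample: Erik's My_LDAP values with a stand-in password that keeps the apostrophe.
MY_LDAP = {"server": "blacksun.here.org", "user": "Administrator", "pass": "thing'2011",
           "base": "ou=Organisational Unit,dc=here,dc=org",
           "filter": "(objectClass=organizationalPerson)", "d_filter": "(MILF)"}

# One RFC 4515 filter item: attr[:rule:] then =, ~=, >= or <=, then a value (e.g. objectClass=*)
_ITEM = re.compile(r"^[A-Za-z][\w.;:-]*(~=|>=|<=|=)[^()]*$")

def _parse(f, i):
    """Parse the parenthesised filter at f[i]; return the index just after its ')'."""
    if f[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    if f[i + 1] in "&|!":                 # compound: one or more sub-filters
        j, n = i + 2, 0
        while j < len(f) and f[j] == "(":
            j, n = _parse(f, j), n + 1
        if n == 0 or f[j] != ")":
            raise ValueError("bad compound filter at %d" % i)
    else:                                 # leaf item, must end at the next ')'
        j = f.index(")", i)
        if not _ITEM.match(f[i + 1:j]):
            raise ValueError("bad item %r" % f[i + 1:j])
    return j + 1

def filter_is_valid(f):
    """True only if f is one complete, well-formed LDAP search filter; '(MILF)' is not."""
    try:
        return _parse(f, 0) == len(f)
    except (ValueError, IndexError):
        return False

def check_settings(cfg):
    """Return the problems a reviewer would flag in a My_LDAP block."""
    findings = []
    for key in ("filter", "d_filter"):
        if not filter_is_valid(cfg.get(key, "")):
            findings.append("%s %r is not a valid LDAP filter" % (key, cfg.get(key)))
    user = cfg.get("user", "")
    if user and not any(c in user for c in "=\\@"):   # heuristic (assumption): not DN/DOMAIN\u/UPN
        findings.append("user %r is a bare name; AD bind wants a DN, DOMAIN\\user or user@domain" % user)
    return findings

def ldapsearch_cmd(cfg, password_file="/path/to/bindpw"):
    """The ldapsearch check Kevin suggests. The password is read from a file with -y, so the
    apostrophe never reaches the shell and the secret stays out of `ps` and shell history."""
    argv = ["ldapsearch", "-x", "-H", "ldap://" + cfg["server"], "-D", cfg["user"],
            "-y", password_file, "-b", cfg["base"], cfg["filter"], "sAMAccountName", "mail"]
    return " ".join(shlex.quote(a) for a in argv)
```

Run `check_settings(MY_LDAP)` to see the findings, then paste the output of `ldapsearch_cmd(MY_LDAP)` into a shell once the password file exists; if that search returns entries, the bind credentials and filter are not the problem.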