[rt-users] rt4 and External Auth to AD 2008 non-ssl

Kevin Falcone falcone at bestpractical.com
Fri Aug 26 09:51:27 EDT 2011


On Thu, Aug 25, 2011 at 11:59:50AM -0500, Brian Murphy wrote:
> I only get the login failed message back from web.pm.
> The account I am using is already in RT and being used, so is this a problem? I was assuming the id would exist and just the auth would be done externally.

If you get those 3 lines while loading the page, you're going to get at
least those three lines when typing in your username and password before
getting the LOGIN FAILED.

In reality, it'll probably look more like (I'm using a sqlite db for
this example, but the code path is the same)

Attempting to use external auth service: mydb 
Calling UserExists with $username (bob) and $service (mydb) 
Password validation required for service - Executing... 
Trying external auth service: mydb 
RT::Authen::ExternalAuth::DBI::GetAuth External Auth OK ( mydb ): bob 
Authentication successful. Now updating user information and attempting login. 
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::Authen::ExternalAuth
Attempting to get user info using this external service: mydb 
Attempting to use this canonicalization key: Name 
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning EmailAddress: bob at example.com, ExternalAuthId: bob, Name: bob, RealName:  
UPDATED user ( bob ) from External Service 
Successful login for bob from 127.0.0.1 
Autohandler called ExternalAuth. Response: (1, Successful login) 

-kevin


> ----- Original Message -----
> From: "Kevin Falcone" <falcone at bestpractical.com>
> To: rt-users at lists.bestpractical.com
> Sent: Thursday, August 25, 2011 9:46:01 AM
> Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
> 
> On Wed, Aug 24, 2011 at 04:42:04PM -0500, Brian Murphy wrote:
> > Thanks for the tip on the logging kevin.
> > 
> > Seeing the following, don't know exactly what to make of it.
> > 
> > [Wed Aug 24 21:38:37 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> > [Wed Aug 24 21:38:37 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
> > [Wed Aug 24 21:38:37 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
> 
> Those are the messages you get when the login page pops up.
> What do you get after typing your username and password in?
> 
> -kevin
> 
> 
> > ----- Original Message -----
> > From: "Kevin Falcone" <falcone at bestpractical.com>
> > To: rt-users at lists.bestpractical.com
> > Sent: Wednesday, August 24, 2011 4:18:08 PM
> > Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
> > 
> > On Wed, Aug 24, 2011 at 01:09:15PM -0500, Brian Murphy wrote:
> > > I am trying desperately to get this going and am not seeing that my
> > > externalauth is even being called. I am attaching my RT_SiteConfig.pm
> > > for review. I am a newbie and don't know much about anything RT as
> > > yet. I see very little in my /var/log/messages other than LOGIN failed
> > > for xxxxx from web.pm, so I don't really think my externalauth is
> > > really in play as of yet. Any assistance in getting this going would
> > > be greatly appreciated.
> > 
> > You don't appear to have turned your logging level up, most useful
> > logs are at the debug level.  LogToScreen is probably the easiest,
> > because they'll end up in your apache error log.
> > 
> > -kevin
> > > 
> > > # Any configuration directives you include  here will override 
> > > # RT's default configuration file, RT_Config.pm
> > > #
> > > # To include a directive here, just copy the equivalent statement
> > > # from RT_Config.pm and change the value. We've included a single
> > > # sample value below.
> > > #
> > > # This file is actually a perl module, so you can include valid
> > > # perl code, as well.
> > > #
> > > # The converse is also true, if this file isn't valid perl, you're
> > > # going to run into trouble. To check your SiteConfig file, use
> > > # this comamnd:
> > > #
> > > #   perl -c /path/to/your/etc/RT_SiteConfig.pm
> > > #
> > > # You must restart your webserver after making changes to this file.
> > > 
> > > 
> > > # You must install Plugins on your own, this is only an example
> > > # of the correct syntax to use when activating them.
> > > # There should only be one @Plugins declaration in your config file.
> > > #Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail  RT::Extension::ActivityReports)));
> > > #Set(@Plugins,(qw(RT::Extension::ActivityReports)));
> > > Set(@Plugins,(qw(RT::Extension::ActivityReports RT::Authen::ExternalAuth)));
> > > 
> > > Set( $CorrespondAddress, '' );
> > > Set( $rtname, 'EIU ITS Campus Technology' );
> > > Set( $DatabaseRequireSSL, '' );
> > > Set( $WebPort, '8080' );
> > > 
> > > Set( $DatabaseType, 'mysql' );
> > > 
> > > Set( $SendmailPath, '/usr/sbin/sendmail' );
> > > Set( $WebDomain, 'localhost' );
> > > 
> > > Set( $CommentAddress, '' );
> > > Set($Timezone, "US/Central");
> > > Set($UnsafeEmailCommands, 1);
> > > Set($ParseNewMessageForTicketCcs, 1);
> > > Set($NotifyActor, 1);
> > > 
> > > Set( $OwnerEmail, '' );
> > > Set( $DatabaseUser, 'rt_user' );
> > > Set( $DatabasePort, '' );
> > > Set( $DatabasePassword, 'RT_pass1-' );
> > > Set( $DatabaseAdmin, 'root' );
> > > Set( $DatabaseAdminPassword, 'Mtfbwu+1' );
> > > Set( $DatabaseHost, 'localhost' );
> > > Set( $DatabaseName, 'rt4' );
> > > Set( $Organization, 'ITS' );
> > > 1;
> > > # The order in which the services defined in ExternalSettings
> > > # should be used to authenticate users. User is authenticated
> > > # if successfully confirmed by any service - no more services
> > > # are checked.
> > > Set($ExternalAuthPriority,  [   'EIUAD'
> > >                             ]
> > > );
> > > 
> > > # The order in which the services defined in ExternalSettings
> > > # should be used to get information about users. This includes
> > > # RealName, Tel numbers etc, but also whether or not the user
> > > # should be considered disabled. 
> > > #
> > > # Once user info is found, no more services are checked.
> > > #
> > > # You CANNOT use a SSO cookie for authentication.
> > > Set($ExternalInfoPriority,  [   'EIUAD'
> > >                             ]
> > > );
> > > 
> > > # If this is set to true, then the relevant packages will
> > > # be loaded to use SSL/TLS connections. At the moment,
> > > # this just means "use Net::SSLeay;"
> > > Set($ExternalServiceUsesSSLorTLS,    0);
> > > 
> > > # If this is set to 1, then users should be autocreated by RT
> > > # as internal users if they fail to authenticate from an
> > > # external service.
> > > Set($AutoCreateNonExternalUsers,    0);
> > > 
> > > # These are the full settings for each external service as a HashOfHashes
> > > # Note that you may have as many external services as you wish. They will
> > > # be checked in the order specified in the Priority directives above.
> > > # e.g. 
> > > #   Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
> > > #
> > > Set($ExternalSettings,      {   
> > >                                 # EIUAD Active Directory
> > >                                 'EIUAD'       =>  {   ## GENERIC SECTION
> > >                                                         # The type of service (db/ldap/cookie) 
> > >                                                         'type'                      =>  'ldap',
> > >                                                         # The server hosting the service
> > >                                                         'server'                    =>  'xxxxx.xxx.edu',
> > >                                                         ## SERVICE-SPECIFIC SECTION
> > >                                                         # If you can bind to your LDAP server anonymously you should 
> > >                                                         # remove the user and pass config lines, otherwise specify them here:
> > >                                                         # 
> > >                                                         # The username RT should use to connect to the LDAP server 
> > >                                                         'user'                      =>  'rtauth',
> > >                                                         # The password RT should use to connect to the LDAP server
> > >                                                         'pass'                      =>  'xxxxxxx',
> > >                                                         #
> > >                                                         # The LDAP search base
> > >                                                         'base'                      =>  'dc=xxxxx,dc=xxx,dc=edu',
> > >                                                         #
> > >                                                         # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
> > >                                                         # YOU **MUST** SPECIFY A filter AND A d_filter!!
> > >                                                         #
> > >                                                         # The filter to use to match RT-Users
> > >                                                         'filter'                    =>  '(objectclass=person)',
> > >                                                         # A catch-all example filter: '(objectClass=*)'
> > >                                                         #
> > >                                                         # The filter that will only match disabled users
> > >                                                         'd_filter'                  =>  '(objectclass=Foo)',
> > >                                                         # A catch-none example d_filter: '(objectClass=FooBarBaz)'
> > >                                                         #
> > >                                                         # Should we try to use TLS to encrypt connections?
> > >                                                         'tls'                       =>  0,
> > >                                                         # SSL Version to provide to Net::SSLeay *if* using SSL
> > >                                                         'ssl_version'               =>  3,
> > >                                                         # What other args should I pass to Net::LDAP->new($host, at args)?
> > >                                                         'net_ldap_args'             => [    version =>  3   ],
> > >                                                         # Does authentication depend on group membership? What group name?
> > >                                                         'group'                     =>  'rt_access',
> > >                                                         # What is the attribute for the group object that determines membership?
> > >                                                         'group_attr'                =>  'memberOf',
> > >                                                         ## RT ATTRIBUTE MATCHING SECTION
> > >                                                         # The list of RT attributes that uniquely identify a user
> > >                                                         # This example shows what you *can* specify.. I recommend reducing this
> > >                                                         # to just the Name and EmailAddress to save encountering problems later.
> > >                                                         'attr_match_list'           => [    'Name'
> > >                                                                                         ],
> > >                                                         # The mapping of RT attributes on to LDAP attributes
> > >                                                         'attr_map'                  =>  {   'Name' => 'sAMAccountName'
> > >                                                                                         }
> > >                                                     }
> > >                                 }
> > > );
> > > 
> > > 1;
> > 
> > --------
> > RT Training Sessions (http://bestpractical.com/services/training.html)
> > *  Chicago, IL, USA – September 26 & 27, 2011
> > *  San Francisco, CA, USA – October 18 & 19, 2011
> > *  Washington DC, USA – October 31 & November 1, 2011
> > *  Melbourne VIC, Australia – November 28 & 29, 2011
> > *  Barcelona, Spain – November 28 & 29, 2011
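Kevin's point is that the three lines Brian posted are what a bare login-page load logs, and that a real attempt produces a longer trace whose furthest line tells you where the flow stopped. The script below is an added example, not part of this thread or of RT::Authen::ExternalAuth: it parses RT debug log lines of the shape quoted above and reports the furthest ExternalAuth milestone reached. The milestone substrings come from the messages quoted in the thread; the verdict texts, the regex for the `[timestamp] [level]: message (file:line)` line shape, and the timestamps and level prefixes on the constructed samples are assumptions of mine.

```python
import re

# RT writes one record per line; the records quoted in this thread look like
#   [Wed Aug 24 21:38:37 2011] [debug]: message text (/path/to/Module.pm:64)
# The trailing "(file:line)" part is treated as optional (assumption).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\[(?P<level>\w+)\]:\s+(?P<msg>.*?)"
    r"(?:\s+\((?P<src>[^()]+:\d+)\))?\s*$"
)
SERVICE_RE = re.compile(r"external auth service:\s*(\S+)")
RESPONSE_RE = re.compile(r"Response:\s*\((\d+),\s*([^)]*)\)")

# Milestones of one ExternalAuth attempt, in the order the plugin logs them.
# Each needle is a substring of a message shown in the thread.
MILESTONES = [
    ("plugin_called", "Attempting to use external auth service:"),
    ("creds_checked", "Calling UserExists with"),
    ("auth_ok",       "External Auth OK"),
    ("user_synced",   "from External Service"),
    ("login_ok",      "Successful login for"),
]

# What the furthest milestone tells the administrator (wording is mine).
VERDICTS = {
    None:            "ExternalAuth never ran: plugin not loaded, or no credentials submitted",
    "plugin_called": "plugin ran but had no credentials to test (what a bare page load logs)",
    "creds_checked": "credentials reached the service and were rejected: check bind user, base, filter, group",
    "auth_ok":       "service accepted the password but RT could not update or log in the user",
    "user_synced":   "user record updated but the final login step did not complete",
    "login_ok":      "login succeeded",
}


def parse_line(line):
    """Split one RT log line into ts/level/msg/src, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def diagnose(log_text):
    """Report the furthest ExternalAuth milestone reached in a log excerpt."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    service = response = stage = None
    stage_idx = -1
    for rec in records:
        msg = rec["msg"]
        m = SERVICE_RE.search(msg)
        if m:
            service = m.group(1)
        m = RESPONSE_RE.search(msg)
        if m:
            response = (int(m.group(1)), m.group(2).strip())
        for idx, (name, needle) in enumerate(MILESTONES):
            if needle in msg and idx > stage_idx:
                stage, stage_idx = name, idx
    # Kevin's first advice: without debug-level records there is nothing to read.
    if stage is None and not any(r["level"] == "debug" for r in records):
        verdict = "no debug-level records: raise the RT log level to 'debug' and retry"
    else:
        verdict = VERDICTS[stage]
    return {"service": service, "stage": stage, "response": response, "verdict": verdict}


# Sample 1: the three records Brian posted (a login page load, no credentials).
PAGE_LOAD_LOG = """\
[Wed Aug 24 21:38:37 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed Aug 24 21:38:37 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Wed Aug 24 21:38:37 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
"""

# Sample 2: Kevin's successful-login trace, with a constructed timestamp and
# level prefix so it has the same shape as a real log excerpt.
_KEVIN_TRACE = [
    "Attempting to use external auth service: mydb",
    "Calling UserExists with $username (bob) and $service (mydb)",
    "Password validation required for service - Executing...",
    "Trying external auth service: mydb",
    "RT::Authen::ExternalAuth::DBI::GetAuth External Auth OK ( mydb ): bob",
    "Authentication successful. Now updating user information and attempting login.",
    "UPDATED user ( bob ) from External Service",
    "Successful login for bob from 127.0.0.1",
    "Autohandler called ExternalAuth. Response: (1, Successful login)",
]
SUCCESS_LOG = "\n".join("[Fri Aug 26 09:51:27 2011] [debug]: " + m for m in _KEVIN_TRACE)

# Sample 3 (constructed): a submitted password the directory rejected, so the
# trace stops right after UserExists.
REJECTED_LOG = """\
[Thu Aug 25 11:59:50 2011] [debug]: Attempting to use external auth service: EIUAD
[Thu Aug 25 11:59:50 2011] [debug]: Calling UserExists with $username (bob) and $service (EIUAD)
"""

# Sample 4 (constructed): logging left at the default level, so only a generic
# failure line and nothing from ExternalAuth.
NO_DEBUG_LOG = "[Thu Aug 25 11:59:50 2011] [error]: FAILED LOGIN for bob from 127.0.0.1\n"

if __name__ == "__main__":
    for label, log in [("page load", PAGE_LOAD_LOG), ("success", SUCCESS_LOG),
                       ("rejected", REJECTED_LOG), ("no debug", NO_DEBUG_LOG)]:
        print(f"{label:>9}: {diagnose(log)['verdict']}")
```

Feed it the slice of the Apache error log (with `$LogToScreen` at debug) covering one login attempt; the `response` field carries the `(code, text)` pair from the autohandler line, which is the value RT's login page finally acts on.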