[rt-users] rt4 and External Auth to AD 2008 non-ssl
Andrew Wagner
aawagner at wisc.edu
Mon Aug 29 12:39:53 EDT 2011
Brian,
In my RT_SiteConfig.pm we use group_attr => 'member' rather than
memberOf. Might be worth a shot.
Andrew Wagner
Assistant Network Administrator
aawagner at wisc.edu
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu
On 8/29/2011 11:32 AM, Brian Murphy wrote:
> Still struggling with trying to get RT externally authenticating with my 2008 Active Directory.
>
> I have been able to accomplish an ldapsearch with the following options successfully:
>
> ldapsearch -x -b "dc=eiuad,dc=eiu,dc=edu" -D "CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu" -h eiuad.eiu.edu -p 389 -W "sAMAccountName=blmurphy"
>
> I would like to use blmurphy as my RT account name. When I execute the above ldapsearch and enter the prompted-for password I get back my account information from the Active Directory. I have the following set in my RT_SiteConfig.pm but continue to get the externalauth nouser response.
>
> Brian
>
> Set($ExternalSettings, {
> # EIUAD Active Directory
> 'EIUAD' => { ## GENERIC SECTION
> # The type of service (db/ldap/cookie)
> 'type' => 'ldap',
> # The server hosting the service
> 'server' => 'eiuad.eiu.edu',
> ## SERVICE-SPECIFIC SECTION
> # If you can bind to your LDAP server anonymously you should
> # remove the user and pass config lines, otherwise specify them here:
> #
> # The username RT should use to connect to the LDAP server
> 'user' => 'CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
> # The password RT should use to connect to the LDAP server
> 'pass' => 'xxxxxxxxx',
> #
> # The LDAP search base
> 'base' => 'dc=eiuad,dc=eiu,dc=edu',
> #
> # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
> # YOU **MUST** SPECIFY A filter AND A d_filter!!
> #
> # The filter to use to match RT-Users
> 'filter' => '(sAMAccountName=*)',
> # A catch-all example filter: '(objectClass=*)'
> #
> # The filter that will only match disabled users
> 'd_filter' => '(objectclass=Foo)',
> # A catch-none example d_filter: '(objectClass=FooBarBaz)'
> #
> # Should we try to use TLS to encrypt connections?
> 'tls' => 0,
> # SSL Version to provide to Net::SSLeay *if* using SSL
> 'ssl_version' => 3,
> # What other args should I pass to Net::LDAP->new($host, at args)?
> 'net_ldap_args' => [ version => 3 ],
> # Does authentication depend on group membership? What group name?
> 'group' => 'CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
> # What is the attribute for the group object that determines membership?
> 'group_attr' => 'memberOf',
> ## RT ATTRIBUTE MATCHING SECTION
> # The list of RT attributes that uniquely identify a user
> # This example shows what you *can* specify.. I recommend reducing this
> # to just the Name and EmailAddress to save encountering problems later.
> 'attr_match_list' => [ 'Name'
> ],
> # The mapping of RT attributes on to LDAP attributes
> 'attr_map' => { 'Name' => 'sAMAccountName'
> }
> }
> }
> );
>
> ----- Original Message -----
> From: "Brian Murphy"<blmurphy at eiu.edu>
> To: rt-users at lists.bestpractical.com
> Sent: Thursday, August 25, 2011 11:59:50 AM
> Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
>
> I only get the login failed message back from web.pm.
>
> The account I am using is already in RT and being used, so is this a problem? I was assuming the id would exist and just the auth would be done externally.
>
> Brian
> ----- Original Message -----
> From: "Kevin Falcone"<falcone at bestpractical.com>
> To: rt-users at lists.bestpractical.com
> Sent: Thursday, August 25, 2011 9:46:01 AM
> Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
>
> On Wed, Aug 24, 2011 at 04:42:04PM -0500, Brian Murphy wrote:
>> Thanks for the tip on the logging kevin.
>>
>> Seeing the following, don't know exactly what to make of it.
>>
>> [Wed Aug 24 21:38:37 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
>> [Wed Aug 24 21:38:37 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
>> [Wed Aug 24 21:38:37 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
> Those are the messages you get when the login page pops up.
> What do you get after typing your username and password in?
>
> -kevin
>
>
>> ----- Original Message -----
>> From: "Kevin Falcone"<falcone at bestpractical.com>
>> To: rt-users at lists.bestpractical.com
>> Sent: Wednesday, August 24, 2011 4:18:08 PM
>> Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
>>
>> On Wed, Aug 24, 2011 at 01:09:15PM -0500, Brian Murphy wrote:
>>> I am trying desperately to get this going and am not seeing that my
>>> externalauth is even being called. I am attaching my RT_SiteConfig.pm
>>> for review. I am a newbie and don't know much about anything RT as
>>> yet. I see very little in my /var/log/messages other than LOGIN failed
>>> for xxxxx from web.pm, so I don't really think my externalauth is
>>> really in play as of yet. Any assistance in getting this going would
>>> be greatly appreciated.
>> You don't appear to have turned your logging level up, most useful
>> logs are at the debug level. LogToScreen is probably the easiest,
>> because they'll end up in your apache error log.
>>
>> -kevin
>>> # Any configuration directives you include here will override
>>> # RT's default configuration file, RT_Config.pm
>>> #
>>> # To include a directive here, just copy the equivalent statement
>>> # from RT_Config.pm and change the value. We've included a single
>>> # sample value below.
>>> #
>>> # This file is actually a perl module, so you can include valid
>>> # perl code, as well.
>>> #
>>> # The converse is also true, if this file isn't valid perl, you're
>>> # going to run into trouble. To check your SiteConfig file, use
>>> # this command:
>>> #
>>> # perl -c /path/to/your/etc/RT_SiteConfig.pm
>>> #
>>> # You must restart your webserver after making changes to this file.
>>>
>>>
>>> # You must install Plugins on your own, this is only an example
>>> # of the correct syntax to use when activating them.
>>> # There should only be one @Plugins declaration in your config file.
>>> #Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail RT::Extension::ActivityReports)));
>>> #Set(@Plugins,(qw(RT::Extension::ActivityReports)));
>>> Set(@Plugins,(qw(RT::Extension::ActivityReports RT::Authen::ExternalAuth)));
>>>
>>> Set( $CorrespondAddress, '' );
>>> Set( $rtname, 'EIU ITS Campus Technology' );
>>> Set( $DatabaseRequireSSL, '' );
>>> Set( $WebPort, '8080' );
>>>
>>> Set( $DatabaseType, 'mysql' );
>>>
>>> Set( $SendmailPath, '/usr/sbin/sendmail' );
>>> Set( $WebDomain, 'localhost' );
>>>
>>> Set( $CommentAddress, '' );
>>> Set($Timezone, "US/Central");
>>> Set($UnsafeEmailCommands, 1);
>>> Set($ParseNewMessageForTicketCcs, 1);
>>> Set($NotifyActor, 1);
>>>
>>> Set( $OwnerEmail, '' );
>>> Set( $DatabaseUser, 'rt_user' );
>>> Set( $DatabasePort, '' );
>>> Set( $DatabasePassword, 'RT_pass1-' );
>>> Set( $DatabaseAdmin, 'root' );
>>> Set( $DatabaseAdminPassword, 'Mtfbwu+1' );
>>> Set( $DatabaseHost, 'localhost' );
>>> Set( $DatabaseName, 'rt4' );
>>> Set( $Organization, 'ITS' );
>>> 1;
>>> # The order in which the services defined in ExternalSettings
>>> # should be used to authenticate users. User is authenticated
>>> # if successfully confirmed by any service - no more services
>>> # are checked.
>>> Set($ExternalAuthPriority, [ 'EIUAD'
>>> ]
>>> );
>>>
>>> # The order in which the services defined in ExternalSettings
>>> # should be used to get information about users. This includes
>>> # RealName, Tel numbers etc, but also whether or not the user
>>> # should be considered disabled.
>>> #
>>> # Once user info is found, no more services are checked.
>>> #
>>> # You CANNOT use a SSO cookie for authentication.
>>> Set($ExternalInfoPriority, [ 'EIUAD'
>>> ]
>>> );
>>>
>>> # If this is set to true, then the relevant packages will
>>> # be loaded to use SSL/TLS connections. At the moment,
>>> # this just means "use Net::SSLeay;"
>>> Set($ExternalServiceUsesSSLorTLS, 0);
>>>
>>> # If this is set to 1, then users should be autocreated by RT
>>> # as internal users if they fail to authenticate from an
>>> # external service.
>>> Set($AutoCreateNonExternalUsers, 0);
>>>
>>> # These are the full settings for each external service as a HashOfHashes
>>> # Note that you may have as many external services as you wish. They will
>>> # be checked in the order specified in the Priority directives above.
>>> # e.g.
>>> # Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
>>> #
>>> Set($ExternalSettings, {
>>> # EIUAD Active Directory
>>> 'EIUAD' => { ## GENERIC SECTION
>>> # The type of service (db/ldap/cookie)
>>> 'type' => 'ldap',
>>> # The server hosting the service
>>> 'server' => 'xxxxx.xxx.edu',
>>> ## SERVICE-SPECIFIC SECTION
>>> # If you can bind to your LDAP server anonymously you should
>>> # remove the user and pass config lines, otherwise specify them here:
>>> #
>>> # The username RT should use to connect to the LDAP server
>>> 'user' => 'rtauth',
>>> # The password RT should use to connect to the LDAP server
>>> 'pass' => 'xxxxxxx',
>>> #
>>> # The LDAP search base
>>> 'base' => 'dc=xxxxx,dc=xxx,dc=edu',
>>> #
>>> # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
>>> # YOU **MUST** SPECIFY A filter AND A d_filter!!
>>> #
>>> # The filter to use to match RT-Users
>>> 'filter' => '(objectclass=person)',
>>> # A catch-all example filter: '(objectClass=*)'
>>> #
>>> # The filter that will only match disabled users
>>> 'd_filter' => '(objectclass=Foo)',
>>> # A catch-none example d_filter: '(objectClass=FooBarBaz)'
>>> #
>>> # Should we try to use TLS to encrypt connections?
>>> 'tls' => 0,
>>> # SSL Version to provide to Net::SSLeay *if* using SSL
>>> 'ssl_version' => 3,
>>> # What other args should I pass to Net::LDAP->new($host, at args)?
>>> 'net_ldap_args' => [ version => 3 ],
>>> # Does authentication depend on group membership? What group name?
>>> 'group' => 'rt_access',
>>> # What is the attribute for the group object that determines membership?
>>> 'group_attr' => 'memberOf',
>>> ## RT ATTRIBUTE MATCHING SECTION
>>> # The list of RT attributes that uniquely identify a user
>>> # This example shows what you *can* specify.. I recommend reducing this
>>> # to just the Name and EmailAddress to save encountering problems later.
>>> 'attr_match_list' => [ 'Name'
>>> ],
>>> # The mapping of RT attributes on to LDAP attributes
>>> 'attr_map' => { 'Name' => 'sAMAccountName'
>>> }
>>> }
>>> }
>>> );
>>>
>>> 1;
>> --------
>> RT Training Sessions (http://bestpractical.com/services/training.html)
>> * Chicago, IL, USA – September 26 & 27, 2011
>> * San Francisco, CA, USA – October 18 & 19, 2011
>> * Washington DC, USA – October 31 & November 1, 2011
>> * Melbourne VIC, Australia – November 28 & 29, 2011
>> * Barcelona, Spain – November 28 & 29, 2011
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7410 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20110829/1599bf4f/attachment.bin>
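A compact model of the check sequence that is going wrong in this thread, added here as an example; it is not code from RT, from RT::Authen::ExternalAuth, or from anyone in the thread. It simulates, against a constructed in-memory directory, the LDAP steps the plugin's LDAP backend performs: service bind, user search with the configured filter ANDed to the Name attribute, d_filter test, a base-scope search of the group object for `(group_attr=<user DN>)`, and finally a bind as the user. The exact filter strings the plugin builds are an assumption; the service-account password, the "Old Hand" account and every password are invented; and the filter evaluator covers only equality, presence, `&` and AD's bitwise-AND matching rule (OID 1.2.840.113556.1.4.803). It shows the two things a reviewer of the posted config should care about. With `group_attr => 'memberOf'` the group test looks for a `memberOf` value on the group object, which AD never sets there, so every login is refused (it fails closed, consistent with the "No User" result); `member` is the attribute on the group that holds user DNs. And `d_filter => '(objectclass=Foo)'` matches nothing, so an account disabled in AD but still listed in the group would be accepted (it fails open); matching the ACCOUNTDISABLE bit (0x2) of `userAccountControl` closes that. Two points the code does not model: with `'tls' => 0` on port 389, simple binds send the service-account password and every user's password in clear text (as does `ldapsearch -x ... -W`), so TLS or an LDAPS port is the safer setting; and a user DN interpolated into a filter needs RFC 4515 escaping if it can contain `(`, `)`, `*` or `\`.

```python
"""Toy model of the LDAP checks RT::Authen::ExternalAuth makes for one login.

Added example, not RT's code.  DIRECTORY is a constructed stand-in for the
poster's AD; the service password, the 'Old Hand' user and all passwords
are invented.  Only the filter features the walk-through needs are implemented.
"""
import re

# userAccountControl: 512 = normal account, 514 = normal account | ACCOUNTDISABLE (0x2)
DIRECTORY = {
    "CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu": {
        "objectClass": ["person", "user"], "sAMAccountName": ["rtauth"],
        "userPassword": ["svc-secret"], "userAccountControl": ["512"],
    },
    "CN=Brian Murphy,OU=Staff,DC=eiuad,DC=eiu,DC=edu": {
        "objectClass": ["person", "user"], "sAMAccountName": ["blmurphy"],
        "userPassword": ["brian-pw"], "userAccountControl": ["512"],
        "memberOf": ["CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu"],
    },
    "CN=Old Hand,OU=Staff,DC=eiuad,DC=eiu,DC=edu": {  # disabled in AD, still in the group
        "objectClass": ["person", "user"], "sAMAccountName": ["oldhand"],
        "userPassword": ["old-pw"], "userAccountControl": ["514"],
        "memberOf": ["CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu"],
    },
    "CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu": {
        "objectClass": ["group"],
        "member": ["CN=Brian Murphy,OU=Staff,DC=eiuad,DC=eiu,DC=edu",
                   "CN=Old Hand,OU=Staff,DC=eiuad,DC=eiu,DC=edu"],
    },
}
BIT_AND = "1.2.840.113556.1.4.803"  # AD's LDAP_MATCHING_RULE_BIT_AND


def _match(attrs, filt):
    """Evaluate a small subset of RFC 4515: (&...), (attr=value), (attr=*), (attr:OID:=value)."""
    if filt.startswith("(&"):
        return all(_match(attrs, f"({p})") for p in re.findall(r"\(([^()]*)\)", filt[2:-1]))
    m = re.fullmatch(r"\((\w+)(?::([\d.]+):)?=(.*)\)", filt)
    if not m:
        raise ValueError(f"unsupported filter {filt!r}")
    attr, rule, value = m.groups()
    have = [v for k, v in attrs.items() if k.lower() == attr.lower()]  # attribute names are case-insensitive
    have = have[0] if have else []
    if rule == BIT_AND:
        return any(int(v) & int(value) for v in have)
    if value == "*":
        return bool(have)
    return any(v.lower() == value.lower() for v in have)


def search(base, filt, scope="sub"):
    """Return the DNs under `base` (scope 'sub') or equal to it (scope 'base') that match `filt`."""
    out = []
    for dn, attrs in DIRECTORY.items():
        in_scope = dn.lower() == base.lower() if scope == "base" else dn.lower().endswith(base.lower())
        if in_scope and _match(attrs, filt):
            out.append(dn)
    return out


def bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def external_auth(cfg, username, password):
    """Walk the plugin's steps in order; return (ok, reason_or_user_dn)."""
    if not bind(cfg["user"], cfg["pass"]):
        return False, "service bind failed"
    # 1. locate the user: the configured filter ANDed with the Name attribute mapping
    name_attr = cfg["attr_map"]["Name"]
    hits = search(cfg["base"], f"(&{cfg['filter']}({name_attr}={username}))")
    if len(hits) != 1:
        return False, f"expected exactly one user, got {len(hits)}"
    user_dn = hits[0]
    # 2. a d_filter hit on the user object means 'disabled'
    if search(user_dn, cfg["d_filter"], scope="base"):
        return False, "account disabled"
    # 3. base-scope search of the group object for (group_attr=user_dn); DN escaping omitted
    if cfg.get("group") and not search(cfg["group"], f"({cfg['group_attr']}={user_dn})", scope="base"):
        return False, f"{cfg['group_attr']} on group does not list {user_dn}"
    # 4. only now is the submitted password checked, by binding as the user
    if not bind(user_dn, password):
        return False, "user bind failed"
    return True, user_dn


# The thread's settings reduced to what the flow needs (service password invented).
POSTED = {
    "user": "CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu", "pass": "svc-secret",
    "base": "dc=eiuad,dc=eiu,dc=edu",
    "filter": "(sAMAccountName=*)", "d_filter": "(objectclass=Foo)",
    "group": "CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu", "group_attr": "memberOf",
    "attr_map": {"Name": "sAMAccountName"},
}
# Andrew's suggestion, plus a d_filter that recognises AD's ACCOUNTDISABLE flag.
FIXED = dict(POSTED, group_attr="member", d_filter=f"(userAccountControl:{BIT_AND}:=2)")

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        for user, pw in (("blmurphy", "brian-pw"), ("oldhand", "old-pw"), ("blmurphy", "wrong")):
            print(f"{label:6} {user:9} -> {external_auth(cfg, user, pw)}")
```

Running it prints one line per attempt: under the posted settings every login ends at the group step, under the fixed settings blmurphy succeeds, oldhand is rejected as disabled, and a wrong password fails only at the final user bind.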