[rt-users] Has anyone sucessfully configured LDAP to authenticate against AD with version 4.0.1?
josh.cole
josh.cole at fresno.edu
Mon Aug 29 15:08:48 EDT 2011
Enabled debugging and here is the output. I know I exist, I must have missed
something somewhere when configuring the authentication method. I will also
post my current RT_SiteConfig underneath the error log.
[Mon Aug 29 18:57:19 2011] [debug]: Attempting to use external auth service:
Active_Directory
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Aug 29 18:57:19 2011] [debug]: SSO Failed and no user to test with.
Nexting
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Aug 29 18:57:19 2011] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Mon Aug 29 18:57:23 2011] [debug]: Attempting to use external auth service:
Active_Directory
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Aug 29 18:57:23 2011] [debug]: Calling UserExists with $username (josh
cole) and $service (Active_Directory)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Aug 29 18:57:23 2011] [debug]: UserExists params:
username: josh cole , service: Active_Directory
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Aug 29 18:57:23 2011] [debug]: LDAP Search === Base:
OU=ITS,DC=mydomain,DC=local == Filter:
(&(objectclass=person)(sAMAccountName=josh cole)) == Attrs:
l,displayName,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Aug 29 18:57:23 2011] [debug]: User Check Failed :: ( Active_Directory
) josh cole User not found
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:318)
Current config:
# This file was generated by running "update-rt-siteconfig-3.8".
#
# While local modifications will not be overwritten without permission,
# it is recommended the they are instead placed in
# /etc/request-tracker3.8/RT_SiteConfig.d
#
# Note that modifications to the RT_SiteConfig.d directory won't
# take effect until the update command mentioned above is run again.
# start /etc/request-tracker3.8/RT_SiteConfig.d/40-timezone
# dynamically find out the current timezone
my $zone = "PST";
$zone=`/bin/cat /etc/timezone`
if -f "/etc/timezone";
chomp $zone;
Set($Timezone, $zone);
# end /etc/request-tracker3.8/RT_SiteConfig.d/40-timezone
# start /etc/request-tracker3.8/RT_SiteConfig.d/50-debconf
# THE BASICS:
Set($WebDomain, 'rt.netman.mydomain.local');
Set($rtname, 'rt.netman.mydomain.local');
Set($Organization, 'netman.mydomain.local');
#Set($CorrespondAddress , 'rt at netman.mydomain.local');
#Set($CommentAddress , 'rt-comment at netman.mydomain.local');
Set($MaxAttachmentSize , 10000000);
Set($FriendlyFromLineFormat, "\"%s\" <%s>");
Set(@Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($ExternalAuthPriority, [ 'Active_Directory'
]
);
Set($ExternalInfoPriority, [ 'Active_Directory'
]
);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, { 'Active_Directory' => { 'type'
=> 'ldap',
'auth'
=> 1,
'info'
=> 1,
'server'
=> '172.16.1.70',
'base'
=> 'OU=ITS,DC=fpu,DC=local',
'user' => 'rtauth',
# The password RT
should use to connect to the LDAP server
'pass'
=> 'xxxxxx',
# The filter to use
to match RT-Users
'filter'
=> '(objectclass=person)',
# The filter that
will only match disabled users
'd_filter'
=> '(userAccountControl:1.2.840.113556.1.4.803:=2)',
# Should we try to
use TLS to encrypt connections?
'tls'
=> 0,
# What other args
should I pass to Net::LDAP->new($host, at args)?
'net_ldap_args'
=> [ version => 3 ],
# Does
authentication depend on group membership? What group name?
'group'
=> 'Request-Tracker',
# What is the
attribute for the group object that determines membership?
'group_attr'
=> 'member',
## RT ATTRIBUTE
MATCHING SECTION
# The list of RT
attributes that uniquely identify a user
'attr_match_list'
=> [ 'ExternalAuthId','EmailAddress' ],
# The mapping of RT
attributes on to LDAP attributes
'attr_map'
=> { 'Name' => 'sAMAccountName',
'EmailAddress' => 'mail',
'Organization' => 'physicalDeliveryOfficeName',
'RealName' => 'displayName',
'ExternalAuthId' => 'sAMAccountName',
'Gecos' => 'sAMAccountName',
'WorkPhone' => 'telephoneNumber',
'Address1' => 'streetAddress',
'City' => 'l',
'State' => 'st',
'Zip' => 'postalCode',
'Country' => 'co'
}
}
}
);
# THE WEBSERVER:
Set($LogToFile, 'debug');
Set($LogDir, '/var/log/rt');
Set($WebPath , "/rt");
Set($WebBaseURL , "http://rt.netman.mydomain.local");
# end /etc/request-tracker3.8/RT_SiteConfig.d/50-debconf
# start /etc/request-tracker3.8/RT_SiteConfig.d/51-dbconfig-common
# THE DATABASE:
# generated by dbconfig-common
# map from dbconfig-common database types to their names as known by RT
my %typemap = (
mysql => 'mysql',
pgsql => 'Pg',
sqlite3 => 'SQLite',
);
Set($DatabaseType, $typemap{mysql} || "UNKNOWN");
Set($DatabaseHost, 'localhost');
Set($DatabasePort, '');
Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , 'xxxxxx');
# SQLite needs a special case, since $DatabaseName must be a full pathname
my $dbc_dbname = 'rtdb'; if ( "mysql" eq "sqlite3" ) { Set ($DatabaseName,
'' . '/' . $dbc_dbname); } else { Set ($DatabaseName, $dbc_dbname); }
# end /etc/request-tracker3.8/RT_SiteConfig.d/51-dbconfig-common
1;
josh.cole wrote:
>
> I think I am close now. I made those changes to the config. I am receiving
> an error when I try to login with my AD credentials. The error is simply:
> [Mon Aug 29 18:18:58 2011] [error]: FAILED LOGIN for josh cole from
> xxx.xxx.xxx.xxx (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:655)
>
> Do I need to specify an ldap port? I did add a username and password to
> authenticate.
>
>
> josh.cole wrote:
>>
>> Thank you very much for your feedback. I really appreciate it.
>>
>> Andrew Wagner-4 wrote:
>>>
>>> Yes, Josh. That is correct. The ExternalAuthen checks all locations
>>> for users under the base OU. Either change your specified base in
>>> RT_SiteConfig.pm or move the users to the OU that you want RT to search.
>>>
>>> Andrew Wagner
>>> Assistant Network Administrator
>>> aawagner at wisc.edu
>>> 265-5710
>>> Room 370B
>>> Wisconsin Center for Education Research (WCER)
>>> www.wcer.wisc.edu
>>>
>>>
>>> On 8/29/2011 11:39 AM, josh.cole wrote:
>>>> Thank you for your response. So just to make sure I understand, if the
>>>> users
>>>> I want to be able to authenticate in RT are not in the OU specified it
>>>> will
>>>> not work? So I should move those users to whatever the OU is that I
>>>> specify
>>>> in the base?
>>>>
>>>> Andrew Wagner-4 wrote:
>>>>> 1. For group_attr, you want the term to be 'member'. That checks for
>>>>> membership in the group.
>>>>>
>>>>> 2. For your base, you need to choose the next highest level of Active
>>>>> Directory beyond where your users are stored. This means you need to
>>>>> specify the OU where your users are, not just a random "Users" OU.
>>>>>
>>>>> Andrew Wagner
>>>>> Assistant Network Administrator
>>>>> aawagner at wisc.edu
>>>>> 265-5710
>>>>> Room 370B
>>>>> Wisconsin Center for Education Research (WCER)
>>>>> www.wcer.wisc.edu
>>>>>
>>>>>
>>>>> On 8/29/2011 11:26 AM, josh.cole wrote:
>>>>>> I am trying to make this work. I installed the latest version of
>>>>>> ExternalAuth. I am working with Request Tracker for the first time,
>>>>>> just
>>>>>> upgraded from 3.8.7 to 4.0.1. There are a few things that I think are
>>>>>> off
>>>>>> but I am not sure what the correct solution is.
>>>>>>
>>>>>> 1. I am not sure what to use for the group_attr I want to have users
>>>>>> in
>>>>>> the
>>>>>> group Request-Tracker inside of AD be able to authenticate with their
>>>>>> credentials when logging into RT and I believe the filter is set
>>>>>> correctly
>>>>>> other than what needs to be added for the group_attribute. I am not
>>>>>> sure
>>>>>> what that should be.
>>>>>>
>>>>>> 2. For my base statement. I am specifying the Users OU but none of my
>>>>>> users
>>>>>> are in that OU. I am not sure exactly what it's looking for there.
>>>>>>
>>>>>> Any help is appreciated!
>>>>>> ExternalAuth config:
>>>>>>
>>>>>> I have added the following to my RT_SiteConfig.pm:
>>>>>>
>>>>>> @RT::MailPlugins = ("RT::Authen::ExternalAuth");
>>>>>> Set(@Plugins, qw(RT::Authen::ExternalAuth) );
>>>>>> Set($ExternalAuthPriority, [ 'Active_Directory'
>>>>>> ]
>>>>>> );
>>>>>> Set($ExternalInfoPriority, [ 'Active_Directory'
>>>>>> ]
>>>>>> );
>>>>>> Set($AutoCreateNonExternalUsers, 0);
>>>>>>
>>>>>> Set($ExternalSettings, { 'Active_Directory' => {
>>>>>> 'type'
>>>>>> => 'ldap',
>>>>>> 'auth'
>>>>>> => 1,
>>>>>> 'info'
>>>>>> => 1,
>>>>>> 'server'
>>>>>> => 'rt.mydomain.local',
>>>>>> 'base'
>>>>>> => 'OU=Users,DC=mydomain,DC=local',
>>>>>> # The
>>>>>> filter to
>>>>>> use
>>>>>> to match RT-Users
>>>>>> 'filter'
>>>>>> => '(objectclass=person)',
>>>>>> # The
>>>>>> filter
>>>>>> that
>>>>>> will only match disabled users
>>>>>> 'd_filter'
>>>>>> => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>>>>> # Should we
>>>>>> try
>>>>>> to
>>>>>> use TLS to encrypt connections?
>>>>>> 'tls'
>>>>>> => 0,
>>>>>> # What
>>>>>> other
>>>>>> args
>>>>>> should I pass to Net::LDAP->new($host, at args)?
>>>>>>
>>>>>> 'net_ldap_args'
>>>>>> => [ version => 3 ],
>>>>>> # Does
>>>>>> authentication depend on group membership? What group name?
>>>>>> 'group'
>>>>>> => 'Request-Tracker',
>>>>>> # What is
>>>>>> the
>>>>>> attribute for the group object that determines membership?
>>>>>>
>>>>>> #'group_attr'
>>>>>> => 'GROUP_ATTR',
>>>>>> ## RT
>>>>>> ATTRIBUTE
>>>>>> MATCHING SECTION
>>>>>> # The list
>>>>>> of RT
>>>>>> attributes that uniquely identify a user
>>>>>>
>>>>>> 'attr_match_list'
>>>>>> => [ 'ExternalAuthId','EmailAddress' ],
>>>>>> # The
>>>>>> mapping of
>>>>>> RT
>>>>>> attributes on to LDAP attributes
>>>>>> 'attr_map'
>>>>>> => { 'Name' => 'sAMAccountName',
>>>>>>
>>>>>> 'EmailAddress' => 'mail',
>>>>>>
>>>>>> 'Organization' => 'physicalDeliveryOfficeName',
>>>>>>
>>>>>> 'RealName' => 'displayName',
>>>>>>
>>>>>> 'ExternalAuthId' => 'sAMAccountName',
>>>>>>
>>>>>> 'Gecos' => 'sAMAccountName',
>>>>>>
>>>>>> 'WorkPhone' => 'telephoneNumber',
>>>>>>
>>>>>> 'Address1' => 'streetAddress',
>>>>>>
>>>>>> 'City' => 'l',
>>>>>>
>>>>>> 'State' => 'st',
>>>>>>
>>>>>> 'Zip' => 'postalCode',
>>>>>>
>>>>>> 'Country' => 'co'
>>>>>>
>>>>>> }
>>>>>> }
>>>>>> }
>>>>>> );
>>>>>>
>>>>>
>>>>>
>>>>> --------
>>>>> RT Training Sessions (http://bestpractical.com/services/training.html)
>>>>> * Chicago, IL, USA — September 26& 27, 2011
>>>>> * San Francisco, CA, USA — October 18& 19, 2011
>>>>> * Washington DC, USA — October 31& November 1, 2011
>>>>> * Melbourne VIC, Australia — November 28& 29, 2011
>>>>> * Barcelona, Spain — November 28& 29, 2011
>>>>>
>>>
>>>
>>>
>>> --------
>>> RT Training Sessions (http://bestpractical.com/services/training.html)
>>> * Chicago, IL, USA — September 26 & 27, 2011
>>> * San Francisco, CA, USA — October 18 & 19, 2011
>>> * Washington DC, USA — October 31 & November 1, 2011
>>> * Melbourne VIC, Australia — November 28 & 29, 2011
>>> * Barcelona, Spain — November 28 & 29, 2011
>>>
>>
>>
>
>
--
View this message in context: http://old.nabble.com/Has-anyone-sucessfully-configured-LDAP-to-authenticate-against-AD-with-version-4.0.1--tp32358024p32359355.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.
More information about the rt-users
mailing list