[rt-users] Has anyone successfully configured LDAP to authenticate against AD with version 4.0.1?

josh.cole josh.cole at fresno.edu
Mon Aug 29 15:08:48 EDT 2011


Enabled debugging and here is the output. I know I exist, I must have missed
something somewhere when configuring the authentication method. I will also
post my current RT_SiteConfig underneath the error log. 

[Mon Aug 29 18:57:19 2011] [debug]: Attempting to use external auth service:
Active_Directory
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Aug 29 18:57:19 2011] [debug]: SSO Failed and no user to test with.
Nexting
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Aug 29 18:57:19 2011] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Mon Aug 29 18:57:23 2011] [debug]: Attempting to use external auth service:
Active_Directory
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Aug 29 18:57:23 2011] [debug]: Calling UserExists with $username (josh
cole) and $service (Active_Directory)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Aug 29 18:57:23 2011] [debug]: UserExists params:
username: josh cole , service: Active_Directory
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Aug 29 18:57:23 2011] [debug]: LDAP Search ===  Base:
OU=ITS,DC=mydomain,DC=local == Filter:
(&(objectclass=person)(sAMAccountName=josh cole)) == Attrs:
l,displayName,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Aug 29 18:57:23 2011] [debug]: User Check Failed :: ( Active_Directory
) josh cole User not found
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:318)

Current config:
# This file was generated by running "update-rt-siteconfig-3.8".
#
# While local modifications will not be overwritten without permission,
# it is recommended that they are instead placed in 
# /etc/request-tracker3.8/RT_SiteConfig.d
#
# Note that modifications to the RT_SiteConfig.d directory won't 
# take effect until the update command mentioned above is run again.

# start /etc/request-tracker3.8/RT_SiteConfig.d/40-timezone
# dynamically find out the current timezone
my $zone = "PST";
$zone=`/bin/cat /etc/timezone`
    if -f "/etc/timezone";
chomp $zone;
Set($Timezone, $zone);
# end   /etc/request-tracker3.8/RT_SiteConfig.d/40-timezone
# start /etc/request-tracker3.8/RT_SiteConfig.d/50-debconf
# THE BASICS:

Set($WebDomain, 'rt.netman.mydomain.local');
Set($rtname, 'rt.netman.mydomain.local');
Set($Organization, 'netman.mydomain.local');

#Set($CorrespondAddress , 'rt@netman.mydomain.local');
#Set($CommentAddress , 'rt-comment@netman.mydomain.local');
Set($MaxAttachmentSize , 10000000);
Set($FriendlyFromLineFormat, "\"%s\" <%s>");
Set(@Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalServiceUsesSSLorTLS,    0);
Set($ExternalAuthPriority,  [   'Active_Directory'
                            ]
);
Set($ExternalInfoPriority,  [ 'Active_Directory'
                            ]
);
Set($AutoCreateNonExternalUsers,    0);

Set($ExternalSettings, {
    'Active_Directory' => {
        'type'   => 'ldap',
        'auth'   => 1,
        'info'   => 1,
        'server' => '172.16.1.70',
        'base'   => 'OU=ITS,DC=fpu,DC=local',
        'user'   => 'rtauth',
        # The password RT should use to connect to the LDAP server
        'pass'   => 'xxxxxx',
        # The filter to use to match RT-Users
        'filter' => '(objectclass=person)',
        # The filter that will only match disabled users
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'Request-Tracker',
        # What is the attribute for the group object that determines membership?
        'group_attr' => 'member',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'displayName',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
});


# THE WEBSERVER:

Set($LogToFile, 'debug');
Set($LogDir, '/var/log/rt'); 

Set($WebPath , "/rt");
Set($WebBaseURL , "http://rt.netman.mydomain.local");

# end   /etc/request-tracker3.8/RT_SiteConfig.d/50-debconf
# start /etc/request-tracker3.8/RT_SiteConfig.d/51-dbconfig-common
# THE DATABASE:
# generated by dbconfig-common

# map from dbconfig-common database types to their names as known by RT
my %typemap = (
    mysql   => 'mysql',
    pgsql   => 'Pg',
    sqlite3 => 'SQLite',
);
    
Set($DatabaseType, $typemap{mysql} || "UNKNOWN");

Set($DatabaseHost, 'localhost');
Set($DatabasePort, '');

Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , 'xxxxxx');

# SQLite needs a special case, since $DatabaseName must be a full pathname
my $dbc_dbname = 'rtdb';
if ( "mysql" eq "sqlite3" ) {
    Set($DatabaseName, '' . '/' . $dbc_dbname);
} else {
    Set($DatabaseName, $dbc_dbname);
}
# end   /etc/request-tracker3.8/RT_SiteConfig.d/51-dbconfig-common
1;



josh.cole wrote:
> 
> I think I am close now. I made those changes to the config. I am receiving
> an error when I try to login with my AD credentials. The error is simply:
> [Mon Aug 29 18:18:58 2011] [error]: FAILED LOGIN for josh cole from
> xxx.xxx.xxx.xxx (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:655)
> 
> Do I need to specify an ldap port? I did add a username and password to
> authenticate. 
> 
> 
> josh.cole wrote:
>> 
>> Thank you very much for your feedback. I really appreciate it. 
>> 
>> Andrew Wagner-4 wrote:
>>> 
>>> Yes, Josh.  That is correct.  The ExternalAuthen checks all locations 
>>> for users under the base OU.  Either change your specified base in 
>>> RT_SiteConfig.pm or move the users to the OU that you want RT to search.
>>> 
>>> Andrew Wagner
>>> Assistant Network Administrator
>>> aawagner at wisc.edu
>>> 265-5710
>>> Room 370B
>>> Wisconsin Center for Education Research (WCER)
>>> www.wcer.wisc.edu
>>> 
>>> 
>>> On 8/29/2011 11:39 AM, josh.cole wrote:
>>>> Thank you for your response. So just to make sure I understand, if the
>>>> users I want to be able to authenticate in RT are not in the OU specified
>>>> it will not work? So I should move those users to whatever the OU is that
>>>> I specify in the base?
>>>>
>>>> Andrew Wagner-4 wrote:
>>>>> 1.  For group_attr, you want the term to be 'member'.  That checks for
>>>>> membership in the group.
>>>>>
>>>>> 2.  For your base, you need to choose the next highest level of Active
>>>>> Directory beyond where your users are stored.  This means you need to
>>>>> specify the OU where your users are, not just a random "Users" OU.
>>>>>
>>>>> Andrew Wagner
>>>>> Assistant Network Administrator
>>>>> aawagner at wisc.edu
>>>>> 265-5710
>>>>> Room 370B
>>>>> Wisconsin Center for Education Research (WCER)
>>>>> www.wcer.wisc.edu
>>>>>
>>>>>
>>>>> On 8/29/2011 11:26 AM, josh.cole wrote:
>>>>>> I am trying to make this work. I installed the latest version of
>>>>>> ExternalAuth. I am working with Request Tracker for the first time, just
>>>>>> upgraded from 3.8.7 to 4.0.1. There are a few things that I think are off
>>>>>> but I am not sure what the correct solution is.
>>>>>>
>>>>>> 1. I am not sure what to use for the group_attr. I want to have users in
>>>>>> the group Request-Tracker inside of AD be able to authenticate with their
>>>>>> credentials when logging into RT, and I believe the filter is set correctly
>>>>>> other than what needs to be added for the group_attribute. I am not sure
>>>>>> what that should be.
>>>>>>
>>>>>> 2. For my base statement, I am specifying the Users OU but none of my
>>>>>> users are in that OU. I am not sure exactly what it's looking for there.
>>>>>>
>>>>>> Any help is appreciated!
>>>>>> ExternalAuth config:
>>>>>>
>>>>>> I have added the following to my RT_SiteConfig.pm:
>>>>>>
>>>>>> @RT::MailPlugins = ("RT::Authen::ExternalAuth");
>>>>>> Set(@Plugins, qw(RT::Authen::ExternalAuth) );
>>>>>> Set($ExternalAuthPriority,  [   'Active_Directory'
>>>>>>                               ]
>>>>>> );
>>>>>> Set($ExternalInfoPriority,  [ 'Active_Directory'
>>>>>>                               ]
>>>>>> );
>>>>>> Set($AutoCreateNonExternalUsers,    0);
>>>>>>
>>>>>> Set($ExternalSettings, {
>>>>>>     'Active_Directory' => {
>>>>>>         'type'   => 'ldap',
>>>>>>         'auth'   => 1,
>>>>>>         'info'   => 1,
>>>>>>         'server' => 'rt.mydomain.local',
>>>>>>         'base'   => 'OU=Users,DC=mydomain,DC=local',
>>>>>>         # The filter to use to match RT-Users
>>>>>>         'filter' => '(objectclass=person)',
>>>>>>         # The filter that will only match disabled users
>>>>>>         'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>>>>>         # Should we try to use TLS to encrypt connections?
>>>>>>         'tls' => 0,
>>>>>>         # What other args should I pass to Net::LDAP->new($host,@args)?
>>>>>>         'net_ldap_args' => [ version => 3 ],
>>>>>>         # Does authentication depend on group membership? What group name?
>>>>>>         'group' => 'Request-Tracker',
>>>>>>         # What is the attribute for the group object that determines membership?
>>>>>>         #'group_attr' => 'GROUP_ATTR',
>>>>>>         ## RT ATTRIBUTE MATCHING SECTION
>>>>>>         # The list of RT attributes that uniquely identify a user
>>>>>>         'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
>>>>>>         # The mapping of RT attributes on to LDAP attributes
>>>>>>         'attr_map' => {
>>>>>>             'Name'           => 'sAMAccountName',
>>>>>>             'EmailAddress'   => 'mail',
>>>>>>             'Organization'   => 'physicalDeliveryOfficeName',
>>>>>>             'RealName'       => 'displayName',
>>>>>>             'ExternalAuthId' => 'sAMAccountName',
>>>>>>             'Gecos'          => 'sAMAccountName',
>>>>>>             'WorkPhone'      => 'telephoneNumber',
>>>>>>             'Address1'       => 'streetAddress',
>>>>>>             'City'           => 'l',
>>>>>>             'State'          => 'st',
>>>>>>             'Zip'            => 'postalCode',
>>>>>>             'Country'        => 'co',
>>>>>>         },
>>>>>>     },
>>>>>> });
>>>>>>
>>>>>
>>>>>
>>>>> --------
>>>>> RT Training Sessions (http://bestpractical.com/services/training.html)
>>>>> *  Chicago, IL, USA — September 26 & 27, 2011
>>>>> *  San Francisco, CA, USA — October 18 & 19, 2011
>>>>> *  Washington DC, USA — October 31 & November 1, 2011
>>>>> *  Melbourne VIC, Australia — November 28 & 29, 2011
>>>>> *  Barcelona, Spain — November 28 & 29, 2011
>>>>>
>>> 
>>> 
>>> 
>> 
>> 
> 
> 

-- 
View this message in context: http://old.nabble.com/Has-anyone-sucessfully-configured-LDAP-to-authenticate-against-AD-with-version-4.0.1--tp32358024p32359355.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.
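Added example, not code from the post above and not code from RT or RT::Authen::ExternalAuth: an offline Python model of the decisions the plugin's LDAP backend makes for one login, using the config values from the post (base as it appears in the debug log) and a small constructed directory. The DNs, account names (jcole, ssmith, oldadmin, jdoe), the group entry and the in-memory filter evaluator are all invented for illustration; the real plugin sends these as LDAP searches to the DC, and the exact order and wording of its disabled and group checks are simplified here. What it shows: a login name that is not the account's sAMAccountName (here "josh cole", with a space, as in the log) produces the same "User not found" the log reports; an account that exists but sits outside the base OU is never seen; a disabled account is rejected by the 1.2.840.113556.1.4.803 bit test on userAccountControl; and RFC 4515 escaping of the login name keeps a value like `*` from turning the sAMAccountName clause into a wildcard (whether the plugin version on the page escapes it is not shown).

```python
# Added example (not from the post, RT, or RT::Authen::ExternalAuth): an offline
# model of the checks made for one login, evaluated against a constructed directory.
import re

BITWISE_AND_RULE = ":1.2.840.113556.1.4.803:"   # LDAP_MATCHING_RULE_BIT_AND, used by d_filter
ADS_UF_ACCOUNTDISABLE = 2                        # the userAccountControl bit d_filter tests

# Mirrors the settings in the post; base as anonymised in the debug log.
CONFIG = {
    "base": "OU=ITS,DC=mydomain,DC=local",
    "filter": "(objectclass=person)",
    "d_filter": "(userAccountControl:1.2.840.113556.1.4.803:=2)",
    "group": "Request-Tracker",
    "group_attr": "member",
    "attr_map": {"Name": "sAMAccountName"},
}

# Constructed directory (all names invented): one user under the base, one not in
# the group, one disabled, one outside the base OU, and the group itself.
DIRECTORY = [
    {"dn": "CN=Josh Cole,OU=ITS,DC=mydomain,DC=local", "objectClass": ["top", "person", "user"],
     "sAMAccountName": "jcole", "userAccountControl": 512},
    {"dn": "CN=Sam Smith,OU=ITS,DC=mydomain,DC=local", "objectClass": ["top", "person", "user"],
     "sAMAccountName": "ssmith", "userAccountControl": 512},
    {"dn": "CN=Old Admin,OU=ITS,DC=mydomain,DC=local", "objectClass": ["top", "person", "user"],
     "sAMAccountName": "oldadmin", "userAccountControl": 512 | ADS_UF_ACCOUNTDISABLE},
    {"dn": "CN=Jane Doe,OU=Staff,DC=mydomain,DC=local", "objectClass": ["top", "person", "user"],
     "sAMAccountName": "jdoe", "userAccountControl": 512},
    {"dn": "CN=Request-Tracker,OU=Groups,DC=mydomain,DC=local", "objectClass": ["top", "group"],
     "cn": "Request-Tracker",
     "member": ["CN=Josh Cole,OU=ITS,DC=mydomain,DC=local",
                "CN=Old Admin,OU=ITS,DC=mydomain,DC=local"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _attr(entry, name):
    """Case-insensitive attribute lookup returning a list of values."""
    for k, v in entry.items():
        if k.lower() == name.lower():
            return v if isinstance(v, list) else [v]
    return []


def _components(s):
    """Split '(a=b)(c=d)' into its parenthesised parts, honouring nesting."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def filter_matches(entry, flt):
    """Evaluate the filter subset the config uses: equality, AND, and AD's bitwise-AND rule."""
    inner = flt.strip()[1:-1]
    if inner.startswith("&"):
        return all(filter_matches(entry, p) for p in _components(inner[1:]))
    attr, value = inner.split("=", 1)
    if attr.endswith(BITWISE_AND_RULE):
        mask = int(value)
        return any(int(v) & mask == mask for v in _attr(entry, attr[:-len(BITWISE_AND_RULE)]))
    wanted = _unescape(value).lower()
    return any(str(v).lower() == wanted for v in _attr(entry, attr))


def dn_under_base(dn, base):
    """Subtree scope: the entry is the base or sits below it (no escaped commas in this model)."""
    def norm(s):
        return ",".join(p.strip().lower() for p in s.split(","))
    return norm(dn) == norm(base) or norm(dn).endswith("," + norm(base))


def build_user_filter(cfg, username):
    """The search the debug log shows: the config filter AND'ed with the Name attribute."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attr_map"]["Name"], escape_filter_value(username))


def check_login(cfg, directory, username):
    """Return (ok, detail) in the order: found under base -> not disabled -> in group."""
    flt = build_user_filter(cfg, username)
    hits = [e for e in directory if dn_under_base(e["dn"], cfg["base"]) and filter_matches(e, flt)]
    if len(hits) != 1:
        return (False, "User not found" if not hits else "ambiguous match")
    user = hits[0]
    if filter_matches(user, cfg["d_filter"]):
        return (False, "User is disabled")
    if cfg.get("group"):
        groups = [g for g in directory if "group" in [c.lower() for c in _attr(g, "objectClass")]
                  and cfg["group"].lower() in [c.lower() for c in _attr(g, "cn")]]
        if not any(user["dn"] in _attr(g, cfg["group_attr"]) for g in groups):
            return (False, "not a member of %s" % cfg["group"])
    return (True, _attr(user, cfg["attr_map"]["Name"])[0])


if __name__ == "__main__":
    for name in ("josh cole", "jcole", "jdoe", "oldadmin", "ssmith"):
        print("%-10s -> %s" % (name, check_login(CONFIG, DIRECTORY, name)))
```

Against a real DC the equivalent check is an ldapsearch bound as the same service account, with the same base and the filter from the debug log; if that returns no entry, RT will not find the user either. Two notes on the config as posted: with `tls => 0` the simple bind sends the rtauth password, and every user's password on login, in the clear to port 389, so LDAPS or `tls => 1` is the setting to aim for once lookups work; and the base must be an ancestor of the users' DNs, since a subtree search never reaches a sibling OU.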




More information about the rt-users mailing list