[rt-users] Has anyone successfully configured LDAP to authenticate against AD with version 4.0.1?

josh.cole josh.cole at fresno.edu
Mon Aug 29 19:28:29 EDT 2011


I think I have made some progress. Still receiving an error. 

The error is:
[Mon Aug 29 23:15:41 2011] [debug]: Attempting to use external auth service:
Active_Directory
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Aug 29 23:15:41 2011] [debug]: Calling UserExists with $username (josh
cole) and $service (Active_Directory)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Aug 29 23:15:41 2011] [debug]: UserExists params:
username: josh cole , service: Active_Directory
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Aug 29 23:15:41 2011] [debug]: LDAP Search ===  Base: DC=fpu,DC=local
== Filter: (&(objectclass=person)(sAMAccountName=josh cole)) == Attrs:
mail,sAMAccountName
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Aug 29 23:15:41 2011] [debug]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by
RT::Authen::ExternalAuth
/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
553 with: Disabled: 0, EmailAddress: , Gecos: josh cole, Name: josh cole,
Privileged: 0
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)
[Mon Aug 29 23:15:41 2011] [debug]: Attempting to get user info using this
external service: Active_Directory
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
[Mon Aug 29 23:15:41 2011] [debug]: Attempting to use this canonicalization
key: ExternalAuthId
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Mon Aug 29 23:15:41 2011] [debug]: This attribute ( ExternalAuthId ) is
null or incorrectly defined in the attr_map for this service (
Active_Directory )
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:474)
[Mon Aug 29 23:15:41 2011] [debug]: Attempting to use this canonicalization
key: EmailAddress
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Mon Aug 29 23:15:41 2011] [debug]: LDAP Search ===  Base:
DC=mydomain,DC=local == Filter: (&(objectclass=person)) == Attrs:
mail,sAMAccountName
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Mon Aug 29 23:15:51 2011] [info]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: 0,
EmailAddress: , Gecos: josh cole, Name: josh cole, Privileged: 0
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
[Mon Aug 29 23:15:51 2011] [error]: Couldn't create user josh cole: Could
not set user info
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129)
[Mon Aug 29 23:15:51 2011] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Mon Aug 29 23:15:51 2011] [error]: FAILED LOGIN for josh cole from
172.18.10.65 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:655)



josh.cole wrote:
> 
> Below is the result:
> 
> [Mon Aug 29 20:04:21 2011] [critical]:
> RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
> LDAP_INVALID_CREDENTIALS 49
> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:467)
> 
> 
> Andrew Wagner-4 wrote:
>> 
>> I should have noticed this sooner - try specifying the full DN of your 
>> rtauth user.  That is, 
>> CN=rtauth,OU=someOU,OU=anotherOU,DC=mine,DC=his,DC=hers,DC=com.
>> 
>> Andrew Wagner
>> Assistant Network Administrator
>> aawagner at wisc.edu
>> 265-5710
>> Room 370B
>> Wisconsin Center for Education Research (WCER)
>> www.wcer.wisc.edu
>> 
>> 
>> On 8/29/2011 2:18 PM, josh.cole wrote:
>>> The user is within the base. The user exists in a sub-OU inside of ITS. I
>>> have the correct DC, I have the IP entered for the DC/LDAP Server.
>>>
>>> Yes sir that is correct, I am using placeholders. I do not believe that SSL
>>> is being used based on the config I provided. All of the information is
>>> correct. I have used an LDAP browser to verify connectivity on port 389 and
>>> to verify the information I've placed into the config.
>>>
>>>
>>> Andrew Wagner-4 wrote:
>>>> I believe that if you specify SSL, Authen-External will automatically
>>>> use port 636 (LDAPS).  TLS encryption uses 389.  We used TLS as LDAPS
>>>> is no longer officially supported.
>>>>
>>>> Is the user you are trying to authenticate with inside your base?  Do
>>>> you have the correct domain controller specified under server?  Do you
>>>> have the right domain specified and formatted under base?  I assume
>>>> you're replacing your domain information with placeholders in your
>>>> config and are not actually using rt.mydomain.local.
>>>>
>>>> Andrew Wagner
>>>> Assistant Network Administrator
>>>> aawagner at wisc.edu
>>>> 265-5710
>>>> Room 370B
>>>> Wisconsin Center for Education Research (WCER)
>>>> www.wcer.wisc.edu
>>>>
>>>>
>>>> On 8/29/2011 12:55 PM, josh.cole wrote:
>>>>> I think I am close now. I made those changes to the config. I am
>>>>> receiving an error when I try to log in with my AD credentials. The error is:
>>>>> [Mon Aug 29 17:35:31 2011] [critical]:
>>>>> RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to
>>>>> rt.mydomain.local
>>>>> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)
>>>>>
>>>>> Do I need to specify an LDAP port? I did add a username and password to
>>>>> authenticate.
>>>>>
>>>>>
>>>>> josh.cole wrote:
>>>>>> Thank you very much for your feedback. I really appreciate it.
>>>>>>
>>>>>> Andrew Wagner-4 wrote:
>>>>>>> Yes, Josh.  That is correct.  The ExternalAuthen checks all
>>>>>>> locations
>>>>>>> for users under the base OU.  Either change your specified base in
>>>>>>> RT_SiteConfig.pm or move the users to the OU that you want RT to
>>>>>>> search.
>>>>>>>
>>>>>>> Andrew Wagner
>>>>>>> Assistant Network Administrator
>>>>>>> aawagner at wisc.edu
>>>>>>> 265-5710
>>>>>>> Room 370B
>>>>>>> Wisconsin Center for Education Research (WCER)
>>>>>>> www.wcer.wisc.edu
>>>>>>>
>>>>>>>
>>>>>>> On 8/29/2011 11:39 AM, josh.cole wrote:
>>>>>>>> Thank you for your response. So just to make sure I understand, if
>>>>>>>> the users I want to be able to authenticate in RT are not in the OU
>>>>>>>> specified it will not work? So I should move those users to whatever
>>>>>>>> the OU is that I specify in the base?
>>>>>>>>
>>>>>>>> Andrew Wagner-4 wrote:
>>>>>>>>> 1.  For group_attr, you want the term to be 'member'.  That checks
>>>>>>>>> for membership in the group.
>>>>>>>>>
>>>>>>>>> 2.  For your base, you need to choose the next highest level of
>>>>>>>>> Active Directory beyond where your users are stored.  This means you
>>>>>>>>> need to specify the OU where your users are, not just a random
>>>>>>>>> "Users" OU.
>>>>>>>>>
>>>>>>>>> Andrew Wagner
>>>>>>>>> Assistant Network Administrator
>>>>>>>>> aawagner at wisc.edu
>>>>>>>>> 265-5710
>>>>>>>>> Room 370B
>>>>>>>>> Wisconsin Center for Education Research (WCER)
>>>>>>>>> www.wcer.wisc.edu
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 8/29/2011 11:26 AM, josh.cole wrote:
>>>>>>>>>> I am trying to make this work. I installed the latest version of
>>>>>>>>>> ExternalAuth. I am working with Request Tracker for the first time,
>>>>>>>>>> just upgraded from 3.8.7 to 4.0.1. There are a few things that I
>>>>>>>>>> think are off but I am not sure what the correct solution is.
>>>>>>>>>>
>>>>>>>>>> 1. I am not sure what to use for the group_attr. I want to have
>>>>>>>>>> users in the group Request-Tracker inside of AD be able to
>>>>>>>>>> authenticate with their credentials when logging into RT, and I
>>>>>>>>>> believe the filter is set correctly other than what needs to be
>>>>>>>>>> added for the group_attribute. I am not sure what that should be.
>>>>>>>>>>
>>>>>>>>>> 2. For my base statement. I am specifying the Users OU but none of
>>>>>>>>>> my users are in that OU. I am not sure exactly what it's looking
>>>>>>>>>> for there.
>>>>>>>>>>
>>>>>>>>>> Any help is appreciated!
>>>>>>>>>> ExternalAuth config:
>>>>>>>>>>
>>>>>>>>>> I have added the following to my RT_SiteConfig.pm:
>>>>>>>>>>
>>>>>>>>>> @RT::MailPlugins = ("RT::Authen::ExternalAuth");
>>>>>>>>>> Set(@Plugins, qw(RT::Authen::ExternalAuth) );
>>>>>>>>>> Set($ExternalAuthPriority, [ 'Active_Directory' ] );
>>>>>>>>>> Set($ExternalInfoPriority, [ 'Active_Directory' ] );
>>>>>>>>>> Set($AutoCreateNonExternalUsers, 0);
>>>>>>>>>>
>>>>>>>>>> Set($ExternalSettings, {
>>>>>>>>>>     'Active_Directory' => {
>>>>>>>>>>         'type'   => 'ldap',
>>>>>>>>>>         'auth'   => 1,
>>>>>>>>>>         'info'   => 1,
>>>>>>>>>>         'server' => 'rt.mydomain.local',
>>>>>>>>>>         'base'   => 'OU=Users,DC=mydomain,DC=local',
>>>>>>>>>>         # The filter to use to match RT-Users
>>>>>>>>>>         'filter' => '(objectclass=person)',
>>>>>>>>>>         # The filter that will only match disabled users
>>>>>>>>>>         'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>>>>>>>>>         # Should we try to use TLS to encrypt connections?
>>>>>>>>>>         'tls' => 0,
>>>>>>>>>>         # What other args should I pass to Net::LDAP->new($host,@args)?
>>>>>>>>>>         'net_ldap_args' => [ version => 3 ],
>>>>>>>>>>         # Does authentication depend on group membership? What group name?
>>>>>>>>>>         'group' => 'Request-Tracker',
>>>>>>>>>>         # What is the attribute for the group object that determines membership?
>>>>>>>>>>         #'group_attr' => 'GROUP_ATTR',
>>>>>>>>>>
>>>>>>>>>>         ## RT ATTRIBUTE MATCHING SECTION
>>>>>>>>>>         # The list of RT attributes that uniquely identify a user
>>>>>>>>>>         'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
>>>>>>>>>>         # The mapping of RT attributes on to LDAP attributes
>>>>>>>>>>         'attr_map' => {
>>>>>>>>>>             'Name'           => 'sAMAccountName',
>>>>>>>>>>             'EmailAddress'   => 'mail',
>>>>>>>>>>             'Organization'   => 'physicalDeliveryOfficeName',
>>>>>>>>>>             'RealName'       => 'displayName',
>>>>>>>>>>             'ExternalAuthId' => 'sAMAccountName',
>>>>>>>>>>             'Gecos'          => 'sAMAccountName',
>>>>>>>>>>             'WorkPhone'      => 'telephoneNumber',
>>>>>>>>>>             'Address1'       => 'streetAddress',
>>>>>>>>>>             'City'           => 'l',
>>>>>>>>>>             'State'          => 'st',
>>>>>>>>>>             'Zip'            => 'postalCode',
>>>>>>>>>>             'Country'        => 'co',
>>>>>>>>>>         },
>>>>>>>>>>     },
>>>>>>>>>> });
>>>>>>>>>>
>>>>>>>>> --------
>>>>>>>>> RT Training Sessions
>>>>>>>>> (http://bestpractical.com/services/training.html)
>>>>>>>>> *  Chicago, IL, USA — September 26 & 27, 2011
>>>>>>>>> *  San Francisco, CA, USA — October 18 & 19, 2011
>>>>>>>>> *  Washington DC, USA — October 31 & November 1, 2011
>>>>>>>>> *  Melbourne VIC, Australia — November 28 & 29, 2011
>>>>>>>>> *  Barcelona, Spain — November 28 & 29, 2011
>>>>>>>>>
>>>>>>>
>>>>
>>>>
>> 
>> 
>>  
> 
> 

-- 
View this message in context: http://old.nabble.com/Has-anyone-sucessfully-configured-LDAP-to-authenticate-against-AD-with-version-4.0.1--tp32358024p32360916.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.
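An added example, not code from this thread and not part of RT::Authen::ExternalAuth: a small offline Python model of the three LDAP checks the ExternalSettings block above configures, namely the user lookup built from `filter` plus the `sAMAccountName` mapping (the shape of the search visible in the debug log), the `d_filter` test on the ACCOUNTDISABLE bit of userAccountControl, and a `group_attr => 'member'` membership test against the Request-Tracker group. The directory entries, DNs, group and logins are constructed for illustration. It lets you reason about which base and group settings will match before touching RT_SiteConfig.pm; it does not reproduce ExternalAuth's own code paths. Two practitioner notes: with `tls => 0` and no SSL, the service account's simple bind and every user's password cross the wire to port 389 in the clear, so enable TLS or LDAPS once the lookups work; and a login is interpolated into the search filter, so any script of your own that builds filters should escape it per RFC 4515 as escape_filter_value below does.

```python
# Added example: an offline model of the checks configured by the ExternalSettings
# block in this thread.  Not RT::Authen::ExternalAuth's code; no directory is
# contacted.  All entries, DNs and logins are constructed for illustration.

ACCOUNTDISABLE = 0x0002  # bit tested by (userAccountControl:1.2.840.113556.1.4.803:=2)

# RFC 4515 escaping for a value interpolated into a search filter.  A space (as
# in the "josh cole" login in the log) is harmless; ( ) * \ and NUL are not.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(login, base_filter="(objectclass=person)", name_attr="sAMAccountName"):
    """Filter of the shape seen in the debug log, with escaping applied:
    (&(objectclass=person)(sAMAccountName=<login>))"""
    return "(&%s(%s=%s))" % (base_filter, name_attr, escape_filter_value(login))


def under_base(dn, base):
    """Subtree scope: the entry's DN must end with the search base."""
    return dn.lower().endswith("," + base.lower())


def find_user(login, directory, base, name_attr="sAMAccountName"):
    """Model of the UserExists lookup: first person entry under `base` whose
    name attribute equals the login (AD compares sAMAccountName case-insensitively)."""
    for entry in directory:
        if not under_base(entry["dn"], base):
            continue
        if "person" not in entry["objectClass"]:
            continue
        if entry.get(name_attr, "").lower() == login.lower():
            return entry
    return None


def is_disabled(entry):
    """Model of d_filter: ACCOUNTDISABLE set in userAccountControl."""
    return bool(int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE)


def in_group(entry, group_entry, group_attr="member"):
    """group_attr => 'member': the user's DN must be listed on the group object."""
    return entry["dn"] in group_entry.get(group_attr, [])


def authorize(login, directory, group_entry, base):
    """Run the checks in the order the config implies; return (ok, reason)."""
    user = find_user(login, directory, base)
    if user is None:
        return False, "no user under base %s" % base
    if is_disabled(user):
        return False, "account disabled"
    if not in_group(user, group_entry):
        return False, "not a member of %s" % group_entry["dn"]
    return True, user["dn"]


# Constructed sample directory: the users live in a sub-OU of ITS rather than
# in OU=Users, which is the situation described in the thread.
DOMAIN = "DC=mydomain,DC=local"
DIRECTORY = [
    {"dn": "CN=jcole,OU=Helpdesk,OU=ITS," + DOMAIN, "objectClass": ["top", "person", "user"],
     "sAMAccountName": "jcole", "mail": "jcole@example.invalid", "userAccountControl": 512},
    {"dn": "CN=asmith,OU=Helpdesk,OU=ITS," + DOMAIN, "objectClass": ["top", "person", "user"],
     "sAMAccountName": "asmith", "mail": "asmith@example.invalid", "userAccountControl": 514},
    {"dn": "CN=bjones,OU=Finance," + DOMAIN, "objectClass": ["top", "person", "user"],
     "sAMAccountName": "bjones", "mail": "bjones@example.invalid", "userAccountControl": 512},
]
GROUP = {"dn": "CN=Request-Tracker,OU=Groups," + DOMAIN,
         "member": ["CN=jcole,OU=Helpdesk,OU=ITS," + DOMAIN]}

if __name__ == "__main__":
    for login in ("jcole", "JCOLE", "asmith", "bjones", "nobody", "jcole)(cn=*"):
        print(login, user_filter(login), authorize(login, DIRECTORY, GROUP, DOMAIN))
    # The base from the first config in the thread finds nobody:
    print(authorize("jcole", DIRECTORY, GROUP, "OU=Users," + DOMAIN))
```

Running it shows the enabled group member authorising, the disabled account and the non-member being refused, and the same user being refused outright when the base is `OU=Users,DC=mydomain,DC=local`, which is the base-DN point made earlier in the thread.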