[rt-users] rt4 and External Auth to AD 2008 non-ssl

Brian Murphy blmurphy at eiu.edu
Tue Aug 30 14:42:16 EDT 2011


I have actually gotten auth to work through my active directory.  

I still have to debug my group membership attribute as that is what was tripping me up this last time.  Not real sure how to code it.

Seeing this failure:
[Tue Aug 30 16:15:09 2011] [debug]: LDAP Search ===  Base: dc=eiuad,dc=eiu,dc=edu == Filter: (member=CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Tue Aug 30 16:15:09 2011] [info]: EIUAD AUTH FAILED: blmurphy (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Tue Aug 30 16:15:09 2011] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Tue Aug 30 16:15:09 2011] [debug]: Password Validation Check Result:  0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)

I removed the group check from the SiteConfig and now I can login using my external active directory credentials.  Anyone have an idea what I might be coding or placing wrong on trying to use the group membership?

Thanks for all your input(s).

Brian 

----- Original Message -----
From: "Brian Murphy" <blmurphy at eiu.edu>
To: rt-users at lists.bestpractical.com
Sent: Tuesday, August 30, 2011 11:33:53 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

Complaining about validating the password after locating the user entry.

I am now receiving the following out of the external auth:


[Tue Aug 30 16:15:09 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 16:15:09 2011] [debug]: Calling UserExists with $username (blmurphy) and $service (EIUAD) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Tue Aug 30 16:15:09 2011] [debug]: UserExists params:
username: blmurphy , service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Tue Aug 30 16:15:09 2011] [debug]: LDAP Search ===  Base: dc=eiuad,dc=eiu,dc=edu == Filter: (&(objectClass=*)(sAMAccountName=blmurphy)) == Attrs: sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Tue Aug 30 16:15:09 2011] [debug]: Password validation required for service - Executing... (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Tue Aug 30 16:15:09 2011] [debug]: Trying external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Tue Aug 30 16:15:09 2011] [debug]: LDAP Search ===  Base: dc=eiuad,dc=eiu,dc=edu == Filter: (&(sAMAccountName=blmurphy)(objectClass=*)) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Tue Aug 30 16:15:09 2011] [debug]: Found LDAP DN: CN=Murphy\, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Tue Aug 30 16:15:09 2011] [debug]: LDAP Search ===  Base: dc=eiuad,dc=eiu,dc=edu == Filter: (member=CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Tue Aug 30 16:15:09 2011] [info]: EIUAD AUTH FAILED: blmurphy (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Tue Aug 30 16:15:09 2011] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Tue Aug 30 16:15:09 2011] [debug]: Password Validation Check Result:  0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Tue Aug 30 16:15:09 2011] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Tue Aug 30 16:15:09 2011] [error]: FAILED LOGIN for blmurphy from 139.67.17.30 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:639)


Using the following RT_SiteConfig.pm settings:

Set($ExternalSettings,      {
                                # EIUAD Active Directory
                                'EIUAD'       =>  {   ## GENERIC SECTION
                                                        # The type of service (db/ldap/cookie)
                                                        'type'                      =>  'ldap',
                                                        # The server hosting the service
                                                        'server'                    =>  'eiuad.eiu.edu',
                                                        ## SERVICE-SPECIFIC SECTION
                                                        # If you can bind to your LDAP server anonymously you should
                                                        # remove the user and pass config lines, otherwise specify them here:
                                                        #
                                                        # The username RT should use to connect to the LDAP server
                                                        'user'                      =>  'CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
                                                        # The password RT should use to connect to the LDAP server
                                                        'pass'                    =>  'xxxxxxxxx!',
                                                        #
                                                        # The LDAP search base
                                                        #'base'                      =>  'ou=its employees,ou=employee accounts,ou=eiu users,dc=eiuad,dc=eiu,dc=edu',
                                                        'base'                      =>   'dc=eiuad,dc=eiu,dc=edu',
                                                        #
                                                        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
                                                        # YOU **MUST** SPECIFY A filter AND A d_filter!!
                                                        #
                                                        # The filter to use to match RT-Users
                                                        'filter'                    =>  '(objectClass=*)',
                                                        # A catch-all example filter: '(objectClass=*)'
                                                        #
                                                        # The filter that will only match disabled users
                                                        'd_filter'                  =>  '(objectclass=Foo)',
                                                        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
                                                        #
                                                        # Should we try to use TLS to encrypt connections?
                                                        'tls'                       =>  0,
                                                        # SSL Version to provide to Net::SSLeay *if* using SSL
                                                        'ssl_version'               =>  3,
                                                        # What other args should I pass to Net::LDAP->new($host, @args)?
                                                        'net_ldap_args'             => [    version =>  3   ],
                                                        # Does authentication depend on group membership? What group name?
                                                        'group'                     =>  'CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
                                                        # What is the attribute for the group object that determines membership?
                                                        'group_attr'                =>  'member',
                                                        ## RT ATTRIBUTE MATCHING SECTION
                                                        # The list of RT attributes that uniquely identify a user
                                                        # This example shows what you *can* specify.. I recommend reducing this
                                                        # to just the Name and EmailAddress to save encountering problems later.
                                                        'attr_match_list'           => [    'Name'
                                                                                        ],
                                                        # The mapping of RT attributes on to LDAP attributes
                                                        'attr_map'                  =>  {   'Name' => 'sAMAccountName'
                                                                                        }
                                                    }
                                }
);

----- Original Message -----
From: "Brian Murphy" <blmurphy at eiu.edu>
To: rt-users at lists.bestpractical.com
Sent: Tuesday, August 30, 2011 10:59:08 AM
Subject: Fwd: [rt-users] rt4 and External Auth to AD 2008 non-ssl


Well, sh**!  Sometimes the simplest are the most difficult.  I was way too close to the forest to see the trees on that one.  Having a . instead of the , in my base string was causing me to not be able to find the entry.  I have my filter set to () and am using the sAMAccountName and finding the user account, but now it refuses my password.  Here is what I get in the log.  Any ideas?  I know my password and am using it for other accounts.

[Tue Aug 30 15:48:14 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 15:48:14 2011] [debug]: Calling UserExists with $username (blmurphy) and $service (EIUAD) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Tue Aug 30 15:48:14 2011] [debug]: UserExists params:
username: blmurphy , service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search ===  Base: dc=eiuad,dc=eiu,dc=edu == Filter: (&(sAMAccountName=blmurphy)) == Attrs: sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Tue Aug 30 15:48:14 2011] [debug]: Password validation required for service - Executing... (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Tue Aug 30 15:48:14 2011] [debug]: Trying external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search ===  Base: dc=eiuad,dc=eiu,dc=edu == Filter: (&(sAMAccountName=blmurphy)) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Tue Aug 30 15:48:14 2011] [debug]: Found LDAP DN: CN=Murphy\, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search ===  Base: dc=eiuad,dc=eiu,dc=edu == Filter: (member=CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Tue Aug 30 15:48:14 2011] [info]: EIUAD AUTH FAILED: blmurphy (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Tue Aug 30 15:48:14 2011] [debug]: Password Validation Check Result:  0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Tue Aug 30 15:48:14 2011] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Tue Aug 30 15:48:14 2011] [error]: FAILED LOGIN for blmurphy from 139.67.17.30 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:639)
[Tue Aug 30 15:48:17 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 15:48:17 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Tue Aug 30 15:48:17 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)

----- Original Message -----
From: "David Chandek-Stark" <david.chandek.stark at duke.edu>
To: "Brian Murphy" <blmurphy at eiu.edu>, rt-users at lists.bestpractical.com
Sent: Tuesday, August 30, 2011 10:41:54 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I'm guessing your base should have a comma b/w "eiu" and "dc" -- i.e.,
"dc=eiuad,dc=eiu,dc=edu".

--D

On 8/30/11 11:34 AM, "Brian Murphy" <blmurphy at eiu.edu> wrote:
>[Tue Aug 30 15:29:48 2011] [debug]: LDAP Search ===  Base:
>dc=eiuad,dc=eiu.dc=edu == Filter: (&(sAMAccountName=blmurphy)) == Attrs:
>sAMAccountName 
>(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/
>LDAP.pm:304)
