[rt-users] ExternalAuth help needed
Joachim Thuau
Joachim.Thuau at heavy-iron.com
Thu Jan 13 19:02:57 EST 2011
Wes,
Your user DN for the admin user is odd. I would expect it to include some sort of "ou" component, something more along the lines of:
'user' => 'cn=admin,ou=people,dc=ucsc,dc=edu',
A couple more questions for you:
* What kind of LDAP server are you running?
* Do you have any sort of LDAP browser software on your machine? (ldapsearch is fine, but sometimes a little hard to get going).
That should solve your LDAP DN syntax issue.
Thanks,
Jok
From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Wes Modes
Sent: Thursday, January 13, 2011 1:42 PM
To: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] ExternalAuth help needed
I found that I don't need to define MySQL as an external auth source because, uh, it is not external. I am using the default mysql authentication for rt. So I removed mysql from the ExternalAuthPriority and ExternalInfoPriority arrays.
This quiets some of the more perplexing "Password Encryption" errors, but still leaves me with these similar errors:
For a local rt user:
[Thu Jan 13 21:39:34 2011] [critical]: Search for (ou=group,dc=ucsc,dc=edu=uid=wmodes,ou=people,dc=ucsc,dc=edu) failed: LDAP_INVALID_DN_SYNTAX 34 (/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:116)
and for an LDAP only user:
[Thu Jan 13 21:40:27 2011] [critical]: Search for (ou=group,dc=ucsc,dc=edu=uid=rjohnson,ou=people,dc=ucsc,dc=edu) failed: LDAP_INVALID_DN_SYNTAX 34 (/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:116)
[Thu Jan 13 21:40:27 2011] [error]: FAILED LOGIN for rjohnson from 128.114.163.50 (/usr/lib/rt/RT/Interface/Web.pm:424)
Here are the config files:
# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
# perl -c /path/to/your/etc/RT_SiteConfig.pm
#Set( $rtname, 'example.com');
#Set( $rtname, 'example.com');
#Set(@Plugins,(qw(Extension::QuickDelete RT::FM)));
Set(@Plugins,qw(RT::Extension::ExtractCustomFieldValues
RT::Authen::ExternalAuth));
require "/etc/rt/RT_Authen-ExternalAuth.pm";
# Look into the zoneinfo database for valid values (/usr/share/zoneinfo/)
# Set( $Timezone , 'US/Eastern');
# Set( $WebBaseURL , "http://localhost");
Set( $WebPath , "/rt");
Set($rtname , "rt.library.ucsc.edu");
Set($Organization , "rt.library.ucsc.edu");
Set($Timezone , 'US/Pacific');
Set($DatabaseUser , 'root');
Set($DatabasePassword , 'r3c at ll');
Set($DatabaseName , 'rt3');
Set($CanonicalizeEmailAddressMatch , 'rt2.library.ucsc.edu$');
#Set($CanonicalizeEmailAddressReplace , 'library.ucsc.edu');
Set($RTAddressRegexp, '\@rt2.library.ucsc.edu$');
Set($OwnerEmail, 'rootmail');
Set($WebBaseURL, "http://rt2.library.ucsc.edu");
# $LogoURL points to the URL of the RT logo displayed in the web UI
Set($LogoURL , $WebImagesURL . "library.gif");
Set($LogToFile, 'error');
1;
and the external auth config:
# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority, [ 'My_LDAP' ]);
# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
#
# Once user info is found, no more services are checked.
#
# You CANNOT use a SSO cookie for authentication.
Set($ExternalInfoPriority, [ 'My_LDAP' ]);
# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS, 0);
# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 0);
# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
# Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
#
Set($ExternalSettings, {
    # AN EXAMPLE DB SERVICE
    'My_MySQL' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'db',
        # The server hosting the service
        'server' => 'rt2.library.ucsc.edu',
        ## SERVICE-SPECIFIC SECTION
        # The database name
        'database' => 'rt3',
        # The database table
        'table' => 'Users',
        # The user to connect to the database as
        'user' => 'root',
        # The password to use to connect with
        'pass' => 'xxxxxxxx',
        # The port to use to connect with (e.g. 3306)
        'port' => '3306',
        # The name of the Perl DBI driver to use (e.g. mysql)
        'dbi_driver' => 'mysql',
        # The field in the table that holds usernames
        'u_field' => 'Name',
        # The field in the table that holds passwords
        'p_field' => 'Password',
        # The Perl package & subroutine used to encrypt passwords
        # e.g. if the passwords are stored using the MySQL v3.23 "PASSWORD"
        # function, then you will need Crypt::MySQL::password, but for the
        # MySQL4+ password function you will need Crypt::MySQL::password41
        # Alternatively, you could use Digest::MD5::md5_hex or any other
        # encryption subroutine you can load in your perl installation
        'p_enc_pkg' => 'Crypt::MySQL',
        'p_enc_sub' => 'password',
        # If your p_enc_sub takes a salt as a second parameter,
        # uncomment this line to add your salt
        #'p_salt' => 'SALT',
        #
        # The field and values in the table that determines if a user should
        # be disabled. For example, if the field is 'user_status' and the values
        # are ['0','1','2','disabled'] then the user will be disabled if their
        # user_status is set to '0','1','2' or the string 'disabled'.
        # Otherwise, they will be considered enabled.
        'd_field' => 'disabled',
        'd_values' => ['0'],
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list' => [ 'Gecos',
                               'Name'
                             ],
        # The mapping of RT attributes on to field names
        'attr_map' => { 'Name'           => 'username',
                        'EmailAddress'   => 'email',
                        'ExternalAuthId' => 'username',
                        'Gecos'          => 'userID'
                      }
    },
    # AN EXAMPLE LDAP SERVICE
    'My_LDAP' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        # The server hosting the service
        'server' => 'dir1.library.ucsc.edu',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user' => 'cn=admin,dc=ucsc,dc=edu',
        # The password RT should use to connect to the LDAP server
        'pass' => 'xxxxxxxx',
        #
        # The LDAP search base
        'base' => 'ou=people,dc=ucsc,dc=edu',
        #
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        #
        # The filter to use to match RT-Users
        'filter' => '(objectClass=person)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter' => '(objectClass=FooBarBaz)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'staff',
        # What is the attribute for the group object that determines membership?
        'group_attr' => 'ou=group,dc=ucsc,dc=edu',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name',
                               'EmailAddress',
                             ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name'           => 'uid',
                        'EmailAddress'   => 'mail',
                        'RealName'       => 'cn',
                        'ExternalAuthId' => 'uid',
                        'Gecos'          => 'gecos',
                        'WorkPhone'      => 'telephoneNumber',
                      }
    },
    # An example SSO cookie service
    'My_SSO_Cookie' => {
        # The type of service (db/ldap/cookie)
        'type' => 'cookie',
        # The name of the cookie to be used
        'name' => 'loginCookieValue',
        # The users table
        'u_table' => 'users',
        # The username field in the users table
        'u_field' => 'username',
        # The field in the users table that uniquely identifies a user
        # and also exists in the cookies table
        'u_match_key' => 'userID',
        # The cookies table
        'c_table' => 'login_cookie',
        # The field that stores cookie values
        'c_field' => 'loginCookieValue',
        # The field in the cookies table that uniquely identifies a user
        # and also exists in the users table
        'c_match_key' => 'loginCookieUserID',
        # The DB service in this configuration to use to lookup the cookie information
        'db_service_name' => 'My_MySQL'
    }
}
);
1;
Any help would be appreciated. Thanks.
Wes
On 1/12/2011 4:14 PM, Kevin Falcone wrote:
On Wed, Jan 12, 2011 at 04:01:08PM -0800, Wes Modes wrote:
[Wed Jan 12 23:31:22 2011] [error]: AUTH FAILED, Couldn't Load Password Encryption Package.
Error: Can't locate Crypt/MySQL.pm in @INC (@INC contains: /usr/local/rt/lib
What are you doing to load that?
You should send along the other parts of your RT_SiteConfig.pm, it
appears you've got something 'interesting' running. Did you tell
RT-Authen-ExternalAuth to look at LDAP and a mysql database?
-kevin
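An added check for this thread, covering both Jok's point about DN syntax and the LDAP_INVALID_DN_SYNTAX 34 lines in Wes's log. It is not code from RT or from RT-Authen-ExternalAuth. It assumes, from the log line "Search for (ou=group,dc=ucsc,dc=edu=uid=wmodes,ou=people,dc=ucsc,dc=edu)", that the plugin issues the group search with base = the 'group' value and filter = "(<group_attr>=<user DN>)"; so 'group' has to be a DN (here 'staff' is not one, which is what error 34 complains about) and 'group_attr' has to be a bare attribute type. The DN check is a simplified RFC 4514 grammar written here, not the directory's own parser. The corrected values cn=staff,ou=group,dc=ucsc,dc=edu and member are assumptions for a groupOfNames-style group whose member attribute holds user DNs, which is what that filter compares against; a posixGroup with memberUid holds uids, not DNs, and would need a different filter.

```python
"""Sanity-check the 'group' / 'group_attr' pair of an RT ExternalAuth LDAP
service before the bind and search reach a real server.

Added example for this thread; not code from RT or RT-Authen-ExternalAuth.
Assumed search shape (taken from the log line in the thread):
    base   = settings['group']
    filter = "(<group_attr>=<user DN>)"
"""
import re

# Simplified RFC 4514 grammar: attribute type, "=", value with backslash escapes.
# Multi-valued RDNs (a=x+b=y) and dotted OID attribute types are not handled.
_RDN_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=(?:[^,\\]|\\.)+$')
_ATTR_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*$')


def split_dn(dn):
    """Split a DN into RDN strings on commas that are not backslash-escaped."""
    return [rdn.strip() for rdn in re.split(r'(?<!\\),', dn)]


def is_valid_dn(dn):
    """True if the string is non-empty and every RDN looks like 'type=value'."""
    return bool(dn) and all(_RDN_RE.match(rdn) for rdn in split_dn(dn))


def is_attribute_type(name):
    """True if name is a bare LDAP attribute type such as 'member' or 'uid'."""
    return bool(_ATTR_RE.match(name))


def build_group_search(settings, user_dn):
    """The membership search as the log line shows it being composed (assumed shape)."""
    return {
        'base': settings['group'],
        'filter': '(%s=%s)' % (settings['group_attr'], user_dn),
    }


def check_group_settings(settings):
    """Return a list of problems with 'group' / 'group_attr' (empty list = looks sane)."""
    problems = []
    group, attr = settings.get('group'), settings.get('group_attr')
    if group is None and attr is None:
        return problems  # group membership check not enabled at all
    if not is_valid_dn(group or ''):
        problems.append("group %r is used as the search base but is not a DN "
                        "(this is the LDAP_INVALID_DN_SYNTAX 34 seen in the log)" % group)
    if not is_attribute_type(attr or ''):
        problems.append("group_attr %r must be an attribute type (e.g. member), "
                        "not a DN; it goes on the left of '=' in the filter" % attr)
    return problems


# Values exactly as posted in the thread.
BROKEN_SETTINGS = {'group': 'staff', 'group_attr': 'ou=group,dc=ucsc,dc=edu'}
# Assumed corrected values: a groupOfNames-style entry whose 'member'
# attribute holds user DNs, which is what the filter compares the user DN to.
FIXED_SETTINGS = {'group': 'cn=staff,ou=group,dc=ucsc,dc=edu', 'group_attr': 'member'}
# Constructed from the uid and base in the posted config.
USER_DN = 'uid=wmodes,ou=people,dc=ucsc,dc=edu'

if __name__ == '__main__':
    for label, cfg in (('posted', BROKEN_SETTINGS), ('corrected', FIXED_SETTINGS)):
        print(label, build_group_search(cfg, USER_DN))
        for problem in check_group_settings(cfg):
            print('  problem:', problem)
    # Jok's bind-DN point: both spellings are syntactically valid DNs; which one
    # actually exists is a question for the directory, not for a parser.
    for dn in ('cn=admin,dc=ucsc,dc=edu', 'cn=admin,ou=people,dc=ucsc,dc=edu'):
        print(dn, 'valid' if is_valid_dn(dn) else 'invalid')
```

Run it as a script to see the posted settings reproduce the filter string from the log, with 'staff' as the base, next to the corrected pair; a syntactically valid bind DN still has to be confirmed against the directory (an ldapsearch bind with that DN, as Jok suggests) before it can be blamed or cleared.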