[rt-users] External Auth (LDAP) and Mail Attribute

Thomas Misilo misilot at fit.edu
Wed Nov 16 12:28:05 EST 2011


-----Original Message-----
From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Wednesday, November 16, 2011 11:54 AM
To: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] External Auth (LDAP) and Mail Attribute

On Tue, Nov 15, 2011 at 03:21:22PM -0500, Thomas  Misilo wrote:
> 
> >Also - to be clear, you're concentrating on the part of the code that checks to see if a user exists.  You're not looking at the later queries that *actually* sync the data.
> 
> >-kevin
> 
> Okay, I have looked through and checked everything but I cannot find any
> errors in rt.log
> 
> I see this line: [Tue Nov 15 20:19:22 2011] [debug]: Authentication successful. Now updating user information and attempting login. (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:179) but it doesn't talk about any of my mappings.
> 

Unfortunately, we haven't seen a full config or log so it's really hard to comment on what's happening.

-kevin


Full Config:

# Any configuration directives you include  here will override 
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
#   perl -c /path/to/your/etc/RT_SiteConfig.pm
#
# You must restart your webserver after making changes to this file.

Set( $rtname, 'Evans Library');
Set($Organization, "url.tld");
Set($WebDomain, "url.tld");
Set($WebPort, 80);
Set($WebPath, "/rt");
Set($DatabaseHost,   "sqlserver.tld");
Set($DatabaseRTHost, "url.tld");
Set($DatabaseUser, "rt4");
Set($DatabasePassword, q{hello});
Set($DatabaseName, q{rt4});
Set($OwnerEmail, 'owner at url.tld');

Set($LogToSyslog, "debug");
Set($LogToScreen, "debug");
Set($LogToFile, "debug");


Set($CanonicalizeOnCreate, 1);

Set($ValidateUserEmailAddresses, 1);
Set($AutoCreateNonExternalUsers,    1);
Set($ExternalAuthPriority,  [   'AD'
                            ]
);

Set($ExternalAuthPriority,  [   'AD'
                            ]
);

Set($ExternalSettings,      {   
       'AD'       =>  {   
                        'type'                      =>  'ldap',
                        'server'                    =>  'ad.tld',
                        'user'                      =>  'CN=user,OU=Group User Accounts,OU=Groups,DC=ad,DC=tld',
                        'pass'                    =>  'bindingpassword',
                        'base'                      =>  'DC=ad,DC=tld',
                        # The filter to use to match RT-Users
                        'filter'                    =>  '(objectClass=*)',
                        'd_filter'                  =>  '(userAccountControl:1.2.840.113556.1.4.803:=2)',
                        # Should we try to use TLS to encrypt connections?
                        'tls'                       =>  0,
                        # SSL Version to provide to Net::SSLeay *if* using SSL
                        'ssl_version'               =>  3,
                        # What other args should I pass to Net::LDAP->new($host, at args)?
                        'net_ldap_args'             => [    version =>  3   ],
                        # Does authentication depend on group membership? What group name?
                        #'group'                     =>  'Internal Site Access',
                        # What is the attribute for the group object that determines membership?
                        #'group_attr'                =>  'memberOf',
                        ## RT ATTRIBUTE MATCHING SECTION
                        # The list of RT attributes that uniquely identify a user
                        # This example shows what you *can* specify.. I recommend reducing this
                        # to just the Name and EmailAddress to save encountering problems later.
                        'attr_match_list'           => [    'Name',
                                                            'EmailAddress'
                                                        ],
                        # The mapping of RT attributes on to LDAP attributes
                        'attr_map'                  =>  {   'Name' => 'sAMAccountName',
                                                            'EmailAddress' => 'mail',
                                                            'Organization' => 'physicalDeliveryOfficeName',
                                                            'RealName' => 'displayName',
                                                            'ExternalContactInfoId' => 'dn',
                                                            'ExternalAuthId' => 'sAMAccountName',
                                                            'Gecos' => 'sAMAccountName',
                                                            'WorkPhone' => 'telephoneNumber'
                                                        }
                    }});

Set( @Plugins, (qw(RT::Authen::ExternalAuth)) );




1;


Logs:

[Wed Nov 16 17:26:07 2011] [debug]: You've enabled GraphViz, but we couldn't load the module: Can't locate GraphViz.pm in @INC (@INC contains: /opt/rt4/sbin/../local/lib /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib /opt/rt4/sbin/../lib /usr/lib/perl5/site_perl /usr/share/perl5/site_perl /usr/lib/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib/perl5/core_perl /usr/share/perl5/core_perl . /etc/httpd) at /opt/rt4/sbin/../lib/RT/Config.pm line 558. (/opt/rt4/sbin/../lib/RT/Config.pm:559)
[Wed Nov 16 17:26:07 2011] [debug]: The RTAddressRegexp option is not set in the config. Not setting this option results in additional SQL queries to check whether each address belongs to RT or not. It is especially important to set this option if RT recieves emails on addresses that are not in the database or config. (/opt/rt4/sbin/../lib/RT/Config.pm:454)
[Wed Nov 16 17:26:09 2011] [debug]: You've enabled GraphViz, but we couldn't load the module: Can't locate GraphViz.pm in @INC (@INC contains: /opt/rt4/sbin/../local/lib /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib /opt/rt4/sbin/../lib /usr/lib/perl5/site_perl /usr/share/perl5/site_perl /usr/lib/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib/perl5/core_perl /usr/share/perl5/core_perl . /etc/httpd) at /opt/rt4/sbin/../lib/RT/Config.pm line 558. (/opt/rt4/sbin/../lib/RT/Config.pm:559)
[Wed Nov 16 17:26:09 2011] [debug]: The RTAddressRegexp option is not set in the config. Not setting this option results in additional SQL queries to check whether each address belongs to RT or not. It is especially important to set this option if RT recieves emails on addresses that are not in the database or config. (/opt/rt4/sbin/../lib/RT/Config.pm:454)
[Wed Nov 16 17:26:18 2011] [debug]: ExternalInfoPriority not defined. User information (including user enabled/disabled cannot be externally-sourced (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:40)
[Wed Nov 16 17:26:18 2011] [debug]: Attempting to use external auth service: AD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed Nov 16 17:26:18 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Wed Nov 16 17:26:18 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Wed Nov 16 17:26:18 2011] [debug]: ExternalInfoPriority not defined. User information (including user enabled/disabled cannot be externally-sourced (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:40)
[Wed Nov 16 17:26:18 2011] [debug]: Attempting to use external auth service: AD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed Nov 16 17:26:18 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Wed Nov 16 17:26:18 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Wed Nov 16 17:26:24 2011] [debug]: ExternalInfoPriority not defined. User information (including user enabled/disabled cannot be externally-sourced (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:40)
[Wed Nov 16 17:26:24 2011] [debug]: Attempting to use external auth service: AD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed Nov 16 17:26:24 2011] [debug]: Calling UserExists with $username (iamuser) and $service (AD) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Wed Nov 16 17:26:24 2011] [debug]: UserExists params:
username: iamuser , service: AD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Wed Nov 16 17:26:24 2011] [debug]: LDAP Search ===  Base: DC=AD,DC=tld == Filter: (&(objectClass=*)(sAMAccountName=iamuser)) == Attrs: telephoneNumber,displayName,dn,physicalDeliveryOfficeName,mail,sAMAccountName,sAMAccountName,sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Wed Nov 16 17:26:24 2011] [debug]: Password validation required for service - Executing... (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Wed Nov 16 17:26:24 2011] [debug]: Trying external auth service: AD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Wed Nov 16 17:26:24 2011] [debug]: LDAP Search ===  Base: DC=AD,DC=tld == Filter: (&(sAMAccountName=iamuser)(objectClass=*)) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Wed Nov 16 17:26:24 2011] [debug]: Found LDAP DN: CN=iamuser,OU=People,DC=AD,DC=tld (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Wed Nov 16 17:26:24 2011] [info]: RT::Authen::ExternalAuth::LDAP::GetAuth External Auth OK ( AD ): iamuser (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:139)
[Wed Nov 16 17:26:24 2011] [debug]: LDAP password validation result: 1 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Wed Nov 16 17:26:24 2011] [debug]: Password Validation Check Result:  1 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Wed Nov 16 17:26:24 2011] [debug]: Authentication successful. Now updating user information and attempting login. (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:179)
[Wed Nov 16 17:26:24 2011] [info]: Successful login for iamuser from 163.118.10.111 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:219)
[Wed Nov 16 17:26:24 2011] [debug]: Autohandler called ExternalAuth. Response: (1, Successful login) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
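The log above says it plainly before the login even starts: "ExternalInfoPriority not defined. User information (including user enabled/disabled cannot be externally-sourced". The config sets $ExternalAuthPriority (twice, in fact) but never $ExternalInfoPriority, so authentication runs against AD while the attr_map and d_filter sync never does. The following script is an added example, not code from RT, from RT::Authen::ExternalAuth or from anyone in this thread: a stand-alone lint for an RT_SiteConfig.pm-style file. It stubs RT's Set() with a simplified symbol-table lookup (my own approximation of how RT recovers the option name; RT's real loader is more elaborate), loads the file with do, and reports the things a reviewer would want caught before deployment: a missing or inconsistent $ExternalInfoPriority / $ExternalAuthPriority, an option Set() more than once, an LDAP service bound without TLS, a filter that does not restrict matches to user entries, and attr_match_list entries that have no attr_map mapping. The option and key names are the ones used in the config above; the finding texts are my own.

```perl
#!/usr/bin/perl
# Added example (not RT or RT::Authen::ExternalAuth code): lint an
# RT_SiteConfig.pm-style file without an RT install.
# Usage: perl lint_rt_siteconfig.pl /path/to/RT_SiteConfig.pm
use strict;
use warnings;

my %config;     # option name => value, filled in by the Set() stub
my @findings;   # human-readable problems found

# Stub of RT's Set(). The prototype makes Set($Foo, ...) pass \$Foo, so the
# option name is recovered by finding that reference in the main:: symbol
# table. Assumption: RT does something comparable; this is a simplified version.
sub Set (\[$@%]@) {
    my ($ref, @values) = @_;
    my $name = _symbol_name($ref)
        or die "Set() called on something that is not a package global\n";
    my %sigil = (SCALAR => '$', ARRAY => '@', HASH => '%');
    push @findings, "$sigil{ref $ref}$name is Set() more than once; the last value wins"
        if exists $config{$name};
    $config{$name} = ref $ref eq 'ARRAY' ? [@values]
                   : ref $ref eq 'HASH'  ? {@values}
                   :                       $values[0];
    return;
}

# Walk the main:: stash and return the name whose slot holds this reference.
sub _symbol_name {
    my ($ref) = @_;
    my $slot = ref $ref;                    # SCALAR, ARRAY or HASH
    no strict 'refs';
    for my $sym (keys %main::) {
        my $slot_ref = *{"main::$sym"}{$slot};
        return $sym if defined $slot_ref && $slot_ref == $ref;
    }
    return;
}

my $file = shift @ARGV or die "usage: $0 /path/to/RT_SiteConfig.pm\n";
$file = "./$file" unless $file =~ m{^(?:/|\./)};   # do() searches @INC for bare names
do $file or die "could not load $file: " . ($@ || $!) . "\n";

my $plugins  = $config{Plugins}          || [];
my $settings = $config{ExternalSettings} || {};

push @findings, 'RT::Authen::ExternalAuth is not listed in @Plugins'
    unless grep { $_ eq 'RT::Authen::ExternalAuth' } @$plugins;

# Both priority lists must exist and only name services that are configured.
for my $opt (qw(ExternalAuthPriority ExternalInfoPriority)) {
    my $list = $config{$opt};
    if (!$list) {
        push @findings, "\$$opt is not set"
            . ($opt eq 'ExternalInfoPriority'
               ? ': attr_map fields and enabled/disabled state will not be synced from the external source'
               : ': no external service will be tried for authentication');
        next;
    }
    for my $service (@$list) {
        push @findings, "\$$opt names '$service' but it has no entry in \$ExternalSettings"
            unless exists $settings->{$service};
    }
}

# Per-service checks for LDAP backends.
for my $service (sort keys %$settings) {
    my $s = $settings->{$service};
    next unless ($s->{type} || '') eq 'ldap';
    push @findings, "$service: tls => 0 sends the bind password and user passwords in clear text"
        unless $s->{tls};
    push @findings, "$service: filter '(objectClass=*)' does not restrict matches to user entries"
        if ($s->{filter} || '') eq '(objectClass=*)';
    push @findings, "$service: attr_match_list entry '$_' has no attr_map mapping"
        for grep { !exists $s->{attr_map}{$_} } @{ $s->{attr_match_list} || [] };
}

if (@findings) {
    print "$_\n" for @findings;
    exit 1;
}
print "no findings\n";
```

Run against the config posted above it should report the missing $ExternalInfoPriority, the repeated $ExternalAuthPriority, the tls => 0 bind and the (objectClass=*) filter, and exit non-zero; it exits 0 with "no findings" once those are addressed. Because the file is executed with do, run the lint only on config files you trust, exactly as RT itself would execute them.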
