[rt-users] rt4 and External Auth to AD 2008 non-ssl

Ruslan Zakirov ruz at bestpractical.com
Sun Sep 4 09:51:03 EDT 2011


There is one bug with the group check. If the user who tries to log in has no
rights in LDAP to see the group, then the check fails and the error in the
logs is not very helpful.

Regards, Ruslan. From phone.
On 30.08.2011 22:42, "Brian Murphy" <blmurphy at eiu.edu> wrote:
> I have actually gotten auth to work through my active directory.
>
> I still have to debug my group membership attribute as that is what was
> tripping me up this last time. Not real sure how to code it.
>
> seeing this failure:
> [Tue Aug 30 16:15:09 2011] [debug]: LDAP Search === Base:
dc=eiuad,dc=eiu,dc=edu == Filter: (member=CN=Murphy, Brian,OU=ITS
Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu) ==
Attrs: dn
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
> [Tue Aug 30 16:15:09 2011] [info]: EIUAD AUTH FAILED: blmurphy
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> [Tue Aug 30 16:15:09 2011] [debug]: LDAP password validation result: 0
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
> [Tue Aug 30 16:15:09 2011] [debug]: Password Validation Check Result: 0
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
>
> I removed the group check from the SiteConfig and now I can login using my
> external active directory credentials. Anyone have an idea what I might be
> coding or placing wrong on trying to use the group membership?
>
> Thanks for all your input(s).
>
> Brian
>
> ----- Original Message -----
> From: "Brian Murphy" <blmurphy at eiu.edu>
> To: rt-users at lists.bestpractical.com
> Sent: Tuesday, August 30, 2011 11:33:53 AM
> Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
>
> Complaining about validating the password after locating the user entry.
>
> I am now receiving the following out of the external auth:
>
>
> [Tue Aug 30 16:15:09 2011] [debug]: Attempting to use external auth
service: EIUAD
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Tue Aug 30 16:15:09 2011] [debug]: Calling UserExists with $username
(blmurphy) and $service (EIUAD)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
> [Tue Aug 30 16:15:09 2011] [debug]: UserExists params:
> username: blmurphy , service: EIUAD
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
> [Tue Aug 30 16:15:09 2011] [debug]: LDAP Search === Base:
dc=eiuad,dc=eiu,dc=edu == Filter:
(&(objectClass=*)(sAMAccountName=blmurphy)) == Attrs: sAMAccountName
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
> [Tue Aug 30 16:15:09 2011] [debug]: Password validation required for
service - Executing...
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
> [Tue Aug 30 16:15:09 2011] [debug]: Trying external auth service: EIUAD
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
> [Tue Aug 30 16:15:09 2011] [debug]: LDAP Search === Base:
dc=eiuad,dc=eiu,dc=edu == Filter:
(&(sAMAccountName=blmurphy)(objectClass=*)) == Attrs: dn
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
> [Tue Aug 30 16:15:09 2011] [debug]: Found LDAP DN: CN=Murphy\,
Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU
USERS,DC=eiuad,DC=eiu,DC=edu
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
> [Tue Aug 30 16:15:09 2011] [debug]: LDAP Search === Base:
dc=eiuad,dc=eiu,dc=edu == Filter: (member=CN=Murphy, Brian,OU=ITS
Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu) ==
Attrs: dn
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
> [Tue Aug 30 16:15:09 2011] [info]: EIUAD AUTH FAILED: blmurphy
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> [Tue Aug 30 16:15:09 2011] [debug]: LDAP password validation result: 0
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
> [Tue Aug 30 16:15:09 2011] [debug]: Password Validation Check Result: 0
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
> [Tue Aug 30 16:15:09 2011] [debug]: Autohandler called ExternalAuth.
Response: (0, Password Invalid)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
> [Tue Aug 30 16:15:09 2011] [error]: FAILED LOGIN for blmurphy from
139.67.17.30 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:639)
>
>
> Using the following RT_SiteConfig.pm settings:
>
> Set($ExternalSettings, {
> # EIUAD Active Directory
> 'EIUAD' => { ## GENERIC SECTION
> # The type of service (db/ldap/cookie)
> 'type' => 'ldap',
> # The server hosting the service
> 'server' => 'eiuad.eiu.edu',
> ## SERVICE-SPECIFIC SECTION
> # If you can bind to your LDAP server anonymously you should
> # remove the user and pass config lines, otherwise specify them here:
> #
> # The username RT should use to connect to the LDAP server
> 'user' => 'CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
> # The password RT should use to connect to the LDAP server
> 'pass' => 'xxxxxxxxx!',
> #
> # The LDAP search base
> #'base' => 'ou=its employees,ou=employee accounts,ou=eiu users,dc=eiuad,dc=eiu,dc=edu',
> 'base' => 'dc=eiuad,dc=eiu,dc=edu',
> #
> # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
> # YOU **MUST** SPECIFY A filter AND A d_filter!!
> #
> # The filter to use to match RT-Users
> 'filter' => '(objectClass=*)',
> # A catch-all example filter: '(objectClass=*)'
> #
> # The filter that will only match disabled users
> 'd_filter' => '(objectclass=Foo)',
> # A catch-none example d_filter: '(objectClass=FooBarBaz)'
> #
> # Should we try to use TLS to encrypt connections?
> 'tls' => 0,
> # SSL Version to provide to Net::SSLeay *if* using SSL
> 'ssl_version' => 3,
> # What other args should I pass to Net::LDAP->new($host,@args)?
> 'net_ldap_args' => [ version => 3 ],
> # Does authentication depend on group membership? What group name?
> 'group' => 'CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
> # What is the attribute for the group object that determines membership?
> 'group_attr' => 'member',
> ## RT ATTRIBUTE MATCHING SECTION
> # The list of RT attributes that uniquely identify a user
> # This example shows what you *can* specify.. I recommend reducing this
> # to just the Name and EmailAddress to save encountering problems later.
> 'attr_match_list' => [ 'Name'
> ],
> # The mapping of RT attributes on to LDAP attributes
> 'attr_map' => { 'Name' => 'sAMAccountName'
> }
> }
> }
> );
>
> ----- Original Message -----
> From: "Brian Murphy" <blmurphy at eiu.edu>
> To: rt-users at lists.bestpractical.com
> Sent: Tuesday, August 30, 2011 10:59:08 AM
> Subject: Fwd: [rt-users] rt4 and External Auth to AD 2008 non-ssl
>
>
> Well, sh**! Sometimes the simplest are the most difficult. I was way too
> close to the forest to see the trees on that one. Having a . instead of the
> , in my base string was causing me to not be able to find the entry. I have
> my filter set to () and am using the sAMAccountName and finding the user
> account, but now it refuses my password. Here is what I get in the log. Any
> ideas? I know my password and am using it for other accounts.
>
> [Tue Aug 30 15:48:14 2011] [debug]: Attempting to use external auth
service: EIUAD
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Tue Aug 30 15:48:14 2011] [debug]: Calling UserExists with $username
(blmurphy) and $service (EIUAD)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
> [Tue Aug 30 15:48:14 2011] [debug]: UserExists params:
> username: blmurphy , service: EIUAD
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
> [Tue Aug 30 15:48:14 2011] [debug]: LDAP Search === Base:
dc=eiuad,dc=eiu,dc=edu == Filter: (&(sAMAccountName=blmurphy)) == Attrs:
sAMAccountName
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
> [Tue Aug 30 15:48:14 2011] [debug]: Password validation required for
service - Executing...
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
> [Tue Aug 30 15:48:14 2011] [debug]: Trying external auth service: EIUAD
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
> [Tue Aug 30 15:48:14 2011] [debug]: LDAP Search === Base:
dc=eiuad,dc=eiu,dc=edu == Filter: (&(sAMAccountName=blmurphy)) == Attrs: dn
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
> [Tue Aug 30 15:48:14 2011] [debug]: Found LDAP DN: CN=Murphy\,
Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU
USERS,DC=eiuad,DC=eiu,DC=edu
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
> [Tue Aug 30 15:48:14 2011] [debug]: LDAP Search === Base:
dc=eiuad,dc=eiu,dc=edu == Filter: (member=CN=Murphy, Brian,OU=ITS
Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu) ==
Attrs: dn
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
> [Tue Aug 30 15:48:14 2011] [info]: EIUAD AUTH FAILED: blmurphy
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> [Tue Aug 30 15:48:14 2011] [debug]: LDAP password validation result: 0
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
> [Tue Aug 30 15:48:14 2011] [debug]: Password Validation Check Result: 0
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
> [Tue Aug 30 15:48:14 2011] [debug]: Autohandler called ExternalAuth.
Response: (0, Password Invalid)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
> [Tue Aug 30 15:48:14 2011] [error]: FAILED LOGIN for blmurphy from
139.67.17.30 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:639)
> [Tue Aug 30 15:48:17 2011] [debug]: Attempting to use external auth
service: EIUAD
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Tue Aug 30 15:48:17 2011] [debug]: SSO Failed and no user to test with.
Nexting
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
> [Tue Aug 30 15:48:17 2011] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
>
> ----- Original Message -----
> From: "David Chandek-Stark" <david.chandek.stark at duke.edu>
> To: "Brian Murphy" <blmurphy at eiu.edu>, rt-users at lists.bestpractical.com
> Sent: Tuesday, August 30, 2011 10:41:54 AM
> Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
>
> I'm guessing your base should have a comma b/w "eiu" and "dc" -- I.e.,
> "dc=eiuad,dc=eiu,dc=edu".
>
> --D
>
> On 8/30/11 11:34 AM, "Brian Murphy" <blmurphy at eiu.edu> wrote:
>>[Tue Aug 30 15:29:48 2011] [debug]: LDAP Search === Base:
>>dc=eiuad,dc=eiu.dc=edu == Filter: (&(sAMAccountName=blmurphy)) == Attrs:
>>sAMAccountName
>>(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/
>>LDAP.pm:304)
>
> --------
> RT Training Sessions (http://bestpractical.com/services/training.html)
> * Chicago, IL, USA September 26 & 27, 2011
> * San Francisco, CA, USA October 18 & 19, 2011
> * Washington DC, USA October 31 & November 1, 2011
> * Melbourne VIC, Australia November 28 & 29, 2011
> * Barcelona, Spain November 28 & 29, 2011
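
A log-triage sketch for the failure discussed in this thread, added here as an example and not part of the original messages or of RT-Authen-ExternalAuth: it labels each `AUTH FAILED` entry with the last LDAP step logged before it, so a failure that follows the group membership search is not read as a bad password. The sample log, the service name EXAMPLEAD, the users and the stage labels are constructed, and treating the last logged step as the failing one is an assumption based on the ordering seen in the quoted logs.

```python
import re

# Constructed sample in the log format quoted in this thread (made-up service, users, DNs).
SAMPLE_LOG = """\
[Tue Aug 30 16:15:09 2011] [debug]: Attempting to use external auth service: EXAMPLEAD (ExternalAuth.pm:64)
[Tue Aug 30 16:15:09 2011] [debug]: LDAP Search === Base: dc=example,dc=org == Filter: (&(sAMAccountName=alice)(objectClass=*)) == Attrs: dn (LDAP.pm:43)
[Tue Aug 30 16:15:09 2011] [debug]: Found LDAP DN: CN=Doe\\, Alice,OU=Staff,DC=example,DC=org (LDAP.pm:75)
[Tue Aug 30 16:15:09 2011] [debug]: LDAP Search === Base: dc=example,dc=org == Filter: (member=CN=Doe, Alice,OU=Staff,DC=example,DC=org) == Attrs: dn (LDAP.pm:100)
[Tue Aug 30 16:15:09 2011] [info]: EXAMPLEAD AUTH FAILED: alice (LDAP.pm:127)
[Tue Aug 30 16:15:09 2011] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (DoAuth:11)
[Tue Aug 30 16:20:41 2011] [debug]: Attempting to use external auth service: EXAMPLEAD (ExternalAuth.pm:64)
[Tue Aug 30 16:20:41 2011] [debug]: LDAP Search === Base: dc=example,dc=org == Filter: (&(sAMAccountName=bob)(objectClass=*)) == Attrs: dn (LDAP.pm:43)
[Tue Aug 30 16:20:41 2011] [debug]: Found LDAP DN: CN=Roe\\, Bob,OU=Staff,DC=example,DC=org (LDAP.pm:75)
[Tue Aug 30 16:20:41 2011] [info]: EXAMPLEAD AUTH FAILED: bob (LDAP.pm:127)
"""

ENTRY = re.compile(r"^\[[^\]]+\] \[\w+\]: (?P<msg>.*)$")
FILTER = re.compile(r"== Filter: \((?P<attr>[^=()]+)=")   # simple "(attr=value)" filters only
FAILED = re.compile(r"^\S+ AUTH FAILED: (?P<user>\S+)")
HINTS = {  # hypothetical stage labels -> what to check first
    "group_check": "can the bind account read the group entry? are 'group' and 'group_attr' right?",
    "after_user_dn_found": "user entry found, no group search logged: check the password/bind",
    "user_lookup": "user search did not yield a DN: check 'base', 'filter', 'attr_map'",
    "no_ldap_step": "no LDAP activity logged for this attempt",
}

def classify_failures(log_text, group_attr="member"):
    """Label each AUTH FAILED entry with the last LDAP step logged before it."""
    results, stage = [], "no_ldap_step"
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Attempting to use external auth service"):
            stage = "no_ldap_step"          # a new login attempt begins
        elif msg.startswith("Found LDAP DN:"):
            stage = "after_user_dn_found"
        elif "LDAP Search ===" in msg:
            f = FILTER.search(msg)
            stage = "group_check" if f and f.group("attr") == group_attr else "user_lookup"
        elif (failed := FAILED.match(msg)):
            results.append((failed.group("user"), stage))
    return results

if __name__ == "__main__":
    for user, stage in classify_failures(SAMPLE_LOG):
        print(f"{user}: {stage} -> {HINTS[stage]}")
```

Pass the attribute configured as `group_attr` if it is not `member`; log entries that wrap across lines, as they do in the mail above, need to be rejoined before parsing.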