[rt-users] External Auth config with RT on Debian
Jeff Solberg
jsolberg at intrepidls.com
Mon Jul 1 12:38:18 EDT 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Do I just add the $SetToLog options anywhere in the RT_SiteConfig.pm?
- -----Original Message-----
From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Monday, July 01, 2013 9:29 AM
To: rt-users at lists.bestpractical.com
Subject: [secure] Re: [rt-users] External Auth config with RT on Debian
Sensitivity: Confidential
* PGP Signed by an unknown key
On Mon, Jul 01, 2013 at 04:24:51PM +0000, Jeff Solberg wrote:
> > - -----Original Message-----
> > From: rt-users-bounces at lists.bestpractical.com
> > [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Kevin
> > Falcone
> > Sent: Monday, July 01, 2013 9:14 AM
> > To: rt-users at lists.bestpractical.com
> > Subject: [secure] Re: [rt-users] External Auth config with RT on
> > Debian
> > Sensitivity: Confidential
> >
> > > Old Signed by an unknown key
> >
> > On Fri, Jun 28, 2013 at 12:29:22PM -0700, jsolberg wrote:
> > > Default settings till here....
> > > #PLUGINS
> > > Set( @Plugins, qw(RT::Authen::ExternalAuth));
> > >
> > > #External Auth Settings
> > >
> > > Set($ExternalAuthPriority, [ 'My_LDAP',] );
> > > Set($ExternalInfoPriority, [ 'My_LDAP',] );
> > > Set($ExternalServiceUsesSSLorTLS, 0); Set($AutoCreateNonExternalUsers, 0); Set($ExternalSettings, {
> > > 'My_LDAP' => {
> > > 'type' => 'ldap',
> > > 'server' => 'dc2.xxxxxx.com',
> > > 'user' => 'cn=Bind
> > > Ldap,ou=User,Logins,dc=intrepidls,dc=com',
> > > 'pass' => 'xxxxxxx',
> > > 'base' => 'dc=xxxx,dc=com',
> > > 'filter' =>
> > > '(&(ObjectCategory=User)(ObjectClass=Person))',
> > > 'd_filter' =>
> > > '(userAccountControl:1.2.840.113556.1.4.803=2)',
> > > 'group' => 'cn=Domain
> > > Users,ou=Groups_Security,dc=xxxxx,dc=com',
> > > 'group_attr' => 'member',
> > > 'tls' => 0,
> > > 'ssl_version' => 3,
> > > 'net_ldap_args' => [ version => 3, port => 3268 ],
> > > 'group_scope' => 'base',
> > > 'group_attr_value' => 'GROUP_ATTR_VALUE',
> > > 'attr_match_list' => [
> > > 'Name',
> > > 'EmailAddress',
> > > 'RealName',
> > > ],
> > > 'attr_map' => {
> > > 'Name' => 'sAMAccountName',
> > > 'EmailAddress' => 'mail',
> > > 'Organization' => 'physicalDeliveryOfficeName',
> > > 'RealName' => 'cn',
> > > 'ExternalAuthId' => 'sAMAccountName',
> > > 'Gecos' => 'sAMAccountName',
> > > 'WorkPhone' => 'telephoneNumber',
> > > 'Address1' => 'streetAddress',
> > > 'City' => 'l',
> > > 'State' => 'st',
> > > 'Zip' => 'postalCode',
> > > 'Country' => 'co'
> > > },
> > > },
> > > # An example SSO cookie service
> > > 'My_SSO_Cookie' => {
> > > 'type' => 'cookie',
> > > 'name' => 'loginCookieValue',
> > > 'u_table' => 'users',
> > > 'u_field' => 'username',
> > > 'u_match_key' => 'userID',
> > > 'c_table' => 'login_cookie',
> > > 'c_field' => 'loginCookieValue',
> > > 'c_match_key' => 'loginCookieUserID',
> > > 'db_service_name' => 'My_MySQL'
> > > },
> > > } );
> > >
> > > 1;
> > >
> > > I then use update-rt-siteconfig to merge these settings into
> > > RT_SiteConfig.pm. From what I read this is all correct and "Should"
> > > allow AD accounts to log in. Here is what is logging in the apache2 error log:
> > >
> > > [Fri Jun 28 19:01:58 2013] [warning]: The actual HTTP_HOST
> > > (admin-rt4) does NOT match the configured WebDomain (localhost).
> > > Perhaps you should Set($WebDomain, 'admin-rt4'); in
> > > RT_SiteConfig.pm, otherwise your internal links may be broken.
> > > (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:1194)
> > > [Fri Jun 28 19:02:09 2013] [error]: FAILED LOGIN for
> > > jsolberg at xxxxxx.com from 10.10.30.62
> > > (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
> > > [Fri Jun 28 19:02:40 2013] [error]: FAILED LOGIN for jsolberg from
> > > 10.10.30.62 (
> > > /usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
> > > [Fri Jun 28 19:02:52 2013] [info]: Successful login for root from
> > > 10.10.30.62
> > > (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:745)
> > > root at admin-rt4:/usr/share/request-tracker4/lib#
> >
> > Navigate to Tools -> Configuration -> System Configuration and check that Plugins contains RT::Authen::ExternalAuth.
> >
> Thanks for your reply. In the sys config it shows the following under PLUGINS:
>
> Plugins [
> 'RT::Authen::ExternalAuth'
> ]
Great - now go make sure your $LogToScreen is set to 'debug' and log in again.
root will always be able to log in because it has a local password set, you're more concerned about getting useful debugging messages for your jsolberg user.
- -kevin
* Unknown Key
* 0x9E42250A
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.1 (Build 4940)
Charset: us-ascii
wsBVAwUBUdGwfU8vfChWkpdqAQgoxgf+IW3MwbDxATCMSx7dEOEgPjjTY2ZfJD0z
7Ez7SM+J0ke7+ljDhRYkZC7uMX2XF9O1N1JY1mv1O390ECPNUmXegDd54gmp7KHh
Er9zx6AT77ZavXpf43nwGFty4pmlQfDRf5YfhDWJu8qQe+MivSHLbqw50JDKHNYe
/R3A3DwC20Eukc76AQUpKJxDQrxL7mty8BxEaOgXquPl/S8JUWbJTpuTvL1cLoG5
yyfRECXvxrCYQKwttst5iaEQlPZ3zu0ja+sE10+dwdEW9oYC6/RBHlus3fASJxVj
siDp0h56GDQFDmgCm0oMVRQEh5kPMu01U4PP2TA+X66rKFSQyl69ng==
=4cdn
-----END PGP SIGNATURE-----
More information about the rt-users
mailing list