[rt-users] External Auth config with RT on Debian

Jeff Solberg jsolberg at intrepidls.com
Mon Jul 1 13:59:53 EDT 2013



Added the following to my site config:

#logging
Set($LogToSyslog    , '');
Set($LogToScreen    , 'debug');
Set($LogToFile      , 'debug');
Set($LogDir, '/var/log/request-tracker4');
Set($LogToFileNamed , "rt.log");    #log to rt.log

# end   /etc/request-tracker4/RT_SiteConfig.d/logging

And restarted apache2. I tried to log in with a domain account and this is what is being logged to rt.log:

root at admin-rt4:/var/log/request-tracker4# cat rt.log
[Mon Jul  1 17:47:43 2013] [debug]: The RTAddressRegexp option is not set in the config. Not setting this option results in additional SQL queries to check whether each address belongs to RT or not. It is especially important to set this option if RT recieves emails on addresses that are not in the database or config. (/usr/share/request-tracker4/lib/RT/Config.pm:454)
[Mon Jul  1 17:47:43 2013] [warning]: The actual HTTP_HOST (admin-rt4) does NOT match the configured WebDomain (localhost). Perhaps you should Set($WebDomain, 'admin-rt4'); in RT_SiteConfig.pm, otherwise your internal links may be broken. (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:1194)
[Mon Jul  1 17:47:50 2013] [error]: FAILED LOGIN for jsolberg from 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
[Mon Jul  1 17:49:46 2013] [info]: Successful login for root from 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:745)
[Mon Jul  1 17:53:05 2013] [error]: FAILED LOGIN for jsolberg at xxxxx.com from 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)

My guess is the debugging options are not telling us much :(

Jeff



-----Original Message-----
From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Monday, July 01, 2013 9:29 AM
To: rt-users at lists.bestpractical.com
Subject: [secure] Re: [rt-users] External Auth config with RT on Debian
Sensitivity: Confidential

On Mon, Jul 01, 2013 at 04:24:51PM +0000, Jeff Solberg wrote:
> > -----Original Message-----
> > From: rt-users-bounces at lists.bestpractical.com 
> > [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Kevin 
> > Falcone
> > Sent: Monday, July 01, 2013 9:14 AM
> > To: rt-users at lists.bestpractical.com
> > Subject: [secure] Re: [rt-users] External Auth config with RT on 
> > Debian
> > Sensitivity: Confidential
> > 
> > On Fri, Jun 28, 2013 at 12:29:22PM -0700, jsolberg wrote:
> > > Default settings till here....
> > > #PLUGINS
> > > Set( @Plugins, qw(RT::Authen::ExternalAuth));
> > > 
> > > #External Auth Settings
> > > 
> > > Set($ExternalAuthPriority, [ 'My_LDAP',] ); 
> > > Set($ExternalInfoPriority, [ 'My_LDAP',] ); 
> > > Set($ExternalServiceUsesSSLorTLS, 0);
> > > Set($AutoCreateNonExternalUsers, 0);
> > > Set($ExternalSettings, {
> > >     'My_LDAP'       =>  {
> > >         'type'                      =>  'ldap',
> > >         'server'                    =>  'dc2.xxxxxx.com',
> > >         'user'                      =>  'cn=Bind Ldap,ou=User,Logins,dc=intrepidls,dc=com',
> > >         'pass'                    =>  'xxxxxxx',
> > >         'base'                      =>  'dc=xxxx,dc=com',
> > >         'filter'                    =>  '(&(ObjectCategory=User)(ObjectClass=Person))',
> > >         'd_filter'                  =>  '(userAccountControl:1.2.840.113556.1.4.803=2)',
> > >         'group'                     =>  'cn=Domain Users,ou=Groups_Security,dc=xxxxx,dc=com',
> > >         'group_attr'                =>  'member',
> > >         'tls'                       =>  0,
> > >         'ssl_version'               =>  3,
> > >         'net_ldap_args'             => [    version =>  3, port => 3268   ],
> > >         'group_scope'               =>  'base',
> > >         'group_attr_value'          =>  'GROUP_ATTR_VALUE',
> > >         'attr_match_list' => [
> > >             'Name',
> > >             'EmailAddress',
> > >             'RealName',
> > >         ],
> > >         'attr_map' => {
> > >             'Name' => 'sAMAccountName',
> > >             'EmailAddress' => 'mail',
> > >             'Organization' => 'physicalDeliveryOfficeName',
> > >             'RealName' => 'cn',
> > >             'ExternalAuthId' => 'sAMAccountName',
> > >             'Gecos' => 'sAMAccountName',
> > >             'WorkPhone' => 'telephoneNumber',
> > >             'Address1' => 'streetAddress',
> > >             'City' => 'l',
> > >             'State' => 'st',
> > >             'Zip' => 'postalCode',
> > >             'Country' => 'co'
> > >         },
> > >     },
> > >     # An example SSO cookie service
> > >     'My_SSO_Cookie'  => {
> > >         'type'                      =>  'cookie',
> > >         'name'                      =>  'loginCookieValue',
> > >         'u_table'                   =>  'users',
> > >         'u_field'                   =>  'username',
> > >         'u_match_key'               =>  'userID',
> > >         'c_table'                   =>  'login_cookie',
> > >         'c_field'                   =>  'loginCookieValue',
> > >         'c_match_key'               =>  'loginCookieUserID',
> > >         'db_service_name'           =>  'My_MySQL'
> > >     },
> > > } );
> > > 
> > > 1;
> > > 
> > > I then use update-rt-siteconfig to merge these settings into 
> > > RT_SiteConfig.pm. From what I read this is all correct and "Should"
> > > allow AD accounts to log in. Here is what is logging in the apache2 error log:
> > > 
> > > [Fri Jun 28 19:01:58 2013] [warning]: The actual HTTP_HOST 
> > > (admin-rt4) does NOT match the configured WebDomain (localhost). 
> > > Perhaps you should Set($WebDomain, 'admin-rt4'); in 
> > > RT_SiteConfig.pm, otherwise your internal links may be broken.
> > > (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:1194)
> > > [Fri Jun 28 19:02:09 2013] [error]: FAILED LOGIN for 
> > > jsolberg at xxxxxx.com from 10.10.30.62
> > > (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
> > > [Fri Jun 28 19:02:40 2013] [error]: FAILED LOGIN for jsolberg from
> > > 10.10.30.62 ( 
> > > /usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
> > > [Fri Jun 28 19:02:52 2013] [info]: Successful login for root from
> > > 10.10.30.62 
> > > (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:745)
> > > root at admin-rt4:/usr/share/request-tracker4/lib#
> > 
> > Navigate to Tools -> Configuration -> System Configuration and check that Plugins contains RT::Authen::ExternalAuth.
> > 
> Thanks for your reply. In the sys config it shows the following under PLUGINS:
> 
> Plugins   [
>         'RT::Authen::ExternalAuth'
>           ]

Great - now go make sure your $LogToScreen is set to 'debug' and log in again.

root will always be able to log in because it has a local password set; you're more concerned about getting useful debugging messages for your jsolberg user.

-kevin
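
Added example, not part of the thread and not RT's own code: a Python triage of rt.log lines in the format shown above. It tallies login outcomes per user and source address and reports whether any logged line came from the ExternalAuth plugin. The sample lines are constructed, and identifying plugin output by the string "ExternalAuth" in the message or source path is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the rt.log format shown above (the list archive's
# " at " address obfuscation is written as "@", with a placeholder domain).
SAMPLE_LOG = """\
[Mon Jul  1 17:47:43 2013] [warning]: The actual HTTP_HOST (admin-rt4) does NOT match the configured WebDomain (localhost). (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:1194)
[Mon Jul  1 17:47:50 2013] [error]: FAILED LOGIN for jsolberg from 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
[Mon Jul  1 17:49:46 2013] [info]: Successful login for root from 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:745)
[Mon Jul  1 17:53:05 2013] [error]: FAILED LOGIN for jsolberg@example.com from 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
"""

# [timestamp] [level]: message (source_file:line)
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]: (?P<msg>.*) "
    r"\((?P<src>/[^()\s]+):(?P<line>\d+)\)$"
)
LOGIN_RE = re.compile(
    r"^(?P<result>FAILED LOGIN|Successful login) for (?P<user>\S+) from (?P<ip>\S+)$"
)

def parse(text):
    """Return one dict per well-formed log line; skip anything else."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events

def triage(text, plugin_hint="ExternalAuth"):
    """Summarise levels, login outcomes by (user, ip), and plugin-originated lines."""
    events = parse(text)
    failed, succeeded = Counter(), Counter()
    for e in events:
        m = LOGIN_RE.match(e["msg"])
        if not m:
            continue
        bucket = succeeded if m["result"].startswith("Successful") else failed
        bucket[(m["user"], m["ip"])] += 1
    return {
        "levels": Counter(e["level"] for e in events),
        "failed": failed,
        "succeeded": succeeded,
        # Assumption: plugin output names ExternalAuth in its message or source path.
        "plugin_lines": [e for e in events
                         if plugin_hint in e["src"] or plugin_hint in e["msg"]],
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

An empty plugin_lines list alongside failed logins means every logged line came from RT core, so the log holds no record of the external authentication step.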