[rt-users] External Auth config with RT on Debian

Kevin Falcone falcone at bestpractical.com
Tue Jul 2 13:04:34 EDT 2013


On Mon, Jul 01, 2013 at 05:59:53PM +0000, Jeff Solberg wrote:
> 
> Added the following to my site config:

Go back to the System Configuration page and confirm that you see
these settings being read by RT.

If you have the Plugin installed, and the logging configured, then it
isn't being run.  The next things to check are permissions.  Can the
webserver read the callbacks provided by the extension, and are they
being run?

-kevin

> #logging
> Set($LogToSyslog    , '');
> Set($LogToScreen    , 'debug');
> Set($LogToFile      , 'debug');
> Set($LogDir, '/var/log/request-tracker4');
> Set($LogToFileNamed , "rt.log");    #log to rt.log
> 
> # end   /etc/request-tracker4/RT_SiteConfig.d/logging
> 
> And restarted apache2. I tried to log in with a domain account and this is what is being logged to rt.log:
> 
> root at admin-rt4:/var/log/request-tracker4# cat rt.log
> [Mon Jul  1 17:47:43 2013] [debug]: The RTAddressRegexp option is not set in the config. Not setting this option results in additional SQL queries to check whether each address belongs to RT or not. It is especially important to set this option if RT recieves emails on addresses that are not in the database or config. (/usr/share/request-tracker4/lib/RT/Config.pm:454)
> [Mon Jul  1 17:47:43 2013] [warning]: The actual HTTP_HOST (admin-rt4) does NOT match the configured WebDomain (localhost). Perhaps you should Set($WebDomain, 'admin-rt4'); in RT_SiteConfig.pm, otherwise your internal links may be broken. (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:1194)
> [Mon Jul  1 17:47:50 2013] [error]: FAILED LOGIN for jsolberg from 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
> [Mon Jul  1 17:49:46 2013] [info]: Successful login for root from 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:745)
> [Mon Jul  1 17:53:05 2013] [error]: FAILED LOGIN for jsolberg at xxxxx.com from 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
> 
> My guess is the debugging options are not telling us much :(
> 
> Jeff
> 
> 
> 
> -----Original Message-----
> From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Kevin Falcone
> Sent: Monday, July 01, 2013 9:29 AM
> To: rt-users at lists.bestpractical.com
> Subject: [secure] Re: [rt-users] External Auth config with RT on Debian
> Sensitivity: Confidential
> 
> On Mon, Jul 01, 2013 at 04:24:51PM +0000, Jeff Solberg wrote:
> > > -----Original Message-----
> > > From: rt-users-bounces at lists.bestpractical.com 
> > > [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Kevin 
> > > Falcone
> > > Sent: Monday, July 01, 2013 9:14 AM
> > > To: rt-users at lists.bestpractical.com
> > > Subject: [secure] Re: [rt-users] External Auth config with RT on 
> > > Debian
> > > Sensitivity: Confidential
> > > 
> > > On Fri, Jun 28, 2013 at 12:29:22PM -0700, jsolberg wrote:
> > > > Default settings till here....
> > > > #PLUGINS
> > > > Set( @Plugins, qw(RT::Authen::ExternalAuth));
> > > > 
> > > > #External Auth Settings
> > > > 
> > > > Set($ExternalAuthPriority, [ 'My_LDAP',] ); 
> > > > Set($ExternalInfoPriority, [ 'My_LDAP',] ); 
> > > > Set($ExternalServiceUsesSSLorTLS, 0);
> > > > Set($AutoCreateNonExternalUsers, 0);
> > > > Set($ExternalSettings, {
> > > >     'My_LDAP'       =>  {
> > > >         'type'                      =>  'ldap',
> > > >         'server'                    =>  'dc2.xxxxxx.com',
> > > >         'user'                      =>  'cn=Bind Ldap,ou=User,Logins,dc=intrepidls,dc=com',
> > > >         'pass'                    =>  'xxxxxxx',
> > > >         'base'                      =>  'dc=xxxx,dc=com',
> > > >         'filter'                    =>  '(&(ObjectCategory=User)(ObjectClass=Person))',
> > > >         'd_filter'                  =>  '(userAccountControl:1.2.840.113556.1.4.803=2)',
> > > >         'group'                     =>  'cn=Domain Users,ou=Groups_Security,dc=xxxxx,dc=com',
> > > >         'group_attr'                =>  'member',
> > > >         'tls'                       =>  0,
> > > >         'ssl_version'               =>  3,
> > > >         'net_ldap_args'             => [    version =>  3, port => 3268   ],
> > > >         'group_scope'               =>  'base',
> > > >         'group_attr_value'          =>  'GROUP_ATTR_VALUE',
> > > >         'attr_match_list' => [
> > > >             'Name',
> > > >             'EmailAddress',
> > > >             'RealName',
> > > >         ],
> > > >         'attr_map' => {
> > > >             'Name' => 'sAMAccountName',
> > > >             'EmailAddress' => 'mail',
> > > >             'Organization' => 'physicalDeliveryOfficeName',
> > > >             'RealName' => 'cn',
> > > >             'ExternalAuthId' => 'sAMAccountName',
> > > >             'Gecos' => 'sAMAccountName',
> > > >             'WorkPhone' => 'telephoneNumber',
> > > >             'Address1' => 'streetAddress',
> > > >             'City' => 'l',
> > > >             'State' => 'st',
> > > >             'Zip' => 'postalCode',
> > > >             'Country' => 'co'
> > > >         },
> > > >     },
> > > >     # An example SSO cookie service
> > > >     'My_SSO_Cookie'  => {
> > > >         'type'                      =>  'cookie',
> > > >         'name'                      =>  'loginCookieValue',
> > > >         'u_table'                   =>  'users',
> > > >         'u_field'                   =>  'username',
> > > >         'u_match_key'               =>  'userID',
> > > >         'c_table'                   =>  'login_cookie',
> > > >         'c_field'                   =>  'loginCookieValue',
> > > >         'c_match_key'               =>  'loginCookieUserID',
> > > >         'db_service_name'           =>  'My_MySQL'
> > > >     },
> > > > } );
> > > > 
> > > > 1;
> > > > 
> > > > I then use update-rt-siteconfig to merge these settings into 
> > > > RT_SiteConfig.pm. From what I read this is all correct and "Should"
> > > > allow AD accounts to log in. Here is what is logging in the apache2 error log:
> > > > 
> > > > [Fri Jun 28 19:01:58 2013] [warning]: The actual HTTP_HOST 
> > > > (admin-rt4) does NOT match the configured WebDomain (localhost). 
> > > > Perhaps you should Set($WebDomain, 'admin-rt4'); in 
> > > > RT_SiteConfig.pm, otherwise your internal links may be broken.
> > > > (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:1194)
> > > > [Fri Jun 28 19:02:09 2013] [error]: FAILED LOGIN for 
> > > > jsolberg at xxxxxx.com from 10.10.30.62
> > > > (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
> > > > [Fri Jun 28 19:02:40 2013] [error]: FAILED LOGIN for jsolberg from
> > > > 10.10.30.62 ( 
> > > > /usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
> > > > [Fri Jun 28 19:02:52 2013] [info]: Successful login for root from
> > > > 10.10.30.62 
> > > > (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:745)
> > > > root at admin-rt4:/usr/share/request-tracker4/lib#
> > > 
> > > Navigate to Tools -> Configuration -> System Configuration and check that Plugins contains RT::Authen::ExternalAuth.
> > > 
> > Thanks for your reply. In the sys config it shows the following under PLUGINS:
> > 
> > Plugins   [
> >         'RT::Authen::ExternalAuth'
> >           ]
> 
> Great - now go make sure your $LogToScreen is set to 'debug' and log in again.
> 
> root will always be able to log in because it has a local password set, you're more concerned about getting useful debugging messages for your jsolberg user.
> 
> -kevin
> 
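
Added example, not part of the original thread: a Python check of the inference in the reply above, that when debug logging works and the plugin has logged nothing, the plugin is not being run. It assumes (not confirmed on this page) that lines logged by RT::Authen::ExternalAuth carry a source path containing `ExternalAuth`; the sample lines are copied from the quoted rt.log.

```python
import re
from collections import Counter

# rt.log layout as quoted in the thread:
#   [timestamp] [level]: message (source-file:line)
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]: (?P<msg>.*) \((?P<src>\S+):(?P<line>\d+)\)$"
)
LOGIN_RE = re.compile(r"^(FAILED LOGIN|Successful login) for (.+) from (\S+)$")

# Lines copied from the rt.log excerpt quoted in the thread.
SAMPLE = """\
[Mon Jul  1 17:47:43 2013] [debug]: The RTAddressRegexp option is not set in the config. Not setting this option results in additional SQL queries to check whether each address belongs to RT or not. It is especially important to set this option if RT recieves emails on addresses that are not in the database or config. (/usr/share/request-tracker4/lib/RT/Config.pm:454)
[Mon Jul  1 17:47:50 2013] [error]: FAILED LOGIN for jsolberg from 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
[Mon Jul  1 17:49:46 2013] [info]: Successful login for root from 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:745)
[Mon Jul  1 17:53:05 2013] [error]: FAILED LOGIN for jsolberg at xxxxx.com from 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
"""

def summarize(log_text, plugin_marker="ExternalAuth"):
    """Count levels, collect login results, count lines logged by the plugin."""
    levels, failed, ok, plugin_lines = Counter(), [], [], 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped or foreign line, not an RT log record
        levels[m["level"]] += 1
        if plugin_marker in m["src"]:  # assumption: plugin lines name its own file
            plugin_lines += 1
        login = LOGIN_RE.match(m["msg"])
        if login:
            target = failed if login[1] == "FAILED LOGIN" else ok
            target.append((login[2], login[3]))  # (user, client address)
    return {"debug_logging": levels["debug"] > 0, "plugin_lines": plugin_lines,
            "failed": failed, "ok": ok}

def diagnose(summary):
    """Apply the reasoning from the reply to a summarized log."""
    if not summary["debug_logging"]:
        return "no debug lines: raise the log level and log in again"
    if summary["plugin_lines"] == 0:
        return "debug logging works but the plugin logged nothing: it is not being run"
    return "plugin is logging: read its messages for the failure reason"

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s["failed"], s["ok"])
    print(diagnose(s))
```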