[rt-users] External Auth config with RT on Debian

jsolberg jsolberg at intrepidls.com
Fri Jun 28 15:29:22 EDT 2013


Hi All,

I have run into a wit's-end situation and am now going to ask the experts. I
have been given the task of standing up RT for my company. So far that part
has gone OK. I am able to get to the login page and log in with the local ROOT
account. That part is working. I have even played around with theme colors
to match my company's color scheme, etc. It was brought to my attention
that we need to integrate AD authentication into RT. In doing that I
reached out to Google and found what I had thought to be some promising
information. I downloaded and installed the RT::Authen::ExternalAuth plugin
by doing the following:

cpan -i RT::Authen::ExternalAuth

It ran and I entered in the path it wanted for RT.pm and away it went. It
made and it installed like it should. I then took the sample
RT_SiteConfig.pm in /usr/share/local/request-tracker4/plugins/xxxx and
copied it to /etc/request-tracker4/RT_SiteConfig.d/external auth. I then
made that file look like this:

Default settings till here....
#PLUGINS
Set( @Plugins, qw(RT::Authen::ExternalAuth));

#External Auth Settings

Set($ExternalAuthPriority, [ 'My_LDAP',] );
Set($ExternalInfoPriority, [ 'My_LDAP',] );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
    'My_LDAP'       =>  {
        'type'                      =>  'ldap',
        'server'                    =>  'dc2.xxxxxx.com',
        'user'                      =>  'cn=Bind Ldap,ou=User,Logins,dc=intrepidls,dc=com',
        'pass'                      =>  'xxxxxxx',
        'base'                      =>  'dc=xxxx,dc=com',
        'filter'                    =>  '(&(ObjectCategory=User)(ObjectClass=Person))',
        'd_filter'                  =>  '(userAccountControl:1.2.840.113556.1.4.803=2)',
        'group'                     =>  'cn=Domain Users,ou=Groups_Security,dc=xxxxx,dc=com',
        'group_attr'                =>  'member',
        'tls'                       =>  0,
        'ssl_version'               =>  3,
        'net_ldap_args'             => [    version =>  3, port => 3268   ],
        'group_scope'               =>  'base',
        'group_attr_value'          =>  'GROUP_ATTR_VALUE',
        'attr_match_list' => [
            'Name',
            'EmailAddress',
            'RealName',
        ],
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'Organization' => 'physicalDeliveryOfficeName',
            'RealName' => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos' => 'sAMAccountName',
            'WorkPhone' => 'telephoneNumber',
            'Address1' => 'streetAddress',
            'City' => 'l',
            'State' => 'st',
            'Zip' => 'postalCode',
            'Country' => 'co'
        },
    },
    # An example SSO cookie service
    'My_SSO_Cookie'  => {
        'type'                      =>  'cookie',
        'name'                      =>  'loginCookieValue',
        'u_table'                   =>  'users',
        'u_field'                   =>  'username',
        'u_match_key'               =>  'userID',
        'c_table'                   =>  'login_cookie',
        'c_field'                   =>  'loginCookieValue',
        'c_match_key'               =>  'loginCookieUserID',
        'db_service_name'           =>  'My_MySQL'
    },
} );

1;

I then use update-rt-siteconfig to merge these settings into
RT_SiteConfig.pm. From what I read this is all correct and "Should" allow AD
accounts to log in. Here is what is logging in the apache2 error log:

[Fri Jun 28 19:01:58 2013] [warning]: The actual HTTP_HOST (admin-rt4) does NOT match the configured WebDomain (localhost). Perhaps you should Set($WebDomain, 'admin-rt4'); in RT_SiteConfig.pm, otherwise your internal links may be broken. (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:1194)
[Fri Jun 28 19:02:09 2013] [error]: FAILED LOGIN for jsolberg at xxxxxx.com from 10.10.30.62 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
[Fri Jun 28 19:02:40 2013] [error]: FAILED LOGIN for jsolberg from 10.10.30.62 ( /usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
[Fri Jun 28 19:02:52 2013] [info]: Successful login for root from 10.10.30.62 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:745)
root at admin-rt4:/usr/share/request-tracker4/lib#

Notice the SUCCESSFUL login from ROOT. I really hope I am just missing
something really simple, but from what I can see it's not even sending the
request to the AD server, as I can type in the wrong password 10 times and it
is not locking the account out. I have other servers configured to use LDAP
and using the same bind account, so I know my LDAP settings are correct. I
have tried more than one AD account to no avail. I installed all the Request
Tracker components via apt-get install. PLEASE HELP!

Thanks.

Jeff
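
An offline audit of the settings hash quoted in the message, as an added example that is not part of the original post or of RT's own code: it flags LDAP services that bind without ldaps:// or StartTLS, references to services that are not defined, and values left at the sample placeholder. The `audit` helper, the host name `dc2.example.com` and the trimmed hash are constructed for illustration.

```perl
use strict;
use warnings;

# Constructed, trimmed copy of the settings in the post; the host name is a
# placeholder and audit() is a hypothetical helper, not part of RT.
my @priority = ('My_LDAP');
my %settings = (
    My_LDAP => {
        type             => 'ldap',
        server           => 'dc2.example.com',
        tls              => 0,
        net_ldap_args    => [ version => 3, port => 3268 ],
        group_attr_value => 'GROUP_ATTR_VALUE',
    },
    My_SSO_Cookie => { type => 'cookie', db_service_name => 'My_MySQL' },
);

sub audit {
    my ($priority, $settings) = @_;
    my @findings;
    # Every service named in a priority list must be defined.
    for my $name (@$priority) {
        push @findings, "$name: listed in priority but not defined"
            unless exists $settings->{$name};
    }
    for my $name (sort keys %$settings) {
        my $svc = $settings->{$name};
        if (($svc->{type} // '') eq 'ldap') {
            my %args = @{ $svc->{net_ldap_args} // [] };
            my $port = $args{port} // 389;
            # Neither ldaps:// nor StartTLS: simple binds travel unencrypted.
            push @findings, "$name: cleartext LDAP bind on port $port"
                unless ($svc->{server} // '') =~ m{^ldaps://}i || $svc->{tls};
        }
        # A service may only reference a database service that is defined.
        my $db = $svc->{db_service_name};
        push @findings, "$name: db_service_name '$db' is not defined"
            if defined $db && !exists $settings->{$db};
        # Heuristic: a value equal to its upper-cased key is an unedited sample.
        for my $key (sort keys %$svc) {
            my $value = $svc->{$key};
            push @findings, "$name: $key still holds the sample placeholder"
                if defined $value && !ref($value) && $value eq uc($key);
        }
    }
    return @findings;
}

print "$_\n" for audit(\@priority, \%settings);
```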








