[rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

Mathew Snyder mathew.snyder at gmail.com
Thu Oct 17 21:50:10 EDT 2013


If I run the command the way you've formatted it I get "ldapsearch can't
contact ldap server (-1)".

However, if I run 'ldapsearch -x -h dc1.example.com -D rtuser -w xxxxxxxx
-b "dc=example,dc=com" "(sAMAccountName=user)"' I get all kinds of output:

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (sAMAccountName=user)
# requesting: ALL
#

# User Name, Information Systems, HQ Users, EXAMPLE Users, Users, ZEN USERS GROUPS and COMPUTERS, Example.com
dn: CN=User Name,OU=Information Systems,OU=HQ Users,OU=EXAMPLE Users,OU=Users,OU=ZEN USERS GROUPS and COMPUTERS,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: User Name
sn: Name
givenName: User
distinguishedName: CN=User Name,OU=Information Systems,OU=HQ Users,OU=EXAMPLE Users,OU=Users,OU=ZEN USERS GROUPS and COMPUTERS,DC=example,DC=com
instanceType: 4
whenCreated: 20130930141549.0Z
whenChanged: 20131012190321.0Z
displayName: User Name
uSNCreated: 8802089
uSNChanged: 9320797
name: User Name
objectGUID:: f+PyYZ/6lEqKVGVs4/LT1A==
userAccountControl: 512
codePage: 0
countryCode: 0
pwdLastSet: 130250241494878224
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA4MWjpccIJx5IwuT21g4AAA==
accountExpires: 9223372036854775807
sAMAccountName: user
sAMAccountType: 805306368
userPrincipalName: uname at example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130260782012929006

# search reference
ref: ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com

# search reference
ref: ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com

# search reference
ref: ldap://example.com/CN=Configuration,DC=example,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3


-Mathew

"When you do things right, people won't be sure you've done anything at
all." - God; Futurama

"We'll get along much better once you accept that you're wrong and neither
am I." - Me


On Thu, Oct 17, 2013 at 6:54 PM, Jeff Solberg <jsolberg at intrepidls.com> wrote:

> That error code 49 is a generic LDAP error returned when the account
> you're using to bind has invalid creds, usually a bad or expired password..
>
> Do you have ldap tools installed on your RT server? If so run this command
> to test your bind account:
>
> ldapsearch -x -W -D"bindaccount at domain.com" "(sAMAccountName=some_user)"
>
> Enter Password of Bind account.
>
> Let us know the results..
>
> Jeff
>
>
> *From:* Mathew Snyder [mailto:mathew.snyder at gmail.com]
> *Sent:* Thursday, October 17, 2013 3:32 PM
> *To:* Jeff Solberg
> *Cc:* rt-users at lists.bestpractical.com
> *Subject:* Re: [rt-users] I need help with the RT-Authen-ExternalAuth
> LDAP settings, please
>
>
> I've tried both the settings indicated by Jeff (excepting the SSO cookie
> settings) and Glenn. I'm still getting the
> "RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
> LDAP_INVALID_CREDENTIALS 49" error.
>
> -Mathew
>
> "When you do things right, people won't be sure you've done anything at
> all." - God; Futurama
>
> "We'll get along much better once you accept that you're wrong and
> neither am I." - Me
>
> On Thu, Oct 17, 2013 at 5:00 PM, Jeff Solberg <jsolberg at intrepidls.com>
> wrote:
>
> Here is a copy of my working ExternalAuth Config..Hope this helps..
>
>
> #PLUGINS
> Set( @Plugins, qw(RT::Authen::ExternalAuth));
>
> #External Auth Settings
> #Set($WebExternalAuth , 1);
> #Set($WebFallbackToInternalAuth , 1);
> #Set($WebExternalAuto , 1);
> Set($ExternalAuthPriority, [ 'My_LDAP',] );
> Set($ExternalInfoPriority, [ 'My_LDAP',] );
> Set($ExternalServiceUsesSSLorTLS, 0);
> Set($AutoCreateNonExternalUsers, 0);
> Set($ExternalSettings, {
>     'My_LDAP'       =>  {
>         'type'                      =>  'ldap',
>         'server'                    =>  '10.10.x.x',
>         # bind identity must be a full DN, not a bare account name
>         'user'                      =>  'cn=Bind Ldap,ou=User_Logins,dc=xxx,dc=xxx',
>         'pass'                      =>  'xxxxx',
>         'base'                      =>  'dc=xxx,dc=xxx',
>         'filter'                    =>  '(&(ObjectCategory=User)(ObjectClass=Person))',
>         # AD bitwise-AND rule: matches accounts with the ACCOUNTDISABLE bit set
>         'd_filter'                  =>  '(userAccountControl:1.2.840.113556.1.4.803=2)',
> #       'group'                     =>  'cn=Domain Users,ou=Groups_Security,dc=xxx,dc=xxx',
> #       'group_attr'                =>  'member',
>         'tls'                       =>  0,
>         'ssl_version'               =>  3,
>         'net_ldap_args'             => [    version =>  3 ],
>         'group_scope'               =>  'base',
> #        'group_attr_value'          =>  'GROUP_ATTR_VALUE',
>         'attr_match_list' => [
>             'Name',
>             'EmailAddress',
>         ],
>         'attr_map' => {
>             'Name' => 'sAMAccountName',
>             'EmailAddress' => 'mail',
>             'Organization' => 'physicalDeliveryOfficeName',
>             'RealName' => 'cn',
>             'ExternalAuthId' => 'sAMAccountName',
>             'Gecos' => 'sAMAccountName',
>             'WorkPhone' => 'telephoneNumber',
>             'Address1' => 'streetAddress',
>             'City' => 'l',
>             'State' => 'st',
>             'Zip' => 'postalCode',
>             'Country' => 'co'
>         },
>     },
>     # An example SSO cookie service
>     'My_SSO_Cookie'  => {
>         'type'                      =>  'cookie',
>         'name'                      =>  'loginCookieValue',
>         'u_table'                   =>  'users',
>         'u_field'                   =>  'username',
>         'u_match_key'               =>  'userID',
>         'c_table'                   =>  'login_cookie',
>         'c_field'                   =>  'loginCookieValue',
>         'c_match_key'               =>  'loginCookieUserID',
>         'db_service_name'           =>  'My_MySQL'
>     },
> });
>
>
> *From:* Mathew Snyder [mailto:mathew.snyder at gmail.com]
> *Sent:* Thursday, October 17, 2013 1:50 PM
> *To:* Jeff Solberg
> *Cc:* rt-users at lists.bestpractical.com
> *Subject:* Re: [rt-users] I need help with the RT-Authen-ExternalAuth
> LDAP settings, please
>
>
> I found another thread that indicated that the solution to the second
> problem was to add @domain to the end of the username. That just reverted
> to the previous list of errors with a couple new ones.
>
> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $_[1] in join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42.
> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $service in hash element at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 611.
> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
> Oct 17 16:47:50 zen-rt RT: [24673] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
> Oct 17 16:47:50 zen-rt RT: [24673] Couldn't create user user: Could not set user info
> Oct 17 16:47:50 zen-rt RT: [24673] FAILED LOGIN for user from 192.168.236.102
>
> -Mathew
>
> "When you do things right, people won't be sure you've done anything at
> all." - God; Futurama
>
> "We'll get along much better once you accept that you're wrong and
> neither am I." - Me
>
> On Thu, Oct 17, 2013 at 4:39 PM, Mathew Snyder <mathew.snyder at gmail.com>
> wrote:
>
> I didn't know the OU until a few moments ago so I only entered
> "cn=user,dc=example,dc=com". That did seem to make a difference. However,
> I'm still not able to log in. Perhaps for other reasons, though:
>
>
> Oct 17 16:33:11 zen-rt RT: [24525] RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49
> Oct 17 16:33:11 zen-rt RT: [24525] FAILED LOGIN for example\user from 192.168.236.102
>
> I know I'm entering my username and password correctly and have again
> tried just the username, example\username, and example.com\username. I'm
> wondering if the LDAP_INVALID_CREDENTIALS error is because of the missing
> OU. I do know it now, but how do I enter an OU that has two words? I was
> told it is example.com/Special Accounts.
>
> -Mathew
>
> "When you do things right, people won't be sure you've done anything at
> all." - God; Futurama
>
> "We'll get along much better once you accept that you're wrong and
> neither am I." - Me
>
> On Thu, Oct 17, 2013 at 4:27 PM, Jeff Solberg <jsolberg at intrepidls.com>
> wrote:
>
> For your 'server' try using IP rather than hostname.
>
> Second, for the 'user' field try using the DN name for your AD Binding
> user: cn=some_user,ou=some_ou,dc=some_domain,dc=com
>
> Hope this helps..
>
> Jeff
>
> *From:* rt-users-bounces at lists.bestpractical.com [mailto:
> rt-users-bounces at lists.bestpractical.com] *On Behalf Of *Mathew Snyder
> *Sent:* Thursday, October 17, 2013 1:19 PM
> *To:* rt-users at lists.bestpractical.com
> *Subject:* [rt-users] I need help with the RT-Authen-ExternalAuth LDAP
> settings, please
>
>
> Set($ExternalSettings, {
>     'AD'       =>  {
>         'type'                      =>  'ldap',
>         'server'                    =>  'domain_controller.example.com',
>         'base'                      =>  'dc=example,dc=com',
>         'user'                      =>  'rtuser',
>         'pass'                      =>  '********',
>         'filter'                    =>  '(ObjectClass=*)',
>         'tls'                       =>  0,
>         'ssl_version'               =>  3,
>         'net_ldap_args'             => [    version =>  3   ],
>         'attr_match_list' => [
>             'EmailAddress',
>         ],
>         'attr_map' => {
>             'Name' => 'sAMAccountName',
>             'EmailAddress' => 'mail',
>             'RealName' => 'cn',
>         },
>     },
> });
>
>
> They aren't working. Whenever someone attempts an initial login with just
> their username (which should create their RT account) the following error
> is logged:
>
> Oct 17 15:02:29 zen-rt RT: [23131] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
> Oct 17 15:02:29 zen-rt RT: [23131] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
> Oct 17 16:14:01 zen-rt RT: [24382] Couldn't create user user: Could not set user info
> Oct 17 16:14:01 zen-rt RT: [24382] FAILED LOGIN for user from 192.168.236.102
>
> When initial logins are attempted with either example\username or
> example.com\username only the FAILED LOGIN line is displayed.
>
>
> We also have our Openfire Jabber server authenticating successfully. Those
> settings are
>
> ldap.autoFollowAliasReferrals = true
> ldap.autoFollowReferrals = false
> ldap.baseDN = dc=example,dc=com
> ldap.connectionPoolEnabled = true
> ldap.debugEnabled = false
> ldap.emailField = mail
> ldap.encloseDNs = true
> ldap.groupDescriptionField = description
> ldap.groupMemberField = member
> ldap.groupNameField = cn
> ldap.groupSearchFilter = (objectClass=group)
> ldap.host = domain_controller.example.com
> ldap.ldapDebugEnabled = false
> ldap.nameField = cn
> ldap.port = 389
> ldap.searchFilter = (objectClass=*)
> ldap.usernameField = sAMAccountName
>
> I know they don't match up exactly in terms of what Openfire calls the
> settings vs. what RT does, but I'm hoping someone can help me sort out what
> should be plugged in where on the RT side. For example, I don't know what
> the group_attr or group_attr_value setting should contain (if anything) in
> the RT_SiteConfig.pm file. Basically, anything from the "group" settings.
>
> -Mathew
>
> "When you do things right, people won't be sure you've done anything at
> all." - God; Futurama
>
> "We'll get along much better once you accept that you're wrong and
> neither am I." - Me
>
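Two points the thread turns on, as an added Python sketch (not code from the thread or from RT-Authen-ExternalAuth): Jeff's `d_filter` is AD's bitwise-AND matching rule on the ACCOUNTDISABLE bit of userAccountControl (the 512 in the ldapsearch output above means enabled; 514 would be disabled), and a bind `user` for an OU such as "Special Accounts" is simply a DN in which an interior space needs no escaping. The LDIF entry below is constructed.

```python
ACCOUNTDISABLE = 0x0002  # the "=2" in the d_filter above (bit 1 of userAccountControl)

# Constructed entry, modelled on the ldapsearch output quoted above; the
# 'Special Accounts' OU is the one asked about in the thread.
SAMPLE_LDIF = """\
dn: CN=User Name,OU=Special Accounts,DC=example,DC=com
objectClass: top
objectClass: user
sAMAccountName: user
userAccountControl: 512
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lower: [values]}, joining
    continuation lines (those that start with a single space)."""
    joined = []
    for raw in text.splitlines():
        if raw.startswith(" ") and joined:
            joined[-1] += raw[1:]
        else:
            joined.append(raw)
    entry = {}
    for line in joined:
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        entry.setdefault(attr.lower(), []).append(value)
    return entry

def d_filter_matches(entry, bit=ACCOUNTDISABLE):
    """True when AD's bitwise-AND matching rule (the d_filter above) would
    match, i.e. when RT would treat the account as disabled."""
    uac = int(entry.get("useraccountcontrol", ["0"])[0])
    return (uac & bit) == bit

def escape_rdn_value(value):
    """Escape an RDN value per RFC 4514 section 2.4: special characters get
    a backslash; a leading '#' or space and a trailing space are escaped;
    an interior space (as in 'Special Accounts') is left alone."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out

def build_dn(*rdns):
    """Build a bind DN from (attribute, value) pairs, leaf first."""
    return ",".join(f"{a}={escape_rdn_value(v)}" for a, v in rdns)
```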