[rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
Mathew Snyder
mathew.snyder at gmail.com
Fri Oct 18 20:57:04 EDT 2013
I seem to be getting closer. I'm down to only the "FAILED LOGIN for user
from..." error.
I've found that in order to get down to just that I have to include the
domain in the username either as
- domain\user
- domain.local\user
- user@domain
- user@domain.local
However, if I use just the username I get
[3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value $_[1] in join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42. (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:607)
[3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value $service in hash element at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 611. (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:611)
[3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613. (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:613)
[3221] [Sat Oct 19 00:44:37 2013] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged: (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:685)
[3221] [Sat Oct 19 00:44:37 2013] [error]: Couldn't create user user: Could not set user info (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:278)
[3221] [Sat Oct 19 00:44:37 2013] [error]: FAILED LOGIN for user from 192.168.236.119 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:814)
The domain does not seem to be getting passed as part of the username when
I attempt to log in. Interestingly, though, when I don't use the domain, I
do get the info line in the log which contains bits of information that
wouldn't otherwise be returned from AD. If I do use the domain that doesn't
get returned, but I'm still unable to log in.
I know my credentials are accurate because they are the same as I use to
log into our VPN and that is tied to AD.
My current settings:
Set($ExternalAuthPriority, [ 'AD' ] );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
    'AD' => {
        'type' => 'ldap',
        'server' => 'dc1.domain.local',
        'base' => 'dc=domain,dc=local',
        'user' => 'rtuser',
        'pass' => 'xxxxxxxx',
        'filter' => '(ObjectClass=*)',
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803=2)',
        'group_scope' => 'base',
        'tls' => 0,
        'ssl_version' => 3,
        'net_ldap_args' => [ version => 3 ],
        'attr_match_list' => [
            'Name',
        ],
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'Organization' => 'physicalDeliveryOfficeName',
            'RealName' => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos' => 'sAMAccountName',
            'WorkPhone' => 'telephoneNumber',
            'Address1' => 'streetAddress',
            'City' => 'l',
            'State' => 'st',
            'Zip' => 'postalCode',
            'Country' => 'co'
        },
    },
} );
Further assistance will be appreciated.
-Mathew
"When you do things right, people won't be sure you've done anything at
all." - God; Futurama
"We'll get along much better once you accept that you're wrong and neither
am I." - Me
On Fri, Oct 18, 2013 at 8:08 PM, Mathew Snyder <mathew.snyder at gmail.com> wrote:
> I've actually been trying to get debugging turned on for a few days now.
> I've set all of the variables:
>
> Set( $LogToSTDERR, 'debug' );
> Set( $LogToFile, 'debug' );
> Set( $LogDir, '/var/log/' );
> Set( $LogToFileNamed, 'rt.log' );
> Set( $LogToSyslog, 'debug' );
>
> I'm not getting any detailed information at all. In fact, the rt.log file
> isn't even being created. I had tried to set the directory to /opt/rt4/log,
> but the file wasn't being created there, either.
>
>
>
>
> -Mathew
>
> "When you do things right, people won't be sure you've done anything at
> all." - God; Futurama
>
> "We'll get along much better once you accept that you're wrong and
> neither am I." - Me
>
>
> On Fri, Oct 18, 2013 at 7:51 AM, Parish, Brent <bparish at cognex.com> wrote:
>
>> Hi Matthew
>>
>> It sounds to me like you were authenticating ok initially, but getting an
>> error in creating the user.
>>
>> And to answer your initial question about the group and group_attr
>> settings, I don’t use those at all and it works fine for me.
>>
>> I would recommend putting things back to how you first had them (to
>> generate the error you originally posted), turn the log level up to debug,
>> and try again.
>>
>> There are some debug statements within that method that may help identify
>> where it is choking.
>>
>> - Brent
>>
>> *From:* Mathew Snyder [mailto:mathew.snyder at gmail.com]
>> *Sent:* Thursday, October 17, 2013 1:50 PM
>> *To:* Jeff Solberg
>> *Cc:* rt-users at lists.bestpractical.com
>> *Subject:* Re: [rt-users] I need help with the RT-Authen-ExternalAuth
>> LDAP settings, please
>>
>> I found another thread that indicated that the solution to the second
>> problem was to add @domain to the end of the username. That just reverted
>> to the previous list of errors with a couple new ones.
>>
>> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $_[1] in join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42.
>> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $service in hash element at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 611.
>> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
>> Oct 17 16:47:50 zen-rt RT: [24673] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
>> Oct 17 16:47:50 zen-rt RT: [24673] Couldn't create user user: Could not set user info
>> Oct 17 16:47:50 zen-rt RT: [24673] FAILED LOGIN for user from 192.168.236.102
>>
>> *From:* rt-users-bounces at lists.bestpractical.com [mailto:
>> rt-users-bounces at lists.bestpractical.com] *On Behalf Of *Mathew Snyder
>> *Sent:* Thursday, October 17, 2013 1:19 PM
>> *To:* rt-users at lists.bestpractical.com
>> *Subject:* [rt-users] I need help with the RT-Authen-ExternalAuth LDAP
>> settings, please
>>
>> These are the settings I've started with:
>>
>> Set($ExternalSettings, {
>>     'AD' => {
>>         'type' => 'ldap',
>>         'server' => 'domain_controller.example.com',
>>         'base' => 'dc=example,dc=com',
>>         'user' => 'rtuser',
>>         'pass' => '********',
>>         'filter' => '(ObjectClass=*)',
>>         'tls' => 0,
>>         'ssl_version' => 3,
>>         'net_ldap_args' => [ version => 3 ],
>>         'attr_match_list' => [
>>             'EmailAddress',
>>         ],
>>         'attr_map' => {
>>             'Name' => 'sAMAccountName',
>>             'EmailAddress' => 'mail',
>>             'RealName' => 'cn',
>>         },
>>     },
>> } );
>>
>> They aren't working. Whenever someone attempts an initial login with just
>> their username (which should create their RT account) the following error
>> is logged:
>>
>> Oct 17 15:02:29 zen-rt RT: [23131] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
>> Oct 17 15:02:29 zen-rt RT: [23131] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
>> Oct 17 16:14:01 zen-rt RT: [24382] Couldn't create user user: Could not set user info
>> Oct 17 16:14:01 zen-rt RT: [24382] FAILED LOGIN for user from 192.168.236.102
>>
>> When initial logins are attempted with either example\username or
>> example.com\username only the FAILED LOGIN line is displayed.
>>
>> We also have our Openfire Jabber server authenticating successfully.
>> Those settings are
>>
>> ldap.autoFollowAliasReferrals = true
>> ldap.autoFollowReferrals = false
>> ldap.baseDN = dc=example,dc=com
>> ldap.connectionPoolEnabled = true
>> ldap.debugEnabled = false
>> ldap.emailField = mail
>> ldap.encloseDNs = true
>> ldap.groupDescriptionField = description
>> ldap.groupMemberField = member
>> ldap.groupNameField = cn
>> ldap.groupSearchFilter = (objectClass=group)
>> ldap.host = domain_controller.example.com
>> ldap.ldapDebugEnabled = false
>> ldap.nameField = cn
>> ldap.port = 389
>> ldap.searchFilter = (objectClass=*)
>> ldap.usernameField = sAMAccountName
>>
>> I know they don't match up exactly in terms of what Openfire calls the
>> settings vs. what RT does, but I'm hoping someone can help me sort out what
>> should be plugged in where on the RT side. For example, I don't know what
>> the group_attr or group_attr_value setting should contain (if anything) in
>> the RT_SiteConfig.pm file. Basically, anything from the "group" settings.
>>
>> -Mathew
>>
>> "When you do things right, people won't be sure you've done anything at
>> all." - God; Futurama
>>
>> "We'll get along much better once you accept that you're wrong and
>> neither am I." - Me
>>
>
>
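
Added example (not part of the original message, and not code from RT-Authen-ExternalAuth): how each login form listed in the message turns into an LDAP search filter when 'Name' is mapped to sAMAccountName. It assumes the directory lookup is the configured 'filter' ANDed with the mapped attribute set to the login string as typed; the helper names are hypothetical.

```perl
#!/usr/bin/perl
# Added example; helper names are hypothetical, not RT-Authen-ExternalAuth code.
use strict;
use warnings;

# RFC 4515: a literal backslash, '*', '(', ')' or NUL inside a filter value
# must be written as a backslash followed by two hex digits.
sub escape_filter_value {
    my ($value) = @_;
    $value =~ s/([\\*()\0])/sprintf('\\%02x', ord $1)/ge;
    return $value;
}

# Reduce domain\user and user@domain to the bare account name, which is
# what Active Directory stores in sAMAccountName.
sub bare_account {
    my ($login) = @_;
    return $1 if $login =~ /^[^\\]+\\(.+)$/;    # domain\user
    return $1 if $login =~ /^([^\@]+)\@.+$/;    # user@domain
    return $login;
}

# Assumption: the lookup is the configured 'filter' ANDed with
# <attr_map Name>=<login string>.
sub user_filter {
    my ($base_filter, $attr, $login) = @_;
    return sprintf '(&%s(%s=%s))', $base_filter, $attr,
        escape_filter_value($login);
}

# Filter and attribute come from the posted config; the logins are the
# forms listed in the message.
my $base_filter = '(ObjectClass=*)';
my $name_attr   = 'sAMAccountName';
my @logins = ('user', 'domain\user', 'domain.local\user',
              'user@domain', 'user@domain.local');

for my $login (@logins) {
    printf "%-20s as typed:   %s\n", $login,
        user_filter($base_filter, $name_attr, $login);
    printf "%-20s normalized: %s\n", '',
        user_filter($base_filter, $name_attr, bare_account($login));
}
```

Under that assumption, only the bare name can equal a sAMAccountName value; the domain-qualified forms build a filter that no entry matches, and the escaping keeps a typed backslash, asterisk or parenthesis from being read as filter syntax.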