[rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

Mathew Snyder mathew.snyder at gmail.com
Fri Oct 18 20:57:04 EDT 2013


I seem to be getting closer. I'm down to only the "FAILED LOGIN for user
from..." error.

I've found that in order to get down to just that I have to include the
domain in the username either as

   - domain\user
   - domain.local\user
   - user@domain
   - user@domain.local

However, if I use just the username I get

[3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value
$_[1] in join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42.
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:607)
[3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value
$service in hash element at
/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
line 611.
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:611)
[3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value in
string eq at
/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
line 613.
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:613)
[3221] [Sat Oct 19 00:44:37 2013] [info]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: ,
EmailAddress: , Gecos: user, Name: user, Privileged:
 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:685)
[3221] [Sat Oct 19 00:44:37 2013] [error]: Couldn't create user user: Could
not set user info
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:278)
[3221] [Sat Oct 19 00:44:37 2013] [error]: FAILED LOGIN for user from
192.168.236.119 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:814)

The domain does not seem to be getting passed as part of the username when
I attempt to log in. Interestingly, though, when I don't use the domain, I
do get the info line in the log which contains bits of information that
wouldn't otherwise be returned from AD. If I do use the domain that doesn't
get returned, but I'm still unable to log in.

I know my credentials are accurate because they are the same as I use to
log into our VPN and that is tied to AD.

My current settings:

Set($ExternalAuthPriority,  [ 'AD' ] );
Set($ExternalServiceUsesSSLorTLS,    0);
Set($AutoCreateNonExternalUsers,    0);
Set($ExternalSettings, {
    'AD'       =>  {
        'type'                      =>  'ldap',
        'server'                    =>  'dc1.domain.local',
        'base'                      =>  'dc=domain,dc=local',
        'user'                      =>  'rtuser',
        'pass'                      =>  'xxxxxxxx',
        'filter'                    =>  '(ObjectClass=*)',
        'd_filter'                  =>  '(userAccountControl:1.2.840.113556.1.4.803=2)',
        'group_scope'               =>  'base',
        'tls'                       =>  0,
        'ssl_version'               =>  3,
        'net_ldap_args'             => [    version =>  3   ],
        'attr_match_list' => [
            'Name',
        ],
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'Organization' => 'physicalDeliveryOfficeName',
            'RealName' => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos' => 'sAMAccountName',
            'WorkPhone' => 'telephoneNumber',
            'Address1' => 'streetAddress',
            'City' => 'l',
            'State' => 'st',
            'Zip' => 'postalCode',
            'Country' => 'co'
        },
    },
} );

Further assistance will be appreciated.

-Mathew

"When you do things right, people won't be sure you've done anything at
all." - God; Futurama

"We'll get along much better once you accept that you're wrong and neither
am I." - Me


On Fri, Oct 18, 2013 at 8:08 PM, Mathew Snyder <mathew.snyder at gmail.com> wrote:

> I've actually been trying to get debugging turned on for a few days now.
> I've set all of the variables:
>
> Set( $LogToSTDERR, 'debug' );
> Set( $LogToFile, 'debug' );
> Set( $LogDir, '/var/log/' );
> Set( $LogToFileNamed, 'rt.log' );
> Set( $LogToSyslog, 'debug' );
>
> I'm not getting any detailed information at all. In fact, the rt.log file
> isn't even being created. I had tried to set the directory to /opt/rt4/log,
> but the file wasn't being created there, either.
>
>
>
>
> -Mathew
>
> "When you do things right, people won't be sure you've done anything at
> all." - God; Futurama
>
> "We'll get along much better once you accept that you're wrong and
> neither am I." - Me
>
>
> On Fri, Oct 18, 2013 at 7:51 AM, Parish, Brent <bparish at cognex.com> wrote:
>
>> Hi Matthew
>>
>> It sounds to me like you were authenticating ok initially, but getting an
>> error in creating the user.
>>
>> And to answer your initial question about the group and group_attr
>> settings, I don't use those at all and it works fine for me.
>>
>> I would recommend putting things back to how you first had them (to
>> generate the error you originally posted), turn the log level up to debug,
>> and try again.
>>
>> There are some debug statements within that method that may help identify
>> where it is choking.
>>
>> - Brent
>>
>> From: Mathew Snyder [mailto:mathew.snyder at gmail.com]
>> Sent: Thursday, October 17, 2013 1:50 PM
>> To: Jeff Solberg
>> Cc: rt-users at lists.bestpractical.com
>> Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth
>> LDAP settings, please
>>
>>
>> I found another thread that indicated that the solution to the second
>> problem was to add @domain to the end of the username. That just reverted
>> to the previous list of errors with a couple new ones.
>>
>> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $_[1] in
>> join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42.
>> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $service in
>> hash element at
>> /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
>> line 611.
>> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value in string
>> eq at
>> /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
>> line 613.
>> Oct 17 16:47:50 zen-rt RT: [24673]
>> RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: ,
>> EmailAddress: , Gecos: user, Name: user, Privileged:
>> Oct 17 16:47:50 zen-rt RT: [24673] Couldn't create user user: Could not
>> set user info
>> Oct 17 16:47:50 zen-rt RT: [24673] FAILED LOGIN for user from
>> 192.168.236.102
>>
>> From: rt-users-bounces at lists.bestpractical.com [mailto:
>> rt-users-bounces at lists.bestpractical.com] On Behalf Of Mathew Snyder
>> Sent: Thursday, October 17, 2013 1:19 PM
>> To: rt-users at lists.bestpractical.com
>> Subject: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP
>> settings, please
>>
>>
>> These are the settings I've started with:
>>
>> Set($ExternalSettings, {
>>     'AD'       =>  {
>>         'type'                      =>  'ldap',
>>         'server'                    =>  'domain_controller.example.com',
>>         'base'                      =>  'dc=example,dc=com',
>>         'user'                      =>  'rtuser',
>>         'pass'                      =>  '********',
>>         'filter'                    =>  '(ObjectClass=*)',
>>         'tls'                       =>  0,
>>         'ssl_version'               =>  3,
>>         'net_ldap_args'             => [    version =>  3   ],
>>         'attr_match_list' => [
>>             'EmailAddress',
>>         ],
>>         'attr_map' => {
>>             'Name' => 'sAMAccountName',
>>             'EmailAddress' => 'mail',
>>             'RealName' => 'cn',
>>         },
>>     },
>> } );
>>
>>
>> They aren't working. Whenever someone attempts an initial login with just
>> their username (which should create their RT account) the following error
>> is logged:
>>
>> Oct 17 15:02:29 zen-rt RT: [23131] Use of uninitialized value in string
>> eq at
>> /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
>> line 613.
>> Oct 17 15:02:29 zen-rt RT: [23131]
>> RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: ,
>> EmailAddress: , Gecos: user, Name: user, Privileged:
>> Oct 17 16:14:01 zen-rt RT: [24382] Couldn't create user user: Could not
>> set user info
>> Oct 17 16:14:01 zen-rt RT: [24382] FAILED LOGIN for user from
>> 192.168.236.102
>>
>> When initial logins are attempted with either example\username or
>> example.com\username only the FAILED LOGIN line is displayed.
>>
>> We also have our Openfire Jabber server authenticating successfully.
>> Those settings are
>>
>> ldap.autoFollowAliasReferrals = true
>> ldap.autoFollowReferrals = false
>> ldap.baseDN = dc=example,dc=com
>> ldap.connectionPoolEnabled = true
>> ldap.debugEnabled = false
>> ldap.emailField = mail
>> ldap.encloseDNs = true
>> ldap.groupDescriptionField = description
>> ldap.groupMemberField = member
>> ldap.groupNameField = cn
>> ldap.groupSearchFilter = (objectClass=group)
>> ldap.host = domain_controller.example.com
>> ldap.ldapDebugEnabled = false
>> ldap.nameField = cn
>> ldap.port = 389
>> ldap.searchFilter = (objectClass=*)
>> ldap.usernameField = sAMAccountName
>>
>> I know they don't match up exactly in terms of what Openfire calls the
>> settings vs. what RT does, but I'm hoping someone can help me sort out what
>> should be plugged in where on the RT side. For example, I don't know what
>> the group_attr or group_attr_value setting should contain (if anything) in
>> the RT_SiteConfig.pm file. Basically, anything from the "group" settings.
>>
>> -Mathew
>>
>> "When you do things right, people won't be sure you've done anything at
>> all." - God; Futurama
>>
>> "We'll get along much better once you accept that you're wrong and
>> neither am I." - Me
>>
>>
>
>
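Added example, not part of the thread and not code from RT-Authen-ExternalAuth: a small Python model of what the posted 'AD' block turns a login name into (the LDAP search filter, with RFC 4515 escaping of the name) and what attr_map turns a returned AD entry into. The filter shape, the helper names and the constructed AD entry are assumptions; only the settings values are taken from the post.

```python
"""Added example (not RT's code): models how an ExternalAuth-style LDAP lookup
turns a login name into a search filter, and how attr_map turns the returned
entry into RT user info.  Settings mirror the 'AD' block posted in this thread."""

# Constructed: the subset of the posted 'AD' settings this example needs.
AD_SETTINGS = {
    "base": "dc=domain,dc=local",
    "filter": "(ObjectClass=*)",
    "d_filter": "(userAccountControl:1.2.840.113556.1.4.803=2)",
    "attr_match_list": ["Name"],
    "attr_map": {
        "Name": "sAMAccountName",
        "EmailAddress": "mail",
        "RealName": "cn",
        "Gecos": "sAMAccountName",
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP filter.

    Backslash, '*', '(', ')', NUL and every non-ASCII byte become \\xx, so a
    login name can never change the structure of the filter it is put into.
    """
    out = []
    for b in value.encode("utf-8"):
        if b in b"\\*()\x00" or b > 0x7F:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def _match_term(settings: dict, login_name: str) -> str:
    # One equality assertion per attr_match_list field, ORed if there are several.
    attr_map = settings["attr_map"]
    escaped = escape_filter_value(login_name)
    terms = ["(%s=%s)" % (attr_map[field], escaped)
             for field in settings["attr_match_list"]]
    return terms[0] if len(terms) == 1 else "(|%s)" % "".join(terms)


def build_lookup_filter(settings: dict, login_name: str) -> str:
    """Filter for the user lookup: the configured 'filter' ANDed with the
    attr_match_list match.  Assumption: this is the shape the plugin builds."""
    return "(&%s%s)" % (settings["filter"], _match_term(settings, login_name))


def build_disabled_filter(settings: dict, login_name: str) -> str:
    """Same match further restricted by d_filter: a hit means the AD account is
    disabled and the login must be refused even if the password binds."""
    return "(&%s%s%s)" % (settings["filter"],
                          _match_term(settings, login_name),
                          settings["d_filter"])


def canonicalize(settings: dict, entry: dict):
    """Map one LDAP entry (attribute -> list of values) onto RT user fields via
    attr_map.  Returns (info, missing): a field whose attribute came back empty
    is set to '' and named in `missing`, analogous to the posted
    CanonicalizeUserInfo line showing 'EmailAddress: ,' with nothing behind it."""
    info, missing = {}, []
    for rt_field, ldap_attr in settings["attr_map"].items():
        values = entry.get(ldap_attr, [])
        info[rt_field] = values[0] if values else ""
        if not values:
            missing.append(rt_field)
    return info, missing


if __name__ == "__main__":
    for login in ("user", "domain\\user", "user@domain.local", "user)(cn=*"):
        print("%-18s -> %s" % (login, build_lookup_filter(AD_SETTINGS, login)))
    # Constructed entry: sAMAccountName and cn present, no 'mail' attribute.
    entry = {"sAMAccountName": ["user"], "cn": ["Example User"]}
    print(canonicalize(AD_SETTINGS, entry))
```

Running it shows why only the bare name can match with this attr_map: `domain\user` is escaped to `(sAMAccountName=domain\5cuser)` and `user@domain.local` is searched literally, so AD returns no entry for either form and nothing reaches the attribute mapping, which is consistent with the logs above, where the CanonicalizeUserInfo line only appears for the bare username. The escaping also keeps metacharacters in a login name from altering the filter, so `(ObjectClass=*)` stays the only wildcard in it. The d_filter is the LDAP_MATCHING_RULE_BIT_AND check on bit 2 (ACCOUNTDISABLE) of userAccountControl, which is why it must be applied on top of the match rather than instead of it. The constructed entry has no `mail` attribute and the mapping reports EmailAddress as missing; confirming with a standalone search under the same bind account (for example `ldapsearch` with the filter this prints) which attributes that account is actually allowed to read is a useful next check when RT logs an empty EmailAddress.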