[rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

Mathew Snyder mathew.snyder at gmail.com
Fri Oct 18 21:10:02 EDT 2013


I have solved this problem!

I had the $AutoCreateNonExternalUsers set to 0. I changed it to 1.

I completely misinterpreted this setting. I have an AD account which I
thought would be considered internal and therefore be created when I first
logged in.

Frankly, I'm still confused about what I was thinking. Either way, it works.


-Mathew

"When you do things right, people won't be sure you've done anything at
all." - God; Futurama

"We'll get along much better once you accept that you're wrong and neither
am I." - Me


On Fri, Oct 18, 2013 at 8:57 PM, Mathew Snyder <mathew.snyder at gmail.com> wrote:

> I seem to be getting closer. I'm down to only the "FAILED LOGIN for user
> from..." error.
>
> I've found that in order to get down to just that I have to include the
> domain in the username either as
>
>    - domain\user
>    - domain.local\user
>    - user at domain
>    - user at domain.local
>
> However, if I use just the username I get
>
> [3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value
> $_[1] in join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42.
> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:607)
> [3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value
> $service in hash element at
> /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
> line 611.
> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:611)
> [3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value in
> string eq at
> /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
> line 613.
> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:613)
> [3221] [Sat Oct 19 00:44:37 2013] [info]:
> RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: ,
> EmailAddress: , Gecos: user, Name: user, Privileged:
>  (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:685)
> [3221] [Sat Oct 19 00:44:37 2013] [error]: Couldn't create user user:
> Could not set user info
> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:278)
> [3221] [Sat Oct 19 00:44:37 2013] [error]: FAILED LOGIN for user from
> 192.168.236.119 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:814)
>
> The domain does not seem to be getting passed as part of the username when
> I attempt to log in. Interestingly, though, when I don't use the domain, I
> do get the info line in the log which contains bits of information that
> wouldn't otherwise be returned from AD. If I do use the domain that doesn't
> get returned, but I'm still unable to log in.
>
> I know my credentials are accurate because they are the same as I use to
> log into our VPN and that is tied to AD.
>
> My current settings:
>
> Set($ExternalAuthPriority,  [ 'AD' ] );
> Set($ExternalServiceUsesSSLorTLS,    0);
> Set($AutoCreateNonExternalUsers,    0);
> Set($ExternalSettings, {
>     'AD'       =>  {
>         'type'                      =>  'ldap',
>         'server'                    =>  'dc1.domain.local',
>         'base'                      =>  'dc=domain,dc=local',
>         'user'                      =>  'rtuser',
>         'pass'                      =>  'xxxxxxxx',
>         'filter'                    =>  '(ObjectClass=*)',
>         'd_filter'                  =>  '(userAccountControl:1.2.840.113556.1.4.803=2)',
>         'group_scope'               =>  'base',
>         'tls'                       =>  0,
>         'ssl_version'               =>  3,
>         'net_ldap_args'             => [    version =>  3   ],
>         'attr_match_list' => [
>             'Name',
>         ],
>         'attr_map' => {
>             'Name' => 'sAMAccountName',
>             'EmailAddress' => 'mail',
>             'Organization' => 'physicalDeliveryOfficeName',
>             'RealName' => 'cn',
>             'ExternalAuthId' => 'sAMAccountName',
>             'Gecos' => 'sAMAccountName',
>             'WorkPhone' => 'telephoneNumber',
>             'Address1' => 'streetAddress',
>             'City' => 'l',
>             'State' => 'st',
>             'Zip' => 'postalCode',
>             'Country' => 'co'
>         },
>     },
> } );
>
> Further assistance will be appreciated.
>
> -Mathew
>
> "When you do things right, people won't be sure you've done anything at
> all." - God; Futurama
>
> "We'll get along much better once you accept that you're wrong and
> neither am I." - Me
>
>
> On Fri, Oct 18, 2013 at 8:08 PM, Mathew Snyder <mathew.snyder at gmail.com> wrote:
>
>> I've actually been trying to get debugging turned on for a few days now.
>> I've set all of the variables:
>>
>> Set( $LogToSTDERR, 'debug' );
>> Set( $LogToFile, 'debug' );
>> Set( $LogDir, '/var/log/' );
>> Set( $LogToFileNamed, 'rt.log' );
>> Set( $LogToSyslog, 'debug' );
>>
>> I'm not getting any detailed information at all. In fact, the rt.log file
>> isn't even being created. I had tried to set the directory to /opt/rt4/log,
>> but the file wasn't being created there, either.
>>
>>
>>
>>
>> -Mathew
>>
>> "When you do things right, people won't be sure you've done anything at
>> all." - God; Futurama
>>
>> "We'll get along much better once you accept that you're wrong and
>> neither am I." - Me
>>
>>
>> On Fri, Oct 18, 2013 at 7:51 AM, Parish, Brent <bparish at cognex.com> wrote:
>>
>>> Hi Mathew
>>>
>>> It sounds to me like you were authenticating ok initially, but getting
>>> an error in creating the user.
>>>
>>> And to answer your initial question about the group and group_attr
>>> settings, I don't use those at all and it works fine for me.
>>>
>>> I would recommend putting things back to how you first had them (to
>>> generate the error you originally posted), turn the log level up to debug,
>>> and try again.
>>>
>>> There are some debug statements within that method that may help
>>> identify where it is choking.
>>>
>>> - Brent
>>>
>>>
>>> From: Mathew Snyder [mailto:mathew.snyder at gmail.com]
>>> Sent: Thursday, October 17, 2013 1:50 PM
>>> To: Jeff Solberg
>>> Cc: rt-users at lists.bestpractical.com
>>> Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth
>>> LDAP settings, please
>>>
>>> I found another thread that indicated that the solution to the second
>>> problem was to add @domain to the end of the username. That just reverted
>>> to the previous list of errors with a couple new ones.
>>>
>>> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $_[1] in
>>> join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42.
>>> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $service
>>> in hash element at
>>> /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
>>> line 611.
>>> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value in string
>>> eq at
>>> /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
>>> line 613.
>>> Oct 17 16:47:50 zen-rt RT: [24673]
>>> RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: ,
>>> EmailAddress: , Gecos: user, Name: user, Privileged:
>>> Oct 17 16:47:50 zen-rt RT: [24673] Couldn't create user user: Could not
>>> set user info
>>> Oct 17 16:47:50 zen-rt RT: [24673] FAILED LOGIN for user from
>>> 192.168.236.102
>>>
>>>
>>> From: rt-users-bounces at lists.bestpractical.com [mailto:
>>> rt-users-bounces at lists.bestpractical.com] On Behalf Of Mathew Snyder
>>> Sent: Thursday, October 17, 2013 1:19 PM
>>> To: rt-users at lists.bestpractical.com
>>> Subject: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP
>>> settings, please
>>>
>>> These are the settings I've started with:
>>>
>>> Set($ExternalSettings, {
>>>     'AD'       =>  {
>>>         'type'                      =>  'ldap',
>>>         'server'                    =>  'domain_controller.example.com',
>>>         'base'                      =>  'dc=example,dc=com',
>>>         'user'                      =>  'rtuser',
>>>         'pass'                      =>  '********',
>>>         'filter'                    =>  '(ObjectClass=*)',
>>>         'tls'                       =>  0,
>>>         'ssl_version'               =>  3,
>>>         'net_ldap_args'             => [    version =>  3   ],
>>>         'attr_match_list' => [
>>>             'EmailAddress',
>>>         ],
>>>         'attr_map' => {
>>>             'Name' => 'sAMAccountName',
>>>             'EmailAddress' => 'mail',
>>>             'RealName' => 'cn',
>>>         },
>>>     },
>>> } );
>>>
>>> They aren't working. Whenever someone attempts an initial login with
>>> just their username (which should create their RT account) the following
>>> error is logged:
>>>
>>> Oct 17 15:02:29 zen-rt RT: [23131] Use of uninitialized value in string
>>> eq at
>>> /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
>>> line 613.
>>> Oct 17 15:02:29 zen-rt RT: [23131]
>>> RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: ,
>>> EmailAddress: , Gecos: user, Name: user, Privileged:
>>> Oct 17 16:14:01 zen-rt RT: [24382] Couldn't create user user: Could not
>>> set user info
>>> Oct 17 16:14:01 zen-rt RT: [24382] FAILED LOGIN for user from
>>> 192.168.236.102
>>>
>>> When initial logins are attempted with either example\username or
>>> example.com\username only the FAILED LOGIN line is displayed.
>>>
>>> We also have our Openfire Jabber server authenticating successfully.
>>> Those settings are
>>>
>>> ldap.autoFollowAliasReferrals = true
>>> ldap.autoFollowReferrals = false
>>> ldap.baseDN = dc=example,dc=com
>>> ldap.connectionPoolEnabled = true
>>> ldap.debugEnabled = false
>>> ldap.emailField = mail
>>> ldap.encloseDNs = true
>>> ldap.groupDescriptionField = description
>>> ldap.groupMemberField = member
>>> ldap.groupNameField = cn
>>> ldap.groupSearchFilter = (objectClass=group)
>>> ldap.host = domain_controller.example.com
>>> ldap.ldapDebugEnabled = false
>>> ldap.nameField = cn
>>> ldap.port = 389
>>> ldap.searchFilter = (objectClass=*)
>>> ldap.usernameField = sAMAccountName
>>>
>>> I know they don't match up exactly in terms of what Openfire calls the
>>> settings vs. what RT does, but I'm hoping someone can help me sort out what
>>> should be plugged in where on the RT side. For example, I don't know what
>>> the group_attr or group_attr_value setting should contain (if anything) in
>>> the RT_SiteConfig.pm file. Basically, anything from the "group" settings.
>>>
>>> -Mathew
>>>
>>> "When you do things right, people won't be sure you've done anything at
>>> all." - God; Futurama
>>>
>>> "We'll get along much better once you accept that you're wrong and
>>> neither am I." - Me
>>>
>>>
>>
>>
>
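The thread's working configuration relies on a `d_filter` of the form `(userAccountControl:1.2.840.113556.1.4.803=2)` to keep disabled Active Directory accounts out of RT. That filter is an RFC 4515 extensible match on the AD bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) against the ACCOUNTDISABLE bit (0x0002) of `userAccountControl`, and the RFC syntax for an extensible match is `attr:OID:=value`, with a colon before the `=`. A filter without that colon is not an extensible match at all; a server evaluates it as an ordinary equality test on an attribute name it does not recognise, so it silently matches nobody and disabled accounts keep logging in. The following Python is an added example, not code from the thread or from RT-Authen-ExternalAuth: it parses a single bitwise filter, rejects the colon-less form, and evaluates the filter against a few constructed AD-style entries so the effect of the flag bits can be checked offline before the filter goes into RT_SiteConfig.pm. The entry values, account names and helper names are all assumptions made for the example.

```python
import re

# Matching-rule OIDs that Active Directory defines for bitwise filters.
BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"    # LDAP_MATCHING_RULE_BIT_OR
ACCOUNTDISABLE = 0x0002              # userAccountControl flag for a disabled account

# RFC 4515 extensible match restricted to the bitwise case: (attr:OID:=integer)
_EXT_MATCH = re.compile(
    r"^\((?P<attr>[A-Za-z][\w-]*):(?P<rule>\d+(?:\.\d+)+):=(?P<value>\d+)\)$"
)


def parse_bitwise_filter(filter_str):
    """Return (attribute, rule OID, mask) or raise ValueError on bad syntax."""
    m = _EXT_MATCH.match(filter_str.strip())
    if not m:
        raise ValueError(
            "not an RFC 4515 extensible bitwise match; expected "
            "(attr:OID:=value): %r" % filter_str
        )
    rule = m.group("rule")
    if rule not in (BIT_AND, BIT_OR):
        raise ValueError("unsupported matching rule OID %s" % rule)
    return m.group("attr"), rule, int(m.group("value"))


def filter_is_valid(filter_str):
    """True if the string parses as a bitwise extensible match."""
    try:
        parse_bitwise_filter(filter_str)
        return True
    except ValueError:
        return False


def entry_matches(entry, filter_str):
    """Evaluate the bitwise filter against one entry (a dict of attribute -> value)."""
    attr, rule, mask = parse_bitwise_filter(filter_str)
    try:
        value = int(entry[attr])
    except (KeyError, TypeError, ValueError):
        return False  # attribute absent or not an integer: no match
    if rule == BIT_AND:
        return value & mask == mask  # every bit of the mask is set
    return value & mask != 0         # at least one bit of the mask is set


# Constructed sample entries (hypothetical; not taken from the thread).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": "512"},    # NORMAL_ACCOUNT
    {"sAMAccountName": "bob", "userAccountControl": "514"},      # NORMAL_ACCOUNT | ACCOUNTDISABLE
    {"sAMAccountName": "svc", "userAccountControl": "66048"},    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    {"sAMAccountName": "old", "userAccountControl": "66050"},    # the above plus ACCOUNTDISABLE
]

# The RFC 4515 form of the disabled-account filter used as RT's d_filter.
DISABLED_FILTER = "(userAccountControl:%s:=%d)" % (BIT_AND, ACCOUNTDISABLE)


def disabled_accounts(entries=SAMPLE_ENTRIES, filter_str=DISABLED_FILTER):
    """Names of the entries that the d_filter would mark as disabled."""
    return sorted(e["sAMAccountName"] for e in entries if entry_matches(e, filter_str))


if __name__ == "__main__":
    print("d_filter:", DISABLED_FILTER)
    print("disabled:", disabled_accounts())
    print("colon-less form valid?",
          filter_is_valid("(userAccountControl:1.2.840.113556.1.4.803=2)"))
```

Running the block prints the two accounts whose ACCOUNTDISABLE bit is set and reports the colon-less variant as invalid. The same parse-then-evaluate split is what an LDAP server does, which is why a syntactically wrong filter fails quietly rather than loudly: the check is cheap and belongs in whatever review step puts the filter into production.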