[rt-users] Automatically Set "Let this user be granted rights"
Chris Ditri
Cditri at experi-metal.com
Tue Apr 8 09:46:24 EDT 2014
Hi Jon,
I did add the My_SSO_Cookie thing back, just to troubleshoot. Normally, it is not there. I removed it again, however. I removed the second (redundant) ExternalAuthPriority entry. Thanks for that catch.
Using
Plugin( "RT::Authen::ExternalAuth" );
Plugin( "RT::Extension::LDAPImport" );
Doesn't work. I need the "Set(@Plugins..." part.
The interesting thing is that when I do not have "Set(@Plugins, qw(RT::Extension::LDAPImport));" in my config, then I get all the errors in my log file, including the bit about the email already exists (logging is set to debug). If I do have that line in my config, all I get in my log file is "FAILED LOGIN for jjjameson from 118.128.73.X (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)". Even though I have the log file set to debug, I get no more output than a simple login failure.
I tried switching uid to sAMAccountName, but that did no better. With no output in the logs, I'm at a complete loss on how to troubleshoot this. I don't know if using the import carries over the password hash into rt's own database, or if it checks it against the ldap/AD server. Since I can see the rest of the user information, perhaps it has to do with the password itself? I don't know...
Thanks again for your help.
-Chris
From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Jon Witts
Sent: Tuesday, April 08, 2014 3:53 AM
To: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] Automatically Set "Let this user be granted rights"
Hi there,
I can only see you setting the ExternalAuth plugin there, not the LDAPImport plugin too.
Rather than:
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
My Plugins section looks like this:
Plugin( "RT::Authen::ExternalAuth" );
Plugin( "RT::Extension::LDAPImport" );
Also you are setting $ExternalAuthPriority twice, and both times calling ExternalAuths which are not defined ('My_SSO_Cookie', 'My_Oracle','SecondaryLDAP','Other-DB'). I think you should only be doing as follows:
Set($ExternalAuthPriority, [ 'My_LDAP' ]);
I have my ldap bind user defined as a fully qualified ldap string rather than just a username...
In your LDAPImport settings try changing:
Set($LDAPMapping, {Name => 'uid'
To:
Set($LDAPMapping, {Name => 'sAMAccountName',
And as it appears you are using Microsoft AD for your LDAP server it would probably be worth setting:
Set($LDAPSizeLimit, 1000);
Too.
Jon
-----------------------------------------------------
Jon Witts
Director of Digital Strategy
Queen Margaret's School
Escrick Park
York YO19 6EU
Telephone: 01904 727600
Fax: 01904 728150
Website: http://www.queenmargarets.com/
From: Chris Ditri [mailto:Cditri at experi-metal.com]
Sent: 07 April 2014 22:20
To: Jon Witts; rt-users at lists.bestpractical.com
Subject: RE: [rt-users] Automatically Set "Let this user be granted rights"
Hi Jon, and thanks.
Set($WebDomain, 'rt.my-company.com');
Set($LDAPHost, 'QZXW-dc.my-company.com');
Set($LDAPUser, 'cn=rtuser,ou=utility,ou=QZXW Users,dc=my-company,dc=com');
Set($LDAPPassword, 'MyPW1234');
Set($LDAPBase, 'ou=QZXW Users,dc=my-company,dc=com');
Set($LDAPFilter, '(&)');
Set($LDAPUpdateUsers, 1);
Set($LDAPMapping, {
    Name         => 'uid',             # required
    EmailAddress => 'mail',
    RealName     => 'cn',
    WorkPhone    => 'telephoneNumber',
    Organization => 'departmentName',
});
Set($ExternalAuthPriority, [ 'My_LDAP', 'My_SSO_Cookie' ]);
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalInfoPriority, [ 'My_LDAP' ]);
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalAuthPriority, [ 'My_LDAP', 'My_Oracle', 'SecondaryLDAP', 'Other-DB' ]);
Set($ExternalSettings, {                # AN EXAMPLE DB SERVICE
    'My_LDAP' => {                      ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'   => 'ldap',
        # The server hosting the service
        'server' => 'QZXW-dc.my-company.com',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user'   => 'joeadmin@my-company.com',
        # The password RT should use to connect to the LDAP server
        'pass'   => 'majorlycrypticpw',
        #
        # The LDAP search base
        'base'   => 'ou=QZXW USERS,dc=my-company,dc=com',
        #
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        #
        # The filter to use to match RT-Users
        'filter' => '(&)',   ## (I have flip-flopped between this and the one suggested in the generic config, either seems to work)
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter' => '',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        'tls' => 1,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        # What is the attribute for the group object that determines membership?
        # What is the attribute of the user entry that should be matched against group_attr above? (Optional; defaults to 'dn')
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName', 'WorkPhone', 'Address2' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
});
1;
my $zone = "UTC";
$zone = `/bin/cat /etc/timezone` if -f "/etc/timezone";
chomp $zone;
Set($Timezone, $zone);
Set($rtname, 'rt.my-company.com');
Set($Organization, 'RT.my-company.com');
Set($CorrespondAddress, 'maintenance@my-company.com');
Set($CommentAddress, 'maintenance@my-company.com');
Set($RTAddressRegexp, '^maintenance(-comment)?\@(maintenance|rt)\.(my-company\.com|rt\.my-company\.com)$');
Set($WebPath, "/rt");
Set($WebBaseURL, "http://rt.my-company.com");
Set($LogToSyslog, 'debug');
Set($LogToScreen, 'info');
Set($LogToFile, 'debug');              # debug is very noisy
Set($LogDir, '/var/log/request-tracker4');
Set($LogToFileNamed, "rt.log");        # log to rt.log
my %typemap = (
    mysql   => 'mysql',
    pgsql   => 'Pg',
    sqlite3 => 'SQLite',
);
Set($DatabaseType, $typemap{mysql} || "UNKNOWN");
Set($DatabaseHost, 'localhost');
Set($DatabasePort, '');
Set($DatabaseUser, 'rtuser');
Set($DatabasePassword, 'QZXWBuild07');
my $dbc_dbname = 'rtdb';
if ( "mysql" eq "sqlite3" ) {
    Set($DatabaseName, '' . '/' . $dbc_dbname);
} else {
    Set($DatabaseName, $dbc_dbname);
}
1;
________________________________
DISCLAIMER: This message, including all attachments and/or linked documents, is intended for the exclusive use of the individual or entity to which it is addressed and may contain privileged, proprietary and confidential information. You are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited without permission from the author. This notice serves as a confidentiality marking for the purpose of any confidentiality or nondisclosure agreement. If this message has been received in error, please destroy the original message and all copies without reading it and notify Experi-Metal Inc. immediately via telephone at (586) 977-7800.
WARNING: This document may contain technical data whose export is restricted by the Arms Export Control Act (Title 22 U.S.C. 2751, et seq.) International Traffic in Arms Regulations (ITAR). Disclosure of any technical data to foreign persons without prior U.S. Government authorization is strictly prohibited. Violations of these laws and regulations are subject to severe criminal penalties.
Thank you very much for your cooperation.
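Added example (written for this page; it is not code from the thread, from RT, or from RT::Authen::ExternalAuth): a stand-alone Perl script that replays, outside RT, the check ExternalAuth performs for an LDAP service, using the 'My_LDAP' values quoted above. Neither ExternalAuth nor LDAPImport copies a password hash into RT's database, and AD does not expose one over LDAP. ExternalAuth binds with the service account, searches the base for exactly one entry matching (&(<attr_map Name>=<login>)<filter>), checks that the entry does not match d_filter, and then binds again as that entry's DN with the password the user typed; the directory verifies the password during that second bind. Running the stages one at a time shows which one fails when rt.log only reports "FAILED LOGIN". Assumptions: the login attribute is sAMAccountName (the attr_map value above; 'uid' is normally empty on AD), the service-account password is a placeholder to fill in locally, d_filter is the catch-none example from the config comments since d_filter must be a valid filter, and StartTLS is attempted because the posted block sets 'tls' => 1. The bind and database passwords in the quoted config were posted to a public list, so treat them as disclosed and change them before relying on this or any other check.

```perl
#!/usr/bin/perl
# rt-ldap-authcheck.pl: replay the stages RT::Authen::ExternalAuth goes through
# for an LDAP service so each one can be seen to pass or fail. Added example for
# troubleshooting; not part of RT or of the configuration posted in the thread.
#
# Stage 1: bind with the service account ('user'/'pass' in $ExternalSettings)
# Stage 2: search 'base' for exactly one entry matching the login name
#          (attr_map Name) combined with 'filter'
# Stage 3: confirm the entry does NOT match 'd_filter' (disabled users)
# Stage 4: bind again as the found DN with the password the user typed
#
# Usage: perl rt-ldap-authcheck.pl <login> <password>
use strict;
use warnings;
use Net::LDAP;

# Values copied from the 'My_LDAP' block in the thread. The service password
# is a placeholder (assumption: the bind account itself is still valid).
my %cfg = (
    server    => 'QZXW-dc.my-company.com',
    user      => 'joeadmin@my-company.com',
    pass      => 'CHANGE-ME',
    base      => 'ou=QZXW USERS,dc=my-company,dc=com',
    filter    => '(&)',
    d_filter  => '(objectClass=FooBarBaz)',  # catch-none example; must be a valid filter
    tls       => 1,                           # StartTLS before binding, as 'tls' => 1 does
    name_attr => 'sAMAccountName',            # attr_map{Name}; 'uid' is not populated on AD
);

my ($login, $password) = @ARGV;
die "usage: $0 <login> <password>\n" unless defined $login && defined $password;

# Print the outcome of one LDAP operation and stop at the first failure.
sub stage {
    my ($name, $mesg) = @_;
    die sprintf("%s FAILED: %s (LDAP result code %d)\n", $name, $mesg->error, $mesg->code)
        if $mesg->code;
    print "$name ok\n";
}

my $ldap = Net::LDAP->new($cfg{server}, version => 3)
    or die "connect to $cfg{server} failed: $@\n";
stage('StartTLS', $ldap->start_tls()) if $cfg{tls};

# Stage 1: service-account bind
stage('service bind', $ldap->bind($cfg{user}, password => $cfg{pass}));

# Stage 2: ExternalAuth composes (&(<Name attr>=<login>)<filter>). Escape the
# RFC 4515 special characters so a typed login cannot rewrite the filter.
(my $safe_login = $login) =~ s/([\\*()\0])/sprintf('\\%02x', ord $1)/ge;
my $filter = "(&($cfg{name_attr}=$safe_login)$cfg{filter})";
my $search = $ldap->search(base => $cfg{base}, scope => 'sub',
                           filter => $filter, attrs => [ 'mail', 'cn' ]);
stage("search $filter", $search);
die "search matched " . $search->count . " entries, expected exactly 1\n"
    unless $search->count == 1;
my $entry = $search->entry(0);
printf "found %s (mail=%s)\n", $entry->dn, $entry->get_value('mail') // '(none)';

# Stage 3: a hit here means ExternalAuth treats the account as disabled
my $dis = $ldap->search(base => $entry->dn, scope => 'base', filter => $cfg{d_filter});
stage('disabled-user check', $dis);
die "entry matches d_filter; RT would refuse the login as disabled\n" if $dis->count;

# Stage 4: the actual password check. No hash is read from the directory;
# the server verifies the password while processing this bind.
stage('user bind as ' . $entry->dn, $ldap->bind($entry->dn, password => $password));
$ldap->unbind;
print "all stages passed: RT should accept $login via My_LDAP\n";
```

Run it as the user that fails in rt.log, e.g. perl rt-ldap-authcheck.pl jjjameson 'the-password'. A failure at the StartTLS stage points at the 'tls' setting rather than at the account; a search that returns zero entries points at the Name attribute or the base DN; a failure only at the final bind is the password or the account state in AD, which is the case RT's own log collapses into a bare "FAILED LOGIN". The login escaping is not something ExternalAuth itself does, so a login name containing filter metacharacters may still behave differently inside RT.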