[rt-users] Difficulty implementing LDAP/AD Authorization
Alex Peters
alex at peters.net
Wed Jul 30 20:31:05 EDT 2014
RT won't look at any changes you place in example RT_SiteConfig.pm files
included with extensions (if that's why you've included that file in your
previous e-mail). You need to copy the relevant changes into your RT
installation's RT_SiteConfig.pm file.
On 31/07/2014 3:12 am, "Rezty Felty" <rfelty at adknowledge.com> wrote:
> Jxplorer shows successful connection and authentication using the auth
> info I have in rt. Here is my /opt/rt4/etc/RT_SiteConfig.pm:
>
> # Any configuration directives you include here will override
>
> # RT's default configuration file, RT_Config.pm
>
> #
>
> # To include a directive here, just copy the equivalent statement
>
> # from RT_Config.pm and change the value. We've included a single
>
> # sample value below.
>
> #
>
> # This file is actually a perl module, so you can include valid
>
> # perl code, as well.
>
> #
>
> # The converse is also true, if this file isn't valid perl, you're
>
> # going to run into trouble. To check your SiteConfig file, use
>
> # this command:
>
> #
>
> # perl -c /path/to/your/etc/RT_SiteConfig.pm
>
> #
>
> # You must restart your webserver after making changes to this file.
>
>
> Set( $rtname, 'Adknowledge.com');
>
> Set( $WebDomain, 'pkc-tracker02.ak-networks.com');
>
> Set( $WebPort, 443);
>
> # You must install Plugins on your own, this is only an example
>
> # of the correct syntax to use when activating them.
>
> # Plugin( "RT::Extension::QuickDelete" );
>
> # Plugin( "RT::Extension::CommandByMail" );
>
> Set( @Plugins, qw(RT::Authen::ExternalAuth) );
>
> and my /opt/rt4/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm,
> which I would think more important in this case:
>
> =head1 NAME
>
>
> External Authentication Configuration - Sample configs for
> L<RT::Authen::ExternalAuth>
>
>
> =head1 DESCRIPTION
>
>
> L<RT::Authen::ExternalAuth> provides a lot of flexibility
>
> with many configuration options. This file describes these
>
> configuration options and is itself a sample configuration
>
> suitable for dropping into your C<etc/RT_SiteConfig.pm>
>
> file and modifying.
>
>
> =over 4
>
>
> =item C<$ExternalAuthPriority>
>
>
> The order in which the services defined in ExternalSettings
>
> should be used to authenticate users. User is authenticated
>
> if successfully confirmed by any service - no more services
>
> are checked.
>
>
> You should remove services you don't use. For example,
>
> if you're only using My_LDAP, remove My_MySQL and My_SSO_Cookie.
>
>
> =cut
>
>
> Set($ExternalAuthPriority, [ 'My_LDAP',
>
> 'My_MySQL',
>
> 'My_SSO_Cookie'
>
> ]
>
> );
>
>
> =item C<$ExternalInfoPriority>
>
>
> When multiple auth services are available, this value defines
>
> the order in which the services defined in ExternalSettings
>
> should be used to get information about users. This includes
>
> RealName, Tel numbers etc, but also whether or not the user
>
> should be considered disabled.
>
>
> Once a user record is found, no more services are checked.
>
>
> You CANNOT use a SSO cookie to retrieve information.
>
>
> You should remove services you don't use, but you must define
>
> at least one service.
>
>
> =cut
>
>
> Set($ExternalInfoPriority, [ 'My_LDAP',
>
> 'My_MySQL',
>
> ]
>
> );
>
>
> =item C<$ExternalServiceUsesSSLorTLS>
>
>
> If this is set to true, then the relevant packages will
>
> be loaded to use SSL/TLS connections. At the moment,
>
> this just means L<Net::SSLeay>.
>
>
> =cut
>
>
> Set($ExternalServiceUsesSSLorTLS, 0);
>
>
> =item C<$AutoCreateNonExternalUsers>
>
>
> If this is set to 1, then users should be autocreated by RT
>
> as internal users if they fail to authenticate from an
>
> external service. This is useful if you have users outside
>
> your organization who might interface with RT, perhaps by sending
>
> email to a support email address.
>
>
> =cut
>
>
> Set($AutoCreateNonExternalUsers, 0);
>
>
> =item C<$ExternalSettings>
>
>
> These are the full settings for each external service as a HashOfHashes.
>
> Note that you may have as many external services as you wish. They will
>
> be checked in the order specified in $ExternalAuthPriority and
>
> $ExternalInfoPriority directives above.
>
>
> The outer structure is a key with the authentication option (name of
> external
>
> source). The value is a hash reference with configuration keys and values,
>
> for example:
>
>
> Set($ExternalSettings, {
>
> MyLDAP => {
>
> type => 'ldap',
>
> ... other options ...
>
> },
>
> MyMySQL => {
>
> type => 'db',
>
> ... other options ...
>
> },
>
> ... other sources ...
>
> } );
>
>
> As shown above, each description should have 'type' defined.
>
> The following types are supported:
>
>
> =over 4
>
>
> =item ldap
>
>
> Authenticate against and sync information with LDAP servers.
>
> See L<RT::Authen::ExternalAuth::LDAP> for details.
>
>
> =item db
>
>
> Authenticate against and sync information with external RDBMS,
>
> supported by Perl's L<DBI> interface. See L<RT::Authen::ExternalAuth::DBI>
>
> for details.
>
>
> =item cookie
>
>
> Authenticate by cookie. See L<RT::Authen::ExternalAuth::DBI::Cookie>
>
> for details.
>
>
> =back
>
>
> See the modules noted above for configuration options specific to each
> type.
>
> The following apply to all types.
>
>
> =over 4
>
>
> =item attr_match_list
>
>
> The list of RT attributes that uniquely identify a user. These values
>
> are used, in order, to find users in the selected authentication
>
> source. Each value specified here must have a mapping in the
>
> L</"attr_map"> section below. You can remove values you don't
>
> expect to match, but it's recommended to use 'Name' and 'EmailAddress'
>
> at minimum. For example:
>
>
> 'attr_match_list' => [
>
> 'Name',
>
> 'EmailAddress',
>
> ],
>
>
> You should not use items that can map to multiple users (such as a
>
> RealName or building name).
>
>
> =item attr_map
>
>
> Mapping of RT attributes on to attributes in the external source.
>
> Valid keys are attributes of an
>
> L<RT::User|http://bestpractical.com/rt/docs/latest/RT/User.html>.
>
> The values are attributes from your authentication source.
>
> For example, an LDAP mapping might look like:
>
>
> 'attr_map' => {
>
> 'Name' => 'sAMAccountName',
>
> 'EmailAddress' => 'mail',
>
> 'Organization' => 'physicalDeliveryOfficeName',
>
> 'RealName' => 'cn',
>
> ...
>
> },
>
>
> =back
>
>
> =cut
>
>
> Set($ExternalSettings, {
>
> # AN EXAMPLE DB SERVICE
>
> 'My_MySQL' => {
>
> 'type' => 'db',
>
> 'server' => 'server.domain.tld',
>
> 'database' => 'DB_NAME',
>
> 'table' => 'USERS_TABLE',
>
> 'user' => 'DB_USER',
>
> 'pass' => 'DB_PASS',
>
> 'port' => 'DB_PORT',
>
> 'dbi_driver' => 'DBI_DRIVER',
>
> 'u_field' => 'username',
>
> 'p_field' => 'password',
>
> 'p_enc_pkg' => 'Crypt::MySQL',
>
> 'p_enc_sub' => 'password',
>
> 'd_field' => 'disabled',
>
> 'd_values' => ['0'],
>
> 'attr_match_list' => [
>
> 'Gecos',
>
> 'Name',
>
> ],
>
> 'attr_map' => {
>
> 'Name' => 'username',
>
> 'EmailAddress' => 'email',
>
> 'ExternalAuthId' => 'username',
>
> 'Gecos' => 'userID',
>
> },
>
> },
>
> # AN EXAMPLE LDAP SERVICE
>
> 'My_LDAP' => {
>
> 'type' => 'ldap',
>
> 'server' => '10.201.0.200',
>
> 'user' => 'apacheldap at adknowledge.com',
>
> 'pass' => ‘redacted',
>
> 'base' => 'dc=adknowledge,dc=com',
>
> 'filter' => '(FILTER_STRING)',
>
> 'd_filter' => '(FILTER_STRING)',
>
> 'group' => 'GROUP_NAME',
>
> 'group_attr' => 'GROUP_ATTR',
>
> 'tls' => 0,
>
> 'ssl_version' => 3,
>
> 'net_ldap_args' => [ version => 3 ],
>
> 'group_scope' => 'base',
>
> 'group_attr_value' => 'GROUP_ATTR_VALUE',
>
> 'attr_match_list' => [
>
> 'Name',
>
> 'EmailAddress',
>
> 'RealName',
>
> ],
>
> 'attr_map' => {
>
> 'Name' => 'sAMAccountName',
>
> 'EmailAddress' => 'mail',
>
> 'Organization' => 'physicalDeliveryOfficeName',
>
> 'RealName' => 'cn',
>
> 'ExternalAuthId' => 'sAMAccountName',
>
> 'Gecos' => 'sAMAccountName',
>
> 'WorkPhone' => 'telephoneNumber',
>
> 'Address1' => 'streetAddress',
>
> 'City' => 'l',
>
> 'State' => 'st',
>
> 'Zip' => 'postalCode',
>
> 'Country' => 'co'
>
> },
>
> },
>
> # An example SSO cookie service
>
> 'My_SSO_Cookie' => {
>
> 'type' => 'cookie',
>
> 'name' => 'loginCookieValue',
>
> 'u_table' => 'users',
>
> 'u_field' => 'username',
>
> 'u_match_key' => 'userID',
>
> 'c_table' => 'login_cookie',
>
> 'c_field' => 'loginCookieValue',
>
> 'c_match_key' => 'loginCookieUserID',
>
> 'db_service_name' => 'My_MySQL'
>
> },
>
> } );
>
>
> 1;
>
> Thanks,
> Rezty Felty
> Senior Linux Administrator
> Adknowledge
> 816-559-1196
>
> From: Marco Agostini <comunelevico at gmail.com>
> Date: Wednesday, July 30, 2014 at 11:38 AM
> To: Rezty Felty <rfelty at adknowledge.com>
> Subject: Re: [rt-users] Difficulty implementing LDAP/AD Authorization
>
>
> Il 30/lug/2014 17:34 "Rezty Felty" <rfelty at adknowledge.com> ha scritto:
> >
> > I have a new install of RT 4.2.4 running on Centos 6.4 64 bit with
> Apache 2.2.15. I have installed RT::Authen::ExternalAuth and Net::LDAP,
> and have configured
> my /opt/rt4/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm with
> the right server address and LDAP user and password, and added Set(
> @Plugins, qw(RT::Authen::ExternalAuth) ); to the
> file /opt/rt4/etc/RT_SiteConfig.pm. I have restarted https, restarted the
> entire server, but i continue to see the same results, e.g. I can log in to
> RT with the default installed root account, but when I try any AD user, it
> fails, and the error I receive in both /var/log/messages and
> /var/log/httpd/error_log is the same: “FAILED LOGIN for <user> from
> <serveraddress> (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:811)
> >
> > Any suggestions on where to begin troubleshooting this would be
> appreciated.
> >
>
> Use these tool http://jxplorer.org/ to test the parameter that you are
> using in RT.
>
> Post the content of /opt/rt4/etc/RT_SiteConfig.pm
>
> --
> RT Training - Boston, September 9-10
> http://bestpractical.com/training
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20140731/639d7b92/attachment.htm>
More information about the rt-users
mailing list