[rt-users] AD integration for external auth
Yan Seiner
yan at seiner.com
Tue Jul 7 16:50:32 EDT 2015
I'm kicking this back to the list only. I've been going round and round
with this and I have some more information, but still not a solution.
ldapsearch works:
ldapsearch -H ldap://file_print.hpm.net -b "dc=hpm,dc=net" -s sub "(sAMAccountName=yans)" -D 'HPM\yans' -x -W uid
But notice that I need to use either 'HPM\yans' for the user or the
older 'yans@hpm.net' for the system to allow me to bind to the ldap
server. The way we're set up, any user can bind to the server with
valid credentials, but anonymous binds are not allowed.
But the way ExternalAuth is set up, I have to provide the ldap userid
and password, which in our system would be a real user.
'user' => 'rt_ldap_username',
'pass' => 'rt_ldap_password',
Is there any way to get ExternalAuth to use the credentials entered in
the login to bind to the ldap server?
(As near as I can figure, the LDAPImport extension imports the userids
from ldap, which is not what I need. I need to authenticate against AD
in realtime.)
--Yan
On 7/7/2015 1:32 PM, Trev wrote:
> Sorry about that, review the blog entry I sent you prior. I do see I
> did add that plugin, again, it's been a while since I wrestled with
> LDAP authentication. So, I threw my working config with notes, into
> that blog.
>
>
>
> On Tue, Jul 7, 2015 at 1:30 PM, Trev <trevor at onepost.net
> <mailto:trevor at onepost.net>> wrote:
>
> Use --> Plugin( "RT::Extension::LDAPImport" );
> Note the configuration I linked to you prior.
> I had some issues with limited functionality using
> Plugin('RT::Authen::ExternalAuth').. it's been a while actually, I
> may not even have had that extension working.
>
>
> On Tue, Jul 7, 2015 at 1:28 PM, Trev <trevor at onepost.net
> <mailto:trevor at onepost.net>> wrote:
>
> If you mean during the login via RT Gui -- username is,
> sAMAccountName. There shouldn't be any need to prefix with the
> domain as the domain is already queried.
>
>
>
> On Tue, Jul 7, 2015 at 1:24 PM, Yan Seiner <yan at seiner.com
> <mailto:yan at seiner.com>> wrote:
>
> What format do you use for the username?
>
> When I try hpm\yans which should, in theory, work, I get:
>
> [5367] [Tue Jul 7 17:07:28 2015] [debug]: LDAP Search === Base: dc=hpm,dc=net == Filter: (&(objectClass=*)(sAMAccountName=hpm\5cyans)) == Attrs: sAMAccountName,mail (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
>
> Notice the mangled sAMAccountName=hpm\5cyans . If this is
> what it is searching for, then we have a problem. :)
>
> --Yan
>
>
> On 7/7/2015 11:57 AM, Trev wrote:
>> This may help:
>>
>> http://trevthorpe.blogspot.com/2015/01/request-tracker-424-ldap-authentication.html
>>
>>
>>
>> On Tue, Jul 7, 2015 at 11:24 AM, Yan Seiner
>> <yan at seiner.com <mailto:yan at seiner.com>> wrote:
>>
>> I'm coming back to RT after a few years. I am trying
>> to set up external auth against our AD server.
>>
>> I have a working implementation for mediawiki, so I
>> know that it's possible on our system. As far as
>> possible I've duplicated the options from
>> mediawiki/php to rt/perl, but I am still missing
>> something important as all login attempts get
>> rejected with a NoUser.
>>
>> The only thing that I find different (and I'm
>> searching my memory from a few years ago when I set
>> up mediawiki) there is a line where the user name is
>> pre-pended with the domain for AD:
>>
>> $wgLDAPSearchStrings = array( 'HPM' => "HPM\\USER-NAME" );
>>
>> And I can't find anything like that in the RT config.
>>
>> Does anyone have a working AD external auth they can
>> share?
>>
>> Thanks.
>>
>> Here's the logfile snippet:
>>
>> [4835] [Tue Jul 7 15:17:14 2015] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:424)
>> [4835] [Tue Jul 7 15:17:14 2015] [debug]: Calling UserExists with $username (yans) and $service (My_LDAP) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:465)
>> [4835] [Tue Jul 7 15:17:14 2015] [debug]: UserExists params:
>> username: yans , service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)
>> [4835] [Tue Jul 7 15:17:14 2015] [debug]: LDAP Search === Base: ou=Staff,dc=hpm,dc=net == Filter: (&(objectClass=inetOrgPerson)(sAMAccountName=yans)) == Attrs: cn,co,telephoneNumber,l,postalCode,streetAddress,st,sAMAccountName,mail (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
>> [4835] [Tue Jul 7 15:17:14 2015] [debug]: User Check Failed :: ( My_LDAP ) yans User not found (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:483)
>> [4835] [Tue Jul 7 15:17:14 2015] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
>> [4835] [Tue Jul 7 15:17:14 2015] [error]: FAILED LOGIN for yans from 10.10.30.51 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:810)
>>
>> And here's the setup in RTSiteConfig.pm:
>>
>> Plugin('RT::Authen::ExternalAuth');
>> Set($ExternalAuthPriority, [ 'My_LDAP' ]);
>> Set($ExternalInfoPriority, [ 'My_LDAP' ]);
>> Set($ExternalSettings, {
>>     'My_LDAP' => {
>>         'type'   => 'ldap',
>>         'server' => 'file_print.hpm.net',
>>         # By not passing 'user' and 'pass' we are using an anonymous
>>         # bind, which some servers do not allow
>>         'base'   => 'dc=hpm,dc=net',
>>         'filter' => '(objectClass=inetOrgPerson)',
>>         # Users are allowed to log in via email address or account
>>         # name
>>         'attr_match_list' => [
>>             'Name',
>>             # 'EmailAddress',
>>         ],
>>         # Import the following properties of the user from LDAP upon
>>         # login
>>         'attr_map' => {
>>             'Name'         => 'sAMAccountName',
>>             'EmailAddress' => 'mail',
>>             'RealName'     => 'cn',
>>             'WorkPhone'    => 'telephoneNumber',
>>             'Address1'     => 'streetAddress',
>>             'City'         => 'l',
>>             'State'        => 'st',
>>             'Zip'          => 'postalCode',
>>             'Country'      => 'co',
>>         },
>>     },
>> } );
>>
>>
>
>
>
>
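The escaped filter in Yan's debug log (sAMAccountName=hpm\5cyans) and Trev's point that the login should be the bare sAMAccountName, reproduced as an added Python example that is not code from RT or the ExternalAuth extension; the function names and the sample logins are constructed for this illustration.

```python
"""Show how a login typed as 'hpm\\yans' ends up as the filter value
'hpm\\5cyans', and how stripping the DOMAIN\\ or @realm qualifier before
the value is escaped yields a filter that matches the real attribute.
Added example, not code from RT::Authen::ExternalAuth."""
from typing import Optional, Tuple

# RFC 4515 escaping for values placed inside an LDAP search filter. Each
# special character becomes a backslash plus two hex digits, so a literal
# backslash is emitted as \5c, which is the "mangled" value in the log.
# The same escaping is what keeps a login such as 'yans)(objectClass=*'
# from changing the filter's structure (LDAP injection).
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_login(login: str) -> Tuple[str, Optional[str]]:
    """Return (sAMAccountName, qualifier) for 'DOMAIN\\user', 'user@realm'
    or plain 'user'. AD stores only the bare name in sAMAccountName, so the
    qualifier must not reach the filter (constructed helper)."""
    if "\\" in login:
        domain, _, user = login.partition("\\")
        return user, domain.upper()
    if "@" in login:
        user, _, realm = login.partition("@")
        return user, realm.lower()
    return login, None


def build_filter(base_filter: str, attr: str, login: str, strip_domain: bool = True) -> str:
    """Mirror the '(&<base filter>(<attr>=<value>))' shape from the debug log."""
    user = split_login(login)[0] if strip_domain else login
    return f"(&{base_filter}({attr}={escape_filter_value(user)}))"


if __name__ == "__main__":
    # As logged: the raw login was escaped and searched for verbatim.
    print(build_filter("(objectClass=*)", "sAMAccountName", "hpm\\yans", strip_domain=False))
    # With the qualifier stripped, the filter matches the stored attribute value.
    print(build_filter("(objectClass=*)", "sAMAccountName", "hpm\\yans"))
```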