[rt-users] AD integration for external auth
Trev
trevor at onepost.net
Tue Jul 7 17:06:26 EDT 2015
Generally speaking, it is typical to create an 'LDAP User' for binding, and
reading purposes within AD itself.
LDAPImport does authenticate against the users in AD. And builds the user
records within RT as I have mapped in my example.
Cronjob to do the import, maybe every 15 minutes. Makes it much easier to
use AD groups within RT as well.
Very dynamic...
On Tue, Jul 7, 2015 at 4:50 PM, Yan Seiner <yan at seiner.com> wrote:
> I'm kicking this back to the list only. I've been going round and round
> with this and I have some more information, but still not a solution.
>
> ldapsearch works:
>
> ldapsearch -H ldap://file_print.hpm.net -b "dc=hpm,dc=net" -s sub
> "(sAMAccountName=yans)" -D 'HPM\yans' -x -W uid
>
> But notice that I need to use either 'HPM\yans' for the user or the older
> 'yans at hpm.net' for the system to allow me to bind to the ldap server. The
> way we're set up, any user can bind to the server with valid credentials,
> but anonymous binds are not allowed.
>
> But the way ExternalAuth is set up, I have to provide the ldap userid and
> password, which in our system would be a real user.
>
> 'user' => 'rt_ldap_username',
> 'pass' => 'rt_ldap_password',
>
> Is there any way to get ExternalAuth to use the credentials entered in the
> login to bind to the ldap server?
>
> (As near as I can figure, the LDAPImport extension imports the userids
> from ldap, which is not what I need. I need to authenticate against AD in
> realtime.)
>
> --Yan
>
>
>
> On 7/7/2015 1:32 PM, Trev wrote:
>
> Sorry about that, review the blog entry I sent you prior. I do see I did
> add that plugin, again, it's been a while since I wrestled with LDAP
> authentication. So, I threw my working config with notes, into that blog.
>
>
>
> On Tue, Jul 7, 2015 at 1:30 PM, Trev <trevor at onepost.net> wrote:
>
>> Use --> Plugin( "RT::Extension::LDAPImport" );
>> Note the configuration I linked to you prior.
>> I had some issues with limited functionality using Plugin('RT::Authen::ExternalAuth').. it's been a while actually, I may not even have had that extension working.
>>
>>
>> On Tue, Jul 7, 2015 at 1:28 PM, Trev <trevor at onepost.net> wrote:
>>
>>> If you mean during the login via RT Gui -- username is, sAMAccountName.
>>> There shouldn't be any need to prefix with the domain as the domain is
>>> already being queried.
>>>
>>>
>>>
>>> On Tue, Jul 7, 2015 at 1:24 PM, Yan Seiner <yan at seiner.com> wrote:
>>>
>>>> What format do you use for the username?
>>>>
>>>> When I try hpm\yans which should, in theory, work, I get:
>>>>
>>>> [5367] [Tue Jul 7 17:07:28 2015] [debug]: LDAP Search === Base:
>>>> dc=hpm,dc=net == Filter: (&(objectClass=*)(sAMAccountName=hpm\5cyans)) ==
>>>> Attrs: sAMAccountName,mail
>>>> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
>>>>
>>>> Notice the mangled sAMAccountName=hpm\5cyans . If this is what it is
>>>> searching for, then we have a problem. :)
>>>>
>>>> --Yan
>>>>
>>>>
>>>> On 7/7/2015 11:57 AM, Trev wrote:
>>>>
>>>> This may help:
>>>>
>>>>
>>>> http://trevthorpe.blogspot.com/2015/01/request-tracker-424-ldap-authentication.html
>>>>
>>>>
>>>>
>>>> On Tue, Jul 7, 2015 at 11:24 AM, Yan Seiner <yan at seiner.com> wrote:
>>>>
>>>>> I'm coming back to RT after a few years. I am trying to set up
>>>>> external auth against our AD server.
>>>>>
>>>>> I have a working implementation for mediawiki, so I know that it's
>>>>> possible on our system. As far as possible I've duplicated the options
>>>>> from mediawiki/php to rt/perl, but I am still missing something important
>>>>> as all login attempts get rejected with a NoUser.
>>>>>
>>>>> The only thing that I find different (and I'm searching my memory from
>>>>> a few years ago when I set up mediawiki) there is a line where the user
>>>>> name is pre-pended with the domain for AD:
>>>>>
>>>>> $wgLDAPSearchStrings = array( 'HPM' => "HPM\\USER-NAME" );
>>>>>
>>>>> And I can't find anything like that in the RT config.
>>>>>
>>>>> Does anyone have a working AD external auth they can share?
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Here's the logfile snippet:
>>>>>
>>>>> [4835] [Tue Jul 7 15:17:14 2015] [debug]: Attempting to use external
>>>>> auth service: My_LDAP
>>>>> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:424)
>>>>> [4835] [Tue Jul 7 15:17:14 2015] [debug]: Calling UserExists with
>>>>> $username (yans) and $service (My_LDAP)
>>>>> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:465)
>>>>> [4835] [Tue Jul 7 15:17:14 2015] [debug]: UserExists params:
>>>>> username: yans , service: My_LDAP
>>>>> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)
>>>>> [4835] [Tue Jul 7 15:17:14 2015] [debug]: LDAP Search === Base:
>>>>> ou=Staff,dc=hpm,dc=net == Filter:
>>>>> (&(objectClass=inetOrgPerson)(sAMAccountName=yans)) == Attrs:
>>>>> cn,co,telephoneNumber,l,postalCode,streetAddress,st,sAMAccountName,mail
>>>>> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
>>>>> [4835] [Tue Jul 7 15:17:14 2015] [debug]: User Check Failed :: (
>>>>> My_LDAP ) yans User not found
>>>>> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:483)
>>>>> [4835] [Tue Jul 7 15:17:14 2015] [debug]: Autohandler called
>>>>> ExternalAuth. Response: (0, No User)
>>>>> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
>>>>> [4835] [Tue Jul 7 15:17:14 2015] [error]: FAILED LOGIN for yans from
>>>>> 10.10.30.51 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:810)
>>>>>
>>>>> And here's the setup in RTSiteConfig.pm:
>>>>>
>>>>> Plugin('RT::Authen::ExternalAuth');
>>>>> Set($ExternalAuthPriority, [ 'My_LDAP' ]);
>>>>> Set($ExternalInfoPriority, [ 'My_LDAP' ]);
>>>>> Set($ExternalSettings, {
>>>>>     'My_LDAP' => {
>>>>>         'type'   => 'ldap',
>>>>>         'server' => 'file_print.hpm.net',
>>>>>         # By not passing 'user' and 'pass' we are using an anonymous
>>>>>         # bind, which some servers do not allow
>>>>>         'base'   => 'dc=hpm,dc=net',
>>>>>         'filter' => '(objectClass=inetOrgPerson)',
>>>>>         # Users are allowed to log in via email address or account
>>>>>         # name
>>>>>         'attr_match_list' => [
>>>>>             'Name',
>>>>>             # 'EmailAddress',
>>>>>         ],
>>>>>         # Import the following properties of the user from LDAP upon
>>>>>         # login
>>>>>         'attr_map' => {
>>>>>             'Name'         => 'sAMAccountName',
>>>>>             'EmailAddress' => 'mail',
>>>>>             'RealName'     => 'cn',
>>>>>             'WorkPhone'    => 'telephoneNumber',
>>>>>             'Address1'     => 'streetAddress',
>>>>>             'City'         => 'l',
>>>>>             'State'        => 'st',
>>>>>             'Zip'          => 'postalCode',
>>>>>             'Country'      => 'co',
>>>>>         },
>>>>>     },
>>>>> } );
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>
>
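An added, offline worked example (written for this page; it is not code from the thread, from RT, or from RT::Authen::ExternalAuth) that models the lookup the debug log lines above show: a read-only service account binds and searches for the typed login name by sAMAccountName, and only if an entry is found does RT bind again as that user's DN with the typed password. The in-memory directory, the DNs, the service account CN=rt_ldap and every password are constructed sample values; the only real AD facts relied on are that the value side of a filter is escaped per RFC 4515 (so a typed `hpm\yans` is sent as `hpm\5cyans`, exactly as logged, and compared as the literal string `hpm\yans`), that sAMAccountName holds the bare name without domain, and that stock AD user objects carry objectClass `user`, not `inetOrgPerson`.

```python
import hmac

# RFC 4515 assertion-value escaping. ExternalAuth applies this before searching,
# which is why a typed "hpm\yans" shows up in the log as "hpm\5cyans": the
# backslash is encoded, not mangled, and the server compares the literal
# string "hpm\yans" against sAMAccountName, which is just "yans". The same
# escaping is what keeps a typed login from altering the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(base_filter: str, attr: str, value: str) -> str:
    """Compose the filter ExternalAuth logs: (&<base_filter>(<attr>=<escaped value>))."""
    return f"(&{base_filter}({attr}={escape_filter_value(value)}))"


def bare_account_name(login: str) -> str:
    """Reduce DOMAIN\\user or user@domain to the bare sAMAccountName."""
    if "\\" in login:
        return login.split("\\", 1)[1]
    if "@" in login:
        return login.split("@", 1)[0]
    return login


# Constructed in-memory stand-in for the AD tree. Stock AD user objects carry
# objectClass top/person/organizationalPerson/user; inetOrgPerson is only
# present when that schema extension has been installed. "_password" stands in
# for the server-side credential check; a real directory never returns it.
DIRECTORY = {
    "CN=Yan Seiner,OU=Staff,DC=hpm,DC=net": {
        "objectClass": {"top", "person", "organizationalPerson", "user"},
        "sAMAccountName": "yans",
        "mail": "yans@hpm.net",
        "_password": "constructed-user-secret",
    },
    "CN=rt_ldap,OU=Service,DC=hpm,DC=net": {
        "objectClass": {"top", "person", "organizationalPerson", "user"},
        "sAMAccountName": "rt_ldap",
        "_password": "constructed-service-secret",
    },
}

# Hypothetical read-only service account for the lookup bind (the "LDAP User"
# Trev describes); anonymous binds are rejected, as on Yan's server.
SERVICE_BIND = ("CN=rt_ldap,OU=Service,DC=hpm,DC=net", "constructed-service-secret")


def bind(dn: str, password: str) -> bool:
    """Simple bind: succeeds only for a known DN with the matching credential."""
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry["_password"], password)


def search(base: str, object_class: str, attr: str, value: str):
    """Subtree search under `base`; returns (logged filter, matching DN or None)."""
    flt = build_filter(f"(objectClass={object_class})", attr, value)
    for dn, entry in DIRECTORY.items():
        in_scope = dn.lower().endswith(base.lower())
        class_ok = object_class == "*" or object_class in entry["objectClass"]
        # sAMAccountName matching is case-insensitive in AD
        if in_scope and class_ok and str(entry.get(attr, "")).lower() == value.lower():
            return flt, dn
    return flt, None


def authenticate(login: str, password: str, base: str = "dc=hpm,dc=net",
                 object_class: str = "*", service=SERVICE_BIND):
    """Two-step check: bind as the service account and search for the user,
    then bind as the user's own DN with the password they typed."""
    if not bind(*service):
        return False, "Service Bind Failed", None
    flt, dn = search(base, object_class, "sAMAccountName", login)
    if dn is None:
        return False, "No User", flt
    if not bind(dn, password):
        return False, "Bad Password", flt
    return True, dn, flt


if __name__ == "__main__":
    # The domain-prefixed form fails the search exactly as in the thread's log;
    # the bare sAMAccountName is what the filter has to carry.
    for login in ("hpm\\yans", bare_account_name("HPM\\yans")):
        ok, status, flt = authenticate(login, "constructed-user-secret")
        print(f"{login!r}: ok={ok} status={status} filter={flt}")
```

Running it shows the first config's combination of `base => 'ou=Staff,dc=hpm,dc=net'` and `filter => '(objectClass=inetOrgPerson)'` producing "No User" for a perfectly good account, while the later `(objectClass=*)` filter under `dc=hpm,dc=net` finds it once the bare name is typed. The service account only needs read access to the attributes in `attr_map`, and the user's own password is never sent anywhere except the second bind.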