[rt-users] Problems with RT::Authen::ExternalAuth::LDAP after upgrade to 4.4
John Andersen
john at yvig.com
Wed Feb 10 02:11:12 EST 2016
I'm hoping a second (or more) set of eyes can help me out here.
I upgraded from 4.2.12 to 4.4.0 and somehow broke LDAP authentication.
For background, this particular installation went live 10 years ago and has
been carried over (mostly flawlessly I might add) from version to version
over that 10 years; I try to stay on the most recent stable version.
Things I have done to test so far:
1) Tested with my existing config carried over from the working 4.2.12
install -- NO GOOD
2) I changed my settings to exactly what is in the documentation -- NO GOOD
3) I installed ldap-utils and tested my filters with success. I'm sure
they work. I have also confirmed that my ldap user is binding correctly
and can pull permissions.
Interestingly, I have the exact same settings on LDAPImport and it **IS**
working correctly.
The frustrating thing is that, even with debugging turned on (logging to
syslog), I can get no detailed error message on LDAP under either syslog or
the apache log. All I get is the following message:
-------
Feb 9 23:00:15 rt RT: [21718] FAILED LOGIN for andersjp from 172.28.160.152
-----
Internal auth is working. Here is my LDAP config. Any ideas? Happy to
provide any troubleshooting info I have.
Also for what it's worth, the odd-looking ldap filter is a way to filter
out some unwanted data and has been working for years. I also attempted
adding the '(&(...' to the beginning of the filters (which LDAP Auth seems
to infer automatically for some reason). Again, still wouldn't work.
-----
Set( $ExternalAuthPriority, ['LDAP_DIR3'] );
Set( $ExternalInfoPriority, ['LDAP_DIR3'] );
Set( $ExternalServiceUsesSSLorTLS, 0 );
Set( $AutoCreateNonExternalUsers, 1 );
Set( $ExternalSettings, {
    'LDAP_DIR3' => {
        'type'   => 'ldap',
        'server' => 'dir3.sch.ad',
        'user'   => 'ldapbind@sch.ad',
        'pass'   => '*censored*',
        'base'   => 'dc=sch,dc=ad',
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        # The filter to use to match RT-Users
        'filter' => '(mail=*)(sAMAccountType=805306368)',
        #'filter' => '(objectClass=*)',
        # The filter that will only match disabled users
        'd_filter' => '(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)',
        #'tls' => 0,
        #'ssl_version' => 3,
        'net_ldap_args' => [ version => 3 ],
        #'group' => 'GROUP',
        #'group_attr' => 'GROUP_ATTR',
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'Organization' => 'company',
            'RealName'     => 'cn',
            'WorkPhone'    => 'telephoneNumber',
            'MobilePhone'  => 'mobile',
        },
    },
} );
For some added information, here is the WORKING LDAPImport config:
------
## LDAPImport Settings
Set( $LDAPHost, 'dir3.sch.ad' );
Set( $LDAPUser, 'ldapbind@sch.ad' );
Set( $LDAPPassword, '*censored*' );
Set( $LDAPBase, 'ou=SCH Users,dc=sch,dc=ad' );
Set( $LDAPFilter, '(&(mail=*)(sAMAccountType=805306368))' );
Set( $LDAPDisabledFilter,
    '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'
);
Set( $LDAPSkipAutogeneratedGroup, 1 );
Set( $LDAPUpdateUsers, 1 );
# Get groups from LDAP too
Set( $LDAPGroupBase, 'ou=SCH Groups,dc=sch,dc=ad' );
Set( $LDAPGroupFilter, '(objectClass=group)' );
Set( $LDAPGroupMapping, {
    Name              => 'cn',
    Member_Attr       => 'member',
    Member_Attr_Value => 'dn',
} );
Set( $LDAPMapping, {
    'Name'               => 'sAMAccountName',
    'EmailAddress'       => 'mail',
    'Organization'       => 'company',
    'UserCF.Department'  => 'department',
    'RealName'           => 'cn',
    'WorkPhone'          => 'telephoneNumber',
    'MobilePhone'        => 'mobile',
} );
I'd be grateful for any ideas or pointers!
Thank you,
John
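Since RT logs only "FAILED LOGIN" here, the quickest way to find out which step is failing is to replay the login sequence outside RT with the same ldap-utils John already installed. The script below is an added example, not part of John's post and not RT's code: it takes the host, base, bind user and both filters from the LDAP_DIR3 block above, composes the search as `(&(<Name attr>=<login>)<filter>)`, which is my reading of how RT's LDAP backend wraps the configured fragment (an assumption, consistent with John's remark that the `(&` is inferred), then checks for exactly one match, checks that the account does not match `d_filter`, and finally binds as the located DN. Both passwords are prompted for with `-W` and never stored in the script.

```shell
#!/bin/sh
# Added example (not from the post or from RT): replay the LDAP steps an
# RT ExternalAuth login performs, using ldap-utils, so the directory's own
# error text becomes visible instead of RT's bare "FAILED LOGIN".
# Host, base, bind user and filters are copied from the LDAP_DIR3 block;
# the "(&(Name=login)<filter>)" composition is an assumption about RT's
# LDAP backend.

LDAP_URI="ldap://dir3.sch.ad"
BIND_USER="ldapbind@sch.ad"
BASE="dc=sch,dc=ad"
NAME_ATTR="sAMAccountName"
FILTER='(mail=*)(sAMAccountType=805306368)'
D_FILTER='(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)'

# Escape the characters RFC 4515 reserves inside an assertion value, so a
# login name such as 'a*b' cannot widen the search.
escape_value() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the search filter: the login-name match ANDed with the configured
# fragment inside one outer (&...).  $1 = login name, $2 = filter fragment.
compose_filter() {
    printf '(&(%s=%s)%s)' "$NAME_ATTR" "$(escape_value "$1")" "$2"
}

# Run one search as the service account and print only the matching DNs
# (ldif-wrap=no keeps long DNs on a single line).
search_dns() {
    ldapsearch -LLL -o ldif-wrap=no -x -H "$LDAP_URI" -D "$BIND_USER" -W \
        -b "$BASE" "$1" dn | sed -n 's/^dn: //p'
}

# Walk the login steps for one user: exactly one match on 'filter', no match
# on 'd_filter', then a simple bind as the located DN with the user's password.
check_user() {
    user=$1
    search=$(compose_filter "$user" "$FILTER")
    disabled=$(compose_filter "$user" "$D_FILTER")

    echo "search filter:   $search"
    dns=$(search_dns "$search")
    n=$(printf '%s\n' "$dns" | grep -c .)
    [ "$n" -eq 1 ] || { echo "expected exactly 1 entry, got $n"; return 1; }

    echo "disabled filter: $disabled"
    d=$(search_dns "$disabled" | grep -c .)
    [ "$d" -eq 0 ] || { echo "account matches d_filter; RT would refuse it"; return 1; }

    echo "binding as:      $dns"
    ldapwhoami -x -H "$LDAP_URI" -D "$dns" -W
}

# Usage: sh rt-ldap-check.sh andersjp
if [ $# -ge 1 ]; then
    check_user "$1"
fi
```

Whichever of the three steps fails prints the server's actual result code (a wrong base, a filter that matches zero or several entries, or a bind rejected for the user). Adding `-d 1` to the `ldapsearch` call shows the wire-level exchange when even that is not enough, and running the same script with the `(&...)`-wrapped filter from the LDAPImport block lets you compare the two configs directly.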