[rt-users] Problems with RT::Authen::ExternalAuth::LDAP after upgrade to 4.4

John Andersen john at yvig.com
Wed Feb 10 02:11:12 EST 2016


I'm hoping a second (or more) set of eyes can help me out here.

I upgraded from 4.2.12 to 4.4.0 and somehow broke LDAP authentication.
For background. this particular installation went live 10 years ago and has
been carried over (mostly flawlessly I might add) from version to version
over that 10 years; I try to stay on the most recent stable version.

Things I have done to test so far:

1) Tested with my existing config carried over from the working 4.2.12
install -- NO GOOD

2) I changed my settings to exactly what is in the documentation -- NO GOOD

3) I installed ldap-utils and tested my filters with success.  I'm sure
they work.  I have also confirmed that my ldap user is binding correctly
and can pull permissions.

Interestingly, I have the exact same settings on LDAPImport and it **IS**
working correctly.


The frustrating thing is that, even with debugging turned on (logging to
syslog), I can get no detailed error message on LDAP under either syslog or
the apache log.    All I get is the following message:

-------

Feb  9 23:00:15 rt RT: [21718] FAILED LOGIN for andersjp from 172.28.160.152

-----



Internal auth is working.    Here is my LDAP config.   Any ideas? Happy to
provide any troubleshooting info I have.


Also for what it's worth, the odd-looking ldap filter is a way to filter
out some unwanted data and has been working for years.  I also attempted
adding the '(&(...' to the beginning of the filters (which LDAP Auth seems
to infer automatically for some reason). Again, still wouldn't work.


-----


Set( $ExternalAuthPriority,['LDAP_DIR3']);

Set( $ExternalInfoPriority,['LDAP_DIR3']);

Set( $ExternalServiceUsesSSLorTLS, 0);

Set( $AutoCreateNonExternalUsers, 1);


Set($ExternalSettings,      {

        'LDAP_DIR3'       =>  {


                'type'          => 'ldap',

                'server'        => 'dir3.sch.ad',

                'user'          => 'ldapbind at sch.ad',

                'pass'          => '*censored*',

                'base'          => 'dc=sch,dc=ad',


                # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN
PARENTHESES!

                # YOU **MUST** SPECIFY A filter AND A d_filter!!


                # The filter to use to match RT-Users

                'filter'        =>  '(mail=*)(sAMAccountType=805306368)',

                #'filter'       =>  '(objectClass=*)',


                # The filter that will only match disabled users

                'd_filter'      =>
'(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)',


                #'tls'          =>  0,

                #'ssl_version'  =>  3,

                'net_ldap_args' => [    version =>  3   ],

                #'group'        =>  'GROUP',

                #'group_attr'   =>  'GROUP_ATTR',


                'attr_match_list'       => [    'Name',

                                                'EmailAddress'

                ],


                # The mapping of RT attributes on to LDAP attributes

                'attr_map'      =>  {   'Name'                  =>
'sAMAccountName',

                                        'EmailAddress'          => 'mail',

                                        'Organization'          =>
'company',

                                        'RealName'              => 'cn',

                                        'WorkPhone'             =>
'telephoneNumber',

                                        'MobilePhone'           => 'mobile',

                }

        }

}

);


For some added information, here is the WORKING LDAPImport config:

------

## LDAPImport Settings

Set( $LDAPHost, 'dir3.sch.ad' );

Set( $LDAPUser, 'ldapbind at sch.ad' );

Set( $LDAPPassword, '*censored*' );

Set( $LDAPBase, 'ou=SCH Users,dc=sch,dc=ad' );


Set( $LDAPFilter, '(&(mail=*)(sAMAccountType=805306368))' );

Set( $LDAPDisabledFilter,
'(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'
);

Set( $LDAPSkipAutogeneratedGroup, 1 );

Set( $LDAPUpdateUsers, 1 );


# Get groups from LDAP too

Set( $LDAPGroupBase, 'ou=SCH Groups,dc=sch,dc=ad' );

Set( $LDAPGroupFilter, '(objectClass=group)' );

Set( $LDAPGroupMapping, {       Name                    => 'cn',

                                Member_Attr             => 'member',

                                Member_Attr_Value       => 'dn'

} );



Set( $LDAPMapping,

{

        'Name'                  =>      'sAMAccountName',

        'EmailAddress'          =>      'mail',

        'Organization'          =>      'company',

        'UserCF.Department'     =>      'department',

        'RealName'              =>      'cn',

        'WorkPhone'             =>      'telephoneNumber',

        'MobilePhone'           =>      'mobile'

}

);



I'd be grateful for any ideas or pointers!

Thank you,

John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20160209/6f06bade/attachment.html>


More information about the rt-users mailing list