[rt-users] Problems with RT::Authen::ExternalAuth::LDAP after upgrade to 4.4
John Andersen
john at yvig.com
Thu Feb 11 00:44:06 EST 2016
One more thing I should note is that I'm quite sure there is not even an
attempt to talk to the LDAP (Active Directory) server. I log all auth
attempts to the domain controllers and no attempts are showing in the logs.
I don't believe the requests are ever leaving the RT server.
On Wed, Feb 10, 2016 at 9:27 PM, John Andersen <john at yvig.com> wrote:
> Sorry, forgot to include the relevant part of the config. Here it is
> again:
>
> Set( $WebExternalAuth, 1 );
> Set( $ExternalAuthPriority,['LDAP_DIR3']);
> Set( $ExternalInfoPriority,['LDAP_DIR3']);
> Set( $ExternalServiceUsesSSLorTLS, 0);
> Set( $AutoCreateNonExternalUsers, 1);
>
> Set($ExternalSettings, {
>     'LDAP_DIR3' => {
>         'type' => 'ldap',
>         'server' => 'dir3.sch.ad',
>         'user' => 'ldapbind at sch.ad',
>         'pass' => '**********',
>         'base' => 'dc=sch,dc=ad',
>
>         'filter' => '(mail=*)(sAMAccountType=805306368)',
>         'd_filter' =>
>             '(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)',
>
>         'tls' => 0,
>         'ssl_version' => 3,
>         'net_ldap_args' => [ version => 3 ],
>         #'group' => 'GROUP',
>         #'group_attr' => 'GROUP_ATTR',
>
>         'attr_match_list' => [ 'Name',
>                                'EmailAddress'
>                              ],
>
>         # The mapping of RT attributes on to LDAP attributes
>         'attr_map' => { 'Name' => 'sAMAccountName',
>                         'EmailAddress' => 'mail',
>                         'Organization' => 'company',
>                         'RealName' => 'cn',
>                         'WorkPhone' => 'telephoneNumber',
>                         'MobilePhone' => 'mobile',
>                       }
>     }
> }
> );
>
>
> On Wed, Feb 10, 2016 at 9:07 PM, John Andersen <john at yvig.com> wrote:
>
>> Thank you for the response Shawn. I had rolled back to 4.2.12 but I
>> threw up a test server based on my current production server and ran
>> through the upgrade again, this time with your suggestion. Same result.
>> What is maddening is that there don't seem to be any errors or anything.
>> Other than telling me "FAILED LOGIN" I can't find anything in the logs that
>> would point me in the right direction. In syslog I simply get:
>>
>>
>> Feb 10 21:02:27 rt RT: [5018] FAILED LOGIN for andersjp from 70.199.131.228
>>
>>
>>
>> My LDAP config now looks like this:
>> ---------
>>
>> Set($ExternalSettings, { # SCH LDAP Settings
>>     'LDAP_DIR3' => { ## GENERIC SECTION
>>
>>         'type' => 'ldap',
>>         'server' => 'dir3.sch.ad',
>>         'user' => 'ldapbind at sch.ad',
>>         'pass' => '********',
>>         'base' => 'dc=sch,dc=ad',
>>
>>         'filter' => '(mail=*)(sAMAccountType=805306368)',
>>         'd_filter' =>
>>             '(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>
>>         'tls' => 0,
>>         'ssl_version' => 3,
>>         'net_ldap_args' => [ version => 3 ],
>>         #'group' => 'GROUP',
>>         #'group_attr' => 'GROUP_ATTR',
>>
>>         'attr_match_list' => [ 'Name',
>>                                'EmailAddress'
>>                              ],
>>
>>         # The mapping of RT attributes on to LDAP attributes
>>         'attr_map' => { 'Name' => 'sAMAccountName',
>>                         'EmailAddress' => 'mail',
>>                         'Organization' => 'company',
>>                         'RealName' => 'cn',
>>                         'WorkPhone' => 'telephoneNumber',
>>                         'MobilePhone' => 'mobile',
>>                       }
>>     }
>> }
>> );
>>
>>
>> -John
>>
>> On Wed, Feb 10, 2016 at 9:20 AM, Shawn Moore <shawn at bestpractical.com>
>> wrote:
>>
>>> Hi John,
>>>
>>> On February 10, 2016 at 2:11:18, John Andersen (john at yvig.com) wrote:
>>> > For background, this particular installation went live 10 years ago and has
>>> > been carried over (mostly flawlessly I might add) from version to version
>>> > over that 10 years; I try to stay on the most recent stable version.
>>>
>>> I’m very happy to hear that RT has been running smoothly for you for so
>>> long!
>>>
>>> > Set( $ExternalAuthPriority,['LDAP_DIR3']);
>>> > Set( $ExternalInfoPriority,['LDAP_DIR3']);
>>> > Set( $ExternalServiceUsesSSLorTLS, 0);
>>> > Set( $AutoCreateNonExternalUsers, 1);
>>> > Set($ExternalSettings, {
>>> > ...
>>> > );
>>>
>>> Could you try adding this as well?
>>>
>>> Set( $ExternalAuth, 1 );
>>>
>>> > I'd be grateful for any ideas or pointers!
>>>
>>> Please let us know if that gets you back up and running. We’ll do a
>>> better job about this in 4.4.1.
>>>
>>> > Thank you,
>>> > John
>>>
>>> Thanks!
>>> Shawn
>>>
>
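
Added example, not part of the original messages or of RT's own code: a small Python check of an RT_SiteConfig.pm fragment for the three things this thread's configuration turns on, namely whether `$ExternalAuth` (the setting suggested in the reply) is enabled, whether every name in the priority lists has a block in `$ExternalSettings`, and whether `'tls' => 0` is used without an ldaps:// server. The sample config is constructed from the settings quoted above; the function names and the regex-based parsing are assumptions of this example.

```python
import re

# Constructed sample, modelled on the settings quoted in the thread.
SAMPLE_CONFIG = r"""
Set( $WebExternalAuth, 1 );
Set( $ExternalAuthPriority,['LDAP_DIR3']);
Set( $ExternalInfoPriority,['LDAP_DIR3']);
Set( $ExternalServiceUsesSSLorTLS, 0);
Set($ExternalSettings, {
    'LDAP_DIR3' => {
        'type'   => 'ldap',
        'server' => 'dir3.sch.ad',
        'tls'    => 0,
        #'group' => 'GROUP',
    }
});
"""

SET_RE = re.compile(r"Set\(\s*\$(\w+)\s*,\s*([^;{]*?)\s*\)\s*;")

def strip_comments(text):
    # Drop Perl '#' comments so commented-out settings are ignored.
    # Simplification: a '#' inside a quoted value is also cut.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def scalar_settings(text):
    # Map simple one-statement Set( $Name, value ); calls to their raw value.
    return {m.group(1): m.group(2) for m in SET_RE.finditer(text)}

def lint(config_text):
    text = strip_comments(config_text)
    settings = scalar_settings(text)
    findings = []
    # Exact-name match: $WebExternalAuth does not count as $ExternalAuth.
    if settings.get("ExternalAuth") != "1":
        findings.append("$ExternalAuth is not set to 1")
    # Every 'name' => { ... } key; a superset of the service blocks.
    blocks = set(re.findall(r"'(\w+)'\s*=>\s*\{", text))
    for key in ("ExternalAuthPriority", "ExternalInfoPriority"):
        for name in re.findall(r"'(\w+)'", settings.get(key, "")):
            if name not in blocks:
                findings.append(f"${key} names '{name}' but no such block exists")
    if re.search(r"'tls'\s*=>\s*0\b", text) and "ldaps://" not in text:
        findings.append("'tls' => 0 without ldaps://: binds are sent unencrypted")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("WARN:", finding)
```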