[rt-users] Problems with RT::Authen::ExternalAuth::LDAP after upgrade to 4.4
John Andersen
john at yvig.com
Thu Feb 11 00:59:10 EST 2016
Oh man! Thanks for that catch! I see now that Shawn told me exactly that
and I saw what I expected to see instead.
On Wed, Feb 10, 2016 at 9:55 PM, Julian De Marchi <jdemarchi at pivit.com.au>
wrote:
> Set( $WebExternalAuth, 1 ); to Set( $ExternalAuth, 1 );
> > On 11 Feb 2016, at 3:44 PM, John Andersen <john at yvig.com> wrote:
> >
> > One more thing I should note is that I'm quite sure there is not even an
> > attempt to talk to the LDAP (Active Directory) server. I log all auth
> > attempts to the domain controllers and no attempts are showing in the
> > logs. I don't believe the requests are ever leaving the RT server.
> >
> >
> >
> > On Wed, Feb 10, 2016 at 9:27 PM, John Andersen <john at yvig.com> wrote:
> > Sorry, forgot to include the relevant part of the config. Here it is again:
> >
> > Set( $WebExternalAuth, 1 );
> > Set( $ExternalAuthPriority,['LDAP_DIR3']);
> > Set( $ExternalInfoPriority,['LDAP_DIR3']);
> > Set( $ExternalServiceUsesSSLorTLS, 0);
> > Set( $AutoCreateNonExternalUsers, 1);
> >
> > Set($ExternalSettings, {
> > 'LDAP_DIR3' => {
> >
> > 'type' => 'ldap',
> > 'server' => 'dir3.sch.ad',
> > 'user' => 'ldapbind at sch.ad',
> > 'pass' => '**********',
> > 'base' => 'dc=sch,dc=ad',
> >
> >
> > 'filter' => '(mail=*)(sAMAccountType=805306368)',
> > 'd_filter' => '(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)',
> >
> > 'tls' => 0,
> > 'ssl_version' => 3,
> > 'net_ldap_args' => [ version => 3 ],
> > #'group' => 'GROUP',
> > #'group_attr' => 'GROUP_ATTR',
> >
> > 'attr_match_list' => [ 'Name',
> > 'EmailAddress'
> > ],
> >
> > # The mapping of RT attributes on to LDAP attributes
> > 'attr_map' => { 'Name' => 'sAMAccountName',
> > 'EmailAddress' => 'mail',
> > 'Organization' => 'company',
> > 'RealName' => 'cn',
> > 'WorkPhone' => 'telephoneNumber',
> > 'MobilePhone' => 'mobile',
> > }
> > }
> > }
> > );
> >
> >
> > On Wed, Feb 10, 2016 at 9:07 PM, John Andersen <john at yvig.com> wrote:
> > Thank you for the response Shawn. I had rolled back to 4.2.12 but I
> > threw up a test server based on my current production server and ran
> > through the upgrade again, this time with your suggestion. Same result.
> > What is maddening is that there don't seem to be any errors or anything.
> > Other than telling me "FAILED LOGIN" I can't find anything in the logs that
> > would point me in the right direction. In syslog I simply get:
> >
> >
> > Feb 10 21:02:27 rt RT: [5018] FAILED LOGIN for andersjp from 70.199.131.228
> >
> >
> >
> > My LDAP config now looks like this:
> > ---------
> >
> > Set($ExternalSettings, { # SCH LDAP Settings
> > 'LDAP_DIR3' => { ## GENERIC SECTION
> >
> > 'type' => 'ldap',
> > 'server' => 'dir3.sch.ad',
> > 'user' => 'ldapbind at sch.ad',
> > 'pass' => '********',
> > 'base' => 'dc=sch,dc=ad',
> >
> >
> > 'filter' => '(mail=*)(sAMAccountType=805306368)',
> > 'd_filter' => '(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)',
> >
> > 'tls' => 0,
> > 'ssl_version' => 3,
> > 'net_ldap_args' => [ version => 3 ],
> > #'group' => 'GROUP',
> > #'group_attr' => 'GROUP_ATTR',
> >
> > 'attr_match_list' => [ 'Name',
> > 'EmailAddress'
> > ],
> >
> > # The mapping of RT attributes on to LDAP attributes
> > 'attr_map' => { 'Name' => 'sAMAccountName',
> > 'EmailAddress' => 'mail',
> > 'Organization' => 'company',
> > 'RealName' => 'cn',
> > 'WorkPhone' => 'telephoneNumber',
> > 'MobilePhone' => 'mobile',
> > }
> > }
> > }
> > );
> >
> >
> > -John
> >
> > On Wed, Feb 10, 2016 at 9:20 AM, Shawn Moore <shawn at bestpractical.com> wrote:
> > Hi John,
> >
> > On February 10, 2016 at 2:11:18, John Andersen (john at yvig.com) wrote:
> > > For background, this particular installation went live 10 years ago and has
> > > been carried over (mostly flawlessly I might add) from version to version
> > > over that 10 years; I try to stay on the most recent stable version.
> >
> > I’m very happy to hear that RT has been running smoothly for you for so long!
> >
> > > Set( $ExternalAuthPriority,['LDAP_DIR3']);
> > > Set( $ExternalInfoPriority,['LDAP_DIR3']);
> > > Set( $ExternalServiceUsesSSLorTLS, 0);
> > > Set( $AutoCreateNonExternalUsers, 1);
> > > Set($ExternalSettings, {
> > > ...
> > > );
> >
> > Could you try adding this as well?
> >
> > Set( $ExternalAuth, 1 );
> >
> > > I'd be grateful for any ideas or pointers!
> >
> > Please let us know if that gets you back up and running. We’ll do a
> > better job about this in 4.4.1.
> >
> > > Thank you,
> > > John
> >
> > Thanks!
> > Shawn
> >
> > ---------
> > RT 4.4 and RTIR Training Sessions (
> http://bestpractical.com/services/training.html)
> > * Hamburg Germany March 14 & 15, 2016
>
>
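
The failure described in this thread (LDAP services defined, every login rejected, no bind ever reaching the domain controller) can be caught with a static check of RT_SiteConfig.pm before or after an upgrade. The following is an added example, not code from the thread or from RT; the function names and finding codes are made up for illustration, and the TLS check goes beyond the fix discussed by flagging the 'tls' => 0 setting visible in the quoted config.

```python
import re

# Constructed sample: the settings quoted in the thread, trimmed to the lines
# the checks read (attribute maps, filters and credentials omitted).
SAMPLE_CONFIG = """\
Set( $WebExternalAuth, 1 );
Set( $ExternalAuthPriority,['LDAP_DIR3']);
Set( $ExternalServiceUsesSSLorTLS, 0);
Set($ExternalSettings, {
    'LDAP_DIR3' => {
        'type'   => 'ldap',
        'server' => 'dir3.sch.ad',
        'tls'    => 0,
    }
});
"""

SET_RE = re.compile(r"^[ \t]*Set\(\s*\$(\w+)\s*,\s*(.*)$", re.M)
PERL_FALSE = {"", "0", "''", '""', "undef"}

def top_level_settings(text):
    """Return {option: value text on the Set() line}; commented lines are skipped."""
    return {name: re.sub(r"\)\s*;\s*$", "", rest).strip()
            for name, rest in SET_RE.findall(text)}

def lint(text):
    """Return finding codes (hypothetical names) for the pattern in this thread."""
    opts = top_level_settings(text)
    enabled = lambda key: opts.get(key, "0") not in PERL_FALSE
    findings = []
    if "ExternalSettings" in opts:
        if not enabled("ExternalAuth"):
            # Services are defined but the switch from the thread's fix is off.
            findings.append("EXTERNALAUTH_NOT_ENABLED")
        tls_on = re.search(r"'tls'\s*=>\s*(?:[1-9]|\{)", text)
        ldaps = re.search(r"'server'\s*=>\s*'ldaps://", text)
        if not (tls_on or ldaps):
            # Binds to this service carry the password without transport encryption.
            findings.append("LDAP_BIND_WITHOUT_TLS")
    if enabled("WebExternalAuth"):
        # The key the poster had set where $ExternalAuth was needed.
        findings.append("WEBEXTERNALAUTH_SET")
    return findings

if __name__ == "__main__":
    for code in lint(SAMPLE_CONFIG):
        print(code)
```

The parser only reads the first line of each Set() call, so it is a lint pass for this one pattern and not a substitute for loading the config in Perl.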