[rt-users] Problems with RT::Authen::ExternalAuth::LDAP after upgrade to 4.4

John Andersen john at yvig.com
Thu Feb 11 01:07:48 EST 2016


BINGO!  That nailed it.  Thanks again Shawn and Julian.  I will try to read
responses more carefully in the future!  :)

On Wed, Feb 10, 2016 at 9:59 PM, John Andersen <john at yvig.com> wrote:

> Oh man!  Thanks for that catch!  I see now that Shawn told me exactly that
> and I saw what I expected to see instead.
>
>
>
> On Wed, Feb 10, 2016 at 9:55 PM, Julian De Marchi <jdemarchi at pivit.com.au>
> wrote:
>
>> Set( $WebExternalAuth, 1 ); to Set( $ExternalAuth, 1 );
>> > On 11 Feb 2016, at 3:44 PM, John Andersen <john at yvig.com> wrote:
>> >
>> > One more thing I should note is that I'm quite sure there is not even
>> an attempt to talk to the LDAP (Active Directory) server.  I log all auth
>> attempts to the domain controllers and no attempts are showing in the
>> logs.   I don't believe the requests are ever leaving the RT server.
>> >
>> >
>> >
>> > On Wed, Feb 10, 2016 at 9:27 PM, John Andersen <john at yvig.com> wrote:
>> > Sorry, forgot to include the relevant part of the config.  Here is is
>> again:
>> >
>> > Set( $WebExternalAuth, 1 );
>> > Set( $ExternalAuthPriority,['LDAP_DIR3']);
>> > Set( $ExternalInfoPriority,['LDAP_DIR3']);
>> > Set( $ExternalServiceUsesSSLorTLS, 0);
>> > Set( $AutoCreateNonExternalUsers, 1);
>> >
>> > Set($ExternalSettings,      {
>> >         'LDAP_DIR3'       =>  {
>> >
>> >                 'type'          =>  'ldap',
>> >                 'server'        =>  'dir3.sch.ad',
>> >                 'user'          => 'ldapbind at sch.ad',
>> >                 'pass'          =>  '**********',
>> >                 'base'          =>  'dc=sch,dc=ad',
>> >
>> >
>> >                 'filter'   =>  '(mail=*)(sAMAccountType=805306368)',
>> >                 'd_filter' =>
>> '(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)',
>> >
>> >                 'tls'                       =>  0,
>> >                 'ssl_version'               =>  3,
>> >                 'net_ldap_args'             => [    version =>  3   ],
>> >                 #'group'                     =>  'GROUP',
>> >                 #'group_attr'                =>  'GROUP_ATTR',
>> >
>> >                 'attr_match_list'       => [    'Name',
>> >                                                 'EmailAddress'
>> >                 ],
>> >
>> >                 # The mapping of RT attributes on to LDAP attributes
>> >                 'attr_map'      =>  {   'Name' => 'sAMAccountName',
>> >                                         'EmailAddress' => 'mail',
>> >                                         'Organization' => 'company',
>> >                                         'RealName' => 'cn',
>> >                                         'WorkPhone' =>
>> 'telephoneNumber',
>> >                                         'MobilePhone' => 'mobile',
>> >                 }
>> >         }
>> > }
>> > );
>> >
>> >
>> > On Wed, Feb 10, 2016 at 9:07 PM, John Andersen <john at yvig.com> wrote:
>> > Thank you for the response Shawn.   I had rolled back to 4.2.12 but I
>> threw up a test server based on my current production server and ran
>> through the upgrade again, this time with your suggestion.  Same result.
>>  What is maddening is that there don't seem to be any errors or anything.
>> Other than telling me "FAILED LOGIN" I can't find anything in the logs that
>> would point me in the right direction.   In syslog I simply get:
>> >
>> >
>> > Feb 10 21:02:27 rt RT: [5018] FAILED LOGIN for andersjp from
>> 70.199.131.228
>> >
>> >
>> >
>> > My LDAP config now looks like this:
>> > ---------
>> >
>> > Set($ExternalSettings,      {   # SCH LDAP Settings
>> >         'LDAP_DIR3'       =>  {   ## GENERIC SECTION
>> >
>> >                 'type'          =>  'ldap',
>> >                 'server'        =>  'dir3.sch.ad',
>> >                 'user'          => 'ldapbind at sch.ad',
>> >                 'pass'          =>  '********',
>> >                 'base'          =>  'dc=sch,dc=ad',
>> >
>> >
>> >                 'filter'   =>  '(mail=*)(sAMAccountType=805306368)',
>> >                 'd_filter' =>
>> '(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)',
>> >
>> >                 'tls'                       =>  0,
>> >                 'ssl_version'               =>  3,
>> >                 'net_ldap_args'             => [    version =>  3   ],
>> >                 #'group'                     =>  'GROUP',
>> >                 #'group_attr'                =>  'GROUP_ATTR',
>> >
>> >                 'attr_match_list'       => [    'Name',
>> >                                                 'EmailAddress'
>> >                 ],
>> >
>> >                 # The mapping of RT attributes on to LDAP attributes
>> >                 'attr_map'      =>  {   'Name' => 'sAMAccountName',
>> >                                         'EmailAddress' => 'mail',
>> >                                         'Organization' => 'company',
>> >                                         'RealName' => 'cn',
>> >                                         'WorkPhone' =>
>> 'telephoneNumber',
>> >                                         'MobilePhone' => 'mobile',
>> >                 }
>> >         }
>> > }
>> > );
>> >
>> >
>> > -John
>> >
>> > On Wed, Feb 10, 2016 at 9:20 AM, Shawn Moore <shawn at bestpractical.com>
>> wrote:
>> > Hi John,
>> >
>> > On 2016年2月10日 at 2:11:18, John Andersen (john at yvig.com) wrote:
>> > > For background. this particular installation went live 10 years ago
>> and has
>> > > been carried over (mostly flawlessly I might add) from version to
>> version
>> > > over that 10 years; I try to stay on the most recent stable version.
>> >
>> > I’m very happy to hear that RT has been running smoothly for you for so
>> long!
>> >
>> > > Set( $ExternalAuthPriority,['LDAP_DIR3']);
>> > > Set( $ExternalInfoPriority,['LDAP_DIR3']);
>> > > Set( $ExternalServiceUsesSSLorTLS, 0);
>> > > Set( $AutoCreateNonExternalUsers, 1);
>> > > Set($ExternalSettings, {
>> > > ...
>> > > );
>> >
>> > Could you try adding this as well?
>> >
>> > Set( $ExternalAuth, 1 );
>> >
>> > > I'd be grateful for any ideas or pointers!
>> >
>> > Please let us know if that gets you back up and running. We’ll do a
>> better job about this in 4.4.1.
>> >
>> > > Thank you,
>> > > John
>> >
>> > Thanks!
>> > Shawn
>> >
>> > ---------
>> > RT 4.4 and RTIR Training Sessions (
>> http://bestpractical.com/services/training.html)
>> > * Hamburg Germany  March 14 & 15, 2016
>> >
>> >
>> >
>> >
>> > ______________________________________________________________________
>> > This email has been scanned by the Symantec Email Security.cloud
>> service.
>> > For more information please visit http://www.symanteccloud.com
>> > ______________________________________________________________________
>> >
>> > ---------
>> > RT 4.4 and RTIR Training Sessions (
>> http://bestpractical.com/services/training.html)
>> > * Hamburg Germany — March 14 & 15, 2016
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20160210/77951e5a/attachment.html>


More information about the rt-users mailing list