Can you remove the d_filter you have? It's different than what I have:

    'd_filter' => '(userAccountControl=514)',

Jason Ledford
Systems Analyst
The Biltmore Company
One North Pack Square
Asheville, NC 28801
(828) 225-6127

________________________________________
From: rt-users-boun...@lists.bestpractical.com [rt-users-boun...@lists.bestpractical.com] On Behalf Of Val Polyakov [...@polyakov.me]
Sent: Monday, September 27, 2010 1:19 PM
To: John Alberts
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] ldap externalauth problem

ldapsearch works, I can find myself using:

    ldapsearch -LLL -x -H ldap://ADserver:389 -b 'ou=users,ou=yonkers,dc=mydomain,dc=org' -D 'cn=rt,ou=Service Accounts,ou=Users,ou=HIGHSECURITY,dc=mydomain,dc=org' -w 'rtPassword' '(&(ObjectClass=Person)(cn=Polyakov, Valeriy))'

I also turned on debug logging for externalauth, and here's what I see in the log. The password I'm providing is correct, it seems to be able to find my account, but then I get an auth failure.. why ? :/

[Mon Sep 27 17:11:18 2010] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Sep 27 17:11:18 2010] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Sep 27 17:11:18 2010] [debug]: Calling UserExists with $username (polyva) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Sep 27 17:11:18 2010] [debug]: UserExists params: username: polyva , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (&(&(ObjectCategory=User))(sAMAccountName=polyva)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,mail (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Sep 27 17:11:18 2010] [debug]: Password validation required for service - Executing... (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Mon Sep 27 17:11:18 2010] [debug]: Trying external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=consumer,dc=org == Filter: (&(sAMAccountName=polyva)(&(ObjectCategory=User))) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Mon Sep 27 17:11:18 2010] [debug]: Found LDAP DN: CN=Polyakov\, Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (member=CN=Polyakov, Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Mon Sep 27 17:11:18 2010] [info]: My_LDAP AUTH FAILED: polyva (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Mon Sep 27 17:11:18 2010] [debug]: LDAP password validation result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Mon Sep 27 17:11:18 2010] [debug]: Password Validation Check Result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Mon Sep 27 17:11:18 2010] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Mon Sep 27 17:11:18 2010] [error]: FAILED LOGIN for polyva from 192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)

> Val,
> Have you verified that ldapsearch works for you on this box?
>
> I used something like this to test:
>
> ldapsearch -LLL -x -H ldap://<ldap server>:389 -b 'DC=corp,DC=something,DC=com' -D 'ldapu...@corp.something.com' -w '<ldapuser password>' '(&(ObjectClass=Person)(cn=<username to search for))'
>
> I had to request from our Windows AD guys to allow the ldapuser to be able to read all user information. I also had to have them open the firewall to our server, because by default, they only allow certain servers to query the AD servers.
>
> John
>
> On 09/27/2010 10:14 AM, Val Polyakov wrote:
> > Trying to get my RT 3.8.8 on RHEL5 to authenticate against our corporate AD.
> >
> > I followed this guide here:
> > http://wiki.bestpractical.com/view/CentOS5InstallPlusSome
> >
> > I also checked that apache has access to over here (RT-Authen-ExternalAuth dir was chgrp -R'ed and chmod -R 770'ed):
> >
> > [r...@rt plugins]# pwd
> > /opt/rt3/local/plugins
> > [r...@rt plugins]# ls -ltr
> > total 4
> > drwxrwx--- 5 root apache 4096 Sep 13 14:16 RT-Authen-ExternalAuth
> > [r...@rt plugins]# ps awwwux |grep httpd
> > root      2313  0.1  4.1 348008 83360 ?      Ss   10:32   0:02 /usr/sbin/httpd
> > apache    2317  0.0  4.1 350272 82612 ?      S    10:32   0:00 /usr/sbin/httpd
> > apache    2318  0.0  4.1 350272 82616 ?      S    10:32   0:00 /usr/sbin/httpd
> > apache    2319  0.0  4.0 348204 82216 ?      S    10:32   0:00 /usr/sbin/httpd
> > apache    2320  0.0  4.1 350272 82684 ?      S    10:32   0:00 /usr/sbin/httpd
> > apache    2321  0.0  4.1 350928 83388 ?      S    10:32   0:00 /usr/sbin/httpd
> > apache    2322  0.0  4.1 350272 82616 ?      S    10:32   0:00 /usr/sbin/httpd
> > apache    2323  0.0  4.1 350272 82616 ?      S    10:32   0:00 /usr/sbin/httpd
> > apache    2324  0.0  4.1 350668 83172 ?      S    10:32   0:00 /usr/sbin/httpd
> > root      3537  0.0  0.0  61148   708 pts/0  R+   11:06   0:00 grep httpd
> > [r...@rt plugins]#
> >
> > When I set this up and tried to login with my AD account for the first time, here's what I saw in /var/log/httpd/error_log :
> >
> > [r...@rt autohandler]# tail -f /var/log/httpd/error_log
> > [Mon Sep 27 14:32:29 2010] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: 101 Truman Avenue, City: Yonkers, Country: United States, Disabled: 0, EmailAddress: vpolya...@consumer.org, ExternalAuthId: POLYVA, Gecos: POLYVA, Name: POLYVA, Organization: 1-8D, Privileged: 0, RealName: Polyakov, Valeriy, State: NY, WorkPhone: (914) 378-2577, Zip: 10703 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
> > [Mon Sep 27 14:32:29 2010] [info]: Autocreated external user POLYVA ( 36 ) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:132)
> > [Mon Sep 27 14:32:29 2010] [info]: My_LDAP AUTH FAILED: polyva (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> >
> > ....
> >
> > And ever since then when I try to login I only see this:
> >
> > [Mon Sep 27 14:52:31 2010] [info]: My_LDAP AUTH FAILED: polyva (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> > [Mon Sep 27 14:52:31 2010] [error]: FAILED LOGIN for polyva from 192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
> >
> > My /opt/rt3/etc/RT_SiteConfig.pm and /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc are attached.
> >
> > Any suggestions?
> >
> > RT Training in Washington DC, USA on Oct 25 & 26 2010
> > Last one this year -- Learn how to get the most out of RT!
>
> --
> John Alberts
> Hosted Services
> Exlibris USA
> john.albe...@exlibrisgroup.com
> cell: 1-508-878-2197
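Two details in the thread are worth checking against a concrete example. This Python is added by the editor; it is not code from the thread, from RT, or from RT-Authen-ExternalAuth, and the DNs and userAccountControl values in it are constructed from the log lines above for illustration. First, the debug log reports the user's DN at LDAP.pm:75 as `CN=Polyakov\, Valeriy,OU=Users,...` (the comma inside the CN escaped, as RFC 4514 requires) but then, at LDAP.pm:100, searches for group membership with the filter `(member=CN=Polyakov, Valeriy,OU=Users,...)`, where the backslash is gone. In an RFC 4515 filter an assertion value containing a backslash must carry it as `\5c`; a DN string with a bare comma in that position is a different DN (six RDNs instead of five), so a `member` attribute holding the real DN cannot match it. How RT builds that filter is not shown on the page, so whether this is the cause of the failure cannot be told from the log alone, but it is the first thing to verify, together with the fact that the base of that search is the Users OU rather than a group. Second, Jason's `'d_filter' => '(userAccountControl=514)'` is an equality match: 514 is NORMAL_ACCOUNT (0x200) plus ACCOUNTDISABLE (0x2), so an account that is disabled and also has another flag set, e.g. DONT_EXPIRE_PASSWORD (0x10000, giving 66050), is not treated as disabled. Active Directory's bitwise-AND matching rule 1.2.840.113556.1.4.803 tests the single bit instead. The example uses only the standard library and needs no directory server.

```python
# Added example (not from the thread or from RT-Authen-ExternalAuth):
# 1. escaping a DN before embedding it in an LDAP search filter, and why an
#    unescaped comma changes which DN the filter names;
# 2. why (userAccountControl=514) misses most disabled AD accounts, and the
#    bitwise-AND filter that does not.
# Standard library only; sample DNs and UAC values are constructed.
from string import hexdigits

# RFC 4515: these characters must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_filter(user_dn: str, attr: str = "member") -> str:
    """Group-membership filter with the user's DN correctly escaped."""
    return f"({attr}={escape_filter_value(user_dn)})"


def split_dn(dn: str) -> list:
    """Split a DN string into its RDNs, honouring RFC 4514 backslash escapes.

    Only used to show how the meaning of a DN changes when an escape is lost.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in hexdigits for c in pair):
                current.append(chr(int(pair, 16)))   # \2C style escape
                i += 3
            else:
                current.append(dn[i + 1])            # \, \+ \" etc.
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return rdns


# Active Directory userAccountControl bits used below
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# AD extensible matching rule: bitwise AND
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def disabled_filter_exact() -> str:
    """The filter from the thread: matches only a UAC value of exactly 514."""
    return f"(userAccountControl={NORMAL_ACCOUNT | ACCOUNTDISABLE})"


def disabled_filter_bitwise() -> str:
    """Matches every account whose ACCOUNTDISABLE bit is set."""
    return f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE})"


def matches_exact(uac: int) -> bool:
    """How the server evaluates disabled_filter_exact() for one account."""
    return uac == (NORMAL_ACCOUNT | ACCOUNTDISABLE)


def matches_bitwise(uac: int) -> bool:
    """How the server evaluates disabled_filter_bitwise() for one account."""
    return uac & ACCOUNTDISABLE == ACCOUNTDISABLE


if __name__ == "__main__":
    # DN as logged at LDAP.pm:75 (constructed copy)
    logged_dn = r"CN=Polyakov\, Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org"
    print(member_filter(logged_dn))
    print(split_dn(logged_dn))   # 5 RDNs; the CN keeps its comma
    # the value as it appears in the LDAP.pm:100 filter: six pieces, a different DN
    print(split_dn("CN=Polyakov, Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org"))
    for uac in (NORMAL_ACCOUNT, NORMAL_ACCOUNT | ACCOUNTDISABLE,
                NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD):
        print(uac, "exact:", matches_exact(uac), "bitwise:", matches_bitwise(uac))
```

To check the membership search by hand, the escaped filter printed by `member_filter` can be pasted into the same `ldapsearch` invocation Val already has working, with `-b` pointed at the group's DN rather than the Users OU.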