Still struggling with trying to get RT externally authenticating with my 2008
Active Directory.
I have been able to run an ldapsearch successfully with the following options:
ldapsearch -x -b "dc=eiuad,dc=eiu,dc=edu" -D "CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu" -h eiuad.eiu.edu -p 389 -W "sAMAccountName=blmurphy"
I would like to use blmurphy as my RT account name. When I execute the
above ldapsearch and enter the prompted-for password, I get back my account
information from the Active Directory. I have the following set in my
RT_SiteConfig.pm but continue to get the externalauth nouser response.
Brian
Set($ExternalSettings, {
    # EIUAD Active Directory
    'EIUAD' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        # The server hosting the service
        'server' => 'eiuad.eiu.edu',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user' => 'CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
        # The password RT should use to connect to the LDAP server
        'pass' => 'xxxxxxxxx',
        #
        # The LDAP search base
        'base' => 'dc=eiuad,dc=eiu,dc=edu',
        #
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        #
        # The filter to use to match RT-Users
        'filter' => '(sAMAccountName=*)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter' => '(objectclass=Foo)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
        # What is the attribute for the group object that determines membership?
        'group_attr' => 'memberOf',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name' => 'sAMAccountName' },
    },
});
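To see which step of the external-auth sequence fails, the same steps can be replayed outside RT against the posted settings. This is an added example, not code from the thread or from RT::Authen::ExternalAuth; it assumes the plugin checks group membership by searching the group object for an attribute equal to the user's DN, and it reads the service-account and test passwords from two made-up environment variables, RT_BIND_PASS and RT_TEST_PASS.

```perl
#!/usr/bin/perl
# Added example (not from RT or RT::Authen::ExternalAuth): replays the steps the
# plugin's LDAP backend is assumed to take, so each one can be checked outside RT.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Settings copied from the posted ExternalSettings block; passwords come from
# made-up environment variables instead of being hard-coded.
my %cfg = (
    server     => 'eiuad.eiu.edu',
    user       => 'CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
    base       => 'dc=eiuad,dc=eiu,dc=edu',
    filter     => '(sAMAccountName=*)',
    d_filter   => '(objectclass=Foo)',
    group      => 'CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
    group_attr => 'memberOf',   # as posted; an AD group object lists its members in 'member'
    name_attr  => 'sAMAccountName',   # the attr_map entry for 'Name'
);
my $login    = $ARGV[0] // 'blmurphy';
my $password = $ENV{RT_TEST_PASS} // die "set RT_TEST_PASS to the account password\n";
my $ldap = Net::LDAP->new($cfg{server}, port => 389, version => 3)
    or die "connect to $cfg{server} failed: $@";

# Step 1: bind as the service account exactly as RT would.
my $msg = $ldap->bind($cfg{user}, password => $ENV{RT_BIND_PASS} // '');
die 'service bind failed: ' . $msg->error . "\n" if $msg->code;

# Step 2: locate the user by ANDing the RT filter with the Name mapping.
my $user_filter = sprintf '(&%s(%s=%s))', $cfg{filter}, $cfg{name_attr},
    escape_filter_value($login);
$msg = $ldap->search(base => $cfg{base}, filter => $user_filter, attrs => ['dn']);
die 'user search failed: ' . $msg->error . "\n" if $msg->code;
die "expected one entry for $login, got " . $msg->count . "\n" unless $msg->count == 1;
my $dn = $msg->entry(0)->dn;
print "found user DN: $dn\n";

# Step 3: the disabled check, then the group check run against the group object.
$msg = $ldap->search(base => $dn, scope => 'base', filter => $cfg{d_filter});
print "d_filter matches: RT would treat this user as disabled\n" if $msg->count;
my $group_filter = sprintf '(%s=%s)', $cfg{group_attr}, escape_filter_value($dn);
$msg = $ldap->search(base => $cfg{group}, scope => 'base', filter => $group_filter);
printf "group check %s: %s\n", $group_filter, $msg->count ? 'member' : 'NOT a member';

# Step 4: bind as the user with the password typed at the RT login page.
$msg = $ldap->bind($dn, password => $password);
print $msg->code ? 'user bind failed: ' . $msg->error . "\n" : "user bind OK\n";
$ldap->unbind;
```

Run it as `RT_BIND_PASS=... RT_TEST_PASS=... perl check_rt_ldap.pl blmurphy`; the first step that prints a failure is the one to compare against the plugin's debug log, and because an AD group object lists its members in `member` rather than `memberOf`, a "NOT a member" result at step 3 points at `group_attr` before anything else.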
----- Original Message -----
From: "Brian Murphy" <[email protected]>
To: [email protected]
Sent: Thursday, August 25, 2011 11:59:50 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
I only get the login failed message back from web.pm.
The account I am using is already in RT and being used, so is this a problem? I
was assuming the id would exist and just the auth would be done externally.
Brian
----- Original Message -----
From: "Kevin Falcone" <[email protected]>
To: [email protected]
Sent: Thursday, August 25, 2011 9:46:01 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
On Wed, Aug 24, 2011 at 04:42:04PM -0500, Brian Murphy wrote:
> Thanks for the tip on the logging, Kevin.
>
> Seeing the following, don't know exactly what to make of it.
>
> [Wed Aug 24 21:38:37 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Wed Aug 24 21:38:37 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
> [Wed Aug 24 21:38:37 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
Those are the messages you get when the login page pops up.
What do you get after typing your username and password in?
-kevin
> ----- Original Message -----
> From: "Kevin Falcone" <[email protected]>
> To: [email protected]
> Sent: Wednesday, August 24, 2011 4:18:08 PM
> Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
>
> On Wed, Aug 24, 2011 at 01:09:15PM -0500, Brian Murphy wrote:
> > I am trying desperately to get this going and am not seeing that my
> > externalauth is even being called. I am attaching my RT_SiteConfig.pm
> > for review. I am a newbie and don't know much about anything RT as
> > yet. I see very little in my /var/log/messages other than LOGIN failed
> > for xxxxx from web.pm, so I don't really think my externalauth is
> > really in play as of yet. Any assistance in getting this going would
> > be greatly appreciated.
>
> You don't appear to have turned your logging level up; the most useful
> logs are at the debug level. LogToScreen is probably the easiest,
> because they'll end up in your apache error log.
>
> -kevin
> >
> > # Any configuration directives you include here will override
> > # RT's default configuration file, RT_Config.pm
> > #
> > # To include a directive here, just copy the equivalent statement
> > # from RT_Config.pm and change the value. We've included a single
> > # sample value below.
> > #
> > # This file is actually a perl module, so you can include valid
> > # perl code, as well.
> > #
> > # The converse is also true, if this file isn't valid perl, you're
> > # going to run into trouble. To check your SiteConfig file, use
> > # this command:
> > #
> > # perl -c /path/to/your/etc/RT_SiteConfig.pm
> > #
> > # You must restart your webserver after making changes to this file.
> >
> >
> > # You must install Plugins on your own, this is only an example
> > # of the correct syntax to use when activating them.
> > # There should only be one @Plugins declaration in your config file.
> > #Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail RT::Extension::ActivityReports)));
> > #Set(@Plugins,(qw(RT::Extension::ActivityReports)));
> > Set(@Plugins,(qw(RT::Extension::ActivityReports RT::Authen::ExternalAuth)));
> >
> > Set( $CorrespondAddress, '' );
> > Set( $rtname, 'EIU ITS Campus Technology' );
> > Set( $DatabaseRequireSSL, '' );
> > Set( $WebPort, '8080' );
> >
> > Set( $DatabaseType, 'mysql' );
> >
> > Set( $SendmailPath, '/usr/sbin/sendmail' );
> > Set( $WebDomain, 'localhost' );
> >
> > Set( $CommentAddress, '' );
> > Set($Timezone, "US/Central");
> > Set($UnsafeEmailCommands, 1);
> > Set($ParseNewMessageForTicketCcs, 1);
> > Set($NotifyActor, 1);
> >
> > Set( $OwnerEmail, '' );
> > Set( $DatabaseUser, 'rt_user' );
> > Set( $DatabasePort, '' );
> > Set( $DatabasePassword, 'RT_pass1-' );
> > Set( $DatabaseAdmin, 'root' );
> > Set( $DatabaseAdminPassword, 'Mtfbwu+1' );
> > Set( $DatabaseHost, 'localhost' );
> > Set( $DatabaseName, 'rt4' );
> > Set( $Organization, 'ITS' );
> > 1;
> > # The order in which the services defined in ExternalSettings
> > # should be used to authenticate users. User is authenticated
> > # if successfully confirmed by any service - no more services
> > # are checked.
> > Set($ExternalAuthPriority, [ 'EIUAD'
> > ]
> > );
> >
> > # The order in which the services defined in ExternalSettings
> > # should be used to get information about users. This includes
> > # RealName, Tel numbers etc, but also whether or not the user
> > # should be considered disabled.
> > #
> > # Once user info is found, no more services are checked.
> > #
> > # You CANNOT use a SSO cookie for authentication.
> > Set($ExternalInfoPriority, [ 'EIUAD'
> > ]
> > );
> >
> > # If this is set to true, then the relevant packages will
> > # be loaded to use SSL/TLS connections. At the moment,
> > # this just means "use Net::SSLeay;"
> > Set($ExternalServiceUsesSSLorTLS, 0);
> >
> > # If this is set to 1, then users should be autocreated by RT
> > # as internal users if they fail to authenticate from an
> > # external service.
> > Set($AutoCreateNonExternalUsers, 0);
> >
> > # These are the full settings for each external service as a HashOfHashes
> > # Note that you may have as many external services as you wish. They will
> > # be checked in the order specified in the Priority directives above.
> > # e.g.
> > # Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
> > #
> > Set($ExternalSettings, {
> >     # EIUAD Active Directory
> >     'EIUAD' => {
> >         ## GENERIC SECTION
> >         # The type of service (db/ldap/cookie)
> >         'type' => 'ldap',
> >         # The server hosting the service
> >         'server' => 'xxxxx.xxx.edu',
> >         ## SERVICE-SPECIFIC SECTION
> >         # If you can bind to your LDAP server anonymously you should
> >         # remove the user and pass config lines, otherwise specify them here:
> >         #
> >         # The username RT should use to connect to the LDAP server
> >         'user' => 'rtauth',
> >         # The password RT should use to connect to the LDAP server
> >         'pass' => 'xxxxxxx',
> >         #
> >         # The LDAP search base
> >         'base' => 'dc=xxxxx,dc=xxx,dc=edu',
> >         #
> >         # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
> >         # YOU **MUST** SPECIFY A filter AND A d_filter!!
> >         #
> >         # The filter to use to match RT-Users
> >         'filter' => '(objectclass=person)',
> >         # A catch-all example filter: '(objectClass=*)'
> >         #
> >         # The filter that will only match disabled users
> >         'd_filter' => '(objectclass=Foo)',
> >         # A catch-none example d_filter: '(objectClass=FooBarBaz)'
> >         #
> >         # Should we try to use TLS to encrypt connections?
> >         'tls' => 0,
> >         # SSL Version to provide to Net::SSLeay *if* using SSL
> >         'ssl_version' => 3,
> >         # What other args should I pass to Net::LDAP->new($host,@args)?
> >         'net_ldap_args' => [ version => 3 ],
> >         # Does authentication depend on group membership? What group name?
> >         'group' => 'rt_access',
> >         # What is the attribute for the group object that determines membership?
> >         'group_attr' => 'memberOf',
> >         ## RT ATTRIBUTE MATCHING SECTION
> >         # The list of RT attributes that uniquely identify a user
> >         # This example shows what you *can* specify.. I recommend reducing this
> >         # to just the Name and EmailAddress to save encountering problems later.
> >         'attr_match_list' => [ 'Name' ],
> >         # The mapping of RT attributes on to LDAP attributes
> >         'attr_map' => { 'Name' => 'sAMAccountName' },
> >     },
> > });
> >
> > 1;
>
> --------
> RT Training Sessions (http://bestpractical.com/services/training.html)
> * Chicago, IL, USA - September 26 & 27, 2011
> * San Francisco, CA, USA - October 18 & 19, 2011
> * Washington DC, USA - October 31 & November 1, 2011
> * Melbourne VIC, Australia - November 28 & 29, 2011
> * Barcelona, Spain - November 28 & 29, 2011