-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Kevin Falcone
Sent: Wednesday, November 16, 2011 11:54 AM
To: [email protected]
Subject: Re: [rt-users] External Auth (LDAP) and Mail Attribute
On Tue, Nov 15, 2011 at 03:21:22PM -0500, Thomas Misilo wrote:
>
> >Also - to be clear, you're concentrating on the part of the code that checks
> >to see if a user exists. You're not looking at the later queries that
> >*actually* sync the data.
>
> >-kevin
>
> Okay, I have looked through and checked everything but I cannot find any
> errors in rt.log
>
> I see this line: [Tue Nov 15 20:19:22 2011] [debug]: Authentication
> successful. Now updating user information and attempting login.
> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:179)
> but it doesn't talk about any of my mappings.
>
Unfortunately, we haven't seen a full config or log so it's really hard to
comment on what's happening.
-kevin
Full Config:
# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
# perl -c /path/to/your/etc/RT_SiteConfig.pm
#
# You must restart your webserver after making changes to this file.
Set( $rtname, 'Evans Library');
Set($Organization, "url.tld");
Set($WebDomain, "url.tld");
Set($WebPort, 80);
Set($WebPath, "/rt");
Set($DatabaseHost, "sqlserver.tld");
Set($DatabaseRTHost, "url.tld");
Set($DatabaseUser, "rt4");
Set($DatabasePassword, q{hello});
Set($DatabaseName, q{rt4});
Set($OwnerEmail, '[email protected]');
Set($LogToSyslog, "debug");
Set($LogToScreen, "debug");
Set($LogToFile, "debug");
Set($CanonicalizeOnCreate, 1);
Set($ValidateUserEmailAddresses, 1);
Set($AutoCreateNonExternalUsers, 1);
Set($ExternalAuthPriority, [ 'AD'
]
);
Set($ExternalSettings, {
    'AD' => {
        'type' => 'ldap',
        'server' => 'ad.tld',
        'user' => 'CN=user,OU=Group User Accounts,OU=Groups,DC=ad,DC=tld',
        'pass' => 'bindingpassword',
        'base' => 'DC=ad,DC=tld',
        # The filter to use to match RT-Users
        'filter' => '(objectClass=*)',
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        #'group' => 'Internal Site Access',
        # What is the attribute for the group object that determines membership?
        #'group_attr' => 'memberOf',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'Organization' => 'physicalDeliveryOfficeName',
            'RealName' => 'displayName',
            'ExternalContactInfoId' => 'dn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos' => 'sAMAccountName',
            'WorkPhone' => 'telephoneNumber'
        }
    }
});
Set( @Plugins, (qw(RT::Authen::ExternalAuth)) );
1;
Logs:
[Wed Nov 16 17:26:07 2011] [debug]: You've enabled GraphViz, but we couldn't
load the module: Can't locate GraphViz.pm in @INC (@INC contains:
/opt/rt4/sbin/../local/lib /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib
/opt/rt4/sbin/../lib /usr/lib/perl5/site_perl /usr/share/perl5/site_perl
/usr/lib/perl5/vendor_perl /usr/share/perl5/vendor_perl
/usr/lib/perl5/core_perl /usr/share/perl5/core_perl . /etc/httpd) at
/opt/rt4/sbin/../lib/RT/Config.pm line 558.
(/opt/rt4/sbin/../lib/RT/Config.pm:559)
[Wed Nov 16 17:26:07 2011] [debug]: The RTAddressRegexp option is not set in
the config. Not setting this option results in additional SQL queries to check
whether each address belongs to RT or not. It is especially important to set
this option if RT recieves emails on addresses that are not in the database or
config. (/opt/rt4/sbin/../lib/RT/Config.pm:454)
[Wed Nov 16 17:26:09 2011] [debug]: You've enabled GraphViz, but we couldn't
load the module: Can't locate GraphViz.pm in @INC (@INC contains:
/opt/rt4/sbin/../local/lib /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib
/opt/rt4/sbin/../lib /usr/lib/perl5/site_perl /usr/share/perl5/site_perl
/usr/lib/perl5/vendor_perl /usr/share/perl5/vendor_perl
/usr/lib/perl5/core_perl /usr/share/perl5/core_perl . /etc/httpd) at
/opt/rt4/sbin/../lib/RT/Config.pm line 558.
(/opt/rt4/sbin/../lib/RT/Config.pm:559)
[Wed Nov 16 17:26:09 2011] [debug]: The RTAddressRegexp option is not set in
the config. Not setting this option results in additional SQL queries to check
whether each address belongs to RT or not. It is especially important to set
this option if RT recieves emails on addresses that are not in the database or
config. (/opt/rt4/sbin/../lib/RT/Config.pm:454)
[Wed Nov 16 17:26:18 2011] [debug]: ExternalInfoPriority not defined. User
information (including user enabled/disabled cannot be externally-sourced
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:40)
[Wed Nov 16 17:26:18 2011] [debug]: Attempting to use external auth service: AD
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed Nov 16 17:26:18 2011] [debug]: SSO Failed and no user to test with.
Nexting
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Wed Nov 16 17:26:18 2011] [debug]: Autohandler called ExternalAuth. Response:
(0, No User)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Wed Nov 16 17:26:18 2011] [debug]: ExternalInfoPriority not defined. User
information (including user enabled/disabled cannot be externally-sourced
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:40)
[Wed Nov 16 17:26:18 2011] [debug]: Attempting to use external auth service: AD
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed Nov 16 17:26:18 2011] [debug]: SSO Failed and no user to test with.
Nexting
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Wed Nov 16 17:26:18 2011] [debug]: Autohandler called ExternalAuth. Response:
(0, No User)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Wed Nov 16 17:26:24 2011] [debug]: ExternalInfoPriority not defined. User
information (including user enabled/disabled cannot be externally-sourced
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:40)
[Wed Nov 16 17:26:24 2011] [debug]: Attempting to use external auth service: AD
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed Nov 16 17:26:24 2011] [debug]: Calling UserExists with $username (iamuser)
and $service (AD)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Wed Nov 16 17:26:24 2011] [debug]: UserExists params:
username: iamuser , service: AD
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Wed Nov 16 17:26:24 2011] [debug]: LDAP Search === Base: DC=AD,DC=tld ==
Filter: (&(objectClass=*)(sAMAccountName=iamuser)) == Attrs:
telephoneNumber,displayName,dn,physicalDeliveryOfficeName,mail,sAMAccountName,sAMAccountName,sAMAccountName
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Wed Nov 16 17:26:24 2011] [debug]: Password validation required for service -
Executing...
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Wed Nov 16 17:26:24 2011] [debug]: Trying external auth service: AD
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Wed Nov 16 17:26:24 2011] [debug]: LDAP Search === Base: DC=AD,DC=tld ==
Filter: (&(sAMAccountName=iamuser)(objectClass=*)) == Attrs: dn
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Wed Nov 16 17:26:24 2011] [debug]: Found LDAP DN:
CN=iamuser,OU=People,DC=AD,DC=tld
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Wed Nov 16 17:26:24 2011] [info]: RT::Authen::ExternalAuth::LDAP::GetAuth
External Auth OK ( AD ): iamuser
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:139)
[Wed Nov 16 17:26:24 2011] [debug]: LDAP password validation result: 1
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Wed Nov 16 17:26:24 2011] [debug]: Password Validation Check Result: 1
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Wed Nov 16 17:26:24 2011] [debug]: Authentication successful. Now updating
user information and attempting login.
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:179)
[Wed Nov 16 17:26:24 2011] [info]: Successful login for iamuser from
163.118.10.111
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:219)
[Wed Nov 16 17:26:24 2011] [debug]: Autohandler called ExternalAuth. Response:
(1, Successful login)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
--------
RT Training Sessions (http://bestpractical.com/services/training.html)
* Barcelona, Spain November 28 & 29, 2011
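Added example, not code from the thread or from RT::Authen::ExternalAuth: a small triage script that regroups the line-wrapped debug records of the kind posted above, pulls out the auth service, the logged-in user and the attribute list RT requested from LDAP, and flags the "ExternalInfoPriority not defined" record, which is the log's own statement that user information will not be sourced externally. The sample log is constructed from the entries above (shortened), and the field names of the returned dict are my own.

```python
import re

# Constructed sample, modelled on the ExternalAuth debug log in the thread above
# (shortened, not the original log verbatim); one record may wrap over several lines.
SAMPLE_LOG = """\
[Wed Nov 16 17:26:24 2011] [debug]: ExternalInfoPriority not defined. User
information (including user enabled/disabled cannot be externally-sourced
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:40)
[Wed Nov 16 17:26:24 2011] [debug]: Attempting to use external auth service: AD
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed Nov 16 17:26:24 2011] [debug]: LDAP Search === Base: DC=AD,DC=tld ==
Filter: (&(objectClass=*)(sAMAccountName=iamuser)) == Attrs:
telephoneNumber,displayName,dn,mail,sAMAccountName,sAMAccountName
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Wed Nov 16 17:26:24 2011] [info]: Successful login for iamuser from 163.118.10.111
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:219)
"""
RECORD_START = re.compile(r"^\[[^\]]+\] \[(\w+)\]: ")

def split_records(text):
    """Glue wrapped continuation lines back onto the '[date] [level]:' record they belong to."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def triage(text):
    """Summarise one ExternalAuth login and flag why the attr_map may not be applied."""
    rep = {"service": None, "user": None, "ldap_attrs": [], "auth_ok": False, "findings": []}
    for rec in split_records(text):
        if m := re.search(r"external auth service: (\S+)", rec):
            rep["service"] = m.group(1)
        if m := re.search(r"== Attrs: (\S+)", rec):
            rep["ldap_attrs"] = m.group(1).split(",")
        if m := re.search(r"Successful login for (\S+)", rec):
            rep["user"], rep["auth_ok"] = m.group(1), True
        if "ExternalInfoPriority not defined" in rec:
            # The log itself says user info cannot be externally sourced: the attr_map
            # is then only used to find the account, not to pull mail etc. from LDAP.
            rep["findings"].append("ExternalInfoPriority unset: LDAP attributes are not synced")
    dupes = sorted({a for a in rep["ldap_attrs"] if rep["ldap_attrs"].count(a) > 1})
    if dupes:
        rep["findings"].append("attributes requested more than once: " + ",".join(dupes))
    return rep
```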