I'm kicking this back to the list only. I've been going round and round with this and I have some more information, but still not a solution.

ldapsearch works:

ldapsearch -H ldap://file_print.hpm.net -b "dc=hpm,dc=net" -s sub "(sAMAccountName=yans)" -D 'HPM\yans' -x -W uid

But notice that I need to use either 'HPM\yans' for the user or the older 'y...@hpm.net' for the system to allow me to bind to the ldap server. The way we're set up, any user can bind to the server with valid credentials, but anonymous binds are not allowed.

But the way ExternalAuth is set up, I have to provide the ldap userid and password, which in our system would be a real user.

            'user'                      =>  'rt_ldap_username',
            'pass'                      =>  'rt_ldap_password',

Is there any way to get ExternalAuth to use the credentials entered in the login to bind to the ldap server?

(As near as I can figure, the LDAPImport extension imports the userids from ldap, which is not what I need. I need to authenticate against AD in realtime.)

--Yan



On 7/7/2015 1:32 PM, Trev wrote:
Sorry about that, review the blog entry I sent you prior. I do see I did add that plugin, again, it's been a while since I wrestled with LDAP authentication. So, I threw my working config with notes, into that blog.



On Tue, Jul 7, 2015 at 1:30 PM, Trev <tre...@onepost.net> wrote:

    Use --> Plugin( "RT::Extension::LDAPImport" );
    Note the configuration I linked to you prior.
    I had some issues with limited functionality using
    Plugin('RT::Authen::ExternalAuth'). It's been a while actually; I
    may not even have had that extension working.


    On Tue, Jul 7, 2015 at 1:28 PM, Trev <tre...@onepost.net> wrote:

        If you mean during the login via the RT GUI: the username is
        sAMAccountName. There shouldn't be any need to prefix it with the
        domain, as the domain is already being queried.



        On Tue, Jul 7, 2015 at 1:24 PM, Yan Seiner <y...@seiner.com> wrote:

            What format do you use for the username?

            When I try hpm\yans which should, in theory, work, I get:

            [5367] [Tue Jul  7 17:07:28 2015] [debug]: LDAP Search ===  Base: dc=hpm,dc=net == Filter: (&(objectClass=*)(sAMAccountName=hpm\5cyans)) == Attrs: sAMAccountName,mail (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)

            Notice the mangled sAMAccountName=hpm\5cyans. If this is
            what it is searching for, then we have a problem. :)

            --Yan


            On 7/7/2015 11:57 AM, Trev wrote:
            This may help:

            http://trevthorpe.blogspot.com/2015/01/request-tracker-424-ldap-authentication.html



            On Tue, Jul 7, 2015 at 11:24 AM, Yan Seiner <y...@seiner.com> wrote:

                I'm coming back to RT after a few years.  I am trying
                to set up external auth against our AD server.

                I have a working implementation for mediawiki, so I
                know that it's possible on our system.  As far as
                possible I've duplicated the options from
                mediawiki/php to rt/perl, but I am still missing
                something important as all login attempts get
                rejected with a NoUser.

                The only thing that I find different (and I'm
                searching my memory from a few years ago when I set
                up mediawiki) there is a line where the user name is
                pre-pended with the domain for AD:

                $wgLDAPSearchStrings = array( 'HPM' => "HPM\\USER-NAME" );

                And I can't find anything like that in the RT config.

                Does anyone have a working AD external auth they can
                share?

                Thanks.

                Here's the logfile snippet:

                [4835] [Tue Jul  7 15:17:14 2015] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:424)
                [4835] [Tue Jul  7 15:17:14 2015] [debug]: Calling UserExists with $username (yans) and $service (My_LDAP) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:465)
                [4835] [Tue Jul  7 15:17:14 2015] [debug]: UserExists params: username: yans , service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)
                [4835] [Tue Jul  7 15:17:14 2015] [debug]: LDAP Search ===  Base: ou=Staff,dc=hpm,dc=net == Filter: (&(objectClass=inetOrgPerson)(sAMAccountName=yans)) == Attrs: cn,co,telephoneNumber,l,postalCode,streetAddress,st,sAMAccountName,mail (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
                [4835] [Tue Jul  7 15:17:14 2015] [debug]: User Check Failed :: ( My_LDAP ) yans User not found (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:483)
                [4835] [Tue Jul  7 15:17:14 2015] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
                [4835] [Tue Jul  7 15:17:14 2015] [error]: FAILED LOGIN for yans from 10.10.30.51 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:810)

                And here's the setup in RTSiteConfig.pm:

                Plugin('RT::Authen::ExternalAuth');
                Set($ExternalAuthPriority, [ 'My_LDAP' ]);
                Set($ExternalInfoPriority, [ 'My_LDAP' ]);
                Set($ExternalSettings, {
                    'My_LDAP'  =>  {
                        'type'    =>  'ldap',
                        'server'  =>  'file_print.hpm.net',
                        # By not passing 'user' and 'pass' we are using an anonymous
                        # bind, which some servers do not allow
                        'base'    =>  'dc=hpm,dc=net',
                        'filter'  =>  '(objectClass=inetOrgPerson)',
                        # Users are allowed to log in via email address or account
                        # name
                        'attr_match_list' => [
                            'Name',
                            # 'EmailAddress',
                        ],
                        # Import the following properties of the user from LDAP upon
                        # login
                        'attr_map' => {
                            'Name'         => 'sAMAccountName',
                            'EmailAddress' => 'mail',
                            'RealName'     => 'cn',
                            'WorkPhone'    => 'telephoneNumber',
                            'Address1'     => 'streetAddress',
                            'City'         => 'l',
                            'State'        => 'st',
                            'Zip'          => 'postalCode',
                            'Country'      => 'co',
                        },
                    },
                } );
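
As an added example (Python; not RT's or the extension's code), here is the filter-building step behind the `sAMAccountName=hpm\5cyans` log line in this thread: the `\5c` is RFC 4515 assertion-value escaping, which is correct behaviour and is what keeps a login string from rewriting the search filter, so the domain prefix has to be stripped before the search rather than escaped into it. The config values are copied from the RTSiteConfig.pm above; the function names and the allowed-domain set are assumptions.

```python
# Added example, not RT's or RT::Authen::ExternalAuth's code.  Shows how a
# login name turns into the LDAP filter the extension logs, why "hpm\yans"
# is logged as "hpm\5cyans", and how to reduce DOMAIN\user / user@domain
# to the bare sAMAccountName before searching.
import re

# Values copied from the RTSiteConfig.pm in the thread (constructed subset).
OBJECT_FILTER = "(objectClass=inetOrgPerson)"                    # 'filter'
ATTR_MATCH_LIST = ["Name"]                                        # 'attr_match_list'
ATTR_MAP = {"Name": "sAMAccountName", "EmailAddress": "mail"}    # part of 'attr_map'
ALLOWED_DOMAINS = {"hpm", "hpm.net"}   # assumption: the NetBIOS and DNS names of the AD domain

_SPECIAL = set(b"*()\\\x00")            # characters RFC 4515 requires to be escaped

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: '\\' -> \\5c, '*' -> \\2a, '(' -> \\28, ')' -> \\29, NUL -> \\00.
    Non-printable and non-ASCII bytes are escaped the same way.  This is what stops
    a typed login like '*)(...' from altering the structure of the filter."""
    out = []
    for b in value.encode("utf-8"):
        out.append(f"\\{b:02x}" if b in _SPECIAL or b < 0x20 or b > 0x7e else chr(b))
    return "".join(out)

_LOGIN_RE = re.compile(r"^(?:(?P<pre>[^\\@/]+)\\)?(?P<user>[^\\@/]+)(?:@(?P<post>[^\\@/]+))?$")

def normalise_login(login: str) -> str:
    """Reduce 'HPM\\yans', 'yans@hpm.net' or 'yans' to the bare sAMAccountName.
    A login carrying some other domain is rejected, not silently accepted."""
    m = _LOGIN_RE.match(login)
    if not m or (m.group("pre") and m.group("post")):
        raise ValueError(f"unparseable login: {login!r}")
    domain = m.group("pre") or m.group("post")
    if domain and domain.lower() not in ALLOWED_DOMAINS:
        raise ValueError(f"unexpected domain in login: {login!r}")
    return m.group("user")

def build_user_filter(login: str) -> str:
    """Filter in the shape the extension logs: (&<filter>(<attr>=<escaped login>)...)."""
    clauses = "".join(f"({ATTR_MAP[a]}={escape_filter_value(login)})" for a in ATTR_MATCH_LIST)
    return f"(&{OBJECT_FILTER}{clauses})"

if __name__ == "__main__":
    for raw in ("hpm\\yans", "yans@hpm.net", "*)(sAMAccountName=*"):
        print(f"{raw!r:28} -> {build_user_filter(raw)}")
    print("normalised first        ->", build_user_filter(normalise_login("HPM\\yans")))
```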
