On Thu, 2016-07-14 at 19:19 +0000, Landon Stewart wrote:
> Hello,
>
> I have a working mod_authnz_ldap configuration for apache 2.4 (on a virtualhost on the same server) but I cannot seem to convert the configuration to a valid RT::Authen::ExternalAuth::LDAP configuration. At one point I could see in var/log/rt.log that it was at least checking the nested groups for membership but the filter didn't look quite right. I have since changed that configuration and it seems to stall for a minute and then fail. It gets my real name from the AD service but then cannot match the sub/nested group filter I think?
>
> The apache configuration that works is:
>
> <Location /adirectoryname>
>     LogLevel debug
>     AuthName "Password protected. Enter your AD username and password."
>     AuthType Basic
>     AuthBasicProvider ldap
>     AuthLDAPURL "ldap://ldap.server.hostname/OU=iweb,DC=corp,DC=iweb,DC=com?sAMAccountName?sub?(objectClass=*)"
>     AuthLDAPGroupAttribute member
>     AuthLDAPGroupAttributeIsDN on
>     AuthLDAPBindDN "ldapbinduserstring"
>     AuthLDAPBindPassword ldapbindpass
>     Require ldap-filter memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS,OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com
> </Location>
>
> So far I've got this in RT_SiteConfig.pm for RT:
>
> ...snipped...
> Set($ExternalSettings, {
>     'My_LDAP' => {
>         'type'             => 'ldap',
>         'server'           => 'corp.iweb.com',
>         'user'             => 'ldapbinduserstring',
>         'pass'             => 'ldapbindpass',
>         'base'             => 'OU=iweb,DC=corp,DC=iweb,DC=com',
>         'filter'           => '(objectClass=*)',
>         'd_filter'         => 'UserAccountControl:1.2.840.113556.1.4.803:=2',
>         'group'            => 'RTIR_WEB_SC_ACCESS',
>         'group_scope'      => 'sub',
>         'group_attr'       => 'memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS',
>         'group_attr_value' => 'OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com',
>         'tls'              => 0,
>         'attr_match_list'  => [
>             'Name',
>             'EmailAddress',
>         ],
>         'attr_map' => {
>             'Name'           => 'sAMAccountName',
>             'EmailAddress'   => 'mail',
>             'Organization'   => 'physicalDeliveryOfficeName',
>             'RealName'       => 'cn',
>             'ExternalAuthId' => 'sAMAccountName',
>             'Gecos'          => 'sAMAccountName',
>         },
>     },
> } );
> ...snipped...
> Plugin('RT::IR', 'RT::Authen::ExternalAuth');
>
> The log entries with the above configuration are:
>
> [28280] [Thu Jul 14 19:12:14 2016] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:424)
> [28280] [Thu Jul 14 19:12:14 2016] [debug]: Calling UserExists with $username (lstewart) and $service (My_LDAP) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:465)
> [28280] [Thu Jul 14 19:12:14 2016] [debug]: UserExists params: username: lstewart , service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)
> [28280] [Thu Jul 14 19:12:14 2016] [debug]: LDAP Search === Base: OU=iweb,DC=corp,DC=iweb,DC=com == Filter: (&(objectClass=*)(sAMAccountName=lstewart)) == Attrs: sAMAccountName,physicalDeliveryOfficeName,mail,cn,sAMAccountName,sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
> [28280] [Thu Jul 14 19:12:14 2016] [debug]: Password validation required for service - Executing... (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:517)
> [28280] [Thu Jul 14 19:12:14 2016] [debug]: Trying external auth service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:153)
> [28280] [Thu Jul 14 19:14:14 2016] [debug]: LDAP Search === Base: OU=iweb,DC=corp,DC=iweb,DC=com == Filter: (&(sAMAccountName=lstewart)(objectClass=*)) == Attrs: dn,OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:186)
> [28280] [Thu Jul 14 19:14:14 2016] [debug]: Found LDAP DN: CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:220)
> [28280] [Thu Jul 14 19:14:15 2016] [debug]: Attribute 'OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com' has no value; falling back to 'CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com' (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:249)
> [28280] [Thu Jul 14 19:14:15 2016] [debug]: LDAP Search === Base: RTIR_WEB_SC_ACCESS == Scope: sub == Filter: (memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS=CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:256)
> [28280] [Thu Jul 14 19:14:15 2016] [critical]: Search for (memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS=CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com) failed: LDAP_INVALID_DN_SYNTAX 34 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
> [28280] [Thu Jul 14 19:14:15 2016] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:696)
> [28280] [Thu Jul 14 19:14:15 2016] [debug]: Password Validation Check Result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:521)
> [28280] [Thu Jul 14 19:14:15 2016] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
> [28280] [Thu Jul 14 19:14:15 2016] [error]: FAILED LOGIN for lstewart from xx.xx.xx.xx (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:810)
>
> --
> Landon Stewart
> Lead Analyst - Abuse and Security Management
> INTERNAP ®
> [email protected] • www.internap.com
>
> ---------
> RT 4.4 and RTIR Training Sessions https://bestpractical.com/training
> * Los Angeles - September, 2016
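A syntax check for the group keys of the quoted $ExternalSettings block, added here as an example; it is not part of the thread and not RT::Authen::ExternalAuth's own code. It rebuilds the group filter the way the rt.log lines show it being assembled (search base = `group`, filter = `(group_attr=<user DN>)`) and flags values that cannot produce a valid base or filter; the regexes are deliberately simplified approximations of RFC 4514/4515 syntax, and the "from apache" variant is constructed from the working mod_authnz_ldap block only to show values that pass the check, not a fix confirmed by the thread.

```python
import re

# Constructed, simplified syntax checks (not full RFC 4514/4515 parsers).
_ATTR = r"[A-Za-z][A-Za-z0-9-]*"
_ATTR_DESC_RE = re.compile(rf"^{_ATTR}$")                    # e.g. "member", "dn"
# Extensible-match prefix as written before "=" in a filter, e.g.
# "member:1.2.840.113556.1.4.1941:" (AD's nested-membership matching rule).
_EXTENSIBLE_RE = re.compile(rf"^{_ATTR}(:dn)?(:(?:{_ATTR}|\d+(?:\.\d+)*))?:$")
_DN_RE = re.compile(rf"^{_ATTR}=[^,=]+(,{_ATTR}=[^,=]+)*$")  # "CN=x,OU=y,DC=z"


def build_group_filter(group_attr: str, user_dn: str) -> str:
    """Rebuild the group filter exactly as the rt.log lines above show it:
    "(" + group_attr + "=" + user_dn + ")". Reconstructed from the log, not RT's code."""
    return f"({group_attr}={user_dn})"


def lint_group_settings(cfg: dict) -> list:
    """Return the problems found in the group-related keys of one
    $ExternalSettings service block (constructed check, not part of RT)."""
    problems = []
    if not _DN_RE.match(cfg.get("group", "")):
        problems.append("group: used as the search base in the log, so it must be a full DN")
    attr = cfg.get("group_attr", "")
    if not (_ATTR_DESC_RE.match(attr) or _EXTENSIBLE_RE.match(attr)):
        problems.append("group_attr: must be an attribute description "
                        "(optionally 'attr:OID:'), not a filter fragment containing '='")
    value_attr = cfg.get("group_attr_value", "dn")
    if not _ATTR_DESC_RE.match(value_attr):
        problems.append("group_attr_value: names the user attribute to compare "
                        "(the log tried to read it as an attribute), not a DN")
    return problems


# The group keys exactly as posted in the quoted RT_SiteConfig.pm.
AS_POSTED = {
    "group": "RTIR_WEB_SC_ACCESS",
    "group_attr": "memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS",
    "group_attr_value": "OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com",
}
# Constructed variant assembled from the working mod_authnz_ldap block
# (group DN from the Require line, AuthLDAPGroupAttribute member).
FROM_APACHE = {
    "group": "CN=RTIR_WEB_SC_ACCESS,OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com",
    "group_attr": "member",
    "group_attr_value": "dn",
}

if __name__ == "__main__":
    user_dn = "CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com"
    print(build_group_filter(AS_POSTED["group_attr"], user_dn))  # the filter from the log
    for name, cfg in (("as posted", AS_POSTED), ("from apache", FROM_APACHE)):
        print(name, lint_group_settings(cfg) or "ok")
```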
Your setup looks perfectly fine, but I may be missing something because I haven't used AD. I use OpenLDAP with the rt-ldapimport script for authentication and rt-ldapimport --no-users --import to sync users (with group member syncing enabled in the importer). Works well. Maybe give that a try?

--
Nilesh
