Re: [rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
Wow. 3 days of on/off debugging and getting frustrated, for a spelling mistake... hahahaha, Much appreciated Kevin. I can now login using an AD Account and it creates it properly in RT. Thanks! Mike. On Mon, Jul 26, 2010 at 5:03 PM, Kevin Falcone wrote: > On Mon, Jul 26, 2010 at 04:25:21PM -0400, Mike Johnson wrote: > >[Mon Jul 26 19:52:58 2010] [warning]: DBD::mysql::st execute failed: > Unknown column > >'Priviledged' in 'field list' at > /usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm > > The column is Privileged, not Priviledged. I'm going to assume you've > misconfigured something, possibly the AutoCreate setting. > > >Again, I am no perl wiz, and I'm just making guesses as to whats wrong > based on these logs... > >RTFM might work with 3.8.8, I just can't get mine to work. > > RTFM has a bug with 3.8.8, I just failed to see what it had to do with > your RT-Authen-ExternalAuth problems. You can pull a patch from the > rtfm repo or wait for 2.4.3rc1 to be released. There should be links > if you search the list archives. > > -kevin > > > Discover RT's hidden secrets with RT Essentials from O'Reilly Media. > Buy a copy at http://rtbook.bestpractical.com > -- Mike Johnson Datatel Programmer/Analyst Northern Ontario School of Medicine 955 Oliver Road Thunder Bay, ON P7B 5E1 Phone: (807) 766-7331 Email: mike.john...@nosm.ca Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
On Mon, Jul 26, 2010 at 04:25:21PM -0400, Mike Johnson wrote: >[Mon Jul 26 19:52:58 2010] [warning]: DBD::mysql::st execute failed: > Unknown column >'Priviledged' in 'field list' at > /usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm The column is Privileged, not Priviledged. I'm going to assume you've misconfigured something, possibly the AutoCreate setting. >Again, I am no perl wiz, and I'm just making guesses as to whats wrong > based on these logs... >RTFM might work with 3.8.8, I just can't get mine to work. RTFM has a bug with 3.8.8, I just failed to see what it had to do with your RT-Authen-ExternalAuth problems. You can pull a patch from the rtfm repo or wait for 2.4.3rc1 to be released. There should be links if you search the list archives. -kevin pgpuxNg9HWJsM.pgp Description: PGP signature Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
Hi Kevin, I'm not a Perl wiz at all, and I'm just grasping at straws trying to troubleshoot why it isn't working. Here is the core of the log before the lines I posted... [Mon Jul 26 19:52:54 2010] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14) [Mon Jul 26 19:52:54 2010] [debug]: Attempting to use external auth service: NOSMLDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64) [Mon Jul 26 19:52:54 2010] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92) [Mon Jul 26 19:52:54 2010] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26) [Mon Jul 26 19:52:58 2010] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14) [Mon Jul 26 19:52:58 2010] [debug]: Attempting to use external auth service: NOSMLDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64) [Mon Jul 26 19:52:58 2010] [debug]: Calling UserExists with $username (testuser) and $service (NOSMLDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105) [Mon Jul 26 19:52:58 2010] [debug]: UserExists params: username: testuser , service: NOSMLDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274) [Mon Jul 26 19:52:58 2010] [debug]: LDAP Search === Base: dc=nosm,dc=local == Filter: (&(&(objectCategory=User)(ObjectClass=Person))(sAMAccountName=testuser)) == Attrs: cn,mail,sAMAccountName,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304) [Mon Jul 26 19:52:58 2010] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User /opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 20 with: Disabled: 0, EmailAddress: , Gecos: testuser, Name: testuser, Priviledged: 1, Privileged: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450) [Mon Jul 26 19:52:58 2010] [debug]: Attempting to get user info using this external service: NOSMLDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458) [Mon Jul 26 19:52:58 2010] [debug]: Attempting to use this canonicalization key: Name (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472) [Mon Jul 26 19:52:58 2010] [debug]: LDAP Search === Base: dc=nosm,dc=local == Filter: (&(&(objectCategory=User)(ObjectClass=Person))(sAMAccountName=testuser)) == Attrs: cn,mail,sAMAccountName,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195) [Mon Jul 26 19:52:58 2010] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: 0, EmailAddress: test.u...@normed.ca, ExternalAuthId: testuser, Gecos: testuser, Name: testuser, Priviledged: 1, Privileged: 0, RealName: Test User (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536) [Mon Jul 26 19:52:58 2010] [warning]: DBD::mysql::st execute failed: Unknown column 'Priviledged' in 'field list' at /usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm line 509, line 273. (/usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm:509) [Mon Jul 26 19:52:58 2010] [warning]: RT::Handle=HASH(0x2b88760b6e00) couldn't execute the query 'INSERT INTO Users (Priviledged, RealName, EmailAddress, Creator, Gecos, LastUpdatedBy, Password, Created, id, Name, LastUpdated, ExternalAuthId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)' at /usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm line 522 DBIx::SearchBuilder::Handle::SimpleQuery('RT::Handle=HASH(0x2b88760b6e00)', 'INSERT INTO Users (Priviledged, RealName, EmailAddress, Creat...', 1, 'Test User', 'test.u...@normed.ca', 1, 'testuser', 1, '*NO-PASSWORD*', ...) called at /usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm line 357 DBIx::SearchBuilder::Handle::Insert('RT::Handle=HASH(0x2b88760b6e00)', 'Users', 'Priviledged', 1, 'RealName', 'Test User', 'EmailAddress', 'test.u...@normed.ca', 'Creator', ...) called at /usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle/mysql.pm line 36 DBIx::SearchBuilder::Handle::mysql::Insert('RT::Handle=HASH(0x2b88760b6e00)', 'Users', 'Priviledged', 1, 'RealName', 'Test User', 'EmailAddress', 'test.u...@normed.ca', 'Creator', ...) called at /usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Record.pm line 1293 DBIx::SearchBuilder::Record::Create('RT::User=HASH(0x2b8876d75580)', 'Priviledged', 1, 'RealName', 'Test User', 'Creator', 1, 'EmailAddress', 'test.u...@normed.ca', ...) called at /opt/rt3/bin/../lib/RT/Record.pm line 289 RT::Record::Create('RT::User=HASH(0x2b8876d75580)', 'id',
Re: [rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
On Mon, Jul 26, 2010 at 04:09:01PM -0400, Mike Johnson wrote: >Something is preventing the user from being created... based on the INSERT > language I see, it >looks like RTFM doesn't work with 3.8.8??? I dunno, it's trying to use a > field called >Priviledged in the User table... which doesn't exist? Please provide the actual failing code you're seeing. Privileged is a user attribute stored in a different table. Why do you believe that RTFM is causing conflicts with this? -kevin pgpZvadjQgi7K.pgp Description: PGP signature Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
Ok, so I turned on rt.logging and surprise!!! apparently it is touching our LDAP, even though AD doesn't log it by default(stupid AD). Now I'm seeing a few things in the debug level logging First thing that really stands out is ... [error]: Couldn't create user mjohnson: Could not create user (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129) [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26) Something is preventing the user from being created... based on the INSERT language I see, it looks like RTFM doesn't work with 3.8.8??? I dunno, it's trying to use a field called Priviledged in the User table... which doesn't exist? I'm not sure if I"m on the right track, but it would be nice if anyone has experienced this or has any thoughts to let me know! Mike. On Mon, Jul 26, 2010 at 2:19 PM, Mike Johnson wrote: > So, > > After a few days of searching and testing, I've come to the conclusion that > RT simply isn't sending anything to our LDAP server to authenticate... > > RT is still using RT's regular authentication method. > > Can anyone tell me what's wrong with my setup? RT doesn't complain when I > boot it up, yet ExternalAuth will not even attempt to authenticate to my > LDAP when I try to login. > > I've used SoftTerra's LDAP browser to ensure the "service rt"(account name > is svc_rt) can bind to the LDAP and I even gave it update rights during > troubleshooting... this is also how I figured out that RT isn't binding, > only the LDAP browser connections are showing up in the Event log. > > I've also verified that my RT box can hit the ldap port(by "telnet to > myad.mydomain.local 389") > > I'm lost on where to go next > > Here are all the LDAP/ExternalAuth related settings in my config... > # LDAP SETTINGS > Set($ExternalAuthPriority,['NOSMLDAP']); > Set($ExternalInfoPriority,['NOSMLDAP']); > Set($ExternalServiceUSersSSLorTLS,0); > Set($AutoCreateNonExternalUsers,1); > Set($WebExternalAuto,1); > Set($AutoCreate,{Priviledged =>1}); > Set($ExternalSettings, { > 'NOSMLDAP' => { > > 'type' => 'ldap', > > 'server'=> '', > > 'user' => 'cn=service rt,ou=Users,ou=Northern Ontario > School of Medicine,dc=nosm,dc=local', > > 'pass'=> '', > > 'base' => 'dc=nosm,dc=local', > > 'filter'=> '(&(objectCategory=User) > (ObjectClass=Person))', > > > 'd_filter' => > '(userAccountControl:1.2.840.113556.1.4.803:=2)', > > 'tls' => 0, > > 'ssl_version' => 3, > > > 'net_ldap_args' => [version => 3 ], > > 'group' => 'cn=Staff,ou=Groups,ou=Northern Ontario > School of Medicine,dc=nosm,dc=local', > > 'group_attr'=> 'member', > > > 'attr_match_list' => ['Name', > > 'EmailAddress' > > ], > > 'attr_map' => { 'Name' => 'sAMAccountName', > > 'EmailAddress' => 'mail', > > 'RealName' => 'cn', > > 'ExternalAuthId' => 'sAMAccountName' > > } > } > } > ); > Set(@Plugins,qw(RT::Authen::ExternalAuth)); > > > As I indicated before > > CentOS 5.5 > RT3.8.8 > ExternalAuth 0.8 > LDAP = Windows 2003 AD > Help would be much appreciated. > > Thanks! > Mike. > > > On Fri, Jul 23, 2010 at 10:03 AM, Mike Johnson wrote: > >> I found another guide that outlines how to setup ExternalAuth for AD on >> the wiki >> >> http://wiki.bestpractical.com/view/CentOS5InstallPlusSome >> >> Others following this thread might find it useful... >> >> I did learn that you're looking for the full cn/ou path for your user, not >> just a username...(I forgot that's how LDAP finds users) >> >> Haris you might want to check that in your config... didn't help me >> *shrug* but might help you. >> >> Thanks! >> Mike. >> >> >> >> >> On Fri, Jul 23, 2010 at 9:18 AM, Mike Johnson wrote: >> >>> Hi Haris, >>> >>> No go yet. >>> >>> Kenneth did send some info for me to check out, perhaps it may help >>> you... >>> >>> **Kenneth's email cut/pasted** >>> Mike, >>> First off, check to see how you've set $WebExternalAuto. I'm not sure how >>> that would affect LDAP if it was turned on. >>> Second, I'll assume you've set your "Plugins" appropriately to include >>> "RT::Authen::ExternalAuth". >>> Thirdly, you have to make sure certain LDAP parameters are consistent >>> (ie. if you're using TLS, etc.). >>> Below is what we use for our list of parameters: >>> >>> Set($ExternalAuthPriority, [ 'My_LDAP' ] ); >>> Set($ExternalInfoPriority, [ 'My_LDAP' ] ); >>> Set($ExternalServiceUsesSSLorTLS, 1); >>> Set($AutoCreateNonExternalUsers, 0); >>> >>> Set( >>> $ExternalSettings, >>> { >>> 'My_LDAP' => >>>{ >
Re: [rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
So, After a few days of searching and testing, I've come to the conclusion that RT simply isn't sending anything to our LDAP server to authenticate... RT is still using RT's regular authentication method. Can anyone tell me what's wrong with my setup? RT doesn't complain when I boot it up, yet ExternalAuth will not even attempt to authenticate to my LDAP when I try to login. I've used SoftTerra's LDAP browser to ensure the "service rt"(account name is svc_rt) can bind to the LDAP and I even gave it update rights during troubleshooting... this is also how I figured out that RT isn't binding, only the LDAP browser connections are showing up in the Event log. I've also verified that my RT box can hit the ldap port(by "telnet to myad.mydomain.local 389") I'm lost on where to go next Here are all the LDAP/ExternalAuth related settings in my config... # LDAP SETTINGS Set($ExternalAuthPriority,['NOSMLDAP']); Set($ExternalInfoPriority,['NOSMLDAP']); Set($ExternalServiceUSersSSLorTLS,0); Set($AutoCreateNonExternalUsers,1); Set($WebExternalAuto,1); Set($AutoCreate,{Priviledged =>1}); Set($ExternalSettings, { 'NOSMLDAP' => { 'type' => 'ldap', 'server'=> '', 'user' => 'cn=service rt,ou=Users,ou=Northern Ontario School of Medicine,dc=nosm,dc=local', 'pass'=> '', 'base' => 'dc=nosm,dc=local', 'filter'=> '(&(objectCategory=User) (ObjectClass=Person))', 'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)', 'tls' => 0, 'ssl_version' => 3, 'net_ldap_args' => [version => 3 ], 'group' => 'cn=Staff,ou=Groups,ou=Northern Ontario School of Medicine,dc=nosm,dc=local', 'group_attr'=> 'member', 'attr_match_list' => ['Name', 'EmailAddress' ], 'attr_map' => { 'Name' => 'sAMAccountName', 'EmailAddress' => 'mail', 'RealName' => 'cn', 'ExternalAuthId' => 'sAMAccountName' } } } ); Set(@Plugins,qw(RT::Authen::ExternalAuth)); As I indicated before CentOS 5.5 RT3.8.8 ExternalAuth 0.8 LDAP = Windows 2003 AD Help would be much appreciated. Thanks! Mike. On Fri, Jul 23, 2010 at 10:03 AM, Mike Johnson wrote: > I found another guide that outlines how to setup ExternalAuth for AD on the > wiki > > http://wiki.bestpractical.com/view/CentOS5InstallPlusSome > > Others following this thread might find it useful... > > I did learn that you're looking for the full cn/ou path for your user, not > just a username...(I forgot that's how LDAP finds users) > > Haris you might want to check that in your config... didn't help me *shrug* > but might help you. > > Thanks! > Mike. > > > > > On Fri, Jul 23, 2010 at 9:18 AM, Mike Johnson wrote: > >> Hi Haris, >> >> No go yet. >> >> Kenneth did send some info for me to check out, perhaps it may help you... >> >> **Kenneth's email cut/pasted** >> Mike, >> First off, check to see how you've set $WebExternalAuto. I'm not sure how >> that would affect LDAP if it was turned on. >> Second, I'll assume you've set your "Plugins" appropriately to include >> "RT::Authen::ExternalAuth". >> Thirdly, you have to make sure certain LDAP parameters are consistent (ie. >> if you're using TLS, etc.). >> Below is what we use for our list of parameters: >> >> Set($ExternalAuthPriority, [ 'My_LDAP' ] ); >> Set($ExternalInfoPriority, [ 'My_LDAP' ] ); >> Set($ExternalServiceUsesSSLorTLS, 1); >> Set($AutoCreateNonExternalUsers, 0); >> >> Set( >> $ExternalSettings, >> { >> 'My_LDAP' => >>{ >> ‘type’=> 'ldap', >> ‘server’ => 'ldap.lbl.gov’, >> ‘user’=> ‘’, >> ‘pass’=> ‘’, >> ‘base’=> 'ou=People,o=name of our company,c=US’, >> ‘filter’ => '(&(status that equals active)(|(dicision >> code)))’, >> ‘d_filter’ => '(!(|(lblEmpStat=Staff)(lblEmpStat=Guest)))', >> ‘tls’=> 1, >> ‘net_ldap_args’=> [ version => 3], >> ‘attr_match_list’ => ['Name', >> 'EmailAddress', >> 'RealName', >> 'uid' >> ], >> ‘attr_map’=> {'Name' => 'uid', >> 'EmailAddress'=> >> 'mail', >> 'Organization' => >> ‘o’, >> 'RealName' => >> 'cn', >> 'ExternalAuthId' =
Re: [rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
I found another guide that outlines how to setup ExternalAuth for AD on the wiki http://wiki.bestpractical.com/view/CentOS5InstallPlusSome Others following this thread might find it useful... I did learn that you're looking for the full cn/ou path for your user, not just a username...(I forgot that's how LDAP finds users) Haris you might want to check that in your config... didn't help me *shrug* but might help you. Thanks! Mike. On Fri, Jul 23, 2010 at 9:18 AM, Mike Johnson wrote: > Hi Haris, > > No go yet. > > Kenneth did send some info for me to check out, perhaps it may help you... > > **Kenneth's email cut/pasted** > Mike, > First off, check to see how you've set $WebExternalAuto. I'm not sure how > that would affect LDAP if it was turned on. > Second, I'll assume you've set your "Plugins" appropriately to include > "RT::Authen::ExternalAuth". > Thirdly, you have to make sure certain LDAP parameters are consistent (ie. > if you're using TLS, etc.). > Below is what we use for our list of parameters: > > Set($ExternalAuthPriority, [ 'My_LDAP' ] ); > Set($ExternalInfoPriority, [ 'My_LDAP' ] ); > Set($ExternalServiceUsesSSLorTLS, 1); > Set($AutoCreateNonExternalUsers, 0); > > Set( > $ExternalSettings, > { > 'My_LDAP' => >{ > ‘type’=> 'ldap', > ‘server’ => 'ldap.lbl.gov’, > ‘user’=> ‘’, > ‘pass’=> ‘’, > ‘base’=> 'ou=People,o=name of our company,c=US’, > ‘filter’ => '(&(status that equals active)(|(dicision > code)))’, > ‘d_filter’ => '(!(|(lblEmpStat=Staff)(lblEmpStat=Guest)))', > ‘tls’=> 1, > ‘net_ldap_args’=> [ version => 3], > ‘attr_match_list’ => ['Name', > 'EmailAddress', > 'RealName', > 'uid' > ], > ‘attr_map’=> {'Name' => 'uid', > 'EmailAddress'=> > 'mail', > 'Organization' => > ‘o’, > 'RealName' => > 'cn', > 'ExternalAuthId' => > 'uid', > 'Gecos' > => 'uid', > 'WorkPhone' => > 'telephonenumber', > 'Address1' => > 'lblmailstop', > 'Address2' => > 'postaladdress’ > } >} > } >); > 1; > > I don't think the attr_map would affect this, but your match list could. > Anyway, check it all out cause if there are any inconsistencies (like TLS > being used and on), it will fail. > Hope this helps. > Kenn > LBNL > > *** end cut/paste** > > On Thu, Jul 22, 2010 at 7:23 PM, M.F.Haris wrote: > >> hi Mike, >> I am also facing the same problem and i have checked my configuration over >> and over, also compared with some available on internet. >> in my case i didn't enter any attribute with blank value like 'group' >> attribute in your case. but rest of the things are similar to what i have >> entered. >> >> I get a message 'Failed to Login with user (myuser) ... ' >> >> do you get the same error message? please share your experience if you are >> able to solve this crap. >> >> thanks >> Haris >> >> >> On Thu, Jul 22, 2010 at 3:59 PM, Mike Johnson wrote: >> >>> Hi everyone, >>> >>> Where do I start debugging my setup?? >>> >>> I have CentOS5.5, RT3.8.8, ExternalAuth 0.8 attempting to connect to an >>> Active Drectory LDAP. >>> >>> Everything loads fine(I get no errors from my config files). I've loaded >>> the ExternalAuth plugin, but when I attempt to login to the UI with an LDAP >>> user, I get an invalid user/pass. The only error/logging I can find >>> anywhere is in syslog and that just tells me the same thing... >>> >>> I'm connecting to an Active Directory server, and with some >>> googling/rt-users searching I found the following settings to use. >>> >>> 'filter'=> '(objectCategory=User)', >>> 'd_filter' => >>> '(userAccountControl:1.2.840.113556.1.4.803:=2)', >>> >>> >>> I've left group and group_attr blank(is that allowed?) as I want all >>> users found under my base DN to be able to use RT. >>> >>> In the attr_match_list I have name and email address only >>> In attr_map I have the sAMAccountName mail and cn mapped to their >>> respective places in RT. >>> >>> I've tested the user/pass I'm using(our LDAP is setup to not allow >>> anonymous unfortunately, so I have to use an account to b
Re: [rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
Hi Haris, No go yet. Kenneth did send some info for me to check out, perhaps it may help you... **Kenneth's email cut/pasted** Mike, First off, check to see how you've set $WebExternalAuto. I'm not sure how that would affect LDAP if it was turned on. Second, I'll assume you've set your "Plugins" appropriately to include "RT::Authen::ExternalAuth". Thirdly, you have to make sure certain LDAP parameters are consistent (ie. if you're using TLS, etc.). Below is what we use for our list of parameters: Set($ExternalAuthPriority, [ 'My_LDAP' ] ); Set($ExternalInfoPriority, [ 'My_LDAP' ] ); Set($ExternalServiceUsesSSLorTLS, 1); Set($AutoCreateNonExternalUsers, 0); Set( $ExternalSettings, { 'My_LDAP' => { ‘type’=> 'ldap', ‘server’ => 'ldap.lbl.gov’, ‘user’=> ‘’, ‘pass’=> ‘’, ‘base’=> 'ou=People,o=name of our company,c=US’, ‘filter’ => '(&(status that equals active)(|(dicision code)))’, ‘d_filter’ => '(!(|(lblEmpStat=Staff)(lblEmpStat=Guest)))', ‘tls’=> 1, ‘net_ldap_args’=> [ version => 3], ‘attr_match_list’ => ['Name', 'EmailAddress', 'RealName', 'uid' ], ‘attr_map’=> {'Name' => 'uid', 'EmailAddress'=> 'mail', 'Organization' => ‘o’, 'RealName' => 'cn', 'ExternalAuthId' => 'uid', 'Gecos' => 'uid', 'WorkPhone' => 'telephonenumber', 'Address1' => 'lblmailstop', 'Address2' => 'postaladdress’ } } } ); 1; I don't think the attr_map would affect this, but your match list could. Anyway, check it all out cause if there are any inconsistencies (like TLS being used and on), it will fail. Hope this helps. Kenn LBNL *** end cut/paste** On Thu, Jul 22, 2010 at 7:23 PM, M.F.Haris wrote: > hi Mike, > I am also facing the same problem and i have checked my configuration over > and over, also compared with some available on internet. > in my case i didn't enter any attribute with blank value like 'group' > attribute in your case. but rest of the things are similar to what i have > entered. > > I get a message 'Failed to Login with user (myuser) ... ' > > do you get the same error message? please share your experience if you are > able to solve this crap. > > thanks > Haris > > > On Thu, Jul 22, 2010 at 3:59 PM, Mike Johnson wrote: > >> Hi everyone, >> >> Where do I start debugging my setup?? >> >> I have CentOS5.5, RT3.8.8, ExternalAuth 0.8 attempting to connect to an >> Active Drectory LDAP. >> >> Everything loads fine(I get no errors from my config files). I've loaded >> the ExternalAuth plugin, but when I attempt to login to the UI with an LDAP >> user, I get an invalid user/pass. The only error/logging I can find >> anywhere is in syslog and that just tells me the same thing... >> >> I'm connecting to an Active Directory server, and with some >> googling/rt-users searching I found the following settings to use. >> >> 'filter'=> '(objectCategory=User)', >> 'd_filter' => >> '(userAccountControl:1.2.840.113556.1.4.803:=2)', >> >> >> I've left group and group_attr blank(is that allowed?) as I want all users >> found under my base DN to be able to use RT. >> >> In the attr_match_list I have name and email address only >> In attr_map I have the sAMAccountName mail and cn mapped to their >> respective places in RT. >> >> I've tested the user/pass I'm using(our LDAP is setup to not allow >> anonymous unfortunately, so I have to use an account to bind. >> >> I can't seem to find where ExternalAuth would toss an error out for me to >> read if it's failling because of the arguments I've set... >> >> Any help would be appreciated. >> -- >> Mike Johnson >> Datatel Programmer/Analyst >> Northern Ontario School of Medicine >> 955 Oliver Road >> Thunder Bay, ON P7B 5E1 >> Phone: (807) 766-7331 >> Email: mike.john...@nosm.ca >> >> >> Discover RT's hidden secrets with RT Essentials from O'Reilly Media. >> Buy a copy at http://rtbook.bestpractical.com >> > > -- Mike Johnson Datatel Programmer/Analyst Northern Ontario School of Medicine 955 Oliver Road Thunder Bay, ON P7B 5E1 Phone: (807) 766-7331 Email: mike.john...@nosm.ca Discov
Re: [rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
Mike, First off, check to see how you've set $WebExternalAuto. I'm not sure how that would affect LDAP if it was turned on. Second, I'll assume you've set your "Plugins" appropriately to include "RT::Authen::ExternalAuth". Thirdly, you have to make sure certain LDAP parameters are consistent (ie. if you're using TLS, etc.). Below is what we use for our list of parameters: *Set($ExternalAuthPriority, [ 'My_LDAP' ] );* *Set($ExternalInfoPriority, [ 'My_LDAP' ] );* *Set($ExternalServiceUsesSSLorTLS, 1);* *Set($AutoCreateNonExternalUsers, 0);* *Set(* *$ExternalSettings,* * {* *'My_LDAP' =>* * {* *‘type’=> 'ldap',* *‘server’ => 'ldap.lbl.gov’,* *‘user’=> ‘’,* *‘pass’=> ‘’,* *‘base’=> 'ou=People,o=name of our company,c=US’,* *‘filter’ => '(&(status that equals active)(|(dicision code)))’,* *‘d_filter’ => '(!(|(lblEmpStat=Staff)(lblEmpStat=Guest)))',* *‘tls’=> 1,* *‘net_ldap_args’=> [ version => 3],* *‘attr_match_list’ => ['Name',* * 'EmailAddress',* * 'RealName',* * 'uid'* *],* *‘attr_map’=> {'Name' => 'uid',* * 'EmailAddress'=> 'mail',* * 'Organization' => ‘o’,* * 'RealName' => 'cn',* * 'ExternalAuthId' => 'uid',* * 'Gecos' => 'uid',* * 'WorkPhone' => 'telephonenumber',* * 'Address1' => 'lblmailstop',* * 'Address2' => 'postaladdress’* * }* * }* * }* * );* *1;* ** I don't think the attr_map would affect this, but your match list could. Anyway, check it all out cause if there are any inconsistencies (like TLS being *used* and *on*), it will fail. Hope this helps. Kenn LBNL On Thu, Jul 22, 2010 at 6:59 AM, Mike Johnson wrote: > Hi everyone, > > Where do I start debugging my setup?? > > I have CentOS5.5, RT3.8.8, ExternalAuth 0.8 attempting to connect to an > Active Drectory LDAP. > > Everything loads fine(I get no errors from my config files). I've loaded > the ExternalAuth plugin, but when I attempt to login to the UI with an LDAP > user, I get an invalid user/pass. The only error/logging I can find > anywhere is in syslog and that just tells me the same thing... > > I'm connecting to an Active Directory server, and with some > googling/rt-users searching I found the following settings to use. > > 'filter'=> '(objectCategory=User)', > 'd_filter' => > '(userAccountControl:1.2.840.113556.1.4.803:=2)', > > > I've left group and group_attr blank(is that allowed?) as I want all users > found under my base DN to be able to use RT. > > In the attr_match_list I have name and email address only > In attr_map I have the sAMAccountName mail and cn mapped to their > respective places in RT. > > I've tested the user/pass I'm using(our LDAP is setup to not allow > anonymous unfortunately, so I have to use an account to bind. > > I can't seem to find where ExternalAuth would toss an error out for me to > read if it's failling because of the arguments I've set... > > Any help would be appreciated. > -- > Mike Johnson > Datatel Programmer/Analyst > Northern Ontario School of Medicine > 955 Oliver Road > Thunder Bay, ON P7B 5E1 > Phone: (807) 766-7331 > Email: mike.john...@nosm.ca > > > Discover RT's hidden secrets with RT Essentials from O'Reilly Media. > Buy a copy at http://rtbook.bestpractical.com > Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
[rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
Hi everyone, Where do I start debugging my setup?? I have CentOS5.5, RT3.8.8, ExternalAuth 0.8 attempting to connect to an Active Drectory LDAP. Everything loads fine(I get no errors from my config files). I've loaded the ExternalAuth plugin, but when I attempt to login to the UI with an LDAP user, I get an invalid user/pass. The only error/logging I can find anywhere is in syslog and that just tells me the same thing... I'm connecting to an Active Directory server, and with some googling/rt-users searching I found the following settings to use. 'filter'=> '(objectCategory=User)', 'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)', I've left group and group_attr blank(is that allowed?) as I want all users found under my base DN to be able to use RT. In the attr_match_list I have name and email address only In attr_map I have the sAMAccountName mail and cn mapped to their respective places in RT. I've tested the user/pass I'm using(our LDAP is setup to not allow anonymous unfortunately, so I have to use an account to bind. I can't seem to find where ExternalAuth would toss an error out for me to read if it's failling because of the arguments I've set... Any help would be appreciated. -- Mike Johnson Datatel Programmer/Analyst Northern Ontario School of Medicine 955 Oliver Road Thunder Bay, ON P7B 5E1 Phone: (807) 766-7331 Email: mike.john...@nosm.ca Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com