Re: [rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
Wow. 3 days of on/off debugging and getting frustrated, for a spelling mistake... hahahaha,

Much appreciated Kevin. I can now log in using an AD Account and it creates it properly in RT.

Thanks!
Mike.

On Mon, Jul 26, 2010 at 5:03 PM, Kevin Falcone falc...@bestpractical.com wrote:

> On Mon, Jul 26, 2010 at 04:25:21PM -0400, Mike Johnson wrote:
> > [Mon Jul 26 19:52:58 2010] [warning]: DBD::mysql::st execute failed: Unknown column 'Priviledged' in 'field list' at /usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm
>
> The column is Privileged, not Priviledged.
> I'm going to assume you've misconfigured something, possibly the AutoCreate setting.
>
> > Again, I am no perl wiz, and I'm just making guesses as to what's wrong based on these logs... RTFM might work with 3.8.8, I just can't get mine to work.
>
> RTFM has a bug with 3.8.8, I just failed to see what it had to do with your RT-Authen-ExternalAuth problems. You can pull a patch from the rtfm repo or wait for 2.4.3rc1 to be released. There should be links if you search the list archives.
>
> -kevin
>
> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
> Buy a copy at http://rtbook.bestpractical.com

-- 
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON P7B 5E1
Phone: (807) 766-7331
Email: mike.john...@nosm.ca
Re: [rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
Hi Kevin,

I'm not a Perl wiz at all, and I'm just grasping at straws trying to troubleshoot why it isn't working.

Here is the core of the log before the lines I posted...

[Mon Jul 26 19:52:54 2010] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Jul 26 19:52:54 2010] [debug]: Attempting to use external auth service: NOSMLDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Jul 26 19:52:54 2010] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Jul 26 19:52:54 2010] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Mon Jul 26 19:52:58 2010] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Jul 26 19:52:58 2010] [debug]: Attempting to use external auth service: NOSMLDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Jul 26 19:52:58 2010] [debug]: Calling UserExists with $username (testuser) and $service (NOSMLDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Jul 26 19:52:58 2010] [debug]: UserExists params: username: testuser , service: NOSMLDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Jul 26 19:52:58 2010] [debug]: LDAP Search === Base: dc=nosm,dc=local == Filter: (((objectCategory=User)(ObjectClass=Person))(sAMAccountName=testuser)) == Attrs: cn,mail,sAMAccountName,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Jul 26 19:52:58 2010] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User /opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 20 with: Disabled: 0, EmailAddress: , Gecos: testuser, Name: testuser, Priviledged: 1, Privileged: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)
[Mon Jul 26 19:52:58 2010] [debug]: Attempting to get user info using this external service: NOSMLDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
[Mon Jul 26 19:52:58 2010] [debug]: Attempting to use this canonicalization key: Name (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Mon Jul 26 19:52:58 2010] [debug]: LDAP Search === Base: dc=nosm,dc=local == Filter: (((objectCategory=User)(ObjectClass=Person))(sAMAccountName=testuser)) == Attrs: cn,mail,sAMAccountName,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Mon Jul 26 19:52:58 2010] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: 0, EmailAddress: test.u...@normed.ca, ExternalAuthId: testuser, Gecos: testuser, Name: testuser, Priviledged: 1, Privileged: 0, RealName: Test User (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
[Mon Jul 26 19:52:58 2010] [warning]: DBD::mysql::st execute failed: Unknown column 'Priviledged' in 'field list' at /usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm line 509, DATA line 273. (/usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm:509)
[Mon Jul 26 19:52:58 2010] [warning]: RT::Handle=HASH(0x2b88760b6e00) couldn't execute the query 'INSERT INTO Users (Priviledged, RealName, EmailAddress, Creator, Gecos, LastUpdatedBy, Password, Created, id, Name, LastUpdated, ExternalAuthId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)' at /usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm line 522
    DBIx::SearchBuilder::Handle::SimpleQuery('RT::Handle=HASH(0x2b88760b6e00)', 'INSERT INTO Users (Priviledged, RealName, EmailAddress, Creat...', 1, 'Test User', 'test.u...@normed.ca', 1, 'testuser', 1, '*NO-PASSWORD*', ...) called at /usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm line 357
    DBIx::SearchBuilder::Handle::Insert('RT::Handle=HASH(0x2b88760b6e00)', 'Users', 'Priviledged', 1, 'RealName', 'Test User', 'EmailAddress', 'test.u...@normed.ca', 'Creator', ...) called at /usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle/mysql.pm line 36
    DBIx::SearchBuilder::Handle::mysql::Insert('RT::Handle=HASH(0x2b88760b6e00)', 'Users', 'Priviledged', 1, 'RealName', 'Test User', 'EmailAddress', 'test.u...@normed.ca', 'Creator', ...) called at /usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Record.pm line 1293
    DBIx::SearchBuilder::Record::Create('RT::User=HASH(0x2b8876d75580)', 'Priviledged', 1, 'RealName', 'Test User', 'Creator', 1, 'EmailAddress', 'test.u...@normed.ca', ...) called at /opt/rt3/bin/../lib/RT/Record.pm line 289
    RT::Record::Create('RT::User=HASH(0x2b8876d75580)', 'id',
Re: [rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
Hi Haris,

No go yet. Kenneth did send some info for me to check out, perhaps it may help you...

**Kenneth's email cut/pasted**

Mike,

First off, check to see how you've set $WebExternalAuto. I'm not sure how that would affect LDAP if it was turned on.

Second, I'll assume you've set your Plugins appropriately to include RT::Authen::ExternalAuth.

Thirdly, you have to make sure certain LDAP parameters are consistent (i.e. if you're using TLS, etc.). Below is what we use for our list of parameters:

Set($ExternalAuthPriority, [ 'My_LDAP' ] );
Set($ExternalInfoPriority, [ 'My_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS, 1);
Set($AutoCreateNonExternalUsers, 0);
Set( $ExternalSettings,
    {
        'My_LDAP' =>
        {
            'type'            => 'ldap',
            'server'          => 'ldap.lbl.gov',
            'user'            => '',
            'pass'            => '',
            'base'            => 'ou=People,o=name of our company,c=US',
            'filter'          => '((status that equals active)(|(dicision code)))',
            'd_filter'        => '(!(|(lblEmpStat=Staff)(lblEmpStat=Guest)))',
            'tls'             => 1,
            'net_ldap_args'   => [ version => 3 ],
            'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName', 'uid' ],
            'attr_map'        => {
                'Name'           => 'uid',
                'EmailAddress'   => 'mail',
                'Organization'   => 'o',
                'RealName'       => 'cn',
                'ExternalAuthId' => 'uid',
                'Gecos'          => 'uid',
                'WorkPhone'      => 'telephonenumber',
                'Address1'       => 'lblmailstop',
                'Address2'       => 'postaladdress'
            }
        }
    }
);
1;

I don't think the attr_map would affect this, but your match list could. Anyway, check it all out cause if there are any inconsistencies (like TLS being used and on), it will fail.

Hope this helps.

Kenn
LBNL

*** end cut/paste**

On Thu, Jul 22, 2010 at 7:23 PM, M.F.Haris mfha...@gmail.com wrote:

> Hi Mike,
>
> I am also facing the same problem and I have checked my configuration over and over, also compared with some available on internet. In my case I didn't enter any attribute with blank value like 'group' attribute in your case, but the rest of the things are similar to what I have entered.
>
> I get a message 'Failed to Login with user (myuser) ... '. Do you get the same error message?
>
> Please share your experience if you are able to solve this crap.
>
> thanks
> Haris
>
> On Thu, Jul 22, 2010 at 3:59 PM, Mike Johnson mike.john...@nosm.ca wrote:
>
> > Hi everyone,
> >
> > Where do I start debugging my setup??
> >
> > I have CentOS5.5, RT3.8.8, ExternalAuth 0.8 attempting to connect to an Active Directory LDAP.
> >
> > Everything loads fine (I get no errors from my config files). I've loaded the ExternalAuth plugin, but when I attempt to log in to the UI with an LDAP user, I get an invalid user/pass.
> >
> > The only error/logging I can find anywhere is in syslog and that just tells me the same thing...
> >
> > I'm connecting to an Active Directory server, and with some googling/rt-users searching I found the following settings to use.
> >
> > 'filter' => '(objectCategory=User)',
> > 'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
> >
> > I've left group and group_attr blank (is that allowed?) as I want all users found under my base DN to be able to use RT.
> >
> > In the attr_match_list I have name and email address only.
> > In attr_map I have the sAMAccountName, mail and cn mapped to their respective places in RT.
> >
> > I've tested the user/pass I'm using (our LDAP is set up to not allow anonymous unfortunately, so I have to use an account to bind).
> >
> > I can't seem to find where ExternalAuth would toss an error out for me to read if it's failing because of the arguments I've set...
> >
> > Any help would be appreciated.
> >
> > --
> > Mike Johnson
> > Datatel Programmer/Analyst
> > Northern Ontario School of Medicine
> > 955 Oliver Road
> > Thunder Bay, ON P7B 5E1
> > Phone: (807) 766-7331
> > Email: mike.john...@nosm.ca

-- 
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON P7B 5E1
Phone: (807) 766-7331
Email: mike.john...@nosm.ca
Re: [rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
I found another guide that outlines how to set up ExternalAuth for AD on the wiki

http://wiki.bestpractical.com/view/CentOS5InstallPlusSome

Others following this thread might find it useful...

I did learn that you're looking for the full cn/ou path for your user, not just a username... (I forgot that's how LDAP finds users)

Haris you might want to check that in your config... didn't help me *shrug* but might help you.

Thanks!
Mike.

On Fri, Jul 23, 2010 at 9:18 AM, Mike Johnson mike.john...@nosm.ca wrote:

> Hi Haris,
>
> No go yet. Kenneth did send some info for me to check out, perhaps it may help you...
>
> **Kenneth's email cut/pasted**
>
> Mike,
>
> First off, check to see how you've set $WebExternalAuto. I'm not sure how that would affect LDAP if it was turned on.
>
> Second, I'll assume you've set your Plugins appropriately to include RT::Authen::ExternalAuth.
>
> Thirdly, you have to make sure certain LDAP parameters are consistent (i.e. if you're using TLS, etc.). Below is what we use for our list of parameters:
>
> Set($ExternalAuthPriority, [ 'My_LDAP' ] );
> Set($ExternalInfoPriority, [ 'My_LDAP' ] );
> Set($ExternalServiceUsesSSLorTLS, 1);
> Set($AutoCreateNonExternalUsers, 0);
> Set( $ExternalSettings,
>     {
>         'My_LDAP' =>
>         {
>             'type'            => 'ldap',
>             'server'          => 'ldap.lbl.gov',
>             'user'            => '',
>             'pass'            => '',
>             'base'            => 'ou=People,o=name of our company,c=US',
>             'filter'          => '((status that equals active)(|(dicision code)))',
>             'd_filter'        => '(!(|(lblEmpStat=Staff)(lblEmpStat=Guest)))',
>             'tls'             => 1,
>             'net_ldap_args'   => [ version => 3 ],
>             'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName', 'uid' ],
>             'attr_map'        => {
>                 'Name'           => 'uid',
>                 'EmailAddress'   => 'mail',
>                 'Organization'   => 'o',
>                 'RealName'       => 'cn',
>                 'ExternalAuthId' => 'uid',
>                 'Gecos'          => 'uid',
>                 'WorkPhone'      => 'telephonenumber',
>                 'Address1'       => 'lblmailstop',
>                 'Address2'       => 'postaladdress'
>             }
>         }
>     }
> );
> 1;
>
> I don't think the attr_map would affect this, but your match list could. Anyway, check it all out cause if there are any inconsistencies (like TLS being used and on), it will fail.
>
> Hope this helps.
>
> Kenn
> LBNL
>
> *** end cut/paste**
>
> On Thu, Jul 22, 2010 at 7:23 PM, M.F.Haris mfha...@gmail.com wrote:
>
> > Hi Mike,
> >
> > I am also facing the same problem and I have checked my configuration over and over, also compared with some available on internet. In my case I didn't enter any attribute with blank value like 'group' attribute in your case, but the rest of the things are similar to what I have entered.
> >
> > I get a message 'Failed to Login with user (myuser) ... '. Do you get the same error message?
> >
> > Please share your experience if you are able to solve this crap.
> >
> > thanks
> > Haris
> >
> > On Thu, Jul 22, 2010 at 3:59 PM, Mike Johnson mike.john...@nosm.ca wrote:
> >
> > > Hi everyone,
> > >
> > > Where do I start debugging my setup??
> > >
> > > I have CentOS5.5, RT3.8.8, ExternalAuth 0.8 attempting to connect to an Active Directory LDAP.
> > >
> > > Everything loads fine (I get no errors from my config files). I've loaded the ExternalAuth plugin, but when I attempt to log in to the UI with an LDAP user, I get an invalid user/pass.
> > >
> > > The only error/logging I can find anywhere is in syslog and that just tells me the same thing...
> > >
> > > I'm connecting to an Active Directory server, and with some googling/rt-users searching I found the following settings to use.
> > >
> > > 'filter' => '(objectCategory=User)',
> > > 'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
> > >
> > > I've left group and group_attr blank (is that allowed?) as I want all users found under my base DN to be able to use RT.
> > >
> > > In the attr_match_list I have name and email address only.
> > > In attr_map I have the sAMAccountName, mail and cn mapped to their respective places in RT.
> > >
> > > I've tested the user/pass I'm using (our LDAP is set up to not allow anonymous unfortunately, so I have to use an account to bind).
> > >
> > > I can't seem to find where ExternalAuth would toss an error out for me to read if it's failing because of the arguments I've set...
> > >
> > > Any help would be
[rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
Hi everyone,

Where do I start debugging my setup??

I have CentOS5.5, RT3.8.8, ExternalAuth 0.8 attempting to connect to an Active Directory LDAP.

Everything loads fine (I get no errors from my config files). I've loaded the ExternalAuth plugin, but when I attempt to log in to the UI with an LDAP user, I get an invalid user/pass.

The only error/logging I can find anywhere is in syslog and that just tells me the same thing...

I'm connecting to an Active Directory server, and with some googling/rt-users searching I found the following settings to use.

'filter' => '(objectCategory=User)',
'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

I've left group and group_attr blank (is that allowed?) as I want all users found under my base DN to be able to use RT.

In the attr_match_list I have name and email address only.
In attr_map I have the sAMAccountName, mail and cn mapped to their respective places in RT.

I've tested the user/pass I'm using (our LDAP is set up to not allow anonymous unfortunately, so I have to use an account to bind).

I can't seem to find where ExternalAuth would toss an error out for me to read if it's failing because of the arguments I've set...

Any help would be appreciated.

-- 
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON P7B 5E1
Phone: (807) 766-7331
Email: mike.john...@nosm.ca
Re: [rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
Mike,

First off, check to see how you've set $WebExternalAuto. I'm not sure how that would affect LDAP if it was turned on.

Second, I'll assume you've set your Plugins appropriately to include RT::Authen::ExternalAuth.

Thirdly, you have to make sure certain LDAP parameters are consistent (i.e. if you're using TLS, etc.). Below is what we use for our list of parameters:

Set($ExternalAuthPriority, [ 'My_LDAP' ] );
Set($ExternalInfoPriority, [ 'My_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS, 1);
Set($AutoCreateNonExternalUsers, 0);
Set( $ExternalSettings,
    {
        'My_LDAP' =>
        {
            'type'            => 'ldap',
            'server'          => 'ldap.lbl.gov',
            'user'            => '',
            'pass'            => '',
            'base'            => 'ou=People,o=name of our company,c=US',
            'filter'          => '((status that equals active)(|(dicision code)))',
            'd_filter'        => '(!(|(lblEmpStat=Staff)(lblEmpStat=Guest)))',
            'tls'             => 1,
            'net_ldap_args'   => [ version => 3 ],
            'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName', 'uid' ],
            'attr_map'        => {
                'Name'           => 'uid',
                'EmailAddress'   => 'mail',
                'Organization'   => 'o',
                'RealName'       => 'cn',
                'ExternalAuthId' => 'uid',
                'Gecos'          => 'uid',
                'WorkPhone'      => 'telephonenumber',
                'Address1'       => 'lblmailstop',
                'Address2'       => 'postaladdress'
            }
        }
    }
);
1;

I don't think the attr_map would affect this, but your match list could. Anyway, check it all out cause if there are any inconsistencies (like TLS being *used* and *on*), it will fail.

Hope this helps.

Kenn
LBNL

On Thu, Jul 22, 2010 at 6:59 AM, Mike Johnson mike.john...@nosm.ca wrote:

> Hi everyone,
>
> Where do I start debugging my setup??
>
> I have CentOS5.5, RT3.8.8, ExternalAuth 0.8 attempting to connect to an Active Directory LDAP.
>
> Everything loads fine (I get no errors from my config files). I've loaded the ExternalAuth plugin, but when I attempt to log in to the UI with an LDAP user, I get an invalid user/pass.
>
> The only error/logging I can find anywhere is in syslog and that just tells me the same thing...
>
> I'm connecting to an Active Directory server, and with some googling/rt-users searching I found the following settings to use.
>
> 'filter' => '(objectCategory=User)',
> 'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>
> I've left group and group_attr blank (is that allowed?) as I want all users found under my base DN to be able to use RT.
>
> In the attr_match_list I have name and email address only.
> In attr_map I have the sAMAccountName, mail and cn mapped to their respective places in RT.
>
> I've tested the user/pass I'm using (our LDAP is set up to not allow anonymous unfortunately, so I have to use an account to bind).
>
> I can't seem to find where ExternalAuth would toss an error out for me to read if it's failing because of the arguments I've set...
>
> Any help would be appreciated.
>
> --
> Mike Johnson
> Datatel Programmer/Analyst
> Northern Ontario School of Medicine
> 955 Oliver Road
> Thunder Bay, ON P7B 5E1
> Phone: (807) 766-7331
> Email: mike.john...@nosm.ca
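
To debug a setup like the one in this thread outside RT, the following added example (not code from the thread or from RT-Authen-ExternalAuth) performs the service bind, the user search and the disabled-account check by hand with Net::LDAP, printing the directory's own error at each step. The host, DNs, CA file path and the RT_LDAP_BIND_PW / RT_TEST_USER_PW environment variables are placeholders assumed for illustration; the filter and d_filter values are the ones quoted in the thread.

```perl
#!/usr/bin/perl
# Added example (not from the thread): walk through an LDAP login by hand so
# each failing step reports its own error instead of "invalid user/pass".
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Placeholder settings (assumptions); mirror your own $ExternalSettings entry.
my %cfg = (
    server   => 'dc1.example.local',
    user     => 'cn=rt-bind,ou=Service Accounts,dc=example,dc=local', # full DN
    pass     => $ENV{RT_LDAP_BIND_PW} || '',
    base     => 'dc=example,dc=local',
    filter   => '(objectCategory=User)',
    d_filter => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
    tls      => 1,
    cafile   => '/etc/pki/tls/certs/ca-bundle.crt',
);
my $login = shift(@ARGV) or die "usage: $0 <sAMAccountName>\n";
# A bind with an empty password is an unauthenticated bind and proves nothing.
die "set RT_LDAP_BIND_PW first\n" unless length $cfg{pass};

# Die with the server's own error text when an LDAP operation fails.
sub check {
    my ($step, $mesg) = @_;
    die sprintf("%s FAILED: %s (code %d)\n", $step, $mesg->error, $mesg->code)
        if $mesg->code;
    print "$step: ok\n";
    return $mesg;
}

my $ldap = Net::LDAP->new($cfg{server}, version => 3)
    or die "connect to $cfg{server} FAILED: $@\n";
# Keep 'tls' consistent with what the server expects; verify the certificate.
check('start_tls', $ldap->start_tls(verify => 'require', cafile => $cfg{cafile}))
    if $cfg{tls};
check('service bind', $ldap->bind($cfg{user}, password => $cfg{pass}));

# Escape the login before placing it in a filter, then AND it with 'filter'.
my $who   = '(sAMAccountName=' . escape_filter_value($login) . ')';
my $found = check('user search', $ldap->search(
    base   => $cfg{base},
    filter => "(&$cfg{filter}$who)",
    attrs  => [qw(cn mail sAMAccountName)],
));
die 'expected exactly 1 entry, got ' . $found->count . "\n"
    unless $found->count == 1;
my $dn = $found->entry(0)->dn;
print "user DN: $dn\n";

# An entry that also matches d_filter is treated as disabled.
my $off = check('disabled search', $ldap->search(
    base => $cfg{base}, filter => "(&$cfg{d_filter}$who)", attrs => ['1.1'],
));
print $off->count ? "account is DISABLED\n" : "account is enabled\n";

# Optional: authenticate as the user, binding with the DN found above.
if (defined $ENV{RT_TEST_USER_PW} && length $ENV{RT_TEST_USER_PW}) {
    check('user bind', $ldap->bind($dn, password => $ENV{RT_TEST_USER_PW}));
}
$ldap->unbind;
```

If every step here succeeds and RT still rejects the login, the cause lies on the RT side rather than in the directory, as it did in this thread, and RT's debug-level log is the place to look.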