Re: [rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
Wow. 3 days of on/off debugging and getting frustrated, for a spelling mistake... hahahaha, Much appreciated Kevin. I can now login using an AD Account and it creates it properly in RT. Thanks! Mike. On Mon, Jul 26, 2010 at 5:03 PM, Kevin Falcone falc...@bestpractical.comwrote: On Mon, Jul 26, 2010 at 04:25:21PM -0400, Mike Johnson wrote: [Mon Jul 26 19:52:58 2010] [warning]: DBD::mysql::st execute failed: Unknown column 'Priviledged' in 'field list' at /usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm The column is Privileged, not Priviledged. I'm going to assume you've misconfigured something, possibly the AutoCreate setting. Again, I am no perl wiz, and I'm just making guesses as to whats wrong based on these logs... RTFM might work with 3.8.8, I just can't get mine to work. RTFM has a bug with 3.8.8, I just failed to see what it had to do with your RT-Authen-ExternalAuth problems. You can pull a patch from the rtfm repo or wait for 2.4.3rc1 to be released. There should be links if you search the list archives. -kevin Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com -- Mike Johnson Datatel Programmer/Analyst Northern Ontario School of Medicine 955 Oliver Road Thunder Bay, ON P7B 5E1 Phone: (807) 766-7331 Email: mike.john...@nosm.ca Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
Hi Kevin,
I'm not a Perl wiz at all, and I'm just grasping at straws trying to
troubleshoot why it isn't working.
Here is the core of the log before the lines I posted...
[Mon Jul 26 19:52:54 2010] [debug]: Reloading RT::User to work around a bug
in RT-3.8.0 and RT-3.8.1
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Jul 26 19:52:54 2010] [debug]: Attempting to use external auth service:
NOSMLDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Jul 26 19:52:54 2010] [debug]: SSO Failed and no user to test with.
Nexting
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Jul 26 19:52:54 2010] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Mon Jul 26 19:52:58 2010] [debug]: Reloading RT::User to work around a bug
in RT-3.8.0 and RT-3.8.1
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Jul 26 19:52:58 2010] [debug]: Attempting to use external auth service:
NOSMLDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Jul 26 19:52:58 2010] [debug]: Calling UserExists with $username
(testuser) and $service (NOSMLDAP)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Jul 26 19:52:58 2010] [debug]: UserExists params:
username: testuser , service: NOSMLDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Jul 26 19:52:58 2010] [debug]: LDAP Search === Base: dc=nosm,dc=local
== Filter:
(((objectCategory=User)(ObjectClass=Person))(sAMAccountName=testuser)) ==
Attrs: cn,mail,sAMAccountName,sAMAccountName
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Jul 26 19:52:58 2010] [debug]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 20 with:
Disabled: 0, EmailAddress: , Gecos: testuser, Name: testuser, Priviledged:
1, Privileged: 0
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)
[Mon Jul 26 19:52:58 2010] [debug]: Attempting to get user info using this
external service: NOSMLDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
[Mon Jul 26 19:52:58 2010] [debug]: Attempting to use this canonicalization
key: Name
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Mon Jul 26 19:52:58 2010] [debug]: LDAP Search === Base: dc=nosm,dc=local
== Filter:
(((objectCategory=User)(ObjectClass=Person))(sAMAccountName=testuser)) ==
Attrs: cn,mail,sAMAccountName,sAMAccountName
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Mon Jul 26 19:52:58 2010] [info]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: 0,
EmailAddress: test.u...@normed.ca, ExternalAuthId: testuser, Gecos:
testuser, Name: testuser, Priviledged: 1, Privileged: 0, RealName: Test User
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
[Mon Jul 26 19:52:58 2010] [warning]: DBD::mysql::st execute failed: Unknown
column 'Priviledged' in 'field list' at
/usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm line 509, DATA
line 273. (/usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm:509)
[Mon Jul 26 19:52:58 2010] [warning]: RT::Handle=HASH(0x2b88760b6e00)
couldn't execute the query 'INSERT INTO Users (Priviledged, RealName,
EmailAddress, Creator, Gecos, LastUpdatedBy, Password, Created, id, Name,
LastUpdated, ExternalAuthId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)' at
/usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm line 522
DBIx::SearchBuilder::Handle::SimpleQuery('RT::Handle=HASH(0x2b88760b6e00)',
'INSERT INTO Users (Priviledged, RealName, EmailAddress, Creat...', 1, 'Test
User', 'test.u...@normed.ca', 1, 'testuser', 1, '*NO-PASSWORD*', ...) called
at /usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm line 357
DBIx::SearchBuilder::Handle::Insert('RT::Handle=HASH(0x2b88760b6e00)',
'Users', 'Priviledged', 1, 'RealName', 'Test User', 'EmailAddress',
'test.u...@normed.ca', 'Creator', ...) called at
/usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle/mysql.pm line 36
DBIx::SearchBuilder::Handle::mysql::Insert('RT::Handle=HASH(0x2b88760b6e00)',
'Users', 'Priviledged', 1, 'RealName', 'Test User', 'EmailAddress',
'test.u...@normed.ca', 'Creator', ...) called at
/usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Record.pm line 1293
DBIx::SearchBuilder::Record::Create('RT::User=HASH(0x2b8876d75580)',
'Priviledged', 1, 'RealName', 'Test User', 'Creator', 1, 'EmailAddress',
'test.u...@normed.ca', ...) called at /opt/rt3/bin/../lib/RT/Record.pm line
289
RT::Record::Create('RT::User=HASH(0x2b8876d75580)', 'id',
Re: [rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
Hi Haris,
No go yet.
Kenneth did send some info for me to check out, perhaps it may help you...
**Kenneth's email cut/pasted**
Mike,
First off, check to see how you've set $WebExternalAuto. I'm not sure how
that would affect LDAP if it was turned on.
Second, I'll assume you've set your Plugins appropriately to include
RT::Authen::ExternalAuth.
Thirdly, you have to make sure certain LDAP parameters are consistent (ie.
if you're using TLS, etc.).
Below is what we use for our list of parameters:
Set($ExternalAuthPriority, [ 'My_LDAP' ] );
Set($ExternalInfoPriority, [ 'My_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS, 1);
Set($AutoCreateNonExternalUsers, 0);
Set(
$ExternalSettings,
{
'My_LDAP' =
{
‘type’= 'ldap',
‘server’ = 'ldap.lbl.gov’,
‘user’= ‘’,
‘pass’= ‘’,
‘base’= 'ou=People,o=name of our company,c=US’,
‘filter’ = '((status that equals active)(|(dicision
code)))’,
‘d_filter’ = '(!(|(lblEmpStat=Staff)(lblEmpStat=Guest)))',
‘tls’= 1,
‘net_ldap_args’= [ version = 3],
‘attr_match_list’ = ['Name',
'EmailAddress',
'RealName',
'uid'
],
‘attr_map’= {'Name' = 'uid',
'EmailAddress'=
'mail',
'Organization' =
‘o’,
'RealName' =
'cn',
'ExternalAuthId' =
'uid',
'Gecos'
= 'uid',
'WorkPhone' =
'telephonenumber',
'Address1' =
'lblmailstop',
'Address2' =
'postaladdress’
}
}
}
);
1;
I don't think the attr_map would affect this, but your match list could.
Anyway, check it all out cause if there are any inconsistencies (like TLS
being used and on), it will fail.
Hope this helps.
Kenn
LBNL
*** end cut/paste**
On Thu, Jul 22, 2010 at 7:23 PM, M.F.Haris mfha...@gmail.com wrote:
hi Mike,
I am also facing the same problem and i have checked my configuration over
and over, also compared with some available on internet.
in my case i didn't enter any attribute with blank value like 'group'
attribute in your case. but rest of the things are similar to what i have
entered.
I get a message 'Failed to Login with user (myuser) ... '
do you get the same error message? please share your experience if you are
able to solve this crap.
thanks
Haris
On Thu, Jul 22, 2010 at 3:59 PM, Mike Johnson mike.john...@nosm.cawrote:
Hi everyone,
Where do I start debugging my setup??
I have CentOS5.5, RT3.8.8, ExternalAuth 0.8 attempting to connect to an
Active Drectory LDAP.
Everything loads fine(I get no errors from my config files). I've loaded
the ExternalAuth plugin, but when I attempt to login to the UI with an LDAP
user, I get an invalid user/pass. The only error/logging I can find
anywhere is in syslog and that just tells me the same thing...
I'm connecting to an Active Directory server, and with some
googling/rt-users searching I found the following settings to use.
'filter'= '(objectCategory=User)',
'd_filter' =
'(userAccountControl:1.2.840.113556.1.4.803:=2)',
I've left group and group_attr blank(is that allowed?) as I want all users
found under my base DN to be able to use RT.
In the attr_match_list I have name and email address only
In attr_map I have the sAMAccountName mail and cn mapped to their
respective places in RT.
I've tested the user/pass I'm using(our LDAP is setup to not allow
anonymous unfortunately, so I have to use an account to bind.
I can't seem to find where ExternalAuth would toss an error out for me to
read if it's failling because of the arguments I've set...
Any help would be appreciated.
--
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON P7B 5E1
Phone: (807) 766-7331
Email: mike.john...@nosm.ca
Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
--
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON P7B 5E1
Phone: (807) 766-7331
Email: mike.john...@nosm.ca
Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at
Re: [rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
I found another guide that outlines how to setup ExternalAuth for AD on the
wiki
http://wiki.bestpractical.com/view/CentOS5InstallPlusSome
Others following this thread might find it useful...
I did learn that you're looking for the full cn/ou path for your user, not
just a username...(I forgot that's how LDAP finds users)
Haris you might want to check that in your config... didn't help me *shrug*
but might help you.
Thanks!
Mike.
On Fri, Jul 23, 2010 at 9:18 AM, Mike Johnson mike.john...@nosm.ca wrote:
Hi Haris,
No go yet.
Kenneth did send some info for me to check out, perhaps it may help you...
**Kenneth's email cut/pasted**
Mike,
First off, check to see how you've set $WebExternalAuto. I'm not sure how
that would affect LDAP if it was turned on.
Second, I'll assume you've set your Plugins appropriately to include
RT::Authen::ExternalAuth.
Thirdly, you have to make sure certain LDAP parameters are consistent (ie.
if you're using TLS, etc.).
Below is what we use for our list of parameters:
Set($ExternalAuthPriority, [ 'My_LDAP' ] );
Set($ExternalInfoPriority, [ 'My_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS, 1);
Set($AutoCreateNonExternalUsers, 0);
Set(
$ExternalSettings,
{
'My_LDAP' =
{
‘type’= 'ldap',
‘server’ = 'ldap.lbl.gov’,
‘user’= ‘’,
‘pass’= ‘’,
‘base’= 'ou=People,o=name of our company,c=US’,
‘filter’ = '((status that equals active)(|(dicision
code)))’,
‘d_filter’ = '(!(|(lblEmpStat=Staff)(lblEmpStat=Guest)))',
‘tls’= 1,
‘net_ldap_args’= [ version = 3],
‘attr_match_list’ = ['Name',
'EmailAddress',
'RealName',
'uid'
],
‘attr_map’= {'Name' = 'uid',
'EmailAddress'=
'mail',
'Organization' =
‘o’,
'RealName' =
'cn',
'ExternalAuthId' =
'uid',
'Gecos'
= 'uid',
'WorkPhone' =
'telephonenumber',
'Address1' =
'lblmailstop',
'Address2' =
'postaladdress’
}
}
}
);
1;
I don't think the attr_map would affect this, but your match list could.
Anyway, check it all out cause if there are any inconsistencies (like TLS
being used and on), it will fail.
Hope this helps.
Kenn
LBNL
*** end cut/paste**
On Thu, Jul 22, 2010 at 7:23 PM, M.F.Haris mfha...@gmail.com wrote:
hi Mike,
I am also facing the same problem and i have checked my configuration over
and over, also compared with some available on internet.
in my case i didn't enter any attribute with blank value like 'group'
attribute in your case. but rest of the things are similar to what i have
entered.
I get a message 'Failed to Login with user (myuser) ... '
do you get the same error message? please share your experience if you are
able to solve this crap.
thanks
Haris
On Thu, Jul 22, 2010 at 3:59 PM, Mike Johnson mike.john...@nosm.cawrote:
Hi everyone,
Where do I start debugging my setup??
I have CentOS5.5, RT3.8.8, ExternalAuth 0.8 attempting to connect to an
Active Drectory LDAP.
Everything loads fine(I get no errors from my config files). I've loaded
the ExternalAuth plugin, but when I attempt to login to the UI with an LDAP
user, I get an invalid user/pass. The only error/logging I can find
anywhere is in syslog and that just tells me the same thing...
I'm connecting to an Active Directory server, and with some
googling/rt-users searching I found the following settings to use.
'filter'= '(objectCategory=User)',
'd_filter' =
'(userAccountControl:1.2.840.113556.1.4.803:=2)',
I've left group and group_attr blank(is that allowed?) as I want all
users found under my base DN to be able to use RT.
In the attr_match_list I have name and email address only
In attr_map I have the sAMAccountName mail and cn mapped to their
respective places in RT.
I've tested the user/pass I'm using(our LDAP is setup to not allow
anonymous unfortunately, so I have to use an account to bind.
I can't seem to find where ExternalAuth would toss an error out for me to
read if it's failling because of the arguments I've set...
Any help would be
[rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
Hi everyone, Where do I start debugging my setup?? I have CentOS5.5, RT3.8.8, ExternalAuth 0.8 attempting to connect to an Active Drectory LDAP. Everything loads fine(I get no errors from my config files). I've loaded the ExternalAuth plugin, but when I attempt to login to the UI with an LDAP user, I get an invalid user/pass. The only error/logging I can find anywhere is in syslog and that just tells me the same thing... I'm connecting to an Active Directory server, and with some googling/rt-users searching I found the following settings to use. 'filter'= '(objectCategory=User)', 'd_filter' = '(userAccountControl:1.2.840.113556.1.4.803:=2)', I've left group and group_attr blank(is that allowed?) as I want all users found under my base DN to be able to use RT. In the attr_match_list I have name and email address only In attr_map I have the sAMAccountName mail and cn mapped to their respective places in RT. I've tested the user/pass I'm using(our LDAP is setup to not allow anonymous unfortunately, so I have to use an account to bind. I can't seem to find where ExternalAuth would toss an error out for me to read if it's failling because of the arguments I've set... Any help would be appreciated. -- Mike Johnson Datatel Programmer/Analyst Northern Ontario School of Medicine 955 Oliver Road Thunder Bay, ON P7B 5E1 Phone: (807) 766-7331 Email: mike.john...@nosm.ca Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] ExternalAuth - loading fine but isn't authenticating to LDAP
Mike,
First off, check to see how you've set $WebExternalAuto. I'm not sure how
that would affect LDAP if it was turned on.
Second, I'll assume you've set your Plugins appropriately to include
RT::Authen::ExternalAuth.
Thirdly, you have to make sure certain LDAP parameters are consistent (ie.
if you're using TLS, etc.).
Below is what we use for our list of parameters:
*Set($ExternalAuthPriority, [ 'My_LDAP' ] );*
*Set($ExternalInfoPriority, [ 'My_LDAP' ] );*
*Set($ExternalServiceUsesSSLorTLS, 1);*
*Set($AutoCreateNonExternalUsers, 0);*
*Set(*
*$ExternalSettings,*
* {*
*'My_LDAP' =*
* {*
*‘type’= 'ldap',*
*‘server’ = 'ldap.lbl.gov’,*
*‘user’= ‘’,*
*‘pass’= ‘’,*
*‘base’= 'ou=People,o=name of our company,c=US’,*
*‘filter’ = '((status that equals active)(|(dicision
code)))’,*
*‘d_filter’ = '(!(|(lblEmpStat=Staff)(lblEmpStat=Guest)))',*
*‘tls’= 1,*
*‘net_ldap_args’= [ version = 3],*
*‘attr_match_list’ = ['Name',*
* 'EmailAddress',*
* 'RealName',*
* 'uid'*
*],*
*‘attr_map’= {'Name' = 'uid',*
* 'EmailAddress'=
'mail',*
* 'Organization' =
‘o’,*
* 'RealName' =
'cn',*
* 'ExternalAuthId' =
'uid',*
* 'Gecos'
= 'uid',*
* 'WorkPhone' =
'telephonenumber',*
* 'Address1' =
'lblmailstop',*
* 'Address2' =
'postaladdress’*
* }*
* }*
* }*
* );*
*1;*
**
I don't think the attr_map would affect this, but your match list could.
Anyway, check it all out cause if there are any inconsistencies (like TLS
being *used* and *on*), it will fail.
Hope this helps.
Kenn
LBNL
On Thu, Jul 22, 2010 at 6:59 AM, Mike Johnson mike.john...@nosm.ca wrote:
Hi everyone,
Where do I start debugging my setup??
I have CentOS5.5, RT3.8.8, ExternalAuth 0.8 attempting to connect to an
Active Drectory LDAP.
Everything loads fine(I get no errors from my config files). I've loaded
the ExternalAuth plugin, but when I attempt to login to the UI with an LDAP
user, I get an invalid user/pass. The only error/logging I can find
anywhere is in syslog and that just tells me the same thing...
I'm connecting to an Active Directory server, and with some
googling/rt-users searching I found the following settings to use.
'filter'= '(objectCategory=User)',
'd_filter' =
'(userAccountControl:1.2.840.113556.1.4.803:=2)',
I've left group and group_attr blank(is that allowed?) as I want all users
found under my base DN to be able to use RT.
In the attr_match_list I have name and email address only
In attr_map I have the sAMAccountName mail and cn mapped to their
respective places in RT.
I've tested the user/pass I'm using(our LDAP is setup to not allow
anonymous unfortunately, so I have to use an account to bind.
I can't seem to find where ExternalAuth would toss an error out for me to
read if it's failling because of the arguments I've set...
Any help would be appreciated.
--
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON P7B 5E1
Phone: (807) 766-7331
Email: mike.john...@nosm.ca
Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
