Re: [rt-users] I can't authenticate via LDAP; I don't see the log messages I expect
On 3/9/2011 18:56, Thomas Sibley wrote:
> On 09 Mar 2011 19:25, Micah R Ledbetter wrote:
>> Should I file a bug report somewhere with what happened? I'd be happy to if
>> it would be helpful for someone.
>
> What RT version are you actually running? You claimed RT 3.8.8, but ExternalAuth 0.08 is known to work with that and upgrading to ExternalAuth 0.08_01 shouldn't have mattered for 3.8.8.

http://i.imgur.com/WiA3n.png

Pretty sure that's a 3.8.8 there, man.

- Micah
Re: [rt-users] I can't authenticate via LDAP; I don't see the log messages I expect
On 09 Mar 2011 19:25, Micah R Ledbetter wrote:
> Should I file a bug report somewhere with what happened? I'd be happy to if
> it would be helpful for someone.

What RT version are you actually running? You claimed RT 3.8.8, but ExternalAuth 0.08 is known to work with that and upgrading to ExternalAuth 0.08_01 shouldn't have mattered for 3.8.8.

Thomas
Re: [rt-users] I can't authenticate via LDAP; I don't see the log messages I expect
YES! This worked, thank you so much!

In detail, here's what I did.

- I removed everything that CPAN had put in /opt/rt3/local/plugins
- I downloaded the dev release of external auth
- I installed it with a simple `perl Makefile.PL; make; make install`
- I removed the example RT_SiteConfig.pm that was created in /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/

Now my logs are full of [debug] lines that pointed me in the right direction, and now Active Directory authentication is finally working.

Thanks again. Should I file a bug report somewhere with what happened? I'd be happy to if it would be helpful for someone.

- Micah

-Original Message-
From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Jason Ledford
Sent: Tuesday, March 08, 2011 18:48
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] I can't authenticate via LDAP; I don't see the log messages I expect

I am using rt 3.8.9, but I had to update to the dev release of external auth

http://search.cpan.org/CPAN/authors/id/F/FA/FALCONE/RT-Authen-ExternalAuth-0.08_01.tar.gz

I was getting results like you, or lack of results. It didn't appear to even be loading the plugin.

From: rt-users-boun...@lists.bestpractical.com [rt-users-boun...@lists.bestpractical.com] On Behalf Of Micah R Ledbetter [mledbet...@neuric.com]
Sent: Tuesday, March 08, 2011 3:24 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] I can't authenticate via LDAP; I don't see the log messages I expect

Hi all,

I'm having a problem making RT::Authen::ExternalAuth work with LDAP. Furthermore, when I go to the log to find out what's wrong, I see almost nothing there.

I'm on Ubuntu 10.04.1, running RT 3.8.8 installed from source to /opt/rt3, and RT::Authen::ExternalAuth 0.08 installed from CPAN via this command:

> PERL5LIB=/opt/rt3/lib cpan RT::Authen::ExternalAuth

Here is my RT_SiteConfig.pm: http://pastie.org/1648532

I can log in as root, or any other locally-created user. When I do, I get a message to rt.log that looks like this:

> [Tue Mar 8 19:46:18 2011] [info]: Successful login for root from \
> 192.168.55.133 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:430)

I cannot log in as any of my Active Directory users. When I do, or when I send a known-bad username/password combination, I get a message to rt.log that looks like this:

> [Tue Mar 8 19:45:55 2011] [error]: FAILED LOGIN for mledbetter from \
> 192.168.55.133 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)

Those are the only messages that are EVER logged to the log file. I didn't even realize that there were more things that RT would log, until I ran across this message: http://lists.bestpractical.com/pipermail/rt-users/2010-August/065986.html

Why can I not see those log messages? I would very much appreciate help in this regard, because if I could just solve that problem I think I could fix the Active Directory problem myself.

Note that when I log in as root (which works because, of course, root is a local user, not an AD user), I can go to the System Configuration page. There, in the "RT Configuration" section, I see this line:

> Plugins RT::Authen::ExternalAuth site config

And in the "Loaded perl modules" section, I see this line:

> RT::Interface::Web::Request 0.30\
> /opt/rt3/bin/../lib/RT/Interface/Web/Request.pm

I'm not sure where to go from here, and I'd appreciate any input. I'd also like to thank trs and jibsheet for helping me on IRC.

- Micah
Re: [rt-users] I can't authenticate via LDAP; I don't see the log messages I expect
THANK YOU! This worked for me - I am now getting a lot more stuff logged to rt.log!

What I did, in detail:

- I removed what CPAN had installed to /opt/rt3/local/plugins
- I downloaded and installed the dev release of external auth
- I installed it via `perl Makefile.PL; make; make install`
- I removed the default RT_SiteConfig.pm it created in /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc

Now each failed login produces these lines in rt.log:

-Original Message-
From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Jason Ledford
Sent: Tuesday, March 08, 2011 18:48
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] I can't authenticate via LDAP; I don't see the log messages I expect

I am using rt 3.8.9, but I had to update to the dev release of external auth

http://search.cpan.org/CPAN/authors/id/F/FA/FALCONE/RT-Authen-ExternalAuth-0.08_01.tar.gz

I was getting results like you, or lack of results. It didn't appear to even be loading the plugin.

From: rt-users-boun...@lists.bestpractical.com [rt-users-boun...@lists.bestpractical.com] On Behalf Of Micah R Ledbetter [mledbet...@neuric.com]
Sent: Tuesday, March 08, 2011 3:24 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] I can't authenticate via LDAP; I don't see the log messages I expect

Hi all,

I'm having a problem making RT::Authen::ExternalAuth work with LDAP. Furthermore, when I go to the log to find out what's wrong, I see almost nothing there.

I'm on Ubuntu 10.04.1, running RT 3.8.8 installed from source to /opt/rt3, and RT::Authen::ExternalAuth 0.08 installed from CPAN via this command:

> PERL5LIB=/opt/rt3/lib cpan RT::Authen::ExternalAuth

Here is my RT_SiteConfig.pm: http://pastie.org/1648532

I can log in as root, or any other locally-created user. When I do, I get a message to rt.log that looks like this:

> [Tue Mar 8 19:46:18 2011] [info]: Successful login for root from \
> 192.168.55.133 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:430)

I cannot log in as any of my Active Directory users. When I do, or when I send a known-bad username/password combination, I get a message to rt.log that looks like this:

> [Tue Mar 8 19:45:55 2011] [error]: FAILED LOGIN for mledbetter from \
> 192.168.55.133 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)

Those are the only messages that are EVER logged to the log file. I didn't even realize that there were more things that RT would log, until I ran across this message: http://lists.bestpractical.com/pipermail/rt-users/2010-August/065986.html

Why can I not see those log messages? I would very much appreciate help in this regard, because if I could just solve that problem I think I could fix the Active Directory problem myself.

Note that when I log in as root (which works because, of course, root is a local user, not an AD user), I can go to the System Configuration page. There, in the "RT Configuration" section, I see this line:

> Plugins RT::Authen::ExternalAuth site config

And in the "Loaded perl modules" section, I see this line:

> RT::Interface::Web::Request 0.30\
> /opt/rt3/bin/../lib/RT/Interface/Web/Request.pm

I'm not sure where to go from here, and I'd appreciate any input. I'd also like to thank trs and jibsheet for helping me on IRC.

- Micah
Re: [rt-users] I can't authenticate via LDAP; I don't see the log messages I expect
I am using rt 3.8.9, but I had to update to the dev release of external auth

http://search.cpan.org/CPAN/authors/id/F/FA/FALCONE/RT-Authen-ExternalAuth-0.08_01.tar.gz

I was getting results like you, or lack of results. It didn't appear to even be loading the plugin.

From: rt-users-boun...@lists.bestpractical.com [rt-users-boun...@lists.bestpractical.com] On Behalf Of Micah R Ledbetter [mledbet...@neuric.com]
Sent: Tuesday, March 08, 2011 3:24 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] I can't authenticate via LDAP; I don't see the log messages I expect

Hi all,

I'm having a problem making RT::Authen::ExternalAuth work with LDAP. Furthermore, when I go to the log to find out what's wrong, I see almost nothing there.

I'm on Ubuntu 10.04.1, running RT 3.8.8 installed from source to /opt/rt3, and RT::Authen::ExternalAuth 0.08 installed from CPAN via this command:

> PERL5LIB=/opt/rt3/lib cpan RT::Authen::ExternalAuth

Here is my RT_SiteConfig.pm: http://pastie.org/1648532

I can log in as root, or any other locally-created user. When I do, I get a message to rt.log that looks like this:

> [Tue Mar 8 19:46:18 2011] [info]: Successful login for root from \
> 192.168.55.133 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:430)

I cannot log in as any of my Active Directory users. When I do, or when I send a known-bad username/password combination, I get a message to rt.log that looks like this:

> [Tue Mar 8 19:45:55 2011] [error]: FAILED LOGIN for mledbetter from \
> 192.168.55.133 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)

Those are the only messages that are EVER logged to the log file. I didn't even realize that there were more things that RT would log, until I ran across this message: http://lists.bestpractical.com/pipermail/rt-users/2010-August/065986.html

Why can I not see those log messages? I would very much appreciate help in this regard, because if I could just solve that problem I think I could fix the Active Directory problem myself.

Note that when I log in as root (which works because, of course, root is a local user, not an AD user), I can go to the System Configuration page. There, in the "RT Configuration" section, I see this line:

> Plugins RT::Authen::ExternalAuth site config

And in the "Loaded perl modules" section, I see this line:

> RT::Interface::Web::Request 0.30\
> /opt/rt3/bin/../lib/RT/Interface/Web/Request.pm

I'm not sure where to go from here, and I'd appreciate any input. I'd also like to thank trs and jibsheet for helping me on IRC.

- Micah
Re: [rt-users] I can't authenticate via LDAP; I don't see the log messages I expect
On 3/8/2011 5:37 PM, Mark Farver wrote:
> You might turn up the log level, add:
>
> Set($LogToScreen, 'debug');
>
> And see if anything interesting turns up in the Apache logs.
>
> You could also try using the same credentials, hostname etc with ldapsearch on the command line to verify that you have AD configured correctly.
>
> Mark

Actually, LogToScreen is already set in my RT_SiteConfig.pm and the only thing I get out of Apache's error.log is this stuff:

[Tue Mar 08 17:45:27 2011] [info] [client 192.168.55.133] Connection to child 5 established (server alpha:443)
[Tue Mar 08 17:45:27 2011] [info] Seeding PRNG with 648 bytes of entropy
[Tue Mar 08 17:45:27 2011] [info] Initial (No.1) HTTPS request received for child 5 (server alpha:443)
[Tue Mar 8 23:45:27 2011] [error]: FAILED LOGIN for mledbetter from 192.168.55.133 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
[Tue Mar 08 17:45:27 2011] [info] Subsequent (No.2) HTTPS request received for child 5 (server alpha:443)
[Tue Mar 08 17:45:27 2011] [info] [client 192.168.55.133] Spelling fix: /rt/NoAuth/RichText/fckeditor.js: 1 candidates from https://alpha/rt/, referer: https://alpha/rt/
[Tue Mar 08 17:45:27 2011] [info] Subsequent (No.3) HTTPS request received for child 5 (server alpha:443)
[Tue Mar 08 17:45:27 2011] [info] [client 192.168.55.133] Spelling fix: /rt/NoAuth/RichText/fckeditor.js: 1 candidates from https://alpha/rt/, referer: https://alpha/rt/
[Tue Mar 08 17:45:42 2011] [info] [client 192.168.55.133] (70007)The timeout specified has expired: SSL input filter read failed.
[Tue Mar 08 17:45:42 2011] [info] [client 192.168.55.133] Connection closed to child 5 with standard shutdown (server alpha:443)

And I'm not even sure that those [info] lines don't come from apache itself anyway. At any rate, there is no evidence that it's even trying LDAP authentication.

As for running ldapsearch with the credentials in my RT_SiteConfig.pm, I've already tried that and it works. If I run this command:

> ldapsearch -h fattire -p 3268 -D rtldap -w 'PASSWORD' \
> -b 'ou=Services,dc=neuric,dc=internal'

And it will return my RT Users group:

> dn: CN=RT Users,OU=Services,DC=neuric,DC=internal
> ... etc ...

I've tried setting the 'user' in $ExternalSettings to 'rtldap' and the full 'cn=rtldap,ou=Services,dc=internal,dc=local' because I've seen it both ways online, but neither one works, or produces any different log output.

However, going any further toward debugging this without any LDAP related logging at all is obviously no fun, and I'd really like to actually get logging working before jumping ahead and trying to just troubleshoot through a black box.

Thanks for your suggestions.

- Micah
Re: [rt-users] I can't authenticate via LDAP; I don't see the log messages I expect
Mark,

Thanks for the reply.

On 3/8/2011 4:41 PM, Mark Farver wrote:
>> I'm having a problem making RT::Authen::ExternalAuth work with LDAP. Furthermore, when I go to the log to find out what's wrong, I see almost nothing there.
>
> It took me a very long time to figure this problem out, eventually figuring it out with strace. RT::ExternalAuth created an example /opt/rt3/local/etc/RT_SiteConfig.pm file that was overriding my /opt/rt3/etc/RT_SiteConfig.pm file. Since the example file created by ExternalAuth has very little in it it was breaking my config. Copying the required contents into my SiteConfig and deleting the example was all it took to start getting meaningful errors.

I did find another RT_SiteConfig.pm, not inside /opt/rt3/local/etc, but inside /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/ -- however, when I deleted it and restarted apache, there was no change in the logging behavior.

I ran a "find /opt/rt3 -name \*Config\*" just to be sure, but it didn't find any config file that I didn't already know about. I also checked in /etc/ but I found nothing there of interest either.

Good eye, though. Any other ideas?

- Micah
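The stray-config check discussed in the message above, written out as an added shell example that is not part of the original thread and not RT's or the plugin's own tooling. It lists every RT_SiteConfig.pm under an RT prefix and shows the logging, plugin and ExternalAuth settings in each; the function names and the sample tree contents are constructed for illustration, and /opt/rt3 is the prefix from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): list every RT_SiteConfig.pm under an RT
# install prefix and show the logging/plugin/ExternalAuth settings in each, so
# a copy dropped by a plugin install is easy to spot.

# rt_siteconfig_audit PREFIX
# Prints "MAIN <path>" for PREFIX/etc/RT_SiteConfig.pm and "STRAY <path>" for
# any other copy, each followed by that file's matching Set(...) lines.
# Returns 0 when no stray copy exists, 1 otherwise.
rt_siteconfig_audit() {
    prefix=${1:-/opt/rt3}            # /opt/rt3 is the prefix used in the thread
    main="$prefix/etc/RT_SiteConfig.pm"
    find "$prefix" -type f -name 'RT_SiteConfig.pm' | sort |
    while IFS= read -r f; do
        if [ "$f" = "$main" ]; then tag=MAIN; else tag=STRAY; fi
        printf '%s %s\n' "$tag" "$f"
        # Only the settings this thread is about: $LogTo*, @Plugins, $External*
        grep -nE '^[[:space:]]*Set\([[:space:]]*(\$LogTo|@Plugins|\$External)' "$f" |
            sed 's/^/    /'
    done
    strays=$(find "$prefix" -type f -name 'RT_SiteConfig.pm' ! -path "$main" | wc -l)
    [ "$((strays))" -eq 0 ]
}

# rt_make_sample_tree: build a constructed directory tree that mimics the
# layout described in the thread and print its path. File contents are made up.
rt_make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc" "$d/local/plugins/RT-Authen-ExternalAuth/etc"
    cat > "$d/etc/RT_SiteConfig.pm" <<'EOF'
Set($LogToScreen, 'debug');
Set(@Plugins, qw(RT::Authen::ExternalAuth));
1;
EOF
    cat > "$d/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm" <<'EOF'
Set($ExternalAuthPriority, ['My_LDAP']);
1;
EOF
    printf '%s\n' "$d"
}
```

Running `rt_siteconfig_audit /opt/rt3` after installing or upgrading a plugin shows at a glance whether a second config file exists and which of the two carries the log-level settings.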
[rt-users] I can't authenticate via LDAP; I don't see the log messages I expect
Hi all,

I'm having a problem making RT::Authen::ExternalAuth work with LDAP. Furthermore, when I go to the log to find out what's wrong, I see almost nothing there.

I'm on Ubuntu 10.04.1, running RT 3.8.8 installed from source to /opt/rt3, and RT::Authen::ExternalAuth 0.08 installed from CPAN via this command:

> PERL5LIB=/opt/rt3/lib cpan RT::Authen::ExternalAuth

Here is my RT_SiteConfig.pm: http://pastie.org/1648532

I can log in as root, or any other locally-created user. When I do, I get a message to rt.log that looks like this:

> [Tue Mar 8 19:46:18 2011] [info]: Successful login for root from \
> 192.168.55.133 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:430)

I cannot log in as any of my Active Directory users. When I do, or when I send a known-bad username/password combination, I get a message to rt.log that looks like this:

> [Tue Mar 8 19:45:55 2011] [error]: FAILED LOGIN for mledbetter from \
> 192.168.55.133 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)

Those are the only messages that are EVER logged to the log file. I didn't even realize that there were more things that RT would log, until I ran across this message: http://lists.bestpractical.com/pipermail/rt-users/2010-August/065986.html

Why can I not see those log messages? I would very much appreciate help in this regard, because if I could just solve that problem I think I could fix the Active Directory problem myself.

Note that when I log in as root (which works because, of course, root is a local user, not an AD user), I can go to the System Configuration page. There, in the "RT Configuration" section, I see this line:

> Plugins RT::Authen::ExternalAuth site config

And in the "Loaded perl modules" section, I see this line:

> RT::Interface::Web::Request 0.30\
> /opt/rt3/bin/../lib/RT/Interface/Web/Request.pm

I'm not sure where to go from here, and I'd appreciate any input. I'd also like to thank trs and jibsheet for helping me on IRC.

- Micah