Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
=> 'postalCode',
>             'Country' => 'co'
>         },
>     },
> } );
>
> Further assistance will be appreciated.
>
> -Mathew
>
> "When you do things right, people won't be sure you've done anything at
> all." - God; Futurama
>
> "We'll get along much better once you accept that you're wrong and
> neither am I." - Me
>
> On Fri, Oct 18, 2013 at 8:08 PM, Mathew Snyder wrote:
>
>> I've actually been trying to get debugging turned on for a few days now.
>> I've set all of the variables:
>>
>> Set( $LogToSTDERR, 'debug' );
>> Set( $LogToFile, 'debug' );
>> Set( $LogDir, '/var/log/' );
>> Set( $LogToFileNamed, 'rt.log' );
>> Set( $LogToSyslog, 'debug' );
>>
>> I'm not getting any detailed information at all. In fact, the rt.log file
>> isn't even being created. I had tried to set the directory to /opt/rt4/log,
>> but the file wasn't being created there, either.
>>
>> -Mathew
>>
>> "When you do things right, people won't be sure you've done anything at
>> all." - God; Futurama
>>
>> "We'll get along much better once you accept that you're wrong and
>> neither am I." - Me
>>
>> On Fri, Oct 18, 2013 at 7:51 AM, Parish, Brent wrote:
>>
>>> Hi Matthew
>>>
>>> It sounds to me like you were authenticating ok initially, but getting
>>> an error in creating the user.
>>>
>>> And to answer your initial question about the group and group_attr
>>> settings, I don’t use those at all and it works fine for me.
>>>
>>> I would recommend putting things back to how you first had them (to
>>> generate the error you originally posted), turn the log level up to debug,
>>> and try again.
>>>
>>> There are some debug statements within that method that may help
>>> identify where it is choking.
>>>
>>> - Brent
>>>
>>> From: Mathew Snyder [mailto:mathew.sny...@gmail.com]
>>> Sent: Thursday, October 17, 2013 1:50 PM
>>> To: Jeff Solberg
>>> Cc: rt-users@lists.bestpractical.com
>>> Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth
>>> LDAP settings, please
>>>
>>> I found another thread that indicated that the solution to the second
>>> problem was to add @domain to the end of the username. That just reverted
>>> to the previous list of errors with a couple new ones.
>>>
>>> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $_[1] in join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42.
>>> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $service in hash element at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 611.
>>> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
>>> Oct 17 16:47:50 zen-rt RT: [24673] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
>>> Oct 17 16:47:50 zen-rt RT: [24673] Couldn't create user user: Could not set user info
>>> Oct 17 16:47:50 zen-rt RT: [24673] FAILED LOGIN for user from 192.168.236.102
>>>
>>> From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Mathew Snyder
>>> Sent: Thursday, October 17, 2013 1:19 PM
>>> To: rt-users@lists.bestpractical.com
>>> Subject: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP
>>> settings, please
>>>
>>> These are the settings I
Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
I've actually been trying to get debugging turned on for a few days now.
I've set all of the variables:

Set( $LogToSTDERR, 'debug' );
Set( $LogToFile, 'debug' );
Set( $LogDir, '/var/log/' );
Set( $LogToFileNamed, 'rt.log' );
Set( $LogToSyslog, 'debug' );

I'm not getting any detailed information at all. In fact, the rt.log file
isn't even being created. I had tried to set the directory to /opt/rt4/log,
but the file wasn't being created there, either.

-Mathew

"When you do things right, people won't be sure you've done anything at
all." - God; Futurama

"We'll get along much better once you accept that you're wrong and
neither am I." - Me

On Fri, Oct 18, 2013 at 7:51 AM, Parish, Brent wrote:

> Hi Matthew
>
> It sounds to me like you were authenticating ok initially, but getting an
> error in creating the user.
>
> And to answer your initial question about the group and group_attr
> settings, I don’t use those at all and it works fine for me.
>
> I would recommend putting things back to how you first had them (to
> generate the error you originally posted), turn the log level up to debug,
> and try again.
>
> There are some debug statements within that method that may help identify
> where it is choking.
>
> - Brent
>
> From: Mathew Snyder [mailto:mathew.sny...@gmail.com]
> Sent: Thursday, October 17, 2013 1:50 PM
> To: Jeff Solberg
> Cc: rt-users@lists.bestpractical.com
> Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth
> LDAP settings, please
>
> I found another thread that indicated that the solution to the second
> problem was to add @domain to the end of the username. That just reverted
> to the previous list of errors with a couple new ones.
>
> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $_[1] in join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42.
> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $service in hash element at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 611.
> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
> Oct 17 16:47:50 zen-rt RT: [24673] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
> Oct 17 16:47:50 zen-rt RT: [24673] Couldn't create user user: Could not set user info
> Oct 17 16:47:50 zen-rt RT: [24673] FAILED LOGIN for user from 192.168.236.102
>
> From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Mathew Snyder
> Sent: Thursday, October 17, 2013 1:19 PM
> To: rt-users@lists.bestpractical.com
> Subject: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP
> settings, please
>
> These are the settings I've started with:
>
> Set($ExternalSettings, {
>     'AD' => {
>         'type' => 'ldap',
>         'server'=> 'domain_controller.example.com',
>         'base' => 'dc=example,dc=com',
>         'user' => 'rtuser',
>         'pass' => '',
>         'filter'=> '(ObjectClass=*)',
>         'tls' => 0,
>         'ssl_version' => 3,
>         'net_ldap_args' => [version => 3 ],
>         'attr_match_list' => [
>             'EmailAddress',
>         ],
>         'attr_map' => {
>             'Name' => 'sAMAccountName',
>             'EmailAddress' => 'mail',
>             'RealName' => 'cn',
>         },
>
> They aren't working. Whenever someone attempts an initial login with just
Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
Hi Matthew

It sounds to me like you were authenticating ok initially, but getting an
error in creating the user.

And to answer your initial question about the group and group_attr
settings, I don’t use those at all and it works fine for me.

I would recommend putting things back to how you first had them (to
generate the error you originally posted), turn the log level up to debug,
and try again.

There are some debug statements within that method that may help identify
where it is choking.

- Brent

From: Mathew Snyder [mailto:mathew.sny...@gmail.com]
Sent: Thursday, October 17, 2013 1:50 PM
To: Jeff Solberg
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

I found another thread that indicated that the solution to the second
problem was to add @domain to the end of the username. That just reverted
to the previous list of errors with a couple new ones.

Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $_[1] in join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42.
Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $service in hash element at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 611.
Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
Oct 17 16:47:50 zen-rt RT: [24673] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
Oct 17 16:47:50 zen-rt RT: [24673] Couldn't create user user: Could not set user info
Oct 17 16:47:50 zen-rt RT: [24673] FAILED LOGIN for user from 192.168.236.102

From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Mathew Snyder
Sent: Thursday, October 17, 2013 1:19 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

These are the settings I've started with:

Set($ExternalSettings, {
    'AD' => {
        'type' => 'ldap',
        'server'=> 'domain_controller.example.com',
        'base' => 'dc=example,dc=com',
        'user' => 'rtuser',
        'pass' => '',
        'filter'=> '(ObjectClass=*)',
        'tls' => 0,
        'ssl_version' => 3,
        'net_ldap_args' => [version => 3 ],
        'attr_match_list' => [
            'EmailAddress',
        ],
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName' => 'cn',
        },

They aren't working. Whenever someone attempts an initial login with just
their username (which should create their RT account) the following error
is logged:

Oct 17 15:02:29 zen-rt RT: [23131] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
Oct 17 15:02:29 zen-rt RT: [23131] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
Oct 17 16:14:01 zen-rt RT: [24382] Couldn't create user user: Could not set user info
Oct 17 16:14:01 zen-rt RT: [24382] FAILED LOGIN for user from 192.168.236.102

When initial logins are attempted with either example\username or
example.com\username only the FAILED LOGIN line is displayed.

We also have our Openfire Jabber server authenticating successfully. Those
settings are

ldap.autoFollowAliasReferrals = true
ldap.autoFollowReferrals = false
ldap.baseDN = dc=example,dc=com
ldap.connectionPoolEnabled = true
ldap.debugEnabled = false
ldap.emailField = mail
ldap.encloseDNs = true
ldap.groupDescriptionField = description
ldap.groupMemberField = member
ldap.groupNameField = cn
ldap.groupSearchFilter = (objectClass=group)
ldap.host = domain_controller.example.com
ldap.ldapDebugEnabled = false
ldap.nameField = cn
ldap.port = 389
ldap.searchFilter = (objectClass=*)
ldap.usernameField = sAMAccountName

I know they don't match up exactly in
Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
If I run the command the way you've formatted it I get "ldapsearch can't
contact ldap server (-1)". However, if I run 'ldapsearch -x -h
dc1.example.com -D rtuser -w -b "dc=example,dc=com" "(sAMAccountName=user)"'
I get all kinds of output:

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (sAMAccountName=user)
# requesting: ALL
#

# User Name, Information Systems, HQ Users, EXAMPLE Users, Users, ZEN USERS GROUPS and COMPUTERS, Example.com
dn: CN=User Name,OU=Information Systems,OU=HQ Users,OU=EXAMPLE Users,OU=Users
 ,OU=ZEN USERS GROUPS and COMPUTERS,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: User Name
sn: Name
givenName: User
distinguishedName: CN=User Name,OU=Information Systems,OU=HQ Users,OU=EXAMPLE Users,OU=Users,OU=ZEN USERS GROUPS and COMPUTERS,DC=example,DC=com
instanceType: 4
whenCreated: 20130930141549.0Z
whenChanged: 20131012190321.0Z
displayName: User Name
uSNCreated: 8802089
uSNChanged: 9320797
name: User Name
objectGUID:: f+PyYZ/6lEqKVGVs4/LT1A==
userAccountControl: 512
codePage: 0
countryCode: 0
pwdLastSet: 130250241494878224
primaryGroupID: 513
objectSid:: AQUAAAUV4MWjpccIJx5IwuT21g4AAA==
accountExpires: 9223372036854775807
sAMAccountName: user
sAMAccountType: 805306368
userPrincipalName: un...@example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
dSCorePropagationData: 1601010100.0Z
lastLogonTimestamp: 130260782012929006

# search reference
ref: ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com

# search reference
ref: ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com

# search reference
ref: ldap://example.com/CN=Configuration,DC=example,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

-Mathew

"When you do things right, people won't be sure you've done anything at
all." - God; Futurama

"We'll get along much better once you accept that you're wrong and
neither am I." - Me

On Thu, Oct 17, 2013 at 6:54 PM, Jeff Solberg wrote:

> That error code 49 is a generic LDAP error returned when the account
> you're using to bind has invalid creds, usually a bad or expired password..
>
> Do you have ldap tools installed on your RT server? If so run this command
> to test your bind account:
>
> ldapsearch -x -W -D"bindacco...@domain.com" "(sAMAccountName=some_user)"
>
> Enter Password of Bind account.
>
> Let us know the results..
>
> Jeff
>
> From: Mathew Snyder [mailto:mathew.sny...@gmail.com]
> Sent: Thursday, October 17, 2013 3:32 PM
> To: Jeff Solberg
> Cc: rt-users@lists.bestpractical.com
> Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth
> LDAP settings, please
>
> I've tried both the settings indicated by Jeff (excepting the SSO cookie
> settings) and Glenn. I'm still getting the
> "RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
> LDAP_INVALID_CREDENTIALS 49" error.
>
> -Mathew
>
> "When you do things right, people won't be sure you've done anything at
> all." - God; Futurama
>
> "We'll get along much better once you accept that you're wrong and
> neither am I." - Me
>
> On Thu, Oct 17, 2013 at 5:00 PM, Jeff Solberg wrote:
>
> Here is a copy of my working ExternalAuth Config..Hope this helps..
>
> #PLUGINS
> Set( @Plugins, qw(RT::Authen::ExternalAuth));
>
> #External Auth Settings
> #Set($WebExternalAuth , 1);
> #Set($WebFallbackToInternalAuth , 1);
> #Set(WebExternalAuto , 1);
> Set($ExternalAuthPriority, [ 'My_LDAP',] );
> Set($ExternalInfoPriority, [ 'My_LDAP',] );
> Set($ExternalServiceUsesSSLorTLS, 0);
> Set($AutoCreateNonExternalUsers, 0);
> Set($ExternalSettings, {
>     'My_LDAP' => {
>         'type' => 'ldap',
>         'server'=> '10.10.x.x',
>         'user' => 'cn= Bind Ldap,ou=User_Logins,dc=xxx,dc=xxx',
>         'pass'=> 'x',
>         'base' => 'dc=xxx,dc=xxx',
>         '
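An added example, not part of the thread: a Python check that parses `ldapsearch` LDIF output like the one posted above, applies an RT-Authen-ExternalAuth `attr_map` to the entry, and evaluates the `d_filter` disabled-account bit. The sample is constructed from the posted output (shortened; the entry as posted lists no `mail` attribute, so the sample has none either), and `parse_ldif`, `apply_attr_map`, `is_disabled` and `report` are hypothetical helper names, not the plugin's own code.

```python
import base64

# Constructed sample: a shortened copy of the entry in the posted ldapsearch
# output, keeping the folded dn line and one base64 ("::") attribute.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# filter: (sAMAccountName=user)
# requesting: ALL
#

# User Name, Information Systems, HQ Users, EXAMPLE Users, Users, Example.com
dn: CN=User Name,OU=Information Systems,OU=HQ Users,OU=EXAMPLE Users,OU=Users
 ,OU=ZEN USERS GROUPS and COMPUTERS,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: user
cn: User Name
objectGUID:: f+PyYZ/6lEqKVGVs4/LT1A==
userAccountControl: 512
sAMAccountName: user

# search reference
ref: ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com

# search result
search: 2
result: 0 Success
"""

# attr_map and attr_match_list from the settings first posted in the thread
# (RT user field -> LDAP attribute).
ATTR_MAP = {"Name": "sAMAccountName", "EmailAddress": "mail", "RealName": "cn"}
ATTR_MATCH_LIST = ["EmailAddress"]

# Bit tested by d_filter '(userAccountControl:1.2.840.113556.1.4.803:=2)'.
ACCOUNTDISABLE = 0x2


def unfold(text):
    """Join LDIF continuation lines (a line starting with a space continues the previous one)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return the entries that have a dn, each as {lower-cased attribute: [values]}."""
    entries, current = [], None
    for line in unfold(text) + [""]:
        if not line.strip():
            # A blank line ends a record; references and the result block have no dn.
            if current and "dn" in current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(name.lower(), []).append(value)
    return entries


def apply_attr_map(entry, attr_map):
    """Map RT fields to the first value of each LDAP attribute; absent ones become ''."""
    return {rt: (entry.get(ldap.lower()) or [""])[0] for rt, ldap in attr_map.items()}


def is_disabled(entry):
    """Apply the bitwise-AND rule from d_filter to userAccountControl."""
    uac = int((entry.get("useraccountcontrol") or ["0"])[0])
    return bool(uac & ACCOUNTDISABLE)


def report(ldif_text, attr_map, match_list):
    """Summarise what an attr_map lookup against the first entry would yield."""
    entry = parse_ldif(ldif_text)[0]
    mapped = apply_attr_map(entry, attr_map)
    empty = sorted(field for field, value in mapped.items() if value == "")
    return {
        "dn": entry["dn"][0],
        "mapped": mapped,
        "empty_fields": empty,
        "empty_match_keys": [f for f in match_list if f in empty],
        "disabled": is_disabled(entry),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LDIF, ATTR_MAP, ATTR_MATCH_LIST).items():
        print(f"{key}: {value}")
```

Feeding it real `ldapsearch` output for the account that fails to log in shows at a glance whether every attribute named in `attr_map` and `attr_match_list` is actually present on the directory entry.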
Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
I've tried both the settings indicated by Jeff (excepting the SSO cookie
settings) and Glenn. I'm still getting the
"RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
LDAP_INVALID_CREDENTIALS 49" error.

-Mathew

"When you do things right, people won't be sure you've done anything at
all." - God; Futurama

"We'll get along much better once you accept that you're wrong and
neither am I." - Me

On Thu, Oct 17, 2013 at 5:00 PM, Jeff Solberg wrote:

> Here is a copy of my working ExternalAuth Config..Hope this helps..
>
> #PLUGINS
> Set( @Plugins, qw(RT::Authen::ExternalAuth));
>
> #External Auth Settings
> #Set($WebExternalAuth , 1);
> #Set($WebFallbackToInternalAuth , 1);
> #Set(WebExternalAuto , 1);
> Set($ExternalAuthPriority, [ 'My_LDAP',] );
> Set($ExternalInfoPriority, [ 'My_LDAP',] );
> Set($ExternalServiceUsesSSLorTLS, 0);
> Set($AutoCreateNonExternalUsers, 0);
> Set($ExternalSettings, {
>     'My_LDAP' => {
>         'type' => 'ldap',
>         'server'=> '10.10.x.x',
>         'user' => 'cn= Bind Ldap,ou=User_Logins,dc=xxx,dc=xxx',
>         'pass'=> 'x',
>         'base' => 'dc=xxx,dc=xxx',
>         'filter'=> '(&(ObjectCategory=User)(ObjectClass=Person))',
>         'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>         # 'group' => 'cn=Domain Users,ou=Groups_Security,dc=xxx,dc=xxx',
>         # 'group_attr'=> 'member',
>         'tls' => 0,
>         'ssl_version' => 3,
>         'net_ldap_args' => [version => 3 ],
>         'group_scope' => 'base',
>         #'group_attr_value' => 'GROUP_ATTR_VALUE',
>         'attr_match_list' => [
>             'Name',
>             'EmailAddress',
>         ],
>         'attr_map' => {
>             'Name' => 'sAMAccountName',
>             'EmailAddress' => 'mail',
>             'Organization' => 'physicalDeliveryOfficeName',
>             'RealName' => 'cn',
>             'ExternalAuthId' => 'sAMAccountName',
>             'Gecos' => 'sAMAccountName',
>             'WorkPhone' => 'telephoneNumber',
>             'Address1' => 'streetAddress',
>             'City' => 'l',
>             'State' => 'st',
>             'Zip' => 'postalCode',
>             'Country' => 'co'
>         },
>     },
>     # An example SSO cookie service
>     'My_SSO_Cookie' => {
>         'type' => 'cookie',
>         'name' => 'loginCookieValue',
>         'u_table' => 'users',
>         'u_field' => 'username',
>         'u_match_key' => 'userID',
>         'c_table' => 'login_cookie',
>         'c_field' => 'loginCookieValue',
>         'c_match_key' => 'loginCookieUserID',
>         'db_service_name' => 'My_MySQL'
>     },
>
> From: Mathew Snyder [mailto:mathew.sny...@gmail.com]
> Sent: Thursday, October 17, 2013 1:50 PM
> To: Jeff Solberg
> Cc: rt-users@lists.bestpractical.com
> Subject: Re: [rt-users] I need help with the R
Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
These are the settings I've used in the past...

Set( $ExternalAuthPriority, ['My_LDAP']);
Set( $ExternalServiceUsesSSLorTLS, 0);
Set( $AutoCreateNonExternalUsers, 1);
Set( $ExternalInfoPriority, ['My_LDAP']);
Set( $ExternalSettings, {
    'My_LDAP' => { ## GENERIC SECTION
        'type' => 'ldap',
        'server'=> 'myserver.intranet.local',
        'port' => '389',
        'user' => 'myROuser@intranet.local',
        'pass' => 'password',
        'base' => 'dc=intranet,dc=local',
        'filter'=> '(objectClass=*)',
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'net_ldap_args' => [version => 3 ],
        'attr_match_list' => ['Name', 'EmailAddress' ],
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName' => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos' => 'sAMAccountName',
            'WorkPhone' => 'telephoneNumber',
        }
    },
});

Hopefully this helps you out..

Best,
--Glenn
Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
I found another thread that indicated that the solution to the second
problem was to add @domain to the end of the username. That just reverted
to the previous list of errors with a couple new ones.

Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $_[1] in join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42.
Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $service in hash element at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 611.
Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
Oct 17 16:47:50 zen-rt RT: [24673] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
Oct 17 16:47:50 zen-rt RT: [24673] Couldn't create user user: Could not set user info
Oct 17 16:47:50 zen-rt RT: [24673] FAILED LOGIN for user from 192.168.236.102

-Mathew

"When you do things right, people won't be sure you've done anything at
all." - God; Futurama

"We'll get along much better once you accept that you're wrong and
neither am I." - Me

On Thu, Oct 17, 2013 at 4:39 PM, Mathew Snyder wrote:

> I didn't know the OU until a few moments ago so I only entered
> "cn=user,dc=example,dc=com". That did seem to make a difference. However,
> I'm still not able to log in. Perhaps for other reasons, though:
>
> Oct 17 16:33:11 zen-rt RT: [24525] RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49
> Oct 17 16:33:11 zen-rt RT: [24525] FAILED LOGIN for example\user from 192.168.236.102
>
> I know I'm entering my username and password correctly and have again
> tried just the username, example\username, and example.com\username. I'm
> wondering if the LDAP_INVALID_CREDENTIALS error is because of the missing
> OU. I do know it now, but how do I enter an OU that has two words? I was
> told it is example.com/Special Accounts.
>
> -Mathew
>
> "When you do things right, people won't be sure you've done anything at
> all." - God; Futurama
>
> "We'll get along much better once you accept that you're wrong and
> neither am I." - Me
>
> On Thu, Oct 17, 2013 at 4:27 PM, Jeff Solberg wrote:
>
>> For your ‘server’ try using IP rather than hostname.
>>
>> Second for the ‘user’ field try using the DN name for your AD Binding
>> user…{cn=some_user,ou=some_ou,dc=some_domain,dc=com
>>
>> Hope this helps..
>>
>> Jeff
>>
>> From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Mathew Snyder
>> Sent: Thursday, October 17, 2013 1:19 PM
>> To: rt-users@lists.bestpractical.com
>> Subject: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP
>> settings, please
>>
>> These are the settings I've started with:
>>
>> Set($ExternalSettings, {
>>     'AD' => {
>>         'type' => 'ldap',
>>         'server'=> 'domain_controller.example.com',
>>         'base' => 'dc=example,dc=com',
>>         'user' => 'rtuser',
>>         'pass' => '',
>>         'filter'=> '(ObjectClass=*)',
>>         'tls' => 0,
>>         'ssl_version' => 3,
>>         'net_ldap_args' => [version => 3 ],
>>         'attr_match_list' => [
>>             'EmailAddress',
>>         ],
>>         'attr_map' => {
>>             'Name' => 'sAMAccountName',
>>             'EmailAddress' => 'mail',
>>             'RealName' => 'cn',
>>         },
>>
>> They aren't working. Whenever someone attempts an initial login with j
Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
You shouldn’t need to preface the domain in your username string. Also to
enter in an OU with 2 words just simply enter it as “OU=Special Accounts”..

To verify the CN name for your Bind account in AD, do a find/search on your
bind user account, right-click on the object and select properties. Choose
the Attribute Editor tab and scroll down to “distinguishedName”. This will
give you the exact name.

Jeff

From: Mathew Snyder [mailto:mathew.sny...@gmail.com]
Sent: Thursday, October 17, 2013 1:40 PM
To: Jeff Solberg
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

I didn't know the OU until a few moments ago so I only entered
"cn=user,dc=example,dc=com". That did seem to make a difference. However,
I'm still not able to log in. Perhaps for other reasons, though:

Oct 17 16:33:11 zen-rt RT: [24525] RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49
Oct 17 16:33:11 zen-rt RT: [24525] FAILED LOGIN for example\user from 192.168.236.102

I know I'm entering my username and password correctly and have again
tried just the username, example\username, and example.com\username. I'm
wondering if the LDAP_INVALID_CREDENTIALS error is because of the missing
OU. I do know it now, but how do I enter an OU that has two words? I was
told it is example.com/Special Accounts.

-Mathew

"When you do things right, people won't be sure you've done anything at
all." - God; Futurama

"We'll get along much better once you accept that you're wrong and
neither am I." - Me

On Thu, Oct 17, 2013 at 4:27 PM, Jeff Solberg <jsolb...@intrepidls.com> wrote:

For your ‘server’ try using IP rather than hostname.

Second for the ‘user’ field try using the DN name for your AD Binding
user…{cn=some_user,ou=some_ou,dc=some_domain,dc=com

Hope this helps..

Jeff

From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Mathew Snyder
Sent: Thursday, October 17, 2013 1:19 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

These are the settings I've started with:

Set($ExternalSettings, {
    'AD' => {
        'type' => 'ldap',
        'server'=> 'domain_controller.example.com',
        'base' => 'dc=example,dc=com',
        'user' => 'rtuser',
        'pass' => '',
        'filter'=> '(ObjectClass=*)',
        'tls' => 0,
        'ssl_version' => 3,
        'net_ldap_args' => [version => 3 ],
        'attr_match_list' => [
            'EmailAddress',
        ],
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName' => 'cn',
        },

They aren't working. Whenever someone attempts an initial login with just
their username (which should create their RT account) the following error
is logged:

Oct 17 15:02:29 zen-rt RT: [23131] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
Oct 17 15:02:29 zen-rt RT: [23131] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
Oct 17 16:14:01 zen-rt RT: [24382] Couldn't create user user: Could not set user info
Oct 17 16:14:01 zen-rt RT: [24382] FAILED LOGIN for user from 192.168.236.102

When initial logins are attempted with either example\username or
example.com\username only the FAILED LOGIN line is displayed.

We also have our Openfire Jabber server authenticating successfully. Those
settings are

ldap.autoFollowAliasReferrals = true
ldap.autoFollowReferrals = false
ldap.baseDN = dc=example,dc=com
ldap.connectionPoolEnabled = true
ldap.debugEnabled = false
ldap.emailField = mail
ldap.encloseDNs = true
ldap.groupDescriptionField = description
ldap.groupMemberField = member
ldap.groupNameField = cn
ldap.groupSearchFilter = (objectClass=group)
ldap.host = domain_controller.example.com
ldap.ldapDebugEnabled =
Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
I didn't know the OU until a few moments ago so I only entered "cn=user,dc=example,dc=com". That did seem to make a difference. However, I'm still not able to log in. Perhaps for other reasons, though: Oct 17 16:33:11 zen-rt RT: [24525] RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49 Oct 17 16:33:11 zen-rt RT: [24525] FAILED LOGIN for example\user from 192.168.236.102 I know I'm entering my username and password correctly and have again tried just the username, example\username, and example.com\username. I'm wondering if the LDAP_INVALID_CREDENTIALS error is because of the missing OU. I do know it now, but how do I enter an OU that has two words? I was told it is example.com/Special Accounts. -Mathew "When you do things right, people won't be sure you've done anything at all." - God; Futurama "We'll get along much better once you accept that you're wrong and neither am I." - Me On Thu, Oct 17, 2013 at 4:27 PM, Jeff Solberg wrote: > For your ‘server’ try using IP rather than hostname. > > Second for the ‘user’ field try using the DN name for your AD Binding > user…{cn=some_user,ou=some_ou,dc=some_domain,dc=com > > ** ** > > Hope this helps.. 
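Added example, not part of the original thread: the question above about an OU with two words comes down to LDAP DN syntax, where a space inside an RDN value needs no quoting or escaping (only a leading or trailing space does). The Python below converts an Active Directory canonical name into a DN with RFC 4514 escaping. The function names are hypothetical, the path example.com/Special Accounts/rtuser assumes the bind account sits in that OU, and every container between the domain and the object is assumed to be an OU.

```python
import re


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '",+;<>\\':
            out.append("\\" + ch)          # always-special characters
        elif ch == "\x00":
            out.append("\\00")             # NUL must be hex-escaped
        elif ch == " " and i in (0, last):
            out.append("\\ ")              # only leading/trailing spaces
        elif ch == "#" and i == 0:
            out.append("\\#")              # leading '#' means hex string
        else:
            out.append(ch)                 # inner spaces pass through as-is
    return "".join(out)


def canonical_to_dn(canonical: str, leaf_attr: str = "CN") -> str:
    """Turn 'domain/container/.../object' into an LDAP distinguished name.

    Assumption: intermediate containers are OUs. Built-in containers such
    as Users are CN= containers and have to be corrected by hand.
    """
    # Split on '/' unless it is escaped as '\/' inside a name.
    domain, *path = re.split(r"(?<!\\)/", canonical)
    path = [p.replace("\\/", "/") for p in path if p]
    if not domain or not path:
        raise ValueError("expected domain/container/.../object")
    *containers, leaf = path
    rdns = [f"{leaf_attr}={escape_rdn_value(leaf)}"]
    # A DN lists the most specific component first, so reverse the path.
    rdns += [f"OU={escape_rdn_value(c)}" for c in reversed(containers)]
    rdns += [f"DC={escape_rdn_value(label)}" for label in domain.split(".")]
    return ",".join(rdns)


if __name__ == "__main__":
    # Constructed input based on the OU named in the message above.
    print(canonical_to_dn("example.com/Special Accounts/rtuser"))
```

The resulting string is the form a bind-user setting such as 'user' expects when a full DN is required.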
Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
For your ‘server’ try using IP rather than hostname.

Second, for the ‘user’ field try using the DN name for your AD Binding user…{cn=some_user,ou=some_ou,dc=some_domain,dc=com

Hope this helps..

Jeff

From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Mathew Snyder
Sent: Thursday, October 17, 2013 1:19 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

These are the settings I've started with:

Set($ExternalSettings, {
    'AD' => {
        'type' => 'ldap',
        'server' => 'domain_controller.example.com',
        'base' => 'dc=example,dc=com',
        'user' => 'rtuser',
        'pass' => '',
        'filter' => '(ObjectClass=*)',
        'tls' => 0,
        'ssl_version' => 3,
        'net_ldap_args' => [ version => 3 ],
        'attr_match_list' => [
            'EmailAddress',
        ],
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName' => 'cn',
        },
    },
} );

They aren't working. Whenever someone attempts an initial login with just their username (which should create their RT account) the following error is logged:

Oct 17 15:02:29 zen-rt RT: [23131] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
Oct 17 15:02:29 zen-rt RT: [23131] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
Oct 17 16:14:01 zen-rt RT: [24382] Couldn't create user user: Could not set user info
Oct 17 16:14:01 zen-rt RT: [24382] FAILED LOGIN for user from 192.168.236.102

When initial logins are attempted with either example\username or example.com\username only the FAILED LOGIN line is displayed.

We also have our Openfire Jabber server authenticating successfully. Those settings are

ldap.autoFollowAliasReferrals = true
ldap.autoFollowReferrals = false
ldap.baseDN = dc=example,dc=com
ldap.connectionPoolEnabled = true
ldap.debugEnabled = false
ldap.emailField = mail
ldap.encloseDNs = true
ldap.groupDescriptionField = description
ldap.groupMemberField = member
ldap.groupNameField = cn
ldap.groupSearchFilter = (objectClass=group)
ldap.host = domain_controller.example.com
ldap.ldapDebugEnabled = false
ldap.nameField = cn
ldap.port = 389
ldap.searchFilter = (objectClass=*)
ldap.usernameField = sAMAccountName

I know they don't match up exactly in terms of what Openfire calls the settings vs. what RT does, but I'm hoping someone can help me sort out what should be plugged in where on the RT side. For example, I don't know what the group_attr or group_attr_value setting should contain (if anything) in the RT_SiteConfig.pm file. Basically, anything from the "group" settings.

-Mathew

"When you do things right, people won't be sure you've done anything at all." - God; Futurama

"We'll get along much better once you accept that you're wrong and neither am I." - Me
[rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
These are the settings I've started with:

Set($ExternalSettings, {
    'AD' => {
        'type' => 'ldap',
        'server' => 'domain_controller.example.com',
        'base' => 'dc=example,dc=com',
        'user' => 'rtuser',
        'pass' => '',
        'filter' => '(ObjectClass=*)',
        'tls' => 0,
        'ssl_version' => 3,
        'net_ldap_args' => [ version => 3 ],
        'attr_match_list' => [
            'EmailAddress',
        ],
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName' => 'cn',
        },
    },
} );

They aren't working. Whenever someone attempts an initial login with just their username (which should create their RT account) the following error is logged:

Oct 17 15:02:29 zen-rt RT: [23131] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
Oct 17 15:02:29 zen-rt RT: [23131] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
Oct 17 16:14:01 zen-rt RT: [24382] Couldn't create user user: Could not set user info
Oct 17 16:14:01 zen-rt RT: [24382] FAILED LOGIN for user from 192.168.236.102

When initial logins are attempted with either example\username or example.com\username only the FAILED LOGIN line is displayed.

We also have our Openfire Jabber server authenticating successfully. Those settings are

ldap.autoFollowAliasReferrals = true
ldap.autoFollowReferrals = false
ldap.baseDN = dc=example,dc=com
ldap.connectionPoolEnabled = true
ldap.debugEnabled = false
ldap.emailField = mail
ldap.encloseDNs = true
ldap.groupDescriptionField = description
ldap.groupMemberField = member
ldap.groupNameField = cn
ldap.groupSearchFilter = (objectClass=group)
ldap.host = domain_controller.example.com
ldap.ldapDebugEnabled = false
ldap.nameField = cn
ldap.port = 389
ldap.searchFilter = (objectClass=*)
ldap.usernameField = sAMAccountName

I know they don't match up exactly in terms of what Openfire calls the settings vs. what RT does, but I'm hoping someone can help me sort out what should be plugged in where on the RT side. For example, I don't know what the group_attr or group_attr_value setting should contain (if anything) in the RT_SiteConfig.pm file. Basically, anything from the "group" settings.

-Mathew

"When you do things right, people won't be sure you've done anything at all." - God; Futurama

"We'll get along much better once you accept that you're wrong and neither am I." - Me