Re: [rt-users] LDAP authentication problem

2011-11-15 Thread mjames
I turned on logging on the Domain Controller and tried to auto-create a user by 
email. There weren't any indications on the DC of an LDAP inquiry, so I'm 
wondering if I'm missing a perl module. Whereas command-line ldapsearch 
completes successfully and I see logging on the DC.

I don't see anything indicative in /var/log/messages other than the errors I 
included below. Thanks for any suggestions.

Mike

From: rt-users-boun...@lists.bestpractical.com 
[mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of 
mja...@guesswho.com
Sent: Monday, November 14, 2011 4:28 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] LDAP authentication problem

Hi, I know there are tons of questions on the list about getting LDAP 
authentication to work. And I have done it before at other employers, so I'm 
even more frustrated...

Here's what I've got:
RT 4.0.2 on CentOS 5.7
RT-Authen-ExternalAuth-0.09.tar.gz
Active Directory on Server 2008 R2

I set up the /opt/rt4/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm 
file with the LDAP parameters that I thought would work. Also, I can do a 
successful ldapsearch from the command line against the AD server with the same 
credentials.

Here's an ldapsearch run from the CLI on my RT server. This returns a 
successful result from the domain controller.
[root@host ~]# ldapsearch -h dc-01.mydomain.com -x -b "dc=mydomain,dc=com" -D 
"cn=mike james,cn=users,dc=mydomain,dc=com" -w 'mypasswd' 
"mail=anyu...@mydomain.com"

Here's the LDAP portion of my config file. I got the d_filter from a google 
search. It was mentioned in a couple of places as being the correct string for 
disabled users.
# AN EXAMPLE LDAP SERVICE
'My_LDAP'   =>  {   ## GENERIC SECTION
    'type'              =>  'ldap',
    'server'            =>  'dc-01.mydomain.com',
    'user'              =>  'cn=mike james,cn=users,dc=mydomain,dc=com',
    'pass'              =>  'mypasswd',
    'base'              =>  'dc=mydomain,dc=com',
    'filter'            =>  '(objectClass=*)',
    'd_filter'          =>  '(userAccountControl:1.2.840.113556.1.4.803:=2))',
    'tls'               =>  0,
    'ssl_version'       =>  3,
    'net_ldap_args'     => [version =>  3   ],
    'attr_match_list'   => ['Name',
                            'EmailAddress'
                           ],
    # The mapping of RT attributes on to LDAP attributes
    'attr_map'          =>  {   'Name' => 'sAMAccountName',
                                'EmailAddress' => 'mail',
                                'RealName' => 'cn'
                            }

All requests for new tickets are being rejected, and it's making me crazy. Any 
ideas?

Nov 14 15:07:46 x-tracker-01 RT: Use of uninitialized value in join or string 
at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 23. 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
Nov 14 15:07:46 x-tracker-01 RT: RT::Authen::ExternalAuth::CanonicalizeUserInfo 
returning Comments: Autocreated on ticket submission, Disabled: 0, 
EmailAddress: mja...@mydomain.com, Name: mja...@mydomain.com, Password: , 
Privileged: 0, RealName:  
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
Nov 14 15:07:46 x-tracker-01 RT: 

[rt-users] LDAP authentication problem

2011-11-14 Thread mjames
Hi, I know there are tons of questions on the list about getting LDAP 
authentication to work. And I have done it before at other employers, so I'm 
even more frustrated...

Here's what I've got:
RT 4.0.2 on CentOS 5.7
RT-Authen-ExternalAuth-0.09.tar.gz
Active Directory on Server 2008 R2

I set up the /opt/rt4/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm 
file with the LDAP parameters that I thought would work. Also, I can do a 
successful ldapsearch from the command line against the AD server with the same 
credentials.

Here's an ldapsearch run from the CLI on my RT server. This returns a 
successful result from the domain controller.
[root@host ~]# ldapsearch -h dc-01.mydomain.com -x -b "dc=mydomain,dc=com" -D 
"cn=mike james,cn=users,dc=mydomain,dc=com" -w 'mypasswd' 
"mail=anyu...@mydomain.com"

Here's the LDAP portion of my config file. I got the d_filter from a google 
search. It was mentioned in a couple of places as being the correct string for 
disabled users.
# AN EXAMPLE LDAP SERVICE
'My_LDAP'   =>  {   ## GENERIC SECTION
    'type'              =>  'ldap',
    'server'            =>  'dc-01.mydomain.com',
    'user'              =>  'cn=mike james,cn=users,dc=mydomain,dc=com',
    'pass'              =>  'mypasswd',
    'base'              =>  'dc=mydomain,dc=com',
    'filter'            =>  '(objectClass=*)',
    'd_filter'          =>  '(userAccountControl:1.2.840.113556.1.4.803:=2))',
    'tls'               =>  0,
    'ssl_version'       =>  3,
    'net_ldap_args'     => [version =>  3   ],
    'attr_match_list'   => ['Name',
                            'EmailAddress'
                           ],
    # The mapping of RT attributes on to LDAP attributes
    'attr_map'          =>  {   'Name' => 'sAMAccountName',
                                'EmailAddress' => 'mail',
                                'RealName' => 'cn'
                            }

All requests for new tickets are being rejected, and it's making me crazy. Any 
ideas?

Nov 14 15:07:46 x-tracker-01 RT: Use of uninitialized value in join or string 
at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 23. 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
Nov 14 15:07:46 x-tracker-01 RT: RT::Authen::ExternalAuth::CanonicalizeUserInfo 
returning Comments: Autocreated on ticket submission, Disabled: 0, 
EmailAddress: mja...@mydomain.com, Name: mja...@mydomain.com, Password: , 
Privileged: 0, RealName:  
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
Nov 14 15:07:46 x-tracker-01 RT: User creation failed in mailgateway: Could not 
set user info (/opt/rt4/sbin/../lib/RT/Interface/Email.pm:244)
Nov 14 15:07:46 x-tracker-01 RT: Couldn't load user 
'mja...@mydomain.com'.giving up 
(/opt/rt4/sbin/../lib/RT/Interface/Email.pm:1016)
Nov 14 15:07:46 x-tracker-01 RT: User  'mja...@mydomain.com' could not be 
loaded in the mail gateway (/opt/rt4/sbin/../lib/RT/Interface/Email.pm:244)
Nov 14 15:07:46 x-tracker-01 RT: RT could not load a valid user, and RT's 
configuration does not allow for the creation of a new user for this email 
(mja...@mydomain.com).  You might need to grant 'Everyone' the right 
'CreateTicket' for the queue general. 
(/opt/rt4/sbin/../lib/RT/Interface/Email.pm:244)
Nov 14 15:07:46 x-tracker-01 RT: RT could not load a valid user, and RT's 
configuration does not allow for the creation of a new user for your email. 
(/opt/rt4/sbin/../lib/RT/Interface/Email.pm:244)
Nov 14 15:07:46 x-tracker-01 RT: Could not record email: Could not load a valid 
user (/opt/rt4/share/html/REST/1.0/NoAuth/mail-gateway:75)

Thanks, Mike

RT Training Sessions (http://bestpractical.com/services/training.html)
*  Barcelona, Spain — Nove
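
A structural check for the two filter strings in the config posted above, as an added example (not part of the original message or of RT-Authen-ExternalAuth). It is a simplified parser for the RFC 4515 filter grammar that reports where a filter stops being well formed and decodes Active Directory's bitwise matching rules; the function names are illustrative and the filter values are copied from the post.

```python
import re

# Active Directory bitwise matching rules usable in an extensible-match item.
AD_MATCHING_RULES = {
    "1.2.840.113556.1.4.803": "LDAP_MATCHING_RULE_BIT_AND",
    "1.2.840.113556.1.4.804": "LDAP_MATCHING_RULE_BIT_OR",
}
UF_ACCOUNTDISABLE = 0x2  # userAccountControl flag for a disabled account

# Simplified RFC 4515 item: attr[:dn][:rule]:=value  or  attr(=|~=|>=|<=)value
ITEM_RE = re.compile(
    r"^(?P<attr>[A-Za-z][A-Za-z0-9.;-]*)"
    r"(?P<dn>:dn)?(?::(?P<rule>[0-9.]+|[A-Za-z][A-Za-z0-9-]*))?"
    r"(?P<op>:=|~=|>=|<=|=)(?P<value>[^()]*)$"
)


class FilterError(ValueError):
    pass


def parse_filter(text):
    """Parse one filter string; return a nested tuple or raise FilterError."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError(
            f"unexpected {text[pos]!r} at offset {pos} after a complete filter")
    return node


def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise FilterError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op = text[pos]
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise FilterError(f"operator {op!r} has the wrong number of operands")
        node = (op, children)
    else:
        end = pos
        while end < len(text) and text[end] not in "()":
            end += 1
        m = ITEM_RE.match(text[pos:end])
        # A matching rule or :dn is only valid with the ':=' operator.
        if not m or ((m["rule"] or m["dn"]) and m["op"] != ":="):
            raise FilterError(
                f"malformed comparison {text[pos:end]!r} at offset {pos}")
        node = ("item", m["attr"], m["rule"], m["op"], m["value"])
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise FilterError(f"missing ')' at offset {pos}")
    return node, pos + 1


def describe(node):
    """One-line summary of a parsed filter; decodes AD bitwise rules."""
    if node[0] in ("&", "|", "!"):
        return node[0] + "(" + ", ".join(describe(c) for c in node[1]) + ")"
    _, attr, rule, op, value = node
    if rule in AD_MATCHING_RULES and value.isdigit():
        disabled = (attr.lower() == "useraccountcontrol"
                    and int(value) == UF_ACCOUNTDISABLE)
        note = " (ACCOUNTDISABLE)" if disabled else ""
        return f"{attr} {AD_MATCHING_RULES[rule]} {hex(int(value))}{note}"
    return f"{attr} {op} {value}"


# Values copied from the 'filter' and 'd_filter' keys of the posted config.
POSTED = {
    "filter": "(objectClass=*)",
    "d_filter": "(userAccountControl:1.2.840.113556.1.4.803:=2))",
}


def check_filters(filters):
    """Return {key: (ok, detail)} for each filter string."""
    out = {}
    for key, text in filters.items():
        try:
            out[key] = (True, describe(parse_filter(text)))
        except FilterError as exc:
            out[key] = (False, str(exc))
    return out


if __name__ == "__main__":
    for key, (ok, detail) in check_filters(POSTED).items():
        print(f"{key:9} {'ok ' if ok else 'BAD'} {detail}")
```

Run against the posted values, it accepts `filter` and rejects `d_filter`, which carries one more `)` than `(`.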

Re: [rt-users] LDAP authentication best practices

2011-10-05 Thread Ruslan Zakirov
To disable auth you can use location directives. For mailgate it's good to
protect path by IP or host name.

Regards, Ruslan. From phone.
On 05.10.2011 8:06, "declaya" wrote:
>
>
> Thomas Smith-12 wrote:
>>
>>
>>
>> Discovered another issue... This one isn't strictly RT-related, I don't
>> think.
>>
>> The email gateway is no longer working. When I configured Apache auth,
>> I had to do it at the /opt/rt4 level--otherwise, RT would display the
>> login page without the option to login and SSO wouldn't work. Now the
>> mail gateway is unable to insert new tickets into the database as the
>> area it's trying to access is password protected. Are there any
>> best-practices for lifting the security off of this one directory
>> (NoAuth only, right?) while maintaining SSO on the remainder of the
>> system? Every time I exclude this directory from authentication, SSO
>> breaks.
>>
>>
>>
>
> Hi Thomas,
> I was facing the same problem (and I'm still curious about how to configure
> Apache using SSO with NTLMv2, but that's another problem;) when I changed the
> login behavior for Apache.
> You have to change the Apache config: The NoAuth directories must be
> excluded from your AD authentication, so you have to set "satisfy any" and
> "Allow from all" for those directories.
>
> So my Apache config looks like this:
>
> [...]
> 
> --->here goes your Auth config for the users
> 
>
> 
> SetHandler modperl
> PerlResponseHandler Plack::Handler::Apache2
> satisfy any
> allow from all
> 
>
> 
> SetHandler modperl
> PerlResponseHandler Plack::Handler::Apache2
> satisfy any
> allow from all
> 
>
> 
> satisfy any
> allow from all
> 
> [...]
>
> I'm not completely sure, which of the directories is the right one, but
> until now it works for me.
> Hope this helps a bit!
>
> Have a nice day!
> --
> View this message in context:
> http://old.nabble.com/LDAP-authentication-best-practices-tp32585400p32594359.html
> Sent from the Request Tracker - User mailing list archive at Nabble.com.
>
> 

RT Training Sessions (http://bestpractical.com/services/training.html)
*  San Francisco, CA, USA — October 18 & 19, 2011
*  Washington DC, USA — October 31 & November 1, 2011
*  Barcelona, Spain — November 28 & 29, 2011

Re: [rt-users] LDAP authentication best practices

2011-10-04 Thread Thomas Smith
On Tue, Oct 4, 2011 at 11:06 PM, declaya  wrote:
>
>
> Thomas Smith-12 wrote:
>>
>>
>>
>> Discovered another issue... This one isn't strictly RT-related, I don't
>> think.
>>
>> The email gateway is no longer working. When I configured Apache auth,
>> I had to do it at the /opt/rt4 level--otherwise, RT would display the
>> login page without the option to login and SSO wouldn't work. Now the
>> mail gateway is unable to insert new tickets into the database as the
>> area it's trying to access is password protected. Are there any
>> best-practices for lifting the security off of this one directory
>> (NoAuth only, right?) while maintaining SSO on the remainder of the
>> system? Every time I exclude this directory from authentication, SSO
>> breaks.
>>
>>
>>
>
> Hi Thomas,
> I was facing the same problem (and I'm still curious about how to configure
> Apache using SSO with NTLMv2, but that's another problem;) when I changed the
> login behavior for Apache.
> You have to change the Apache config: The NoAuth directories must be
> excluded from your AD authentication, so you have to set "satisfy any" and
> "Allow from all" for those directories.
>
> So my Apache config looks like this:
>
> [...]
> 
>  --->here goes your Auth config for the users
> 
>
> 
>  SetHandler modperl
>  PerlResponseHandler Plack::Handler::Apache2
>  satisfy any
>  allow from all
> 
>
> 
>  SetHandler modperl
>  PerlResponseHandler Plack::Handler::Apache2
>  satisfy any
>  allow from all
> 
>
> 
>  satisfy any
>  allow from all
> 
> [...]
>
> I'm not completely sure, which of the directories is the right one, but
> until now it works for me.
> Hope this helps a bit!

Thank you! I did something similar, just used a different method. What
I found to work best, at least for my situation, was to add the
following to the Directory directive for /opt/rt4.


... LDAP auth stuff omitted ...

SetEnvIf Request_URI "^/(NoAuth|REST/1.0/NoAuth)(.*)$" allow
Order allow,deny
Allow from env=allow
Satisfy Any


So far, this seems to be working and I haven't yet found any issues in
the tests that I've done--LDAP authentication is triggered if one
accesses any directory but the ones listed in the SetEnvIf statement.

I'd welcome the input if anyone knows of a better or cleaner way to
achieve this result.

RT Training Sessions (http://bestpractical.com/services/training.html)
*  San Francisco, CA, USA  October 18 & 19, 2011
*  Washington DC, USA  October 31 & November 1, 2011
*  Barcelona, Spain  November 28 & 29, 2011
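
To see which requests the SetEnvIf rule above exempts from LDAP authentication, and what Ruslan's suggestion of limiting the mail gateway by IP changes, this added example (not from the thread) models both policies and compares them on sample requests. The tightened pattern, the `MAIL_HOSTS` list, the function names and the sample paths are assumptions constructed for illustration; the model covers only the pattern match and the `Satisfy Any` outcome, not Apache itself.

```python
import ipaddress
import re

# Pattern exactly as posted in the SetEnvIf line above.
POSTED_PATTERN = r"^/(NoAuth|REST/1.0/NoAuth)(.*)$"
# Assumed tightening (not from the thread): a literal dot in "1.0" and a
# path-segment boundary directly after "NoAuth".
TIGHT_PATTERN = r"^/(NoAuth|REST/1\.0/NoAuth)(/|$)"
# Mail gateway path, and the hosts allowed to post mail to it without
# credentials (assumption: the MTA runs on the RT host itself).
MAILGATE_PATH = "/REST/1.0/NoAuth/mail-gateway"
MAIL_HOSTS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("::1/128")]


def env_allow(pattern, uri):
    """Model of SetEnvIf Request_URI: is the 'allow' variable set for this path?"""
    return re.search(pattern, uri) is not None


def posted_policy(uri, client_ip):
    """'open' if Satisfy Any admits the request without credentials, else 'login'."""
    return "open" if env_allow(POSTED_PATTERN, uri) else "login"


def restricted_policy(uri, client_ip):
    """Tightened pattern, with the mail gateway open only to MAIL_HOSTS."""
    if uri == MAILGATE_PATH or uri.startswith(MAILGATE_PATH + "/"):
        ip = ipaddress.ip_address(client_ip)
        return "open" if any(ip in net for net in MAIL_HOSTS) else "login"
    return "open" if env_allow(TIGHT_PATTERN, uri) else "login"


# Constructed sample requests: (request path, client address).
SAMPLES = [
    ("/NoAuth/css/main.css", "192.0.2.10"),
    ("/REST/1.0/NoAuth/mail-gateway", "127.0.0.1"),
    ("/REST/1.0/NoAuth/mail-gateway", "192.0.2.10"),
    ("/REST/1x0/NoAuth/mail-gateway", "192.0.2.10"),
    ("/NoAuthOther/page.html", "192.0.2.10"),
    ("/Ticket/Display.html", "192.0.2.10"),
]


def compare(samples=SAMPLES):
    """Rows of (path, client, posted decision, restricted decision)."""
    return [(uri, ip, posted_policy(uri, ip), restricted_policy(uri, ip))
            for uri, ip in samples]


if __name__ == "__main__":
    for uri, ip, posted, restricted in compare():
        print(f"{uri:32} {ip:12} posted={posted:6} restricted={restricted}")
```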


Re: [rt-users] LDAP authentication best practices

2011-10-04 Thread declaya


Thomas Smith-12 wrote:
> 
> 
> 
> Discovered another issue... This one isn't strictly RT-related, I don't
> think.
> 
> The email gateway is no longer working. When I configured Apache auth,
> I had to do it at the /opt/rt4 level--otherwise, RT would display the
> login page without the option to login and SSO wouldn't work. Now the
> mail gateway is unable to insert new tickets into the database as the
> area it's trying to access is password protected. Are there any
> best-practices for lifting the security off of this one directory
> (NoAuth only, right?) while maintaining SSO on the remainder of the
> system? Every time I exclude this directory from authentication, SSO
> breaks.
> 
> 
> 
 
Hi Thomas,
I was facing the same problem (and I'm still curious about how to configure
Apache using SSO with NTLMv2, but that's another problem;) when I changed the
login behavior for Apache.
You have to change the Apache config: The NoAuth directories must be
excluded from your AD authentication, so you have to set "satisfy any" and
"Allow from all" for those directories.

So my Apache config looks like this:

[...]

  --->here goes your Auth config for the users



  SetHandler modperl
  PerlResponseHandler Plack::Handler::Apache2
  satisfy any
  allow from all



  SetHandler modperl
  PerlResponseHandler Plack::Handler::Apache2
  satisfy any
  allow from all



  satisfy any
  allow from all

[...]

I'm not completely sure, which of the directories is the right one, but
until now it works for me.
Hope this helps a bit!

Have a nice day!
-- 
View this message in context: 
http://old.nabble.com/LDAP-authentication-best-practices-tp32585400p32594359.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.




Re: [rt-users] LDAP authentication best practices

2011-10-04 Thread Thomas Smith
On Tue, Oct 4, 2011 at 8:42 PM, Thomas Smith  wrote:
> Thanks Kevin! That setting worked!
>
> On Tue, Oct 4, 2011 at 1:37 PM, Kevin Falcone  
> wrote:
>> On Tue, Oct 04, 2011 at 01:22:24PM -0700, Thomas Smith wrote:
>>> Thanks again Ruslan!
>>>
>>> I've got this mostly working but I'm missing something and I'm just
>>> not seeing what that is...
>>>
>>> Apache auth via LDAP (mod_auth_ldap) is working correctly--the user
>>> gets into RT, but no options are available except "Tickets" (along
>>> with Open, Create, etc, within the Tickets menu). And the new user can
>>> see that they're logged in, "Logged in as user". However, their user
>>> account is not being created within the RT database and there are no
>>> available options for their account (no drop-down for "Logged in as
>>> user") under their login.
>>
>> Sounds like users are being created Unprivileged.
>> Use $AutoCreate in RT_SiteConfig.pm if you wish them to be created
>> Privileged.  You can search for and make users Privileged from the
>> user admin pages.  They will not be listed in the list of current
>> users if they are Unprivileged (but will have records in the Users
>> table).
>
> Discovered another issue... This one isn't strictly RT-related, I don't think.
>
> The email gateway is no longer working. When I configured Apache auth,
> I had to do it at the /opt/rt4 level--otherwise, RT would display the
> login page without the option to login and SSO wouldn't work. Now the
> mail gateway is unable to insert new tickets into the database as the
> area it's trying to access is password protected. Are there any
> best-practices for lifting the security off of this one directory
> (NoAuth only, right?) while maintaining SSO on the remainder of the
> system? Every time I exclude this directory from authentication, SSO
> breaks.

Sorry, here are the errors I'm seeing in the maillog regarding rt-mailgate.

Oct  4 20:53:14 hostname postfix/local[12080]: 82FEA7BDE5:
to=,
orig_to=, relay=local, delay=18072,
status=deferred (temporary failure. Command output: An Error Occurred
=  401 Authorization Required )
Oct  4 20:53:14 hostname postfix/local[12079]: 0DDC943BD1:
to=,
orig_to=, relay=local, delay=19194,
status=deferred (temporary failure. Command output: An Error Occurred
=  401 Authorization Required )



Re: [rt-users] LDAP authentication best practices

2011-10-04 Thread Thomas Smith
Thanks Kevin! That setting worked!

On Tue, Oct 4, 2011 at 1:37 PM, Kevin Falcone  wrote:
> On Tue, Oct 04, 2011 at 01:22:24PM -0700, Thomas Smith wrote:
>> Thanks again Ruslan!
>>
>> I've got this mostly working but I'm missing something and I'm just
>> not seeing what that is...
>>
>> Apache auth via LDAP (mod_auth_ldap) is working correctly--the user
>> gets into RT, but no options are available except "Tickets" (along
>> with Open, Create, etc, within the Tickets menu). And the new user can
>> see that they're logged in, "Logged in as user". However, their user
>> account is not being created within the RT database and there are no
>> available options for their account (no drop-down for "Logged in as
>> user") under their login.
>
> Sounds like users are being created Unprivileged.
> Use $AutoCreate in RT_SiteConfig.pm if you wish them to be created
> Privileged.  You can search for and make users Privileged from the
> user admin pages.  They will not be listed in the list of current
> users if they are Unprivileged (but will have records in the Users
> table).

Discovered another issue... This one isn't strictly RT-related, I don't think.

The email gateway is no longer working. When I configured Apache auth,
I had to do it at the /opt/rt4 level--otherwise, RT would display the
login page without the option to login and SSO wouldn't work. Now the
mail gateway is unable to insert new tickets into the database as the
area it's trying to access is password protected. Are there any
best-practices for lifting the security off of this one directory
(NoAuth only, right?) while maintaining SSO on the remainder of the
system? Every time I exclude this directory from authentication, SSO
breaks.

~ Tom



Re: [rt-users] LDAP authentication best practices

2011-10-04 Thread Kevin Falcone
On Tue, Oct 04, 2011 at 01:22:24PM -0700, Thomas Smith wrote:
> Thanks again Ruslan!
> 
> I've got this mostly working but I'm missing something and I'm just
> not seeing what that is...
> 
> Apache auth via LDAP (mod_auth_ldap) is working correctly--the user
> gets into RT, but no options are available except "Tickets" (along
> with Open, Create, etc, within the Tickets menu). And the new user can
> see that they're logged in, "Logged in as user". However, their user
> account is not being created within the RT database and there are no
> available options for their account (no drop-down for "Logged in as
> user") under their login.

Sounds like users are being created Unprivileged.
Use $AutoCreate in RT_SiteConfig.pm if you wish them to be created
Privileged.  You can search for and make users Privileged from the
user admin pages.  They will not be listed in the list of current
users if they are Unprivileged (but will have records in the Users
table).

-kevin

> I'm seeing these errors when each new user connects to RT.
> 
> [Tue Oct  4 20:04:22 2011] [debug]: Attempting to use external auth
> service: My_LDAP
> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Tue Oct  4 20:04:22 2011] [debug]: SSO Failed and no user to test
> with. Nexting 
> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
> [Tue Oct  4 20:04:22 2011] [debug]: Autohandler called ExternalAuth.
> Response: (0, No User)
> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
> 
> If the user already exists, however, login works fine and the user is
> able to function as expected in RT.
> 
> What am I missing here? I've looked at (and for) the various "auto
> create" options but haven't gotten very far with this. WebExternalAuth
> and WebExternalAuto are both set to 1.
> 
> 
> On Mon, Oct 3, 2011 at 3:19 PM, Ruslan Zakirov  wrote:
> > Hi,
> >
> >
> > On Tue, Oct 4, 2011 at 12:14 AM, Thomas Smith  wrote:
> >> Thanks Ruslan!
> >>
> >> Yes, I am looking for SSO. I also left out RT (4.0.2) and Apache
> >
> > If you need SSO then you should teach your Apache to do that. You do
> > SSO in Apache, then use the WebExternalAuth option so RT picks up the user
> > name from Apache. In combination you can use either the LDAPImport or
> > ExternalAuth extensions to fetch additional info from LDAP and keep it
> > up to date in RT.
> >
> >
> >> (2.0.63) versions. This server is currently running on COS 4.8 but
> >> will soon be upgraded to 6. I also performed the RT upgrade from 3.8.8
> >> last night (not sure if that matters for this question though).
> >>
> >> On Mon, Oct 3, 2011 at 3:03 PM, Ruslan Zakirov  
> >> wrote:
> >>> Hi,
> >>>
> >>> On Mon, Oct 3, 2011 at 11:28 PM, Thomas Smith  
> >>> wrote:
> >>>> Hi,
> >>>>
> >>>> I'm looking at using LDAP authentication to auth against a Win2k8 R2 AD
> >>>> server. I've seen a few different ways to do this on the website and
> >>>> through Google-ing but none are consistent and none cover all that I'd
> >>>> like to accomplish with this.
> >>>>
> >>>> What I'd like to do is this:
> >>>>
> >>>>    * Authenticate users against AD who login through the web
> >>>> interface. As part of this authentication (for non-existent RT users),
> >>>> create the user's account using their AD username as their RT Username
> >>>> and their AD primary SMTP address as their RT Email.
> >>>>    * When non-existing users submit a ticket via email, have RT check
> >>>> that email against AD and if it finds a user associated with that
> >>>> email, create a new account using the user's AD username as RT's
> >>>> Username and the user's AD email address as RT's Email.
> >>>>    * Reject all other requests (and auto creations) for users who
> >>>> don't already exist in AD or the local RT user database.
> >>>>
> >>>> Is it possible to do all of these things?
> >>>
> >>>
> >>> See http://requesttracker.wikia.com/wiki/LDAP
> >>>
> >>> You didn't say if you need SSO or not.
> >>>
> >>> To check and add users when they send emails and don't exist in the
> >>> system, you need RT::Authen::ExternalAuth. If you need SSO and LDAP is
> >>> quite static then you can use apache for SSO and LDAPImport [1] to
> >>> periodically import and/or update users.
> >>>
> >>> [1] 
> >>> http://cpansearch.perl.org/src/FALCONE/RT-Extension-LDAPImport-0.31/README
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>>
> >>>> --
> >>>> Thomas Smith
> >>>> Cell: 602-882-2917
> >>>>
> 
> >>>
> >>>
> >>>
> >>> --
> >>> Best regards, Ruslan.
> >>>
> >>
> >>
> >>
> >> --
> >> Thomas Smith
> >> Cell: 602-882-2917
> >>
> >
> >
> >
> > --
> > Best regards, Ruslan.
> >
> 
> 
> 
> -- 
> Thomas Smith

Re: [rt-users] LDAP authentication best practices

2011-10-04 Thread Thomas Smith
Thanks again Ruslan!

I've got this mostly working but I'm missing something and I'm just
not seeing what that is...

Apache auth via LDAP (mod_auth_ldap) is working correctly--the user
gets into RT, but no options are available except "Tickets" (along
with Open, Create, etc, within the Tickets menu). And the new user can
see that they're logged in, "Logged in as user". However, their user
account is not being created within the RT database and there are no
available options for their account (no drop-down for "Logged in as
user") under their login.

I'm seeing these errors when each new user connects to RT.

[Tue Oct  4 20:04:22 2011] [debug]: Attempting to use external auth
service: My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Oct  4 20:04:22 2011] [debug]: SSO Failed and no user to test
with. Nexting 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Tue Oct  4 20:04:22 2011] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)

If the user already exists, however, login works fine and the user is
able to function as expected in RT.

What am I missing here? I've looked at (and for) the various "auto
create" options but haven't gotten very far with this. WebExternalAuth
and WebExternalAuto are both set to 1.


On Mon, Oct 3, 2011 at 3:19 PM, Ruslan Zakirov  wrote:
> Hi,
>
>
> On Tue, Oct 4, 2011 at 12:14 AM, Thomas Smith  wrote:
>> Thanks Ruslan!
>>
>> Yes, I am looking for SSO. I also left out RT (4.0.2) and Apache
>
> If you need SSO then you should teach your Apache to do that. You do
> SSO in Apache, then use the WebExternalAuth option so RT picks up the user
> name from Apache. In combination you can use either the LDAPImport or
> ExternalAuth extensions to fetch additional info from LDAP and keep it
> up to date in RT.
>
>
>> (2.0.63) versions. This server is currently running on COS 4.8 but
>> will soon be upgraded to 6. I also performed the RT upgrade from 3.8.8
>> last night (not sure if that matters for this question though).
>>
>> On Mon, Oct 3, 2011 at 3:03 PM, Ruslan Zakirov  
>> wrote:
>>> Hi,
>>>
>>> On Mon, Oct 3, 2011 at 11:28 PM, Thomas Smith  wrote:
>>>> Hi,
>>>>
>>>> I'm looking at using LDAP authentication to auth against a Win2k8 R2 AD
>>>> server. I've seen a few different ways to do this on the website and
>>>> through Google-ing but none are consistent and none cover all that I'd
>>>> like to accomplish with this.
>>>>
>>>> What I'd like to do is this:
>>>>
>>>>    * Authenticate users against AD who login through the web
>>>> interface. As part of this authentication (for non-existent RT users),
>>>> create the user's account using their AD username as their RT Username
>>>> and their AD primary SMTP address as their RT Email.
>>>>    * When non-existing users submit a ticket via email, have RT check
>>>> that email against AD and if it finds a user associated with that
>>>> email, create a new account using the user's AD username as RT's
>>>> Username and the user's AD email address as RT's Email.
>>>>    * Reject all other requests (and auto creations) for users who
>>>> don't already exist in AD or the local RT user database.
>>>>
>>>> Is it possible to do all of these things?
>>>
>>>
>>> See http://requesttracker.wikia.com/wiki/LDAP
>>>
>>> You didn't say if you need SSO or not.
>>>
>>> To check and add users when they send emails and don't exist in the
>>> system, you need RT::Authen::ExternalAuth. If you need SSO and LDAP is
>>> quite static then you can use apache for SSO and LDAPImport [1] to
>>> periodically import and/or update users.
>>>
>>> [1] 
>>> http://cpansearch.perl.org/src/FALCONE/RT-Extension-LDAPImport-0.31/README
>>>
>>>
>>>
>>>
>>>

>>>> --
>>>> Thomas Smith
>>>> Cell: 602-882-2917
>>>>

>>>
>>>
>>>
>>> --
>>> Best regards, Ruslan.
>>>
>>
>>
>>
>> --
>> Thomas Smith
>> Cell: 602-882-2917
>>
>
>
>
> --
> Best regards, Ruslan.
>



-- 
Thomas Smith
Cell: 602-882-2917



Re: [rt-users] LDAP authentication best practices

2011-10-03 Thread Ruslan Zakirov
Hi,


On Tue, Oct 4, 2011 at 12:14 AM, Thomas Smith  wrote:
> Thanks Ruslan!
>
> Yes, I am looking for SSO. I also left out RT (4.0.2) and Apache

If you need SSO then you should teach your Apache to do that. You do
SSO in Apache, then use the WebExternalAuth option so RT picks up the user
name from Apache. In combination you can use either the LDAPImport or
ExternalAuth extensions to fetch additional info from LDAP and keep it
up to date in RT.


> (2.0.63) versions. This server is currently running on COS 4.8 but
> will soon be upgraded to 6. I also performed the RT upgrade from 3.8.8
> last night (not sure if that matters for this question though).
>
> On Mon, Oct 3, 2011 at 3:03 PM, Ruslan Zakirov  wrote:
>> Hi,
>>
>> On Mon, Oct 3, 2011 at 11:28 PM, Thomas Smith  wrote:
>>> Hi,
>>>
>>> I'm looking at using LDAP authentication to auth against a Win2k8 R2 AD
>>> server. I've seen a few different ways to do this on the website and
>>> through Google-ing but none are consistent and none cover all that I'd
>>> like to accomplish with this.
>>>
>>> What I'd like to do is this:
>>>
>>>    * Authenticate users against AD who login through the web
>>> interface. As part of this authentication (for non-existent RT users),
>>> create the user's account using their AD username as their RT Username
>>> and their AD primary SMTP address as their RT Email.
>>>    * When non-existing users submit a ticket via email, have RT check
>>> that email against AD and if it finds a user associated with that
>>> email, create a new account using the user's AD username as RT's
>>> Username and the user's AD email address as RT's Email.
>>>    * Reject all other requests (and auto creations) for users who
>>> don't already exist in AD or the local RT user database.
>>>
>>> Is it possible to do all of these things?
>>
>>
>> See http://requesttracker.wikia.com/wiki/LDAP
>>
>> You didn't say if you need SSO or not.
>>
>> To check and add users when they send emails and don't exist in the
>> system, you need RT::Authen::ExternalAuth. If you need SSO and LDAP is
>> quite static then you can use apache for SSO and LDAPImport [1] to
>> periodically import and/or update users.
>>
>> [1] 
>> http://cpansearch.perl.org/src/FALCONE/RT-Extension-LDAPImport-0.31/README
>>
>>
>>
>>
>>
>>>
>>> --
>>> Thomas Smith
>>> Cell: 602-882-2917
>>> 
>>>
>>
>>
>>
>> --
>> Best regards, Ruslan.
>>
>
>
>
> --
> Thomas Smith
> Cell: 602-882-2917
>



-- 
Best regards, Ruslan.


Re: [rt-users] LDAP authentication best practices

2011-10-03 Thread Ruslan Zakirov
Hi,

On Mon, Oct 3, 2011 at 11:28 PM, Thomas Smith  wrote:
> Hi,
>
> I'm looking at using LDAP authentication to auth against a Win2k8 R2 AD
> server. I've seen a few different ways to do this on the website and
> through Google-ing but none are consistent and none cover all that I'd
> like to accomplish with this.
>
> What I'd like to do is this:
>
>    * Authenticate users against AD who login through the web
> interface. As part of this authentication (for non-existent RT users),
> create the user's account using their AD username as their RT Username
> and their AD primary SMTP address as their RT Email.
>    * When non-existing users submit a ticket via email, have RT check
> that email against AD and if it finds a user associated with that
> email, create a new account using the user's AD username as RT's
> Username and the user's AD email address as RT's Email.
>    * Reject all other requests (and auto creations) for users who
> don't already exist in AD or the local RT user database.
>
> Is it possible to do all of these things?


See http://requesttracker.wikia.com/wiki/LDAP

You didn't say if you need SSO or not.

To check and add users when they send emails and don't exist in the
system, you need RT::Authen::ExternalAuth. If you need SSO and LDAP is
quite static then you can use apache for SSO and LDAPImport [1] to
periodically import and/or update users.

[1] http://cpansearch.perl.org/src/FALCONE/RT-Extension-LDAPImport-0.31/README





>
> --
> Thomas Smith
> Cell: 602-882-2917
>



-- 
Best regards, Ruslan.


[rt-users] LDAP authentication best practices

2011-10-03 Thread Thomas Smith
Hi,

I'm looking at using LDAP authentication to auth against a Win2k8 R2 AD
server. I've seen a few different ways to do this on the website and
through Google-ing but none are consistent and none cover all that I'd
like to accomplish with this.

What I'd like to do is this:

* Authenticate users against AD who login through the web
interface. As part of this authentication (for non-existent RT users),
create the user's account using their AD username as their RT Username
and their AD primary SMTP address as their RT Email.
* When non-existing users submit a ticket via email, have RT check
that email against AD and if it finds a user associated with that
email, create a new account using the user's AD username as RT's
Username and the user's AD email address as RT's Email.
* Reject all other requests (and auto creations) for users who
don't already exist in AD or the local RT user database.

Is it possible to do all of these things?

--
Thomas Smith
Cell: 602-882-2917



Re: [rt-users] LDAP authentication

2010-06-24 Thread Kevin Gagel

On Thursday 24/06/2010 at 7:09 am, Guy Baxter  wrote:

> Hi,
>
> Is it possible to authenticate via LDAP to RT ?
>
> In particular, Mac OS X's implementation of LDAP (Open Directory)
>
> Thanks.



Yes.

See http://wiki.bestpractical.com/view/ExternalAuthentication for 
details.




Kevin W. Gagel
Network Administrator
College of New Caledonia
My Blog:
http://mail.cnc.bc.ca/blogs/gagel
My  Shared Files:
http://mail.cnc.bc.ca/users/gagel



Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

Re: [rt-users] LDAP authentication

2010-06-24 Thread Steve Anderson
Take a look at http://wiki.bestpractical.com/view/ExternalAuthentication and 
http://wiki.bestpractical.com/view/ExternalAuth

Should cover what you need.

Steve Anderson

-Original Message-
From: rt-users-boun...@lists.bestpractical.com 
[mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Guy Baxter
Sent: 24 June 2010 3:08 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] LDAP authentication

Hi,

Is it possible to authenticate via LDAP to RT ?

In particular, Mac OS X's implementation of LDAP (Open Directory)

Thanks.



[rt-users] LDAP authentication

2010-06-24 Thread Guy Baxter
Hi,

Is it possible to authenticate via LDAP to RT ?

In particular, Mac OS X's implementation of LDAP (Open Directory)

Thanks.




Re: [rt-users] LDAP Authentication Issue

2010-06-11 Thread Kevin Falcone
On Thu, Jun 10, 2010 at 08:28:56AM -0400, borngunn...@aol.com wrote:
>[Wed Jun 09 16:49:23 2010] [error] Can't locate RT/Authen/ExternalAuth.pm 
> in @INC (@INC
>contains: /opt/rt3/bin/../local/lib /opt/rt3/bin/../lib /etc/perl /u$

You don't appear to have installed RT-Authen-ExternalAuth.
You should check under /opt/rt3/local

-kevin



[rt-users] LDAP Authentication Issue

2010-06-10 Thread borngunners

I have been trying to configure my RT to communicate with my LDAP, but I have
been running into problems. I did install the Perl module. Below is my
configuration and the error after I restart Apache (Apache failed to restart):


# THE BASICS:

Set($rtname, 'TAG');
Set($Organization, 'TAG');
Set($CorrespondAddress , 'helpd...@test.action.go');
Set($CommentAddress , 'webmas...@test.action.go');
Set($Timezone , 'EDT'); # obviously choose what suits you
Set($MinimumPasswordLength, "8");

# THE DATABASE:

Set($DatabaseType, 'mysql'); # e.g. Pg or mysql

# These are the settings we used above when creating the RT database,
# you MUST set these to what you chose in the section above.

Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , 'wibble');
Set($DatabaseName , 'rt3'); # Ensure this is set to rt3!

# THE WEBSERVER:

Set($WebPath , "");
Set($WebBaseURL , "http://helpdesk.TAG.test.go");

#THE EMAIL SERVER

Set($SendmailPath , "/usr/sbin/sendmail");
Set($SendmailArguments,"-oi -t -ODeliveryMode=b -OErrorMode=m");
Set($UseFriendlyFromLine, 1);
Set($FriendlyFromLineFormat, "\"%s via RT\" <%s>");
Set($TruncateLongAttachments, undef);
#THE LDAP SERVER
Set(@Plugins, qw(RT::Authen::ExternalAuth));
Set($EmailCompletionUnprivileged,"privileged");
# Following is LDAP authorization block
Set($ExternalAuthPriority,  [ 'My_LDAP' ]);
Set($ExternalInfoPriority,  [ 'My_LDAP' ]);
Set($AutoCreateNonExternalUsers,1);
Set($ExternalSettings, {
    'My_LDAP'   =>  {   ## GENERIC SECTION
        'type'      =>  'ldap',
        'server'    =>  '192.168.5.0',
        'user'      =>  'administrator',
        'pass'      =>  '*',
        'base'      =>  'dc=action,dc=test,dc=go',
        # The filter to use to match RT-Users
        'filter'    =>  '(sAMAccountName=%u)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        #'d_filter'  =>  '(FILTER_STRING)',
        'd_filter'  =>  '(&(objectCategory=person)(objectClass=user))',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        #'group'     =>  'GROUP_NAME',
        # What is the attribute for the group object that determines membership?
        #'group_attr'=>  'GROUP_ATTR',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list'   => [ 'Name',
                                 'EmailAddress'
                                 #'RealName'
                               ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map'  =>  {   'Name' => 'cn',
                            'EmailAddress' => 'test.action.go',
                            'WorkPhone' => 'telephoneNumber',
                            'MobilePhone' => 'mobile',
                            'RealName' => 'displayName',
                            'NickName' => 'preferredName',
                            'Organization' => 'Location',
                            'Address1' => 'mailstop',
                            'City' => 'homeCity',
                            'State' => 'st',
                            'Zip' => 'postalCode',
                            'Country' => 'co'
                        }
    }
}
);
1;


Error from log is:
[Wed Jun 09 16:26:50 2010] [notice] caught SIGTERM, shutting down
[Wed Jun  9 20:26:53 2010] [error]: The RTAddressRegexp option is not set in 
the config. Not setting this option results in additional SQL queries to check $
[Wed Jun  9 20:27:04 2010] [error]: The RTAddressRegexp option is not set in 
the config. Not setting this option results in additional SQL queries to check $
[Wed Jun 09 16:27:13 2010] [notice] Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.5 
with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal$
[Wed Jun 09 16:30:30 2010] [notice] caught SIGTERM, shutting down
[Wed Jun  9 20:30:33 2010] [error]: The RTAddressRegexp option is not set in 
the config. Not setting this option results in additional SQL queries to check $
[Wed Jun  9 20:30:44 2010] [error]: The RTAddressRegexp option is not set in 
the config. Not setting this option results in additional SQL queries to check $
[Wed Jun 09 16:30:53 2010] [notice] Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.5 
with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal$
[Wed Jun 09 16:49:20 2010] [notice] caught SIGTERM, shutting down
[Wed Jun 09 16:49:23 2010] [error] Can't locate RT/Authen/ExternalAuth.pm in 
@INC (@INC contains: /opt/rt3/bin/../local/lib /opt/rt3/bin/../lib /etc/perl /u$
[Wed Jun 09 16:49:23 2010] [error] Can't 

Re: [rt-users] LDAP authentication and existing users - done

2008-12-10 Thread Joe Hartley
To close the thread here, I've changed all the RT accounts to use the AD
login name as the username within RT.  All's well with the
authentication, users can see their tickets in the self-service
interface.

On the downside, a new ticket created by an email from a user unknown to
the system did not get created with the AD username, but that's because
the AD server did not have a value entered for the user's email, a
side-effect of having an email service that does not use our AD for any
authentication.

Thanks for the help!

--
Joe Hartley | Sr. Linux SysAdmin
Retail Solutions, Inc. (formerly VeriSign RDS)
40 Sharpe Drive
Cranston, RI 02920
[EMAIL PROTECTED] 
+1 401.824.5040 (o) | +1 401.824.5002 (f)



___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: [EMAIL PROTECTED]


Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
Buy a copy at http://rtbook.bestpractical.com
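
The clean-up discussed in this thread (RT accounts that were auto-created with an email address as username, to be renamed to the AD login), as an added example that is not code from the posters or from RT. It is Python with a constructed in-memory directory standing in for the AD search, so sample_search, plan_renames and every account shown are assumptions; it only produces a plan and flags the cases the thread ran into (no AD entry with that mail value, more than one match, a login that already exists in RT).

```python
import re

def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP filter (RFC 4515)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def mail_filter(email):
    """Filter for AD user objects whose mail attribute equals this address.
    The address comes from inbound mail, so it is escaped before use."""
    return ('(&(objectCategory=person)(objectClass=user)(mail=%s))'
            % escape_filter_value(email))

# Constructed sample directory (not real accounts).
SAMPLE_DIRECTORY = [
    {'sAMAccountName': 'jdoe',   'mail': 'jdoe@example.com'},
    {'sAMAccountName': 'asmith', 'mail': 'asmith@example.com'},
    {'sAMAccountName': 'bjones', 'mail': 'shared@example.com'},
    {'sAMAccountName': 'cwhite', 'mail': 'shared@example.com'},
    {'sAMAccountName': 'kbrown'},  # mail attribute never filled in
]

def sample_search(ldap_filter, directory=SAMPLE_DIRECTORY):
    """Stand-in for a real LDAP search (assumption): evaluates only the
    (mail=...) term, treating an unescaped * as a wildcard like a server does."""
    m = re.search(r'\(mail=([^()]*)\)', ldap_filter)
    if not m:
        return []
    parts = [re.escape(re.sub(r'\\([0-9a-fA-F]{2})',
                              lambda h: chr(int(h.group(1), 16)), p))
             for p in m.group(1).split('*')]
    pattern = re.compile('.*'.join(parts), re.IGNORECASE)
    return [e for e in directory if 'mail' in e and pattern.fullmatch(e['mail'])]

# Constructed RT accounts: Name equal to EmailAddress marks an account that
# was auto-created from an incoming email.
SAMPLE_RT_USERS = [
    {'Name': 'root',               'EmailAddress': 'root@localhost'},
    {'Name': 'jdoe@example.com',   'EmailAddress': 'jdoe@example.com'},
    {'Name': 'jdoe',               'EmailAddress': ''},  # created at first AD login
    {'Name': 'asmith@example.com', 'EmailAddress': 'asmith@example.com'},
    {'Name': 'shared@example.com', 'EmailAddress': 'shared@example.com'},
    {'Name': 'kbrown@example.com', 'EmailAddress': 'kbrown@example.com'},
    {'Name': '*@example.com',      'EmailAddress': '*@example.com'},
]

def plan_renames(rt_users, search):
    """Return (renames, problems). renames is a list of (old_name, ad_login);
    problems is a list of (old_name, reason) that need a human decision."""
    taken = {u['Name'].lower() for u in rt_users}
    renames, problems = [], []
    for user in rt_users:
        name, email = user['Name'], user['EmailAddress']
        if name.lower() != email.lower():
            continue  # not an email-named account, leave it alone
        entries = search(mail_filter(email))
        if not entries:
            problems.append((name, 'not found in AD'))
        elif len(entries) > 1:
            problems.append((name, 'ambiguous: %d matches' % len(entries)))
        else:
            login = entries[0]['sAMAccountName']
            if login.lower() in taken:
                # Renaming would collide; the two RT accounts need merging.
                problems.append((name, 'login %r already exists in RT' % login))
            else:
                taken.add(login.lower())
                renames.append((name, login))
    return renames, problems

if __name__ == '__main__':
    renames, problems = plan_renames(SAMPLE_RT_USERS, sample_search)
    for old, new in renames:
        print('rename  %-22s -> %s' % (old, new))
    for old, reason in problems:
        print('review  %-22s (%s)' % (old, reason))
```

Against a live directory, replace sample_search with a function that runs the same filter through your LDAP client and returns the matching entries.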


Re: [rt-users] LDAP authentication and existing users

2008-12-10 Thread Joe Hartley
I feel like I'm heading deeper and deeper down a rathole here...

From: Rich West [mailto:[EMAIL PROTECTED] 
> With the default settings in
> local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm, new users
> will get created with their AD account name.  At least, that is the way
> it behaved for me.

That'll be brilliant, I'll have to find someone who hasn't submitted a
ticket to try it out!

> The down side was that external users with the same
> account name (from a different domain, for example) could not open
> tickets because of conflicting names.  Once I changed the
> 'attr_match_list' to just the EmailAddress, the accounts started getting
> created with the email address as the account name.
>
> More than likely, at some point in time, you adjusted the
> 'attr_match_list' to only include the email address like so:
> 'attr_match_list'   => ['EmailAddress' ],

I've only been hacking at this a couple of days now, the only change was
to make "attr_match_list => ['Name', 'EmailAddress']," which is the new
default.

> However, your users can log in to RT's interface using their email address.

This is not working for me, but I may be confused as to how it's
supposed to work.  Example:  User John Doe has submitted a ticket in the
past via email.  A user was created in RT with the username, email and
real name of [EMAIL PROTECTED]  John was unable to log into RT using his
email address.  The logs show that the error on LDAP authentication is
"User not found or more than one user found."

What's even worse for me is that if John uses his network username to
log in, he's successful, but RT creates a new user with the ID, so he
doesn't see his tickets, and I can't change the username on the user
account that is the requestor of the tickets, because now a user with
that name exists.

This Active Directory stuff is of the devil, I tell ya!

Thanks for the info, I appreciate it.



Re: [rt-users] LDAP authentication and existing users

2008-12-09 Thread Rich West
With the default settings in 
local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm, new users 
will get created with their AD account name.  At least, that is the way 
it behaved for me.  The down side was that external users with the same 
account name (from a different domain, for example) could not open 
tickets because of conflicting names.  Once I changed the 
'attr_match_list' to just the EmailAddress, the accounts started getting 
created with the email address as the account name.

More than likely, at some point in time, you adjusted the 
'attr_match_list' to only include the email address like so:
'attr_match_list'   => ['EmailAddress' ],

The default is like the following:
'attr_match_list'   => ['Name','EmailAddress', 'RealName', 
'WorkPhone', 'Address2' ],

However, your users can log in to RT's interface using their email address.

We're building for our users, outside of RT, a self-service interface, 
complete with forms & faq's.  The forms simply submit email to RT with 
all of the right answers filled out.

As far as adjusting the current accounts.. yes, that can be scripted.  
You'd have to look at the SQL tables to see what needs to be adjusted, 
but it is definitely do-able with minimal effort.

-Rich


Joe Hartley wrote:
> I've been working on using LDAP authentication in our RT 3.6.6
> installation using ExternAuth and have gotten quite a way on my own, but
> have run into a minor speedbump.
>
> People here have gotten used to submitting tickets to RT via email but
> now we want to roll out the self-service interface, and authenticate
> against our Active Directory server to log in.  The problem I have is
> that when RT automatically created the users, the RT username was set to
> the email address of the requestor.
>
> Now, I've discovered that the user cannot access the self-service
> interface unless their username is changed from their email address to
> their AD login.  Has anyone ever seen a script that would take a list of
> email addresses and look up the login name?
>
> Also, does anyone know how I can get RT to use the login name instead of
> the email address when it auto-creates a user upon getting a ticket from
> a new user via email?
>
> Thanks for any pointers tossed out here - I'm a newbie when it comes to
> the world of LDAP and Active Directory!
>
> --
> Joe Hartley | Sr. Linux SysAdmin
> Retail Solutions, Inc. (formerly VeriSign RDS)
> 40 Sharpe Drive
> Cranston, RI 02920
> [EMAIL PROTECTED] 
> +1 401.824.5040 (o) | +1 401.824.5002 (f)
>
>


[rt-users] LDAP authentication and existing users

2008-12-09 Thread Joe Hartley
I've been working on using LDAP authentication in our RT 3.6.6
installation using ExternAuth and have gotten quite a way on my own, but
have run into a minor speedbump.

People here have gotten used to submitting tickets to RT via email but
now we want to roll out the self-service interface, and authenticate
against our Active Directory server to log in.  The problem I have is
that when RT automatically created the users, the RT username was set to
the email address of the requestor.

Now, I've discovered that the user cannot access the self-service
interface unless their username is changed from their email address to
their AD login.  Has anyone ever seen a script that would take a list of
email addresses and look up the login name?

Also, does anyone know how I can get RT to use the login name instead of
the email address when it auto-creates a user upon getting a ticket from
a new user via email?

Thanks for any pointers tossed out here - I'm a newbie when it comes to
the world of LDAP and Active Directory!

--
Joe Hartley | Sr. Linux SysAdmin
Retail Solutions, Inc. (formerly VeriSign RDS)
40 Sharpe Drive
Cranston, RI 02920
[EMAIL PROTECTED] 
+1 401.824.5040 (o) | +1 401.824.5002 (f)




Re: [rt-users] Ldap Authentication setup question

2008-10-31 Thread Sean McCreadie
Mike,

I am downloading the new rev as we speak and will comment shortly.
Thank you very much for all your great help, I appreciate it very much.

Sean

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike
Peachey
Sent: Friday, October 31, 2008 7:35 AM
To: [EMAIL PROTECTED]
Cc: RT Users
Subject: Re: [rt-users] Ldap Authentication setup question

Alan Cheng wrote:
> Mike,
> 
> I would like to report that v0.06_03 is working for my
> RHEL5/RT-3.8.1/Sun Directory Server 6.3. 

Fantastic!

> I am seeing new information in
> my RT log so I know the new version is indeed active.
> 
> [Fri Oct 31 10:17:36 2008] [error]: Working around bug in RT and
> reloading RT::User
> (/usr/local/rt381/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:8)

Indeed. You can thank Kevin Falcone for that.

> 
> For v0.06_03 to work, I have to put in "Set(
> @Plugins,(qw(RT::Authen::ExternalAuth)));" into RT_SiteConfig.pm but
> didn't need this when running 0.05.  I didn't even know this option
> before reading the posting from Michael Mollard. :)

Yeah, will make sure this is at least in the README before a stable
release (if Kevin hasn't put it in already).

> 
> One little comment is that after checking out the source code from SVN,
> I had to cd to "RT-Authen-ExternalAuth/trunk" instead.

My bad.

> 
> Thanks for releasing this fix!
> 
> Alan

Pleased to help :) Thanks to Kevin for the majority of the work.


Come on then Michael.. one more confirmed happy person and I'm releasing
it :)
-- 
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__


Re: [rt-users] Ldap Authentication setup question

2008-10-31 Thread Mike Peachey
Alan Cheng wrote:
> Mike,
> 
> I would like to report that v0.06_03 is working for my
> RHEL5/RT-3.8.1/Sun Directory Server 6.3. 

Fantastic!

> I am seeing new information in
> my RT log so I know the new version is indeed active.
> 
> [Fri Oct 31 10:17:36 2008] [error]: Working around bug in RT and
> reloading RT::User
> (/usr/local/rt381/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:8)

Indeed. You can thank Kevin Falcone for that.

> 
> For v0.06_03 to work, I have to put in "Set(
> @Plugins,(qw(RT::Authen::ExternalAuth)));" into RT_SiteConfig.pm but
> didn't need this when running 0.05.  I didn't even know this option
> before reading the posting from Michael Mollard. :)

Yeah, will make sure this is at least in the README before a stable
release (if Kevin hasn't put it in already).

> 
> One little comment is that after checking out the source code from SVN,
> I had to cd to "RT-Authen-ExternalAuth/trunk" instead.

My bad.

> 
> Thanks for releasing this fix!
> 
> Alan

Pleased to help :) Thanks to Kevin for the majority of the work.


Come on then Michael.. one more confirmed happy person and I'm releasing
it :)
-- 
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__


Re: [rt-users] Ldap Authentication setup question

2008-10-31 Thread Alan Cheng
Mike,

I would like to report that v0.06_03 is working for my
RHEL5/RT-3.8.1/Sun Directory Server 6.3.  I am seeing new information in
my RT log so I know the new version is indeed active.

[Fri Oct 31 10:17:36 2008] [error]: Working around bug in RT and
reloading RT::User
(/usr/local/rt381/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:8)

For v0.06_03 to work, I have to put in "Set(
@Plugins,(qw(RT::Authen::ExternalAuth)));" into RT_SiteConfig.pm but
didn't need this when running 0.05.  I didn't even know this option
before reading the posting from Michael Mollard. :)

One little comment is that after checking out the source code from SVN,
I had to cd to "RT-Authen-ExternalAuth/trunk" instead.

Thanks for releasing this fix!

Alan

Mike Peachey wrote:
> RT::Authen::ExternalAuth v0.06_03 is now available and is the first (and
> hopefully only) release candidate for v0.06.
>
> Michael Mollard, Sean McCreadie,
>
> Can you please test v0.06_03 as soon as possible and let me know how it
> goes? Having tested myself, it seems good and I'd like to get 0.06 out
> ASAP as it will be the first official release to support RT-3.8.x
>
> Unfortunately, I'm still waiting for CPAN to update with the new
> version, and when it does, it will be available here:
> http://search.cpan.org/CPAN/authors/id/Z/ZO/ZORDRAK/RT-Authen-ExternalAuth-0.06_03.tar.gz
>
> But if you'd like to try it now, you can get it from the BPS SVN server:
>
> $ svn co http://code.bestpractical.com/bps-public/RT-Authen-ExternalAuth
> $ cd RT-Authen-ExternalAuth
> $ perl Makefile.PL
> $ make
> $ make install
>
> and it will overwrite the previous version without conflict.
>
>   



Re: [rt-users] Ldap Authentication setup question

2008-10-31 Thread Mike Peachey
RT::Authen::ExternalAuth v0.06_03 is now available and is the first (and
hopefully only) release candidate for v0.06.

Michael Mollard, Sean McCreadie,

Can you please test v0.06_03 as soon as possible and let me know how it
goes? Having tested myself, it seems good and I'd like to get 0.06 out
ASAP as it will be the first official release to support RT-3.8.x

Unfortunately, I'm still waiting for CPAN to update with the new
version, and when it does, it will be available here:
http://search.cpan.org/CPAN/authors/id/Z/ZO/ZORDRAK/RT-Authen-ExternalAuth-0.06_03.tar.gz

But if you'd like to try it now, you can get it from the BPS SVN server:

$ svn co http://code.bestpractical.com/bps-public/RT-Authen-ExternalAuth
$ cd RT-Authen-ExternalAuth
$ perl Makefile.PL
$ make
$ make install

and it will overwrite the previous version without conflict.

-- 
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__


Re: [rt-users] Ldap Authentication setup question

2008-10-31 Thread Mike Peachey
Mike Peachey wrote:
> Michael Mollard wrote:
>> Sean,
>> Identical to my error.  I did find a 'make fixperms' which I stumbled
>> across, not documented anywhere I could find, alongside 'make testdeps',
>> and 'make fixdeps'.  But it didn't change anything.  Same errors.
>>
>> If I ever get this going, I may need to write a wiki article for the
>> 'rest of us' who are new at this.  If I ever get it working ;-)
>>
>> Keep in touch Sean, if I find anything I'll let you know.
> 
> Be aware, this has been identified as a bug and we are working on it.
> 
> In the meantime, you can circumvent the problem by turning on Devel mode
> if you need to.

Update:

This issue is fixed in RT's development trunk and will be covered by
RT-3.8.2, but we're now testing a workaround patch to force ExternalAuth
to work around the bug and co-exist with RT-3.8.1.
-- 
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__


Re: [rt-users] Ldap Authentication setup question

2008-10-30 Thread Mike Peachey
Michael Mollard wrote:
> Thanks Mike, nice to know I'm not going nuts.  Can you give me a quick
> pointer on turning on Devel mode.

I'll give you a very small pointer:

$RTHOME/etc/RT_Config.pm

-- 
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__


Re: [rt-users] Ldap Authentication setup question

2008-10-30 Thread Michael Mollard
Thanks Mike, nice to know I'm not going nuts.  Can you give me a quick 
pointer on turning on Devel mode.



Michael Mollard
Network Administrator
Moreton Bay College
Email: [EMAIL PROTECTED]
Web: http://www.mbc.qld.edu.au
Phone: (Direct) 07 3907 5712 / (Mob) 0417 631 801 
Fax: 07 3390 8919




Mike Peachey wrote:
> Michael Mollard wrote:
>> Sean,
>> Identical to my error.  I did find a 'make fixperms' which I stumbled
>> across, not documented anywhere I could find, alongside 'make testdeps',
>> and 'make fixdeps'.  But it didn't change anything.  Same errors.
>>
>> If I ever get this going, I may need to write a wiki article for the
>> 'rest of us' who are new at this.  If I ever get it working ;-)
>>
>> Keep in touch Sean, if I find anything I'll let you know.
>
> Be aware, this has been identified as a bug and we are working on it.
>
> In the meantime, you can circumvent the problem by turning on Devel mode
> if you need to.
  

Re: [rt-users] Ldap Authentication setup question

2008-10-30 Thread Mike Peachey
Michael Mollard wrote:
> Sean,
> Identical to my error.  I did find a 'make fixperms' which I stumbled
> across, not documented anywhere I could find, alongside 'make testdeps',
> and 'make fixdeps'.  But it didn't change anything.  Same errors.
> 
> If I ever get this going, I may need to write a wiki article for the
> 'rest of us' who are new at this.  If I ever get it working ;-)
> 
> Keep in touch Sean, if I find anything I'll let you know.

Be aware, this has been identified as a bug and we are working on it.

In the meantime, you can circumvent the problem by turning on Devel mode
if you need to.
-- 
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__


Re: [rt-users] Ldap Authentication setup question

2008-10-29 Thread Michael Mollard

Sean,
Identical to my error.  I did find a 'make fixperms' which I stumbled 
across, not documented anywhere I could find, alongside 'make testdeps', 
and 'make fixdeps'.  But it didn't change anything.  Same errors.


If I ever get this going, I may need to write a wiki article for the 
'rest of us' who are new at this.  If I ever get it working ;-)


Keep in touch Sean, if I find anything I'll let you know.

Michael Mollard
Network Administrator
Moreton Bay College
Email: [EMAIL PROTECTED]
Web: http://www.mbc.qld.edu.au
Phone: (Direct) 07 3907 5712 / (Mob) 0417 631 801 
Fax: 07 3390 8919




Sean McCreadie wrote:
> Hello,
>
> I've been battling trying to get AD external Authentication going as
> well.  I'm pretty new at RT also, but I have read over all the docs and
> these posts several times trying to get it working.  I am having the
> exact same issue as Michael in this thread, and I haven't been able to
> resolve.  Have either of you figured out a solution?  When I got to my
> server's URL I am presented with the normal login screen, but if I try to
> login as root, I get this error:
>
> RT::User::UpdateFromExternal Unimplemented in HTML::Mason::Commands.
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAu
> th/autohandler/Auth line 82)
>
> If I refresh in the browser it then takes me to root's home screen and
> everything functions as normal.  I can logout and repeat, I have to
> refresh once to get in.  If I try to login as an AD user, I get this
> error:
>
> Can't call method "Disabled" on an undefined value at
> /opt/rt3/bin/../lib/RT/User_Overlay.pm line 971.
>
> I have drilled over my RT_SiteConfig.pm and compared it to the ones
> posted on the lists.  I turned on logging to file and it didn't generate
> anything I could see that was related.  I checked file permissions on
> the files listed below and they are OK.
>
> Thanks in advance for all the great help.
>
> Sean
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mike
> Peachey
> Sent: Monday, October 27, 2008 2:55 AM
> To: Michael Mollard; RT Users
> Subject: Re: [rt-users] Ldap Authentication setup question
>
> Michael Mollard wrote:
>> Mike,
>> Let me know when you're up and about again.  I've installed
>> RT::Authen::ExternalAuth v.06_2 and now just logging in as local root
>> generates this error.
>>
>> RT::User::UpdateFromExternal Unimplemented in HTML::Mason::Commands.
>> (/srv/www/vhosts/rt.mbc.qld.edu.au/local/plugins/RT-Authen-ExternalAuth/
>> html/Callbacks/ExternalAuth/autohandler/Auth line 73)
>
> This generally means that the User_Vendor.pm has not been found in the
> right place to make its methods available. UpdateFromExternal is an
> RT::User method, RT looks in User.pm and doesn't find it, and then
> checks for its existence in User_Local.pm and User_Vendor.pm. Obviously
> it's just not finding or is unable to read User_Vendor.pm.
>
> File permissions perhaps?

  

Re: [rt-users] Ldap Authentication setup question

2008-10-29 Thread Sean McCreadie
Hello,

I've been battling trying to get AD external Authentication going as
well.  I'm pretty new at RT also, but I have read over all the docs and
these posts several times trying to get it working.  I am having the
exact same issue as Michael in this thread, and I haven't been able to
resolve.  Have either of you figured out a solution?  When I got to my
server's URL I am presented with the normal login screen, but if I try to
login as root, I get this error:

RT::User::UpdateFromExternal Unimplemented in HTML::Mason::Commands.
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAu
th/autohandler/Auth line 82)

If I refresh in the browser it then takes me to root's home screen and
everything functions as normal.  I can logout and repeat, I have to
refresh once to get in.  If I try to login as an AD user, I get this
error:


Can't call method "Disabled" on an undefined value at
/opt/rt3/bin/../lib/RT/User_Overlay.pm line 971.


I have drilled over my RT_SiteConfig.pm and compared it to the ones
posted on the lists.  I turned on logging to file and it didn't generate
anything I could see that was related.  I checked file permissions on
the files listed below and they are OK.  

 Thanks in advance for all the great help.

Sean


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike
Peachey
Sent: Monday, October 27, 2008 2:55 AM
To: Michael Mollard; RT Users
Subject: Re: [rt-users] Ldap Authentication setup question

Michael Mollard wrote:
> Mike,
> Let me know when you're up and about again.  I've installed
> RT::Authen::ExternalAuth v.06_2 and now just logging in as local root
> generates this error.
> 
> RT::User::UpdateFromExternal Unimplemented in HTML::Mason::Commands.
> (/srv/www/vhosts/rt.mbc.qld.edu.au/local/plugins/RT-Authen-ExternalAuth/
> html/Callbacks/ExternalAuth/autohandler/Auth line 73)

This generally means that the User_Vendor.pm has not been found in the
right place to make its methods available. UpdateFromExternal is an
RT::User method, RT looks in User.pm and doesn't find it, and then
checks for its existence in User_Local.pm and User_Vendor.pm. Obviously
it's just not finding or is unable to read User_Vendor.pm.

File permissions perhaps?

-- 
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__


Re: [rt-users] Ldap Authentication setup question

2008-10-27 Thread Mike Peachey
Michael Mollard wrote:
> Mike,
> Let me know when you're up and about again.  I've installed 
> RT::Authen::ExternalAuth v.06_2 and now just logging in as local root 
> generates this error.
> 
> RT::User::UpdateFromExternal Unimplemented in HTML::Mason::Commands. 
> (/srv/www/vhosts/rt.mbc.qld.edu.au/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth
>  line 73)

This generally means that the User_Vendor.pm has not been found in the
right place to make its methods available. UpdateFromExternal is an
RT::User method, RT looks in User.pm and doesn't find it, and then
checks for its existence in User_Local.pm and User_Vendor.pm. Obviously
it's just not finding or is unable to read User_Vendor.pm.

File permissions perhaps?

-- 
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__


Re: [rt-users] Ldap Authentication setup question

2008-10-23 Thread John McCoy
So I have just gotten this working with RHEL5, RT-3.8.1, 
ExternalAuth-0.06_02 and eDIR.


A few things I had to hack:
/opt/rt3/local/lib/RT/User_Vendor.pm
Change line 1050 from:
$msg = $ldap->bind($ldap_user, password => $ldap_pass);
to:
$msg = $ldap->bind($ldap_user, ); #This fixed the Novell null password idiocy


I also had to import our eDIR CA (not sure this is really needed)
certutil -A -d /etc/pki/nssdb -n "root ca cert" -t "CT,C,C" -i ~/eDirCACert.pem
My Netware Admin exported this for me from Console1; Security --> Organizational CA


Modify /etc/openldap/ldap.conf to use the CA too
[EMAIL PROTECTED]:~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT  12
#TIMELIMIT  15
#DEREF  never

TLS_CACERT /etc/pki/tls/certs/eDirCACert.pem
# Self signed server cert (nothing to do with eDir)
TLS_CERT /etc/pki/tls/certs/server.crt
TLS_KEY /etc/pki/tls/private/server.key

I had to use the short name of the eDir server as its Certificate was 
not FQDN (stupid!)
I also did not define d_filter but plan to, just my Netware Admin is in 
training.


  'base'      =>  'o=ggu',
  'filter'    =>  '(objectClass=Person)',

  'd_filter'  =>  '',
  'tls'       =>  1,


Hope this is useful for anybody trying to get this to work with eDir.



Mike Peachey wrote:
> Michael Mollard wrote:
>> Mike,
>> RE: the wiki 'PostInstall'
>> although I have progressed slightly, I think I didn't realise that I needed to put
>> Set( @Plugins,(qw(RT::Authen::ExternalAuth)));
>
> I will add this when I can, this was not required for 3.6 installs.



--
*
John McCoy, Jr
Sr. Systems and Network Administrator
Enterprise Technology Services
Golden Gate University
*


Re: [rt-users] Ldap Authentication setup question

2008-10-23 Thread Mike Peachey
Michael Mollard wrote:
> Mike,
> RE: the wiki 'PostInstall'
> although I have progressed slightly, I think I didn't realise that I needed 
> to put
> Set( @Plugins,(qw(RT::Authen::ExternalAuth)));

I will add this when I can, this was not required for 3.6 installs.

-- 
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__


Re: [rt-users] Ldap Authentication setup question

2008-10-23 Thread Mike Peachey
Michael Mollard wrote:
> 

I'm sorry I'm not concentrating on replies at the moment, but I'm trying
to recover from being hit from behind at about 50mph on my way home from
work on Monday.

One thing I can tell you is this:

You *M*U*S*T* specify a d_filter!

When I get a chance I will try to update the wiki to make this more
clear, but I cannot state it clearly enough, if you don't specify a
d_filter, ExternalAuth will probably not work at all.
-- 
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__
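
A configuration check for the points raised in this thread (d_filter must be set, the tls switch, and the password-less bind from the eDirectory workaround), as an added example that is not part of any post and is not RT or RT::Authen::ExternalAuth code. The helper names (bind_kind, lint_service, lint_all) and the sample host names and DNs are made up for illustration; the hash keys are the ones shown in the posted configs.

```perl
#!/usr/bin/perl
# Added example (not RT or RT::Authen::ExternalAuth code): lint LDAP service
# definitions of the shape passed to Set($ExternalSettings, {...}).
use strict;
use warnings;

# Classify the simple bind a DN/password pair produces (RFC 4513, section 5.1).
# bind_kind() is a hypothetical helper name.
sub bind_kind {
    my ($dn, $pass) = @_;
    my $has_dn   = defined($dn)   && length($dn);
    my $has_pass = defined($pass) && length($pass);
    return 'anonymous'           if !$has_dn && !$has_pass;   # 5.1.1
    return 'unauthenticated'     if  $has_dn && !$has_pass;   # 5.1.2
    return 'password-without-dn' if !$has_dn;
    return 'name/password';                                   # 5.1.3
}

# Return a list of findings for one service definition (hypothetical helper).
sub lint_service {
    my ($name, $svc) = @_;
    my @findings;
    return @findings unless ($svc->{type} // '') eq 'ldap';

    # The thread's advice: a d_filter must be specified.
    my $d_filter = $svc->{d_filter};
    if (!defined($d_filter) || $d_filter !~ /\S/) {
        push @findings, "$name: d_filter is not set (the thread says ExternalAuth needs one)";
    }
    elsif ($d_filter eq '(FILTER_STRING)') {
        push @findings, "$name: d_filter is still the sample placeholder";
    }

    # With tls off, nothing in this definition asks for an encrypted connection.
    push @findings, "$name: tls is off, nothing here requests an encrypted connection"
        unless $svc->{tls};

    # A DN sent with no password is an unauthenticated bind, not a login.
    my $kind = bind_kind($svc->{user}, $svc->{pass});
    if ($kind eq 'unauthenticated') {
        push @findings, "$name: bind DN with an empty password is an unauthenticated bind";
    }
    elsif ($kind eq 'anonymous') {
        push @findings, "$name: no service account, directory searches run anonymously";
    }
    return @findings;
}

# Lint every service in an $ExternalSettings-style hash reference.
sub lint_all {
    my ($settings) = @_;
    my @out;
    for my $name (sort keys %$settings) {
        push @out, lint_service($name, $settings->{$name});
    }
    return @out;
}

# Constructed samples modelled on the two configurations posted in the thread;
# host names and DNs are placeholders, not values from any real site.
my %sample = (
    'My_LDAP' => {    # d_filter, user and pass commented out, tls off
        type   => 'ldap',
        server => 'ldap.example.org',
        base   => 'ou=lab,o=example',
        filter => '(objectClass=Person)',
        tls    => 0,
    },
    'eDir' => {       # empty d_filter, tls on; the empty pass stands in for
                      # the bind call edited to send no password
        type     => 'ldap',
        server   => 'edir',
        user     => 'cn=rt,o=example',
        pass     => '',
        base     => 'o=example',
        filter   => '(objectClass=Person)',
        d_filter => '',
        tls      => 1,
    },
);

print "$_\n" for lint_all(\%sample);
```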


Re: [rt-users] Ldap Authentication setup question

2008-10-22 Thread Michael Mollard
Mike,
As part of my troubleshooting process, I have tried to wipe my rt installation 
and restart (I'm testing on a local VM, so not a  big deal).
I have deleted my <$RT_HOME> (/srv/www/vhosts/rt.mbc.qld.edu.au/*).  Is that 
enough to reinstall from scratch or are there other things which should be 
'tidied up'?

My Reinstall Process:
-installed rt3.8.1 as per instructions
-make initialize-database
-restarted apache2

(tested login as root/password, all works ok)

-Installed RT-Authen-ExternalAuth-0.06_02
-restarted apache
(left my RT_SiteConfig.pm unmodified to test 'local only' root/password again - 
still works fine)
Modified my RT_SiteConfig.pm file with:

Set( @Plugins,(qw(RT::Authen::ExternalAuth)));

Set($ExternalAuthPriority,  [ 'My_LDAP' ] );
Set($ExternalInfoPriority,  [ 'My_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS,0);
Set($AutoCreateNonExternalUsers,0);
Set($ExternalSettings,  {   'My_LDAP'   =>  {
        'type'              =>  'ldap',
        'auth'              =>  1,
        'info'              =>  1,
        'server'            =>  'ldap.mbc.qld.edu.au',
        #'user'             =>  'cn=ldaphelpdesk,ou=ldap,ou=lab,o=mbc',
        #'pass'             =>  '',
        'base'              =>  'ou=lab,o=mbc',
        'filter'            =>  '(objectClass=Person)',
        #'d_filter'         =>  '(FILTER_STRING)',
        'tls'               =>  0,
        'net_ldap_args'     =>  [version =>  3   ],
        'group'             =>  'cn=GRP_Staff,ou=lab,o=mbc',
        'group_attr'        =>  'groupMembership',
        'attr_match_list'   =>  ['Name',
                                 'EmailAddress'
                                ],
        'attr_map'          =>  {   'Name' => 'cn',
                                    'EmailAddress' => 'mail',
                                    'Organization' => 'l',
                                    'RealName' => 'cn',
                                    'ExternalAuthId' => 'cn',
                                    #'Gecos' => 'sAMAccountName',
                                    'WorkPhone' => 'telephoneNumber',
                                    'Address1' => 'streetAddress',
                                    'City' => 'l',
                                    'State' => 'st',
                                    'Zip' => 'postalCode',
                                    'Country' => 'co'
                                }
    }
}
);

-restarted apache
-tested root/password (which should work as a local account)
I get this error in the browser:
RT::User::UpdateFromExternal Unimplemented in HTML::Mason::Commands. 
(/srv/www/vhosts/rt.mbc.qld.edu.au/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth
 line 73)

If I go to http://rt.mbc.qld.edu.au (my default rt home), I go straight to the 
dashboard, already logged in as root.  
 
If I logout and try and login as a valid ldap user (bogust/bogust - see log 
below) I get this error in the browser:
Can't call method "Disabled" on an undefined value at 
/srv/www/vhosts/rt.mbc.qld.edu.au/bin/../lib/RT/User_Overlay.pm line 971.
(If I go to http://rt.mbc.qld.edu.au (my default rt home), I get the login 
screen)


 
This i

Re: [rt-users] Ldap Authentication setup question

2008-10-22 Thread Kevin Falcone

On Oct 22, 2008, at 5:20 PM, Michael Mollard wrote:

> Before I installed v .06 I 'rm-Rf /srv/www/vhosts/rt.mbc.qld.edu.au/ 
> local/plugins/RT-Authen-ExternalAuth', then did a full install of  
> the module.
> But just to be certain, I removed the 2 files you mentioned, and  
> then did a complete re-install of the RT-Authen-ExternalAuth module.

The bug was it installed into plugins AND local rather than just  
plugins/

> Same error in rt.log file.
> Same error in browser, except different line number:
> Can't call method "Disabled" on an undefined value at /srv/www/ 
> vhosts/rt.mbc.qld.edu.au/bin/../lib/RT/User_Overlay.pm line 971.

That is new and exciting.
Try turning on LogStackTraces in your config so we can see what is  
calling IsPassword
incorrectly.

-kevin

 Kevin Falcone <[EMAIL PROTECTED]> 23/10/2008 9:46 am >>>
>
> On Oct 22, 2008, at 4:10 PM, Michael Mollard wrote:
>
>> Thanks for the assistance.
>> I have downloaded and installed the latest version of RT-Authen-
>> ExternalAuth-0.06_02, with RT 3.8.1(latest)
>> I seem to have gotten a step further, but still have some issues.
>>
>> When I try and authenticate with an ldap account, my browser reports:
>> "Can't call method "Disabled" on an undefined value at /srv/www/
>> vhosts/rt.mbc.qld.edu.au/bin/../local/lib/RT/User_Vendor.pm line
>> 351, line 273."
>
> I assume you previously installed 0.05?
> You should go delete /srv/www/vhosts/rt.mbc.qld.au/local/lib/RT/
> User_vendor.pm and RT/Authen/ExternalAuth.pm
>
> 0.05 had a bug where .pm files were being double installed
>
> 0.06_02 contains a patch for this bug
>
> -kevin
>
>>
>>
>> and my ./var/log/rt.log says:
>> [Thu Oct 23 00:11:07 2008] [warning]: Transaction->Create couldn't,
>> as you didn't specify an object type and id (/srv/www/vhosts/
>> rt.mbc.qld.edu.au/bin/../lib/RT/Record.pm:1439)
>> [Thu Oct 23 00:11:07 2008] [error]: Couldn't get principal for not
>> loaded object (/srv/www/vhosts/rt.mbc.qld.edu.au/bin/../lib/RT/
>> User_Overlay.pm:1113)
>>
>> It seems to be connecting to my ldap, (which was more than it was
>> doing) but fails soon after.  Am I missing something?
>>
>> Here is my RT_Siteconfig.pm
>>
>> Set( $rtname, 'mbc.qld.edu.au');
>> Set($LogToSyslog, 'debug');
>> Set($LogToScreen, 'debug');
>> Set($LogToFile  , 'debug');
>> Set($LogDir, 'var/log');
>> Set($LogToFileNamed , "rt.log");#log to rt.log
>>
>> #Set(@Plugins,(qw(Extension::QuickDelete)));
>> Set( @Plugins, qw(RT::Authen::ExternalAuth) );
>> Set($ExternalAuthPriority,  [ 'My_LDAP' ] );
>> Set($ExternalInfoPriority,  [ 'My_LDAP' ] );
>> Set($ExternalServiceUsesSSLorTLS,0);
>> Set($AutoCreateNonExternalUsers,0);
>> Set($ExternalSettings,  {   'My_LDAP'   =>  {
>>     'type'              =>  'ldap',
>>     'auth'              =>  1,
>>     'info'              =>  1,
>>     'server'            =>  'ldap.mbc.qld.edu.au',
>>     #'user'             =>  'ldaphelpdesk',
>>     #'pass'             =>  'rt_ldap_password',
>>     'base'              =>  'ou=lab,o=mbc',
>>     'filter'            =>  '(objectClass=inetOrgPerson)',
>>     #'d_filter'         =>  '(FILTER_STRING)',
>>     'tls'               =>  0,
>>     'net_ldap_args'     =>  [version =>  3   ],
>>     'group'             =>  'cn=GRP_Staff,ou=lab,o=mbc',
>>     'group_attr'        =>  'groupMembership',
>>     'attr_match_list'   =>  ['Name',
>>                              'EmailAddress',
>>                              #'RealName',
>>                              #'WorkPhone',
>>                              #'Address2'
>>                             ],
>>     'attr_map'          =>  {   'Name' => 'cn',
>>                                 'EmailAddress' => 'mail',
>>                                 'Organization' => 'l',
>>                                 'RealName' => 'cn',
>>                                 #'ExternalAuthId' => 'sAMAccountName',
>>                                 #'Gecos' => 'sAMAccountName',
>>                                 'WorkPhone' => 'telephoneNumber',
>>                                 'Address1
>

Re: [rt-users] Ldap Authentication setup question

2008-10-22 Thread Michael Mollard
Before I installed v .06 I 'rm-Rf 
/srv/www/vhosts/rt.mbc.qld.edu.au/local/plugins/RT-Authen-ExternalAuth', then 
did a full install of the module.

But just to be certain, I removed the 2 files you mentioned, and then did a 
complete re-install of the RT-Authen-ExternalAuth module.

Same error in rt.log file.
Same error in browser, except different line number:
Can't call method "Disabled" on an undefined value at 
/srv/www/vhosts/rt.mbc.qld.edu.au/bin/../lib/RT/User_Overlay.pm line 971.

Thanks for all the prompt assistance.

Michael.


Michael Mollard
Network Administrator
Moreton Bay College
[EMAIL PROTECTED]
http://www.mbc.qld.edu.au
Ph: (Direct) 07 3907 5712 / (Mob) 0417 631 801 
Fax: 07 3390 8919 ( http://www.mbc.qld.edu.au )


>>> Kevin Falcone <[EMAIL PROTECTED]> 23/10/2008 9:46 am >>>

On Oct 22, 2008, at 4:10 PM, Michael Mollard wrote:

> Thanks for the assistance.
> I have downloaded and installed the latest version of RT-Authen- 
> ExternalAuth-0.06_02, with RT 3.8.1(latest)
> I seem to have gotten a step further, but still have some issues.
>
> When I try and authenticate with an ldap account, my browser reports:
> "Can't call method "Disabled" on an undefined value at /srv/www/ 
> vhosts/rt.mbc.qld.edu.au/bin/../local/lib/RT/User_Vendor.pm line  
> 351, line 273."

I assume you previously installed 0.05?
You should go delete /srv/www/vhosts/rt.mbc.qld.au/local/lib/RT/ 
User_vendor.pm and RT/Authen/ExternalAuth.pm

0.05 had a bug where .pm files were being double installed

0.06_02 contains a patch for this bug

-kevin

>
>
> and my ./var/log/rt.log says:
> [Thu Oct 23 00:11:07 2008] [warning]: Transaction->Create couldn't,  
> as you didn't specify an object type and id (/srv/www/vhosts/ 
> rt.mbc.qld.edu.au/bin/../lib/RT/Record.pm:1439)
> [Thu Oct 23 00:11:07 2008] [error]: Couldn't get principal for not  
> loaded object (/srv/www/vhosts/rt.mbc.qld.edu.au/bin/../lib/RT/ 
> User_Overlay.pm:1113)
>
> It seems to be connecting to my ldap, (which was more than it was  
> doing) but fails soon after.  Am I missing something?
>
> Here is my RT_Siteconfig.pm
>
> Set( $rtname, 'mbc.qld.edu.au');
> Set($LogToSyslog, 'debug');
> Set($LogToScreen, 'debug');
> Set($LogToFile  , 'debug');
> Set($LogDir, 'var/log');
> Set($LogToFileNamed , "rt.log");#log to rt.log
>
> #Set(@Plugins,(qw(Extension::QuickDelete)));
> Set( @Plugins, qw(RT::Authen::ExternalAuth) );
> Set($ExternalAuthPriority,  [ 'My_LDAP' ] );
> Set($ExternalInfoPriority,  [ 'My_LDAP' ] );
> Set($ExternalServiceUsesSSLorTLS,0);
> Set($AutoCreateNonExternalUsers,0);
> Set($ExternalSettings,  {   'My_LDAP'   =>  {
>     'type'              =>  'ldap',
>     'auth'              =>  1,
>     'info'              =>  1,
>     'server'            =>  'ldap.mbc.qld.edu.au',
>     #'user'             =>  'ldaphelpdesk',
>     #'pass'             =>  'rt_ldap_password',
>     'base'              =>  'ou=lab,o=mbc',
>     'filter'            =>  '(objectClass=inetOrgPerson)',
>     #'d_filter'         =>  '(FILTER_STRING)',
>     'tls'               =>  0,
>     'net_ldap_args'     =>  [version =>  3   ],
>     'group'             =>  'cn=GRP_Staff,ou=lab,o=mbc',
>     'group_attr'        =>  'groupMembership',
>     'attr_match_list'   =>  ['Name',
>                              'EmailAddress',
>                              #'RealName',
>                              #'WorkPhone',
>                              #'Address2'
>                             ],
>     'attr_map'          =>  {   'Name' => 'cn',
>                                 'EmailAddress' => 'mail',
>

Re: [rt-users] Ldap Authentication setup question

2008-10-22 Thread Kevin Falcone

On Oct 22, 2008, at 4:47 PM, Eli Altman wrote:

> This sounds like you need the User_Vendor patch.. I know it's been  
> known to work with earlier versions of the ExternalAuth, but is it  
> still needed for the newest version?
>
> http://www.gossamer-threads.com/lists/rt/users/77139?search_string=ldap%25
>
> I imagine Mike will be back with words of advice, but may as well  
> make a backup and give this a shot.

For the archives:

This patch has been applied to 0.06_02 but if you have an old version  
laying around
in local/ you may need to delete it.

I'm checking in an update to the README which will be in the next  
release

-kevin

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> ] On Behalf Of Michael Mollard
> Sent: Wednesday, October 22, 2008 4:10 PM
> To: [EMAIL PROTECTED]; RT Users
> Subject: Re: [rt-users] Ldap Authentication setup question
>
> Thanks for the assistance.
> I have downloaded and installed the latest version of RT-Authen- 
> ExternalAuth-0.06_02, with RT 3.8.1(latest)
> I seem to have gotten a step further, but still have some issues.
>
> When I try and authenticate with an ldap account, my browser reports:
> "Can't call method "Disabled" on an undefined value at /srv/www/ 
> vhosts/rt.mbc.qld.edu.au/bin/../local/lib/RT/User_Vendor.pm line  
> 351, line 273."
>
> and my ./var/log/rt.log says:
> [Thu Oct 23 00:11:07 2008] [warning]: Transaction->Create couldn't,  
> as you didn't specify an object type and id (/srv/www/vhosts/ 
> rt.mbc.qld.edu.au/bin/../lib/RT/Record.pm:1439)
> [Thu Oct 23 00:11:07 2008] [error]: Couldn't get principal for not  
> loaded object (/srv/www/vhosts/rt.mbc.qld.edu.au/bin/../lib/RT/ 
> User_Overlay.pm:1113)
>
> It seems to be connecting to my ldap, (which was more than it was  
> doing) but fails soon after.  Am I missing something?
>
> Here is my RT_Siteconfig.pm
>
> Set( $rtname, 'mbc.qld.edu.au');
> Set($LogToSyslog, 'debug');
> Set($LogToScreen, 'debug');
> Set($LogToFile  , 'debug');
> Set($LogDir, 'var/log');
> Set($LogToFileNamed , "rt.log");#log to rt.log
>
> #Set(@Plugins,(qw(Extension::QuickDelete)));
> Set( @Plugins, qw(RT::Authen::ExternalAuth) );
> Set($ExternalAuthPriority,  [ 'My_LDAP' ] );
> Set($ExternalInfoPriority,  [ 'My_LDAP' ] );
> Set($ExternalServiceUsesSSLorTLS,0);
> Set($AutoCreateNonExternalUsers,0);
> Set($ExternalSettings,  {   'My_LDAP'   =>  {
>     'type'              =>  'ldap',
>     'auth'              =>  1,
>     'info'              =>  1,
>     'server'            =>  'ldap.mbc.qld.edu.au',
>     #'user'             =>  'ldaphelpdesk',
>     #'pass'             =>  'rt_ldap_password',
>     'base'              =>  'ou=lab,o=mbc',
>     'filter'            =>  '(objectClass=inetOrgPerson)',
>     #'d_filter'         =>  '(FILTER_STRING)',
>     'tls'               =>  0,
>     'net_ldap_args'     =>  [version =>  3   ],
>     'group'             =>  'cn=GRP_Staff,ou=lab,o=mbc',
>     'group_attr'        =>  'groupMembership',
>     'attr_match_list'   =>  ['Name',
>                              'EmailAddress',
>                              #'RealName',

Re: [rt-users] Ldap Authentication setup question

2008-10-22 Thread Eli Altman
This sounds like you need the User_Vendor patch.. I know it's been known to 
work with earlier versions of the ExternalAuth, but is it still needed for the 
newest version?

http://www.gossamer-threads.com/lists/rt/users/77139?search_string=ldap%25

I imagine Mike will be back with words of advice, but may as well make a backup 
and give this a shot.


Elias

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Mollard
Sent: Wednesday, October 22, 2008 4:10 PM
To: [EMAIL PROTECTED]; RT Users
Subject: Re: [rt-users] Ldap Authentication setup question

Thanks for the assistance.
I have downloaded and installed the latest version of 
RT-Authen-ExternalAuth-0.06_02, with RT 3.8.1(latest)
I seem to have gotten a step further, but still have some issues.

When I try and authenticate with an ldap account, my browser reports:
"Can't call method "Disabled" on an undefined value at 
/srv/www/vhosts/rt.mbc.qld.edu.au/bin/../local/lib/RT/User_Vendor.pm line 351, 
line 273."

and my ./var/log/rt.log says:
[Thu Oct 23 00:11:07 2008] [warning]: Transaction->Create couldn't, as you 
didn't specify an object type and id 
(/srv/www/vhosts/rt.mbc.qld.edu.au/bin/../lib/RT/Record.pm:1439)
[Thu Oct 23 00:11:07 2008] [error]: Couldn't get principal for not loaded 
object (/srv/www/vhosts/rt.mbc.qld.edu.au/bin/../lib/RT/User_Overlay.pm:1113)

It seems to be connecting to my ldap, (which was more than it was doing) but 
fails soon after.  Am I missing something?

Here is my RT_Siteconfig.pm

Set( $rtname, 'mbc.qld.edu.au');
Set($LogToSyslog, 'debug');
Set($LogToScreen, 'debug');
Set($LogToFile  , 'debug');
Set($LogDir, 'var/log');
Set($LogToFileNamed , "rt.log");#log to rt.log

#Set(@Plugins,(qw(Extension::QuickDelete)));
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalAuthPriority,  [ 'My_LDAP' ] );
Set($ExternalInfoPriority,  [ 'My_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS,0);
Set($AutoCreateNonExternalUsers,0);
Set($ExternalSettings,  {   'My_LDAP'   =>  {
        'type'              =>  'ldap',
        'auth'              =>  1,
        'info'              =>  1,
        'server'            =>  'ldap.mbc.qld.edu.au',
        #'user'             =>  'ldaphelpdesk',
        #'pass'             =>  'rt_ldap_password',
        'base'              =>  'ou=lab,o=mbc',
        'filter'            =>  '(objectClass=inetOrgPerson)',
        #'d_filter'         =>  '(FILTER_STRING)',
        'tls'               =>  0,
        'net_ldap_args'     =>  [version =>  3   ],
        'group'             =>  'cn=GRP_Staff,ou=lab,o=mbc',
        'group_attr'        =>  'groupMembership',
        'attr_match_list'   =>  ['Name',
                                 'EmailAddress',
                                 #'RealName',
                                 #'WorkPhone',
                                 #'Address2'
                                ],
        'attr_map'          =>  {   'Name' => 'cn',
                                    'EmailAddress' => 'mail',
                                    'Organization' => 'l',
 

Re: [rt-users] Ldap Authentication setup question

2008-10-22 Thread Kevin Falcone

On Oct 22, 2008, at 4:10 PM, Michael Mollard wrote:

> Thanks for the assistance.
> I have downloaded and installed the latest version of RT-Authen- 
> ExternalAuth-0.06_02, with RT 3.8.1(latest)
> I seem to have gotten a step further, but still have some issues.
>
> When I try and authenticate with an ldap account, my browser reports:
> "Can't call method "Disabled" on an undefined value at /srv/www/ 
> vhosts/rt.mbc.qld.edu.au/bin/../local/lib/RT/User_Vendor.pm line  
> 351, line 273."

I assume you previously installed 0.05?
You should go delete /srv/www/vhosts/rt.mbc.qld.au/local/lib/RT/ 
User_vendor.pm and RT/Authen/ExternalAuth.pm

0.05 had a bug where .pm files were being double installed

0.06_02 contains a patch for this bug

-kevin

>
>
> and my ./var/log/rt.log says:
> [Thu Oct 23 00:11:07 2008] [warning]: Transaction->Create couldn't,  
> as you didn't specify an object type and id (/srv/www/vhosts/ 
> rt.mbc.qld.edu.au/bin/../lib/RT/Record.pm:1439)
> [Thu Oct 23 00:11:07 2008] [error]: Couldn't get principal for not  
> loaded object (/srv/www/vhosts/rt.mbc.qld.edu.au/bin/../lib/RT/ 
> User_Overlay.pm:1113)
>
> It seems to be connecting to my ldap, (which was more than it was  
> doing) but fails soon after.  Am I missing something?
>
> Here is my RT_Siteconfig.pm
>
> Set( $rtname, 'mbc.qld.edu.au');
> Set($LogToSyslog, 'debug');
> Set($LogToScreen, 'debug');
> Set($LogToFile  , 'debug');
> Set($LogDir, 'var/log');
> Set($LogToFileNamed , "rt.log");#log to rt.log
>
> #Set(@Plugins,(qw(Extension::QuickDelete)));
> Set( @Plugins, qw(RT::Authen::ExternalAuth) );
> Set($ExternalAuthPriority,  [ 'My_LDAP' ] );
> Set($ExternalInfoPriority,  [ 'My_LDAP' ] );
> Set($ExternalServiceUsesSSLorTLS,0);
> Set($AutoCreateNonExternalUsers,0);
> Set($ExternalSettings,  {   'My_LDAP'   =>  {
>     'type'              =>  'ldap',
>     'auth'              =>  1,
>     'info'              =>  1,
>     'server'            =>  'ldap.mbc.qld.edu.au',
>     #'user'             =>  'ldaphelpdesk',
>     #'pass'             =>  'rt_ldap_password',
>     'base'              =>  'ou=lab,o=mbc',
>     'filter'            =>  '(objectClass=inetOrgPerson)',
>     #'d_filter'         =>  '(FILTER_STRING)',
>     'tls'               =>  0,
>     'net_ldap_args'     =>  [version =>  3   ],
>     'group'             =>  'cn=GRP_Staff,ou=lab,o=mbc',
>     'group_attr'        =>  'groupMembership',
>     'attr_match_list'   =>  ['Name',
>                              'EmailAddress',
>                              #'RealName',
>                              #'WorkPhone',
>                              #'Address2'
>                             ],
>     'attr_map'          =>  {   'Name' => 'cn',
>                                 'EmailAddress' => 'mail',
>                                 'Organization' => 'l',
>                                 'RealName' => 'cn',
>                                 #'ExternalAuthId' => 'sAMAccountName',
>                                 #'Gecos' => 'sAMAccountName',
>                                 'WorkPhone' => 'telephoneNumber',
>                                 'Address1' => 'streetAddress',
> 

Re: [rt-users] Ldap Authentication setup question

2008-10-22 Thread Michael Mollard
Thanks for the assistance.
I have downloaded and installed the latest version of 
RT-Authen-ExternalAuth-0.06_02, with RT 3.8.1(latest)
I seem to have gotten a step further, but still have some issues.

When I try and authenticate with an ldap account, my browser reports:
"Can't call method "Disabled" on an undefined value at 
/srv/www/vhosts/rt.mbc.qld.edu.au/bin/../local/lib/RT/User_Vendor.pm line 351, 
line 273."

and my ./var/log/rt.log says:
[Thu Oct 23 00:11:07 2008] [warning]: Transaction->Create couldn't, as you 
didn't specify an object type and id 
(/srv/www/vhosts/rt.mbc.qld.edu.au/bin/../lib/RT/Record.pm:1439)
[Thu Oct 23 00:11:07 2008] [error]: Couldn't get principal for not loaded 
object (/srv/www/vhosts/rt.mbc.qld.edu.au/bin/../lib/RT/User_Overlay.pm:1113)

It seems to be connecting to my ldap, (which was more than it was doing) but 
fails soon after.  Am I missing something?

Here is my RT_Siteconfig.pm

Set( $rtname, 'mbc.qld.edu.au');
Set($LogToSyslog, 'debug');
Set($LogToScreen, 'debug');
Set($LogToFile  , 'debug');
Set($LogDir, 'var/log');
Set($LogToFileNamed , "rt.log");#log to rt.log

#Set(@Plugins,(qw(Extension::QuickDelete)));
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalAuthPriority,  [ 'My_LDAP' ] );
Set($ExternalInfoPriority,  [ 'My_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS,0);
Set($AutoCreateNonExternalUsers,0);
Set($ExternalSettings,  {   'My_LDAP'   =>  {
        'type'              =>  'ldap',
        'auth'              =>  1,
        'info'              =>  1,
        'server'            =>  'ldap.mbc.qld.edu.au',
        #'user'             =>  'ldaphelpdesk',
        #'pass'             =>  'rt_ldap_password',
        'base'              =>  'ou=lab,o=mbc',
        'filter'            =>  '(objectClass=inetOrgPerson)',
        #'d_filter'         =>  '(FILTER_STRING)',
        'tls'               =>  0,
        'net_ldap_args'     =>  [version =>  3   ],
        'group'             =>  'cn=GRP_Staff,ou=lab,o=mbc',
        'group_attr'        =>  'groupMembership',
        'attr_match_list'   =>  ['Name',
                                 'EmailAddress',
                                 #'RealName',
                                 #'WorkPhone',
                                 #'Address2'
                                ],
        'attr_map'          =>  {   'Name' => 'cn',
                                    'EmailAddress' => 'mail',
                                    'Organization' => 'l',
                                    'RealName' => 'cn',
                                    #'ExternalAuthId' => 'sAMAccountName',
                                    #'Gecos' => 'sAMAccountName',
                                    'WorkPhone' => 'telephoneNumber',
                                    'Address1' => 'streetAddress',
                                    'City' => 'l',
                                    'State' => 'st',
                                    'Zip' => 'postalCode',
                                    'Country' => 'co'
                                }
   

Re: [rt-users] Ldap Authentication setup question

2008-10-22 Thread Mike Peachey
Michael Mollard wrote:
> Hi all,
> I'm an RT newbie, so be gentle with me.
> 
> I have setup a functioning RT system (on SLES10sp2)

What version of RT?

> I have installed the RT::Authen::ExternalAuth 0.5.  This creates a 
> <$RT_HOME>/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
> I have edited that file with the correct site-specific ldap stuff.  
> 
> Now, what do I need to add to my <$RT_Home>/etc/RT_SiteConfig.pm to activate 
> the LDAP stuff?  Are there any other changes needed?

The file
$RTHOME/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm is not
part of the installation, it simply contains examples for you to paste
into your $RTHOME/etc/RT_SiteConfig.pm file.

You can alternatively choose to put a line in your RT_SiteConfig to
"include" the example file instead of just copying the lines out of it.

> The wiki articles (http://wiki.bestpractical.com/view/ExternalAuth) are 
> helpful to a point, but the Post-Install section (which is apparently the 
> crux of the setup) is too vague for an RT newbie.

I've just read it again and the instructions seem fairly clear. If you
can advise what is confusing to you, perhaps we can make it better.

If you are using RT 3.8.x then I recommend using this ExternalAuth
0.06_002 instead of 0.05 as it is a pre-release candidate for RT3.8
compatibility. 0.05 was written before 3.8 came out and so requires
tweaking before it will work properly with 3.8 and later.

You can get it here:
http://www.cpan.org/authors/id/F/FA/FALCONE/RT-Authen-ExternalAuth-0.06_02.tar.gz

-- 
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__
___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: [EMAIL PROTECTED]


Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
Buy a copy at http://rtbook.bestpractical.com


[rt-users] Ldap Authentication setup question

2008-10-21 Thread Michael Mollard
Hi all,
I'm an RT newbie, so be gentle with me.

I have setup a functioning RT system (on SLES10sp2), and am trying to setup 
ldap authentication to our eDirectory (using LDAP) for automatic user 
authentication/creation.  I have spent a week, I've googled, wiki'd, and 
searched the RT list archives.  I keep coming back to the same few documents, 
and am having little luck.  I know it's my understanding of how RT fits 
together, and probably perl in general, but if someone could help me with this, 
I'd be very grateful.

I have installed the RT::Authen::ExternalAuth 0.5.  This creates a 
<$RT_HOME>/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
I have edited that file with the correct site-specific ldap stuff.  

Now, what do I need to add to my <$RT_Home>/etc/RT_SiteConfig.pm to activate 
the LDAP stuff?  Are there any other changes needed?

The wiki articles (http://wiki.bestpractical.com/view/ExternalAuth) are helpful 
to a point, but the Post-Install section (which is apparently the crux of the 
setup) is too vague for an RT newbie.

Any pointers would be much appreciated..

Kind regards,




Michael Mollard
Network Administrator
Moreton Bay College
[EMAIL PROTECTED]
http://www.mbc.qld.edu.au
Ph: (Direct) 07 3907 5712 / (Mob) 0417 631 801 
Fax: 07 3390 8919 ( http://www.mbc.qld.edu.au )





Re: [rt-users] Ldap authentication *Easy Question

2008-09-26 Thread Auch, Benjamin
Thanks for the tips.  From searching last night, I found several sites
that appear to use RT and single-sign on, but everything is so outdated.
Plus, any method using NTLM for Microsoft Active Directory will break
using Windows Server 2008 (NTLMv2) (Confirmation anyone?)

Maybe the RT::Authen::ExternalAuth and RT::Authen::CookieAuth is the way
to go.  The extra LDAP field mappings and allowed/restricted groups are
nice features. 

Helpful links I found.  pass through authentication single signon ldap
authentication 
http://blank.org/memory/output/rt-ad-sso.html 
http://mywheel.net/blog/index.php/mod_ntlm2-on-apache-22x/ 
http://wiki.bestpractical.com/view/LdapOverlay 
http://www.justatheory.com/computers/programming/perl/rt/ldap_auth.html





Re: [rt-users] Ldap authentication *Easy Question

2008-09-26 Thread Mike Peachey
Auch, Benjamin wrote:
> Hi, I’m running 3.8.1 on Ubuntu 8.04 with MySQL, apache2, modperl2 and
> LDAP.  (Had Linux virtual machine running on MS virtual server 2005, but
> it was a tad slow (no CPU usage though, weird))
> 
>  
> 
> My LDAP config uses the Mike Peachey External Auth method, with the hack
> for 3.8.1.  My users are prompted for their username and password (from
> the RT Self Service page) it uses LDAP to grab their password.  It also
> creates an account when they first email or when I create an account it
> pulls in the AD info.   So LDAP works great.
> 
>  
> 
> My question is:  Can I do more LDAP authentication than I have now?  (I
> think I have LDAP overlay?)  Using an MS domain environment, can the
> site grab the users current credentials and pass them through?  IE –
> pass through authentication?  (We do this all the time for IIS sites on
> our Intranet)

Difficult one. Certainly no way exists at the moment for pass-through
auth on windows, however you are free to write a way. The closest I got
so far is using Cookies to provide single-sign on for the website RT is
integrated into. Using RT::Authen::ExternalAuth's ability to
authenticate against a MySQL database and RT::Authen::CookieAuth
together allows users to login to our website and be automatically
logged into RT with the cookie the website provides.

Perhaps that's somewhere for you to start?

Alternatively, if you're happy to have users tied to individual
certificates, you can get very effective single sign-on using
certificate authentication and installing a unique certificate in each
user's browser.

-- 
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__


[rt-users] Ldap authentication *Easy Question

2008-09-25 Thread Auch, Benjamin
Hi, I'm running 3.8.1 on Ubuntu 8.04 with MySQL, apache2, modperl2 and
LDAP.  (Had Linux virtual machine running on MS virtual server 2005, but
it was a tad slow (no CPU usage though, weird))

 

My LDAP config uses the Mike Peachey External Auth method, with the hack
for 3.8.1.  My users are prompted for their username and password (from
the RT Self Service page) it uses LDAP to grab their password.  It also
creates an account when they first email or when I create an account it
pulls in the AD info.   So LDAP works great.

 

My question is:  Can I do more LDAP authentication than I have now?  (I
think I have LDAP overlay?)  Using an MS domain environment, can the
site grab the users current credentials and pass them through?  IE -
pass through authentication?  (We do this all the time for IIS sites on
our Intranet)

 

Thanks for your help, loving RT so far.  (Anxiously awaiting the
outbound plaintext to HTML fix )

 

Also I did have the famed 3.8.1 view a page, prompt for login, view a
page, prompt for login.  All I did was the re-do the install and it
worked.  

 

Thanks

Ben

 

External Auth: http://wiki.bestpractical.com/view/ExternalAuth

3.8.1 Hacks: http://www.gossamer-threads.com/lists/rt/users/77286

 




Re: [rt-users] LDAP Authentication Problems

2008-06-25 Thread Lloyd Hughes
Hi Mike

Thanks for the quick response.  I did a reinstall of RT and that fixed 
the problem. My predecessor must have modified the code at some point.

Lloyd

Mike Peachey wrote:
> Lloyd Hughes wrote:
> > I'm using Mike Peachey's RT-Authen-External installed via c-pan but am
> > unable to login. I'm running RT3 v 3.6.5
> >
> > From my log file it appears that sAMAccountName is not getting set, or
> > the user's login name is not being passed to RT-Authen-External.
> >
> > My log:
> > [Fri Jun 20 20:57:11 2008] [debug]: LDAP Search ===  Base: 
> > DC=ZeugmaSystems,dc=local  == Filter: 
> > (&(*sAMAccountName=*)(objectclass=Person)) == Attrs: dn
> > (/usr/local/lib/rt3/lib/RT/User_Vendor.pm:185)
> > [Fri Jun 20 20:57:11 2008] [info]: My_LDAP AUTH FAILED:  User not 
> > found or more than one user found 
> > (/usr/local/lib/rt3/lib/RT/User_Vendor.pm:208)
>
> I don't quite see where the *s are coming from: 
> (&(*sAMAccountName=*)(objectclass=Person))
>
> There definitely shouldn't be a * before sAMAccountName and the one 
> after should be an actual user and not a wildcard search.
>
> The config and the debug output don't seem to match up.
>
> Can you make sure that, with the config as it is, you do a full restart:
>
> apachectl stop
> rm -rf $RTHOME/var/mason_data/obj/*
> apachectl start
>
> and then try again and check that the output is exactly the same?
>
> Also can you confirm you are using v0.05 and you haven't altered it at 
> all?
>
> If after a full restart everything is the same, you might want to add 
> a little debug around line 208 in 
> /usr/local/lib/rt3/lib/RT/User_Vendor.pm to work out where those stars 
> are coming from - I've never seen them before...
> -- 
> Kind Regards,
>
> __
>
> Mike Peachey, IT
> Tel: +44 114 281 2655
> Fax: +44 114 281 2951
> Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
> Comp Reg No: 3191371 - Registered In England
> http://www.jennic.com
> __


Re: [rt-users] LDAP Authentication Problems

2008-06-24 Thread Mike Peachey
Lloyd Hughes wrote:
 > I'm using Mike Peachey's RT-Authen-External installed via c-pan but am
 > unable to login. I'm running RT3 v 3.6.5
 >
 > From my log file it appears that sAMAccountName is not getting set, or
 > the user's login name is not being passed to RT-Authen-External.
 >
 > My log:
 > [Fri Jun 20 20:57:11 2008] [debug]: LDAP Search ===  Base: 
 > DC=ZeugmaSystems,dc=local  == Filter: 
 > (&(*sAMAccountName=*)(objectclass=Person)) == Attrs: dn
 > (/usr/local/lib/rt3/lib/RT/User_Vendor.pm:185)
 > [Fri Jun 20 20:57:11 2008] [info]: My_LDAP AUTH FAILED:  User not 
 > found or more than one user found 
 > (/usr/local/lib/rt3/lib/RT/User_Vendor.pm:208)

I don't quite see where the *s are coming from: 
(&(*sAMAccountName=*)(objectclass=Person))

There definitely shouldn't be a * before sAMAccountName and the one 
after should be an actual user and not a wildcard search.

The config and the debug output don't seem to match up.

Can you make sure that, with the config as it is, you do a full restart:

apachectl stop
rm -rf $RTHOME/var/mason_data/obj/*
apachectl start

and then try again and check that the output is exactly the same?

Also can you confirm you are using v0.05 and you haven't altered it at all?

If after a full restart everything is the same, you might want to add a 
little debug around line 208 in /usr/local/lib/rt3/lib/RT/User_Vendor.pm 
to work out where those stars are coming from - I've never seen them 
before...
--
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__


[rt-users] LDAP Authentication Problems

2008-06-24 Thread Lloyd Hughes
I'm using Mike Peachey's RT-Authen-External installed via c-pan but am 
unable to login. I'm running RT3 v 3.6.5

From my log file it appears that sAMAccountName is not getting set, or 
the user's login name is not being passed to RT-Authen-External.

My log:
[Fri Jun 20 20:57:11 2008] [debug]: RT::User::IsExternalPassword Trying 
External authentication (/usr/local/lib/rt3/lib/RT/User_Vendor.pm:52)
[Fri Jun 20 20:57:11 2008] [debug]: Attempting to use external auth service: 
My_LDAP (/usr/local/lib/rt3/lib/RT/User_Vendor.pm:63)
[Fri Jun 20 20:57:11 2008] [debug]: LDAP Search ===  Base: 
DC=ZeugmaSystems,dc=local  == Filter: 
(&(*sAMAccountName=*)(objectclass=Person)) == Attrs: dn 
(/usr/local/lib/rt3/lib/RT/User_Vendor.pm:185)
[Fri Jun 20 20:57:11 2008] [info]: My_LDAP AUTH FAILED:  User not found or more 
than one user found (/usr/local/lib/rt3/lib/RT/User_Vendor.pm:208)
[Fri Jun 20 20:57:11 2008] [info]: RT::User::IsExternalPassword External Auth 
Failed:  (/usr/local/lib/rt3/lib/RT/User_Vendor.pm:294)
[Fri Jun 20 20:57:11 2008] [debug]: RT::User::IsPassword External auth FAILED 
(/usr/local/lib/rt3/lib/RT/User_Vendor.pm:360)
[Fri Jun 20 20:57:11 2008] [info]: RT::User::IsInternalPassword AUTH FAILED (no 
passwd):  (/usr/local/lib/rt3/lib/RT/User_Vendor.pm:305)
[Fri Jun 20 20:57:11 2008] [debug]: RT::User::IsPassword Internal auth FAILED 
(/usr/local/lib/rt3/lib/RT/User_Vendor.pm:366)


My configuration in RT-SiteConfig.pm is as follows

### LDAP Settings
#
Set($ExternalAuthPriority,  [   'My_LDAP'
                            ]
);
Set($ExternalInfoPriority,  [   'My_LDAP'
                            ]
);
Set($ExternalServiceUsesSSLorTLS,0);
Set($AutoCreateNonExternalUsers,0);
Set($ExternalSettings,  {   # AN EXAMPLE LDAP SERVICE
    'My_LDAP'   =>  {   ## GENERIC SECTION
        'type'            =>  'ldap',
        'auth'            =>  1,
        'info'            =>  1,
        'server'          =>  'exchange.zeugmasystems.local',
        'base'            =>  'DC=ZeugmaSystems,dc=local ',
        'filter'          =>  '(objectclass=Person)',
        'd_filter'        =>  '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'             =>  0,
        'net_ldap_args'   => [version =>  3   ],
        'attr_match_list' => ['Name',
                              'EmailAddress',
                              'RealName',
                              'WorkPhone',
                              'Address2'
                             ],
        'attr_map'        =>  {   'Name' => 'sAMAccountName',
                                  'EmailAddress' => 'mail',
                                  'Organization' => 'physicalDeliveryOfficeName',
                                  'RealName' => 'cn',
                                  'ExternalAuthId' => 'sAMAccountName',
                                  'Gecos' => 'sAMAccountName',
                                  'WorkPhone' => 'telephoneNumber',
                                  'Address1' => 'streetAddress',
                                  'City' => 'l',
                                  'State' => 'st',
                                  'Zip' => 'postalCode',
                                  'Country' => 'co'
                              }
  

Re: [rt-users] LDAP Authentication and User Account Creation 3.6.6. and latest ExternalAuth

2008-06-03 Thread Carlos J. Velez-Rivera
On Monday 02 June 2008 04:25:17 Mike Peachey wrote:
> Carlos J. Velez-Rivera wrote:
> > Mike,
> > 
> > I'm one of those who has the issue you mention.  I'd like to help.  Do 
> > you want some more output enabled?  Would you like me to add some code to 
> > my instance so you can output anything that might help you fix it?
> 
> It's not something that is easily done by remote instruction. What I 
> really need is someone who is vaguely familiar with perl and RT to run 
> through the code with a few new debugging statements, and make 
> adjustments to them where necessary based on the log output to determine 
> where the ID is getting lost.

Honestly, I'm not familiar with the RT code, but have done extensive perl 
programing in the past.  I'd like to give it a try, if you are up for it!  Let 
me know if you have any recommended reading before I jump in.

-- 
Carlos J. Velez-Rivera

Manager
CK Computing Corporation
[EMAIL PROTECTED]
Voice: (787)464-1182
Fax: 866-910-4798


Re: [rt-users] LDAP Authentication and User Account Creation 3.6.6. and latest ExternalAuth

2008-06-02 Thread Mike Peachey
Carlos J. Velez-Rivera wrote:
> Mike,
> 
>   I'm one of those who has the issue you mention.  I'd like to help.  Do 
> you want some more output enabled?  Would you like me to add some code to my 
> instance so you can output anything that might help you fix it?

It's not something that is easily done by remote instruction. What I 
really need is someone who is vaguely familiar with perl and RT to run 
through the code with a few new debugging statements, and make 
adjustments to them where necessary based on the log output to determine 
where the ID is getting lost.
-- 
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__


Re: [rt-users] LDAP Authentication and User Account Creation 3.6.6. and latest ExternalAuth

2008-06-01 Thread Carlos J. Velez-Rivera
Mike,

I'm one of those who has the issue you mention.  I'd like to help.  Do 
you want some more output enabled?  Would you like me to add some code to my 
instance so you can output anything that might help you fix it?

Thanks,
Carlos
On Friday 30 May 2008 04:34:10 Mike Peachey wrote:
> Bill Teeple wrote:
> > (also - note - I put rt3 within the /var volume not the /opt volume)
> 
> Meh, I always stick it in /usr
> 
> > Here is a part of my log:
> > 
> > 
> > 
> > [Thu May 29 19:37:57 2008] [warning]: Transaction->Create couldn't, as 
> > you didn't specify an object type and id (/var/rt3/lib/RT/Record.pm:1486)
> 
> I'm not sure what the cause of this message is, but it does not get in 
> the way of user creation, this is one of those messages that has ALWAYS 
> been there, I've just yet to get around to working out why.
> 
> > [Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join 
> > or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22. 
> > (/var/rt3/local/lib/RT/User_Vendor.pm:408)
> 
> I've never seen this one before, but I'm guessing it's due to a lack of 
> a Set($ExternalInfoPriority, ['My_LDAP']); in your config. Auth and info 
> are treated as completely separate services and so you need to define 
> the services for each.
> 
> > [Thu May 29 19:37:57 2008] [debug]: Attempting to get user info using 
> > this external service:  (/var/rt3/local/lib/RT/User_Vendor.pm:408)
> 
> Hence this line ^^
> 
> > [Thu May 29 19:37:57 2008] [info]: RT::User::CanonicalizeUserInfo 
> > returning Disabled: 0, EmailAddress: , Gecos: ldapsearch, Name: 
> > ldapsearch, Privileged: 0 (/var/rt3/local/lib/RT/User_Vendor.pm:444)
> 
> > [Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join 
> > or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22. 
> > (/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
> 
> And again ^^
> 
> > [Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user 
> > ldapsearch (  ) 
> > (/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
> 
> This one ^^ is the nub of the problem. I have had a number of people 
> report having this issue, for some reason there just seems to be no user 
> object created or no principal ID assigned and, because it's only debug 
> output, it's not clear if anything is being created or not, or if it's 
> just not reporting right to the debugging code.
> 
> If you can help me get to the cause of this issue I would greatly 
> appreciate it. The problem I have is that, because it's never happened 
> to me, I do not have access to a copy of RT with the problem so that I 
> can debug it myself.
> 
> > Here is my RT_SiteConfig.pm:
> > 
> > Set($AuthMethods, ['LDAP','internal']);
> 
> This setting ^^ is irrelevant. It forms part of Jim Meyer's LDAP 
> User_Local.pm overlay code which was deprecated by the ExternalAuth 
> extension. I recommend removing it. Also, since you have this line, make 
> sure you don't have a $RTHOME/local/lib/RT/User_Local.pm or the same in 
> the non-local tree, because if you have accidentally combined my code 
> and Jim Meyer's you could be looking at problems.
> 
> > # These are the full settings for each external service as a HashOfHashes
> > # Note that you may have as many external services as you wish. They will
> > # be checked in the order specified in the Priority directives above.
> > # e.g.
> > Set($ExternalAuthPriority,['My_LDAP']);
> 
> Obviously insert ExternalInfoPriority here.
> 
> 
> > 'attr_match_list'   => ['Name',
> >  'EmailAddress',
> >  'RealName',
> >  'WorkPhone',
> >  'Address2'
> >  ],
> 
> I think I'll be updating the example config for the next release to 
> reduce the attr_match_list. I would recommend only using Name and 
> EmailAddress in your configuration. These should be attributes that 
> *uniquely* identify a user meaning you can't have more than one with the 
> same Address or workphone. Name and Email give RT a username and an 
> e-mail address, each of which should be unique for each and every user.
> 
> > When I uncomment the:
> > 
> > #Set($AutoCreateNonExternalUsers,1);
> >
> > line, my attempted user gets AUTO-CREATED in the system, but no 
> > attributes are pulled over.
> 
> As per the comments, if you uncomment it, RT will create the user 
> whether they authenticated (and informaticated :/) correctly or not.
> 
> > 
> > As you can see by the log file above, when a user (in log above, example 
> > user is called ldapsearch) who is not within RT attempts to log on, 
> > settings are pulled just fine - it even says it has authenticated 
> > properly, but then the last line:
> > 
> > [Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user 
> > ldapsearch (  ) 
> > (/var/rt3/share/html/Callbacks/Ex

Re: [rt-users] LDAP Authentication and User Account Creation 3.6.6. and latest ExternalAuth

2008-05-30 Thread Mike Peachey
Bill Teeple wrote:
> (also - note - I put rt3 within the /var volume not the /opt volume)

Meh, I always stick it in /usr

> Here is a part of my log:
> 
> 
> 
> [Thu May 29 19:37:57 2008] [warning]: Transaction->Create couldn't, as 
> you didn't specify an object type and id (/var/rt3/lib/RT/Record.pm:1486)

I'm not sure what the cause of this message is, but it does not get in 
the way of user creation, this is one of those messages that has ALWAYS 
been there, I've just yet to get around to working out why.

> [Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join 
> or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22. 
> (/var/rt3/local/lib/RT/User_Vendor.pm:408)

I've never seen this one before, but I'm guessing it's due to a lack of 
a Set($ExternalInfoPriority, ['My_LDAP']); in your config. Auth and info 
are treated as completely separate services and so you need to define 
the services for each.

> [Thu May 29 19:37:57 2008] [debug]: Attempting to get user info using 
> this external service:  (/var/rt3/local/lib/RT/User_Vendor.pm:408)

Hence this line ^^

> [Thu May 29 19:37:57 2008] [info]: RT::User::CanonicalizeUserInfo 
> returning Disabled: 0, EmailAddress: , Gecos: ldapsearch, Name: 
> ldapsearch, Privileged: 0 (/var/rt3/local/lib/RT/User_Vendor.pm:444)

> [Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join 
> or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22. 
> (/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)

And again ^^

> [Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user 
> ldapsearch (  ) 
> (/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)

This one ^^ is the nub of the problem. I have had a number of people 
report having this issue, for some reason there just seems to be no user 
object created or no principal ID assigned and, because it's only debug 
output, it's not clear if anything is being created or not, or if it's 
just not reporting right to the debugging code.

If you can help me get to the cause of this issue I would greatly 
appreciate it. The problem I have is that, because it's never happened 
to me, I do not have access to a copy of RT with the problem so that I 
can debug it myself.

> Here is my RT_SiteConfig.pm:
> 
> Set($AuthMethods, ['LDAP','internal']);

This setting ^^ is irrelevant. It forms part of Jim Meyer's LDAP 
User_Local.pm overlay code which was deprecated by the ExternalAuth 
extension. I recommend removing it. Also, since you have this line, make 
sure you don't have a $RTHOME/local/lib/RT/User_Local.pm or the same in 
the non-local tree, because if you have accidentally combined my code 
and Jim Meyer's you could be looking at problems.

> # These are the full settings for each external service as a HashOfHashes
> # Note that you may have as many external services as you wish. They will
> # be checked in the order specified in the Priority directives above.
> # e.g.
> Set($ExternalAuthPriority,['My_LDAP']);

Obviously insert ExternalInfoPriority here.


> 'attr_match_list'   => ['Name',
>  'EmailAddress',
>  'RealName',
>  'WorkPhone',
>  'Address2'
>  ],

I think I'll be updating the example config for the next release to 
reduce the attr_match_list. I would recommend only using Name and 
EmailAddress in your configuration. These should be attributes that 
*uniquely* identify a user meaning you can't have more than one with the 
same Address or workphone. Name and Email give RT a username and an 
e-mail address, each of which should be unique for each and every user.

> When I uncomment the:
> 
> #Set($AutoCreateNonExternalUsers,1);
>
> line, my attempted user gets AUTO-CREATED in the system, but no 
> attributes are pulled over.

As per the comments, if you uncomment it, RT will create the user 
whether they authenticated (and informaticated :/) correctly or not.

> 
> As you can see by the log file above, when a user (in log above, example 
> user is called ldapsearch) who is not within RT attempts to log on, 
> settings are pulled just fine - it even says it has authenticated 
> properly, but then the last line:
> 
> [Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user 
> ldapsearch (  ) 
> (/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
> 
> Shows me that the account is attempting to be created, but the "( )" is 
> missing an ID of some?

Precisely. A few of your own debugging statements may be able to help 
you work out why and I would love to know. If I can help I'm always 
around, especially in #rt on irc.perl.org. Just say Zordrak three times 
and I shall appear. I'm magic like that.

> This coupled with the error further UP the log:
> 
> [Thu May 29 19:37:57 2008] [warning]: Transaction->Create couldn't
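
A log triage sketch for the symptoms discussed in these threads, added here as an example (it is not part of any list post and is not ExternalAuth's own code): it re-joins wrapped rt.log entries and flags a wildcarded login filter, an empty info-service name, and an autocreated user with no ID. The function names, finding codes, hint texts and the sample log are constructed for illustration; the default `login_attr` is an assumption taken from the `attr_map` 'Name' mapping shown in the configs.

```python
import re

# Constructed sample: entries shaped like the rt.log lines quoted in this
# thread (domains replaced), including the hard wraps added by mail clients.
SAMPLE_LOG = """\
[Fri Jun 20 20:57:11 2008] [debug]: LDAP Search ===  Base:
DC=example,dc=local  == Filter:
(&(*sAMAccountName=*)(objectclass=Person)) == Attrs: dn
(/usr/local/lib/rt3/lib/RT/User_Vendor.pm:185)
[Thu May 29 19:37:57 2008] [debug]: LDAP Search ===  Base:
ou=Corporate,dc=example,dc=corp == Filter:
(&(sAMAccountName=ldapsearch)(objectclass=Person)) == Attrs: dn
(/var/rt3/local/lib/RT/User_Vendor.pm:185)
[Thu May 29 19:37:57 2008] [debug]: Attempting to get user info using
this external service:  (/var/rt3/local/lib/RT/User_Vendor.pm:408)
[Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user
ldapsearch (  )
(/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
"""

ENTRY_START = re.compile(r"^\[[^\]]+\] \[\w+\]: ")
FILTER_RE = re.compile(r"== Filter:\s*(\(.*?\))\s*== Attrs:")
ASSERTION_RE = re.compile(r"\(([^()=]+)=([^()]*)\)")
INFO_SVC_RE = re.compile(
    r"Attempting to get user info using this external service:\s*(\S*?)\s*\(/")
AUTOCREATE_RE = re.compile(
    r"Autocreated authenticated user (\S+) \(\s*([^\s)]*)\s*\)")

# Hints paraphrase what the thread suggests; they are not official diagnostics.
HINTS = {
    "FILTER_ATTR_WILDCARD": "attribute name in the auth filter contains '*'",
    "FILTER_LOGIN_NOT_LITERAL": "login value is a wildcard or empty, not a username",
    "INFO_SERVICE_EMPTY": "no info service named; check $ExternalInfoPriority",
    "AUTOCREATE_NO_ID": "user autocreated without an ID",
}


def join_entries(text):
    """Re-join wrapped lines: an entry runs until the next '[time] [level]:' line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def check_entry(entry, login_attr="sAMAccountName"):
    """Return a list of (code, detail) findings for one joined log entry."""
    findings = []
    m = FILTER_RE.search(entry)
    if m:
        for attr, value in ASSERTION_RE.findall(m.group(1)):
            # Only the assertion on the login attribute must be a literal name.
            if attr.strip("*").lower() != login_attr.lower():
                continue
            if "*" in attr:
                findings.append(("FILTER_ATTR_WILDCARD", attr))
            if "*" in value or value == "":
                findings.append(("FILTER_LOGIN_NOT_LITERAL", value))
    m = INFO_SVC_RE.search(entry)
    if m and m.group(1) == "":
        findings.append(("INFO_SERVICE_EMPTY", ""))
    m = AUTOCREATE_RE.search(entry)
    if m and m.group(2) == "":
        findings.append(("AUTOCREATE_NO_ID", m.group(1)))
    return findings


def triage(log_text, login_attr="sAMAccountName"):
    """Run every check over every entry and return the findings in log order."""
    report = []
    for entry in join_entries(log_text):
        report.extend(check_entry(entry, login_attr))
    return report


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_LOG):
        print(f"{code}: {HINTS[code]} [{detail!r}]")
```
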

[rt-users] LDAP Authentication and User Account Creation 3.6.6. and latest ExternalAuth

2008-05-29 Thread Bill Teeple
OK,

I have just finished spelunking about 4 months of back articles/e-mails 
on LDAP Authentication within RT and have run up against some sort of 
error that I might just be misinterpreting.

DEBUG Logging is enabled.

I am using the ExternAuth using LDAP to Windows 2003 SP2 based Active 
Directory controllers.

(also - note - I put rt3 within the /var volume not the /opt volume)

Running on CentOS 5.1 32 bit - fully patched.





Here is a part of my log:



[Thu May 29 19:37:57 2008] [warning]: Transaction->Create couldn't, as 
you didn't specify an object type and id (/var/rt3/lib/RT/Record.pm:1486)
[Thu May 29 19:37:57 2008] [debug]: RT::User::IsExternalPassword Trying 
External authentication (/var/rt3/local/lib/RT/User_Vendor.pm:52)
[Thu May 29 19:37:57 2008] [debug]: Attempting to use external auth 
service: My_LDAP (/var/rt3/local/lib/RT/User_Vendor.pm:63)
[Thu May 29 19:37:57 2008] [debug]: LDAP Search ===  Base: 
ou=Corporate,dc=3leafnetworks,dc=corp == Filter: 
(&(sAMAccountName=ldapsearch)(objectclass=Person)) == Attrs: dn 
(/var/rt3/local/lib/RT/User_Vendor.pm:185)
[Thu May 29 19:37:57 2008] [debug]: Found LDAP DN: CN=LDAP 
Search,OU=Corporate,DC=3leafnetworks,DC=corp 
(/var/rt3/local/lib/RT/User_Vendor.pm:217)
[Thu May 29 19:37:57 2008] [info]: RT::User::IsExternalPassword External 
Auth OK ( My_LDAP ): ldapsearch (/var/rt3/local/lib/RT/User_Vendor.pm:281)
[Thu May 29 19:37:57 2008] [debug]: RT::User::IsPassword External auth 
SUCCEEDED (/var/rt3/local/lib/RT/User_Vendor.pm:360)
[Thu May 29 19:37:57 2008] [debug]: RT::User::CanonicalizeUserInfo 
called by RT::User /var/rt3/lib/RT/User_Overlay.pm 192 with: Disabled: 
0, EmailAddress: , Gecos: ldapsearch, Name: ldapsearch, Privileged: 0 
(/var/rt3/local/lib/RT/User_Vendor.pm:400)
[Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join 
or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22. 
(/var/rt3/local/lib/RT/User_Vendor.pm:408)
[Thu May 29 19:37:57 2008] [debug]: Attempting to get user info using 
this external service:  (/var/rt3/local/lib/RT/User_Vendor.pm:408)
[Thu May 29 19:37:57 2008] [info]: RT::User::CanonicalizeUserInfo 
returning Disabled: 0, EmailAddress: , Gecos: ldapsearch, Name: 
ldapsearch, Privileged: 0 (/var/rt3/local/lib/RT/User_Vendor.pm:444)
[Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join 
or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22. 
(/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
[Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user 
ldapsearch (  ) 
(/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)



Here is my RT_SiteConfig.pm:


# Any configuration directives you include  here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
#   perl -c /path/to/your/etc/RT_SiteConfig.pm

Set( $rtname, '3leafnetworks.com');
Set($SendmailPath , "/usr/sbin/sendmail");
Set($SendmailArguments , "-oi -t");
Set($AuthMethods, ['LDAP','internal']);
Set($LogToFileNamed, "/var/log/rt3/rt.log");
Set($LogToFile, 'debug');

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
#Set($AutoCreateNonExternalUsers,1);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
Set($ExternalAuthPriority,['My_LDAP']);
#
Set($ExternalSettings,  {
   'My_LDAP' =>  {
  'type'  =>  'ldap',
  'auth'  =>  1,
  'info'  =>  1,
  'server' =>  'zeus.3leafnetworks.com',
  'user'  =>  '3LEAF\\ldapsearch',
  'pass'  =>  'ldapsearch',
  'base'  => 'ou=Corporate,dc=3leafnetworks,dc=corp',
  'filter' =>  '(objectclass=Person)',
  'd_filter' => 
'(userAccountControl:1.2.840.113556.1.4.803:=2)',
  'tls' =>  0,
  'net_ldap_args' => [version =>  3   ],
  #'group' =>  'GROUP_NAME',
  #'group_attr' =>  'GROUP_ATTR',


'attr_match_list'   => ['Name',
 'EmailAddress',
 'RealName',
 'WorkPhone',
 'Address2'
 ],
'attr_map'  => 

Re: [rt-users] LDAP authentication fails in RT 3.6.1

2006-11-17 Thread Ian A. Tegebo
On Mon, Nov 13, 2006 at 09:21:38PM -0500, Garret Huntress wrote:
> I've been trying to setup LDAP integration in RT 3.6.1, however I am  
> unable to get authentication to work properly.  
> 
> The first key line in the logs seems to be: [Sat Nov 11 19:34:19  
> 2006] [warning]: Transaction->Create couldn't, as you didn't specify  
> an object type and id (/usr/lib/perl5/vendor_perl/5.8.8/RT/Record.pm: 
> 1466)
I'm also seeing this same problem.  I got a different error message
after noticing that I had put User_Local.pm in the wrong place.  Now I
think my problem is a firewall issue.

--
Ian Tegebo
___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: [EMAIL PROTECTED]


Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
Buy a copy at http://rtbook.bestpractical.com


Re: [rt-users] LDAP Authentication is not working

2006-11-15 Thread Jim Meyer

On 11/6/06, Navin Chandra Singh <[EMAIL PROTECTED]> wrote:




Dear All,



I am using RT 3.2.3 and it is working fine. Now I want users to authenticate
from our existing LDAP server. I tried so many options but still no luck.
Can someone guide me on this?


If you are indeed using RT 3.2.3, the LDAP extension isn't supported
and very likely won't function at all. It was authored for 3.5x and
greater.

--j
--
Jim Meyer, Geek at Large[EMAIL PROTECTED]

[rt-users] LDAP authentication fails in RT 3.6.1

2006-11-13 Thread Garret Huntress
Hello,

I've been trying to setup LDAP integration in RT 3.6.1, however I am unable to get authentication to work properly.  Authentication against the LDAP directory succeeds (the code is able to bind with the supplied credentials), however the $UserObj->Id variable remains undefined, and the rest of the code fails.  I spent the weekend poking around in the code, I've attached some logs below to help explain what I have found.

Note, I've removed some details from the logs for privacy/security:
$MyUID is my ldap UID
$MyDN is my ldap DN
$MyEMAIL is my Email
$MyINFO is all of the LDAP info

The first key line in the logs seems to be:
[Sat Nov 11 19:34:19 2006] [warning]: Transaction->Create couldn't, as you didn't specify an object type and id (/usr/lib/perl5/vendor_perl/5.8.8/RT/Record.pm:1466)

Which occurs at this line of code in the LDAP Auth callback:
my ($val, $msg) = $UserObj->SetName($user);

What this means, I do not know.  I'm not familiar enough with RT's structure to debug that line.

The next key log is:
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::IsPassword auth method IsLDAPPassword SUCCEEDED (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:291)

So the code is able to bind with the credentials I supplied.  Our ldap server logs also indicate successful binding as my user

The next key log:
[Sat Nov 11 19:34:19 2006] [info]: Autocreated authenticated user $MyUID () (/usr/share/rt3/html/Callbacks/LDAP/autohandler/Auth:23)

Which occurs at this line in the LDAP Auth callback:
$RT::Logger->info("Autocreated authenticated user " . $UserObj->Name . " (" . $UserObj->Id . ")\n");

What's interesting about this is that the $UserObj->Id is blank.  This means that no data is loaded into the $session{'CurrentUser'} variable, and remainder of the code fails to execute because it is dependent on $session{'CurrentUser'}->Id to be set

Is this a bug, or is something wrong with my LDAP mapping that cause the $UserObj->Id value to not be set?

Below are the relevant LDAP settings from my RT_SiteConfig.pm (I've left out server settings since I know those are working):

Set($AuthMethods, ['LDAP', 'Internal']);
Set($LdapExternalAuth, 1);
Set($LdapExternalInfo, 1);
Set($LdapAutoCreateNonLdapUsers, 1);
Set($LdapAttrMap, {'Name' => 'uid',
        'EmailAddress' => 'mail',
        'Organization' => 'o',
        'RealName' => 'cn',
        'ExternalContactInfoId' => 'dn',
        'ExternalAuthId' => 'uid',
        'Gecos' => 'uid',
        'WorkPhone' => 'telephoneNumber',
        'Address1' => 'street',
        'City' => 'l',
        'State' => 'st',
        'Zip' => 'postalCode',
        'Country' => 'co'});
Set($LdapRTAttrMatchList, ['ExternalContactInfoId',
        'Name',
        'EmailAddress',
        'RealName']);
Set($LdapEmailAttrMatchList, ['mail']);
Set($LdapEmailAttrMatchPrefix, ['']);

-Garret

P.S. Logs

[Sat Nov 11 19:34:19 2006] [warning]: Transaction->Create couldn't, as you didn't specify an object type and id (/usr/lib/perl5/vendor_perl/5.8.8/RT/Record.pm:1466)
[Sat Nov 11 19:34:19 2006] [debug]: Trying LDAP authentication (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:153)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::IsLDAPPassword Found LDAP DN: $MyDN (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:187)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::IsLDAPPassword AUTH OK: $MyUID ($MyDN) (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:222)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::IsPassword auth method IsLDAPPassword SUCCEEDED (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:291)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::CanonicalizeUserInfo  called by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Overlay.pm 190 with: Disabled: 0, EmailAddress: , Gecos: $MyUID, Name: $MyUID, Privileged: 0 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:378)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "MyDN" and filter "uid=$MyUID" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 393 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:508)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::LookupExternalUserInfo : $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:563)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::CanonicalizeEmailAddress : called with "$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 402 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:326)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "$MyDN" and filter "mail=$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 332 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:508)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::LookupExternalUserInfo : $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:563)
[Sat Nov 11 19:34:19 2006] [debug]: FOUND OK (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:335)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::CanonicalizeEmailAddress $MyEMAIL =>  $MyEMAIL (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm
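
Added example (not part of either post, and not RT code): a small Python triage script for the pattern that both Garret Huntress's logs above and Bill Teeple's ExternalAuth logs show, where the directory bind succeeds but the "Autocreated authenticated user" line carries an empty id. The sample log is constructed, and the finding labels (AUTOCREATE_NO_ID and so on) are this example's own names.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of the excerpts quoted in the two posts,
# hard-wrapped the way the mail client wrapped them. Users are placeholders.
SAMPLE_LOG = """\
[Thu May 29 19:37:57 2008] [warning]: Transaction->Create couldn't, as
you didn't specify an object type and id (/var/rt3/lib/RT/Record.pm:1486)
[Thu May 29 19:37:57 2008] [info]: RT::User::IsExternalPassword External
Auth OK ( My_LDAP ): jdoe (/var/rt3/local/lib/RT/User_Vendor.pm:281)
[Thu May 29 19:37:57 2008] [debug]: Attempting to get user info using
this external service:  (/var/rt3/local/lib/RT/User_Vendor.pm:408)
[Thu May 29 19:37:57 2008] [info]: RT::User::CanonicalizeUserInfo
returning Disabled: 0, EmailAddress: , Gecos: jdoe, Name:
jdoe, Privileged: 0 (/var/rt3/local/lib/RT/User_Vendor.pm:444)
[Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user
jdoe (  )
(/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
[Thu May 29 19:40:02 2008] [info]: Autocreated authenticated user
asmith ( 42 )
(/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
"""

Entry = namedtuple("Entry", "when level message source")
Finding = namedtuple("Finding", "code when detail")

# "[Thu May 29 19:37:57 2008] [debug]: " starts every RT log entry.
HEADER = re.compile(r"\[(\w{3} \w{3} +\d+ [\d:]{8} \d{4})\] \[(\w+)\]:\s+")
# The trailing "(/path/to/File.pm:123)" names the code that logged the entry.
SOURCE = re.compile(r"\s*\((/[^()\s]+):\s*(\d+)\)$")

AUTH_OK = re.compile(r"Auth OK(?: \( \S+ \))?: (\S+)", re.IGNORECASE)
AUTOCREATED = re.compile(r"Autocreated authenticated user (\S+) \(\s*([^\s()]*)\s*\)")
INFO_SERVICE = re.compile(r"get user info using this external service:\s*(\S*)$")
NO_EMAIL = re.compile(r"CanonicalizeUserInfo returning .*EmailAddress: ,")


def parse_rt_log(text):
    """Split raw log text into entries, tolerating wrapped or run-together lines."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = " ".join(text[head.end():end].split())  # undo hard wrapping
        source = None
        m = SOURCE.search(body)
        if m:
            source = f"{m.group(1)}:{m.group(2)}"
            body = body[:m.start()]
        entries.append(Entry(head.group(1), head.group(2), body, source))
    return entries


def triage(entries):
    """Flag logins where the directory bind worked but RT has no usable account."""
    findings = []
    bind_ok = set()  # users whose external password check succeeded
    for e in entries:
        m = AUTH_OK.search(e.message)
        if m:
            bind_ok.add(m.group(1))
        if "Transaction->Create couldn't" in e.message:
            findings.append(Finding("TXN_CREATE_FAILED", e.when, e.source))
        m = INFO_SERVICE.search(e.message)
        if m and not m.group(1):
            findings.append(Finding("INFO_SERVICE_EMPTY", e.when,
                                    "no external service named for the attribute lookup"))
        if NO_EMAIL.search(e.message):
            findings.append(Finding("NO_EMAIL_FROM_DIRECTORY", e.when,
                                    "EmailAddress still empty after canonicalization"))
        m = AUTOCREATED.search(e.message)
        if m and not m.group(2):
            state = "bind ok" if m.group(1) in bind_ok else "bind not seen"
            findings.append(Finding("AUTOCREATE_NO_ID", e.when,
                                    f"{m.group(1)}: {state}, RT user id empty"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_rt_log(SAMPLE_LOG)):
        print(f"{f.when}  {f.code:24} {f.detail}")
```

An AUTOCREATE_NO_ID finding with "bind ok" separates a directory-side failure from an RT-side one: the credentials were accepted, so the place to look is the attribute lookup and user creation, not the bind.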

Re: [rt-users] LDAP Authentication is not working

2006-11-07 Thread Andrej Ricnik-Bay

On 11/8/06, Navin C Singh <[EMAIL PROTECTED]> wrote:


Dear All,

Can anyone find any solution for me ?

Please help

Navin

Good grief, mate, this is an international mailing list, not
your local helpdesk;  take your time, even if it's obviously
important to you.  Two "reminders" within 19 hours is over
the top.

Re: [rt-users] LDAP Authentication is not working

2006-11-07 Thread Navin C Singh

Navin Chandra Singh wrote:

Navin Chandra Singh wrote:

Chaim Rieger wrote:

Navin Chandra Singh wrote:

...


...

did it ever work,

if not, can ldap do anonymous binding ?

No, it never worked. I am installing a new server. Yes, anonymous binding 
works.





Hello All,

Can someone please help me on this

Thanks
Navin



Dear All,

Can anyone find any solution for me ?

Please help

Navin

--
No virus found in this outgoing message.
Checked by ClamAV 0.88/2035/Mon Oct 16 02:12:30 2006
WARNING: Version mismatch. See http://www.clamav.net/faq.html
Tool version: 0.88, Engine version: 0.88.5
Build time: 16 Aug 2006 20-46 +0200
# of signatures: 64138

Re: [rt-users] LDAP Authentication is not working

2006-11-07 Thread Navin Chandra Singh

Navin Chandra Singh wrote:

Chaim Rieger wrote:

Navin Chandra Singh wrote:

...


...

did it ever work,

if not, can ldap do anonymous binding ?

No, it never worked. I am installing a new server. Yes, anonymous binding 
works.





Hello All,

Can someone please help me on this

Thanks
Navin


Re: [rt-users] LDAP Authentication is not working

2006-11-06 Thread Navin Chandra Singh

Chaim Rieger wrote:

Navin Chandra Singh wrote:

...


...

did it ever work,

if not, can ldap do anonymous binding ?

No, it never worked. I am installing a new server. Yes, anonymous binding 
works.




Re: [rt-users] LDAP Authentication is not working

2006-11-06 Thread Chaim Rieger

Navin Chandra Singh wrote:

...


...

did it ever work,

if not, can ldap do anonymous binding ?

--
eats the blues for breakfast,
does unix for rent,
plays harp for food,
will play the flute for kicks
rides for the freedom

www.up-south.com


Re: [rt-users] LDAP Authentication is not working

2006-11-06 Thread Navin Chandra Singh

Chaim Rieger wrote:

Navin Chandra Singh wrote:


Dear All,


I am attaching my RT_SiteConfig.pm for your reference.




can you please post the relevant lines of your SiteConfig,



### LDAP Settings
#
# There are two different branches of this: LdapAuth* and LdapInfo*;
# additionally, most of the old Ldap* variables are honored, too.
#
# This means if you only have one LDAP server/config you can just set
# "LdapServer", "LdapUser", etc. and they will be used for both
# authentication and information

### Enable/Disable LDAP services
Set($LdapExternalAuth, 1);
Set($LdapExternalInfo, 1);

### Common Settings: affecting both auth and info services

# Should we create accounts for users who aren't in LDAP?
Set($LdapAutoCreateNonLdapUsers, 1);

# Map RT attributes to LDAP attributes
#
### THE MAPPING BELOW WILL NOT WORK FOR YOU UNLESS YOU CHANGE
### IT TO MATCH YOUR LDAP SCHEMA! See
### http://wiki.bestpractical.com/?LdapAttrMap
### to learn how to set this variable properly for either LDAP or Windows
### Active Directory.
Set($LdapAttrMap, {'Name' => 'uid',
  'EmailAddress' => 'mail',
  'Address2' => 'physicalDeliveryOfficeName'}
);

# A list of RT attrs which can uniquely identify a user,
# ordered from most to least preferred.
Set($LdapRTAttrMatchList, ['ExternalContactInfoId', 'Name' ]
);# ordered from most to least preferred
Set($LdapEmailAttrMatchList, ['mail', 'mailRoutingAddress']
);

# A list of prefixes to apply to email address matches.
# Windows 2003 AD uses prefixes or smtp: or SMTP:.
# If not required just leave ''
Set($LdapEmailAttrMatchPrefix, ['', 'smtp:', 'SMTP:'] );

# The basics; if set, these override $RT::LdapAuth* and $RT::LdapInfo*
Set($LdapServer, 'mail.bgr.ionidea.com');
Set($LdapBase, 'o=ionidea.com');
Set($LdapFilter, '(objectclass=*)');
#   Windows 2003 Active Directory does not allow anonymous LDAP binding
#   thus you must pass Net::LDAP a username and password that has
#   access to read the directory.
#
#   You may also need to specify the full distinguished name instead of
#   just a username for LdapUser below.
#   e.g. cn=Username,cn=Users,dc=yourdomain,dc=com
#
#Set($LdapUser, '');
#Set($LdapPass, '');

# This filter is used by RT::User::UpdateFromLdap to test whether an
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
Set($LdapDisableFilter, '(employmentStatus=Terminated)');

# If you set these, only members of this group can auth via LDAP
#Set($LdapGroup, 'cn=RT,ou=Group,dc=example,dc=com');
#Set($LdapGroupAttr, 'uniqueMember');

# These turn on SSL for LDAP
#Set($LdapTLS, 0);
#Set($LdapSSLVersion, 3);

### Authentication settings
#
# These are used only if their $RT::Ldap* analogs are not set;
# if you want one of these variables to be honored, you must comment
# out the corresponding $RT::Ldap* variable above

#Set($LdapAuthServer, 'ldap.example.com');
#Set($LdapAuthBase, 'ou=People,dc=example,dc=com');
#Set($LdapAuthFilter, "(objectclass=posixAccount)");
#Set($LdapAuthUser, '');
#Set($LdapAuthPass, '');

# This filter is used by RT::User::UpdateFromLdap to test whether an
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
# Set($LdapAuthDisableFilter, '(employmentStatus=Terminated)');

# If you set these, only members of this group can auth via LDAP
#Set($LdapAuthGroup, 'cn=RT,ou=Group,dc=example,dc=com');
#Set($LdapAuthGroupAttr, 'uniqueMember');

# These turn on SSL for LDAP
#Set($LdapAuthTLS, 0);
#Set($LdapAuthSSLVersion, 3);

### Information settings
#
# These are used only if their $RT::Ldap* analogs are not set;
# if you want one of these variables to be honored, you must comment
# out the corresponding $RT::Ldap* variable above

#Set($LdapInfoServer, 'ldap.example.com');
#Set($LdapInfoBase, 'ou=People,dc=example,dc=com');
#Set($LdapInfoFilter, "(objectclass=posixAccount)");
#Set($LdapInfoUser, '');
#Set($LdapInfoPass, '');
# This filter is used by RT::User::UpdateFromLdap to test whether an
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
# Set($LdapInfoDisableFilter, '(employmentStatus=Terminated)');

# These turn on SSL for LDAP
#Set($LdapInfoTLS, 0);
#Set($LdapInfoSSLVersion, 3);



### IF YOU USE THE SAME LDAP SERVER FOR AUTH AND INFO STOP HERE ###


# A list of LDAP attrs to examine when canonicalizing email addresses,







Re: [rt-users] LDAP Authentication is not working

2006-11-06 Thread Chaim Rieger

Navin Chandra Singh wrote:


Dear All,


I am attaching my RT_SiteConfig.pm for your reference.




can you please post the relevant lines of your SiteConfig,



[rt-users] LDAP Authentication is not working

2006-11-06 Thread Navin Chandra Singh




Dear All,
 
I am using RT 3.2.3 and it is working fine. Now I want users to authenticate
from our existing LDAP server. I tried so many options but still no luck.
Can someone guide me on this?
I am attaching my RT_SiteConfig.pm for your reference.


Thanks
Navin




RT_SiteConfig.pm
Description: Perl program

Re: [rt-users] LDAP authentication question

2006-06-21 Thread Jim Meyer

Hello!

On 6/21/06, Drew Taylor <[EMAIL PROTECTED]> wrote:

I'm working on a fresh 3.6 install and would like to try the LDAP
authentication option. However, our corporate structure requires us to
have 2 distinct Active Directory trees. Is there any way to setup
authentication so it will try multiple servers? From my quick glance at
the code, it seems it is not trivial.


No, there's no support for this in the current overlay. I don't know
that it's horribly difficult to add, though; you'd need to add another
variable for the alternate server, then hack the auth routines to try
primary, then secondary.

Good luck!

--j
--
Jim Meyer, Geek at Large[EMAIL PROTECTED]


We're hiring! Come hack Perl for Best Practical: 
http://bestpractical.com/about/jobs.html


[rt-users] LDAP authentication question

2006-06-21 Thread Drew Taylor
I'm working on a fresh 3.6 install and would like to try the LDAP
authentication option. However, our corporate structure requires us to
have 2 distinct Active Directory trees. Is there any way to setup
authentication so it will try multiple servers? From my quick glance at
the code, it seems it is not trivial.

Thanks,
Drew

Re: #rt was Re: [rt-users] LDAP Authentication

2006-04-14 Thread Rodney Rindels
I'm not seeing that.
Best,
Jesse

been fine for me also, even more stable than most IRC channels...could you have a firewall issue?

--Rod

Re: #rt was Re: [rt-users] LDAP Authentication

2006-04-14 Thread Jesse Vincent
I'm not seeing that.
Best,
Jesse
-- 
This message was sent from my Treo. Please accept my apologies for its brevity 
and for any typos. 

-Original Message-
From: "Covington, Chris" 
I've been trying to join that channel for the last 2 days but it's +k:

*** Connected to port 6667 of server irc.perl.org
*** #rt Cannot join channel (+k) (Bad channel key)

---


#rt was Re: [rt-users] LDAP Authentication

2006-04-14 Thread Covington, Chris
On Thu, Apr 13, 2006 at 03:42:34PM -0700, [EMAIL PROTECTED] wrote:
> For more instant feedback, check out the IRC site at irc.perl.org/#rt. The 
> folks hanging out there are terrific.

I've been trying to join that channel for the last 2 days but it's +k:

*** Connected to port 6667 of server irc.perl.org
*** #rt Cannot join channel (+k) (Bad channel key)

---
Chris Covington
IT
Plus One Health Management
75 Maiden Lane Suite 801
NY, NY 10038
646-312-6269
http://www.plusoneactive.com

Re: [rt-users] LDAP Authentication

2006-04-13 Thread Greg Cornell

Hi Eric,

[EMAIL PROTECTED] wrote:
Have a look at http://wiki.bestpractical.com/index.cgi?LdapSummary.  I 
just recently got my RT authenticating against an Active Directory 
server (Bill-of-Borg's modified LDAP).
Yup.  This is where I've got most of my information from.  Still having 
trouble getting the auto-create stuff working.  I think I have it at 
least trying to look up info from LDAP.


For more instant feedback, check out the IRC site at irc.perl.org/#rt. 
 The folks hanging out there are terrific.

Thanks, I'll give it a try.

Greg

Re: [rt-users] LDAP Authentication

2006-04-13 Thread eric . valor

Greg:

Have a look at http://wiki.bestpractical.com/index.cgi?LdapSummary.
 I just recently got my RT authenticating against an Active Directory
server (Bill-of-Borg's modified LDAP).

I used the Mosemann package with the
RT_SiteConfig.pm settings modified a bit with the settings given in the
Mehl documentation (to account for the different field names between LDAP
and AD).

For more instant feedback, check out
the IRC site at irc.perl.org/#rt.  The folks hanging out there are
terrific.

Good luck and let me know if I can help
further.

--
Eric N. Valor
Sr. Systems Administrator
DaimlerChrysler Research & Technology North America, Inc.
[EMAIL PROTECTED]
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :






Greg Cornell <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
04/13/2006 03:07 PM

To: rt-users@lists.bestpractical.com
cc:
Subject: [rt-users] LDAP Authentication

Hi All,

I guess this message is really for the RT developers.  Will RT ever work 
with LDAP "out of the box"?  Meaning, will it look up user info from 
LDAP and authenticate to LDAP.

After spending a couple of weeks so far unsuccessfully trying to get RT 
to authenticate and create users from LDAP, I've got to think that this 
is something RT should just do.  Cause frankly, this is a whole lot of 
work, and like I mentioned, I haven't been able to get it to work (yet). 
(Maybe it's just me though.)  It also seems that this would benefit 
quite a lot of RT users.

Anyway, RT is wonderful, just wish it worked with LDAP.

Thank you for your time,
Greg

[rt-users] LDAP Authentication

2006-04-13 Thread Greg Cornell

Hi All,

I guess this message is really for the RT developers.  Will RT ever work 
with LDAP "out of the box"?  Meaning, will it look up user info from 
LDAP and authenticate to LDAP.


After spending a couple of weeks so far unsuccessfully trying to get RT 
to authenticate and create users from LDAP, I've got to think that this 
is something RT should just do.  Cause frankly, this is a whole lot of 
work, and like I mentioned, I haven't been able to get it to work (yet). 
 (Maybe it's just me though.)  It also seems that this would benefit 
quite a lot of RT users.


Anyway, RT is wonderful, just wish it worked with LDAP.

Thank you for your time,
Greg