subject:"\[rt\-users\] Problems with external auth and double prompting for authentication"

Re: [rt-users] Problems with external auth and double prompting for authentication

2016-05-11 Thread Bart Bunting

Jim,

Found it.

There was a random apache process running that was causing the error.
Somehow it must have been started by hand.

Resulted in odd behaviour as sometimes it would work and sometimes not.

Thanks for your help!


Kind regards

Bart

Jim Brandt  writes:

> Browser authentication is typically triggered by an Apache 
> configuration, so if your goal is to have just RT authentication, you 
> might compare your Apache configuration with the example in the docs:
>
> https://docs.bestpractical.com/rt/4.4.0/web_deployment.html
>
> On 5/11/16 3:50 AM, Bart Bunting wrote:
>>
>>
>> Hi everyone,
>>
>> I have been trying to get external authentication with ldapauth and
>> ldapimport working on a brand new rt 4.4 from the latest pull of
>> 4.4-trunk.
>>
>> I have the ldap authentication and rt-ldapimport working correctly
>> against our ldap server.
>>
>> The one issue I can not appear to resolve is that I am prompted first
>> by the browsers authentication prompt and then by the RT login screen.
>> So you need to enter your authentication credentials twice.
>>
>> I am hoping to just have the RT login screen, no browser authentication
>> prompt.
>>
>> I'm sure it's something simple but I'm pulling my hair out :).
>>
>> If someone could take a look at my config and tell me where the error is
>> I'd be eternally grateful:
>>
>> Here is the section of my rt config.
>>
>> The first few options are commented out as they are part of previous
>> attempts to make it work as expected.
>>
>> #* Authentication
>> # configure external authentication
>>
>> #Set($WebRemoteUserAuth, 1);
>> # check authentication on each request rather than just once
>> #Set($WebRemoteUserContinuous, 1);
>>
>> # fall back to rt login if external auth fails.
>> #Set($WebFallbackToRTLogin, 1);
>>
>> Set ($ExternalAuth, 1);
>> Set( $ExternalAuthPriority, ['URSYS_LDAP'] );
>> Set( $ExternalInfoPriority, ['URSYS_LDAP'] );
>>
>> # Make users created from LDAP Privileged
>> Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
>>
>> # Users should still be autocreated by RT as internal users if they
>> # fail to exist in an external service; this is so requestors (who
>> # are not in LDAP) can still be created when they email in.
>> Set($AutoCreateNonExternalUsers, 1);
>>
>> # LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
>> # further details and examples
>> Set($ExternalSettings, {
>> 'URSYS_LDAP'   =>  {
>>  'type' =>  'ldap',
>>  'server'   =>  'ldap.x,
>>  'base' =>  'cn=users,cn=accounts,dc=xx',
>>  'user' => 'uid=system,cn=sysaccounts,x',
>>  'pass' => 'xx',
>>  'filter' => '(&(memberOf=cn=helpdesk-*))',
>>  'attr_match_list'  => [
>>  'Name',
>>  ],
>>  'attr_map' => {
>>  'Name' => 'uid',
>>  'EmailAddress' => 'mail',
>>  },
>>  },
>> } );
>>
>> # * rt-ldapimport configuration
>> # enable plugin
>> Plugin( qw(RT::LDAPImport));
>>
>> Set($LDAPBase,'cn=users,cn=accounts,x');
>> Set($LDAPHost,'ldap.x');
>> Set($LDAPUser,'uid=system,cn=sysaccounts,xx');
>> Set($LDAPPassword,'');
>> Set($LDAPFilter, '(&(memberOf=cn=helpdesk-*))');
>> Set($LDAPMapping, {Name => 'uid', # required
>> EmailAddress => 'mail',
>> RealName => 'cn',
>> WorkPhone=> 'telephoneNumber',
>> Organization => 'departmentName'});
>> # create users as privileged
>>   Set($LDAPCreatePrivileged, 1);
>>
>> # sync Groups from LDAP into RT
>> Set($LDAPGroupBase, 'cn=accounts,x');
>> Set($LDAPGroupFilter, '(&(objectClass=groupofnames)(cn=helpdesk-*))');
>> Set($LDAPGroupMapping, {Name   => 'cn',
>>  Description   => 'description',
>>  Member_Attr=> 'member',
>>  Member_Attr_Value  => 'dn',
>> });
>>
>> As above all the ldap stuff appears to work apart from the double
>> request for authentication.
>>
>>
>>
>> Kind regards
>> Bart
>>
> -
> RT 4.4 and RTIR Training Sessions https://bestpractical.com/training
> * Washington DC - May 23 & 24, 2016
Bart
-- 

Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005
-
RT 4.4 and RTIR Training Sessions https://bestpractical.com/training
* Washington DC - May 23 & 24, 2016

Re: [rt-users] Problems with external auth and double prompting for authentication

2016-05-11 Thread Bart Bunting

Hi Jim,

Thanks for the quick reply.

I should have included my apache virtualhost config:

Here it is for reference.  I did have ldap auth working at one point but
it is totally commented out in the  config.

Apache is apache2  2.4.18-2ubuntu3
amd64 debian Xenial LTS

# 
# Vhost template in module puppetlabs-apache
# Managed by Puppet
# 


  ServerName helpdesk.in.urnet.com.au

  ## Vhost docroot
  DocumentRoot "/opt/rt4/share/html"
  ## Alias declarations for resources outside the DocumentRoot
  AliasMatch /NoAuth/images/ "/opt/rt4/share/html/NoAuth/images/"

  ## Directories, there should at least be a declaration for /opt/rt4/share/html
  
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Require all granted
  

  ## Logging
  ErrorLog "/var/log/apache2/helpdesk.in.urnet.com.au_error.log"
  ServerSignature Off
  CustomLog "/var/log/apache2/helpdesk.in.urnet.com.au_access.log" combined 

  ## Custom fragment
  
AddDefaultCharset UTF-8
ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/

DocumentRoot "/opt/rt4/share/html"

# bart: disabled for now until we move towards SSO
#   AuthType Basic
#   AuthName "Ursys LDAP"
#   AuthBasicProvider ldap
#   AuthLDAPURL ldap://ldap.:389/cn=accounts,?uid?sub
#   AuthLDAPBindDN uid=system,cn=sysaccounts,xxx
#   AuthLDAPBindPassword x
#   Require ldap-group cn=noc,cn=groups,xx

Require all granted

Options +ExecCGI
AddHandler fcgid-script fcgi






Is there anything wrong with that, it pritty much mirrors the config
described in the documentation.

If there is a better way of doing things other than mod_fastcgi I'm open to 
trying that.


Kind regards

Bart






Jim Brandt  writes:

> Browser authentication is typically triggered by an Apache 
> configuration, so if your goal is to have just RT authentication, you 
> might compare your Apache configuration with the example in the docs:
>
> https://docs.bestpractical.com/rt/4.4.0/web_deployment.html
>
> On 5/11/16 3:50 AM, Bart Bunting wrote:
>>
>>
>> Hi everyone,
>>
>> I have been trying to get external authentication with ldapauth and
>> ldapimport working on a brand new rt 4.4 from the latest pull of
>> 4.4-trunk.
>>
>> I have the ldap authentication and rt-ldapimport working correctly
>> against our ldap server.
>>
>> The one issue I can not appear to resolve is that I am prompted first
>> by the browsers authentication prompt and then by the RT login screen.
>> So you need to enter your authentication credentials twice.
>>
>> I am hoping to just have the RT login screen, no browser authentication
>> prompt.
>>
>> I'm sure it's something simple but I'm pulling my hair out :).
>>
>> If someone could take a look at my config and tell me where the error is
>> I'd be eternally grateful:
>>
>> Here is the section of my rt config.
>>
>> The first few options are commented out as they are part of previous
>> attempts to make it work as expected.
>>
>> #* Authentication
>> # configure external authentication
>>
>> #Set($WebRemoteUserAuth, 1);
>> # check authentication on each request rather than just once
>> #Set($WebRemoteUserContinuous, 1);
>>
>> # fall back to rt login if external auth fails.
>> #Set($WebFallbackToRTLogin, 1);
>>
>> Set ($ExternalAuth, 1);
>> Set( $ExternalAuthPriority, ['URSYS_LDAP'] );
>> Set( $ExternalInfoPriority, ['URSYS_LDAP'] );
>>
>> # Make users created from LDAP Privileged
>> Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
>>
>> # Users should still be autocreated by RT as internal users if they
>> # fail to exist in an external service; this is so requestors (who
>> # are not in LDAP) can still be created when they email in.
>> Set($AutoCreateNonExternalUsers, 1);
>>
>> # LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
>> # further details and examples
>> Set($ExternalSettings, {
>> 'URSYS_LDAP'   =>  {
>>  'type' =>  'ldap',
>>  'server'   =>  'ldap.x,
>>  'base' =>  'cn=users,cn=accounts,dc=xx',
>>  'user' => 'uid=system,cn=sysaccounts,x',
>>  'pass' => 'xx',
>>  'filter' => '(&(memberOf=cn=helpdesk-*))',
>>  'attr_match_list'  => [
>>  'Name',
>>  ],
>>  'attr_map' => {
>>  'Name' => 'uid',
>>  'EmailAddress' => 'mail',
>>  },
>>  },
>> } );
>>
>> # * rt-ldapimport configuration
>> # enable plugin
>> Plugin( qw(RT::LDAPImport));
>>
>> Set($LDAPBase,'cn=users,cn=accounts,x');
>> Set($LDAPHost,'ldap.x');
>> Set($LDAPUser,'uid=system,cn=sysaccounts,xx');
>> Set($LDAPPassword,'');
>> Set($LDAPFilter, '(&(memberOf=cn=helpdesk-*))');
>> Set($LDAPMapping,

Re: [rt-users] Problems with external auth and double prompting for authentication

2016-05-11 Thread Jim Brandt

Browser authentication is typically triggered by an Apache 
configuration, so if your goal is to have just RT authentication, you 
might compare your Apache configuration with the example in the docs:


https://docs.bestpractical.com/rt/4.4.0/web_deployment.html

On 5/11/16 3:50 AM, Bart Bunting wrote:



Hi everyone,

I have been trying to get external authentication with ldapauth and
ldapimport working on a brand new rt 4.4 from the latest pull of
4.4-trunk.

I have the ldap authentication and rt-ldapimport working correctly
against our ldap server.

The one issue I can not appear to resolve is that I am prompted first
by the browsers authentication prompt and then by the RT login screen.
So you need to enter your authentication credentials twice.

I am hoping to just have the RT login screen, no browser authentication
prompt.

I'm sure it's something simple but I'm pulling my hair out :).

If someone could take a look at my config and tell me where the error is
I'd be eternally grateful:

Here is the section of my rt config.

The first few options are commented out as they are part of previous
attempts to make it work as expected.

#* Authentication
# configure external authentication

#Set($WebRemoteUserAuth, 1);
# check authentication on each request rather than just once
#Set($WebRemoteUserContinuous, 1);

# fall back to rt login if external auth fails.
#Set($WebFallbackToRTLogin, 1);

Set ($ExternalAuth, 1);
Set( $ExternalAuthPriority, ['URSYS_LDAP'] );
Set( $ExternalInfoPriority, ['URSYS_LDAP'] );

# Make users created from LDAP Privileged
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );

# Users should still be autocreated by RT as internal users if they
# fail to exist in an external service; this is so requestors (who
# are not in LDAP) can still be created when they email in.
Set($AutoCreateNonExternalUsers, 1);

# LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
# further details and examples
Set($ExternalSettings, {
'URSYS_LDAP'   =>  {
'type' =>  'ldap',
'server'   =>  'ldap.x,
'base' =>  'cn=users,cn=accounts,dc=xx',
'user' => 'uid=system,cn=sysaccounts,x',
'pass' => 'xx',
'filter' => '(&(memberOf=cn=helpdesk-*))',
'attr_match_list'  => [
'Name',
],
'attr_map' => {
'Name' => 'uid',
'EmailAddress' => 'mail',
},
},
} );

# * rt-ldapimport configuration
# enable plugin
Plugin( qw(RT::LDAPImport));

Set($LDAPBase,'cn=users,cn=accounts,x');
Set($LDAPHost,'ldap.x');
Set($LDAPUser,'uid=system,cn=sysaccounts,xx');
Set($LDAPPassword,'');
Set($LDAPFilter, '(&(memberOf=cn=helpdesk-*))');
Set($LDAPMapping, {Name => 'uid', # required
   EmailAddress => 'mail',
   RealName => 'cn',
   WorkPhone=> 'telephoneNumber',
   Organization => 'departmentName'});
# create users as privileged
  Set($LDAPCreatePrivileged, 1);

# sync Groups from LDAP into RT
Set($LDAPGroupBase, 'cn=accounts,x');
Set($LDAPGroupFilter, '(&(objectClass=groupofnames)(cn=helpdesk-*))');
Set($LDAPGroupMapping, {Name   => 'cn',
Description   => 'description',
Member_Attr=> 'member',
Member_Attr_Value  => 'dn',
});

As above all the ldap stuff appears to work apart from the double
request for authentication.



Kind regards
Bart


-
RT 4.4 and RTIR Training Sessions https://bestpractical.com/training
* Washington DC - May 23 & 24, 2016

[rt-users] Problems with external auth and double prompting for authentication

2016-05-11 Thread Bart Bunting



Hi everyone,

I have been trying to get external authentication with ldapauth and
ldapimport working on a brand new rt 4.4 from the latest pull of
4.4-trunk.

I have the ldap authentication and rt-ldapimport working correctly
against our ldap server.

The one issue I can not appear to resolve is that I am prompted first
by the browsers authentication prompt and then by the RT login screen.
So you need to enter your authentication credentials twice.

I am hoping to just have the RT login screen, no browser authentication
prompt.

I'm sure it's something simple but I'm pulling my hair out :).

If someone could take a look at my config and tell me where the error is
I'd be eternally grateful:

Here is the section of my rt config.

The first few options are commented out as they are part of previous
attempts to make it work as expected.

#* Authentication
# configure external authentication

#Set($WebRemoteUserAuth, 1);
# check authentication on each request rather than just once
#Set($WebRemoteUserContinuous, 1);

# fall back to rt login if external auth fails.
#Set($WebFallbackToRTLogin, 1);

Set ($ExternalAuth, 1);
Set( $ExternalAuthPriority, ['URSYS_LDAP'] );
Set( $ExternalInfoPriority, ['URSYS_LDAP'] );

# Make users created from LDAP Privileged
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );

# Users should still be autocreated by RT as internal users if they
# fail to exist in an external service; this is so requestors (who
# are not in LDAP) can still be created when they email in.
Set($AutoCreateNonExternalUsers, 1);

# LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
# further details and examples
Set($ExternalSettings, {
'URSYS_LDAP'   =>  {
'type' =>  'ldap',
'server'   =>  'ldap.x,
'base' =>  'cn=users,cn=accounts,dc=xx',
'user' => 'uid=system,cn=sysaccounts,x',
'pass' => 'xx',
'filter' => '(&(memberOf=cn=helpdesk-*))',
'attr_match_list'  => [
'Name',
],
'attr_map' => {
'Name' => 'uid',
'EmailAddress' => 'mail',
},
},
} );

# * rt-ldapimport configuration
# enable plugin
Plugin( qw(RT::LDAPImport));

Set($LDAPBase,'cn=users,cn=accounts,x');
Set($LDAPHost,'ldap.x');
Set($LDAPUser,'uid=system,cn=sysaccounts,xx');
Set($LDAPPassword,'');
Set($LDAPFilter, '(&(memberOf=cn=helpdesk-*))');
Set($LDAPMapping, {Name => 'uid', # required
   EmailAddress => 'mail',
   RealName => 'cn',
   WorkPhone=> 'telephoneNumber',
   Organization => 'departmentName'});
# create users as privileged
  Set($LDAPCreatePrivileged, 1);

# sync Groups from LDAP into RT
Set($LDAPGroupBase, 'cn=accounts,x');
Set($LDAPGroupFilter, '(&(objectClass=groupofnames)(cn=helpdesk-*))');
Set($LDAPGroupMapping, {Name   => 'cn',
Description   => 'description',
Member_Attr=> 'member',
Member_Attr_Value  => 'dn',
});

As above all the ldap stuff appears to work apart from the double
request for authentication.



Kind regards
Bart
-- 

Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005
-
RT 4.4 and RTIR Training Sessions https://bestpractical.com/training
* Washington DC - May 23 & 24, 2016

Re: [rt-users] Problems with external auth and double prompting for authentication

Re: [rt-users] Problems with external auth and double prompting for authentication

Re: [rt-users] Problems with external auth and double prompting for authentication

[rt-users] Problems with external auth and double prompting for authentication

4 matches

Site Navigation

Mail list logo

Footer information