Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

2011-08-30 Thread Brian Murphy
I have been trying to do a little debugging.

I am using RT version 4.0.0 and it appears the ExternalAuth I am using is 
version 0.08, is that versioning a match?  

Secondly, I went to ExternalAuth.pm and added a debug statement and it appears 
as though I am not getting any value passed for $given_user or $given_pass to 
my external authentication explaining why it appears that I am not even calling 
my actual ldap active directory and attempting external auth, I continue to 
receive:

 Attempting to use external auth service: EIUAD 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:66)
[Tue Aug 30 14:08:37 2011] [debug]: SSO Failed and no user to test with. 
Nexting 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:94)
[Tue Aug 30 14:08:37 2011] [debug]: Autohandler called ExternalAuth. Response: 
(0, No User) 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

as my only debug messages out of external authentication, it appears to not be 
getting any given_user to work with.

Thanks 

Brian 
- Original Message -
From: Brian Murphy blmur...@eiu.edu
To: rt-users@lists.bestpractical.com
Sent: Monday, August 29, 2011 11:32:47 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

Still struggling with trying to get RT externally authenticating with my 2008 
Active Directory.

I have been able to accomplish an ldapsearch with the following options 
successfully:

ldapsearch -x -b dc=eiuad,dc=eiu,dc=edu -D "CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu" -h eiuad.eiu.edu -p 389 -W sAMAccountName=blmurphy

I would like to use the blmurphy as my RT account name.  When I execute the 
above ldapsearch and input the prompted for password I get back my account 
information from the Active Directory. I have the following set in my 
RT_SiteConfig.pm but continue to get the externalauth nouser response.

Brian 

Set($ExternalSettings,  {
    # EIUAD Active Directory
    'EIUAD'   =>  {   ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'      =>  'ldap',
        # The server hosting the service
        'server'    =>  'eiuad.eiu.edu',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user'      =>  'CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
        # The password RT should use to connect to the LDAP server
        'pass'      =>  'x',
        #
        # The LDAP search base
        'base'      =>  'dc=eiuad,dc=eiu,dc=edu',
        #
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        #
        # The filter to use to match RT-Users
        'filter'    =>  '(sAMAccountName=*)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter'  =>  '(objectclass=Foo)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        'tls'       =>  0,
        # SSL Version to provide

Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

2011-08-30 Thread Brian Murphy
I am making progress in that I am at least now getting some indication that the 
code is trying to authenticate my user in my active directory.

I now receive the following after I upgraded my RT::Auth::External to 0.09.

[debug]: Attempting to use external auth service: EIUAD 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 14:32:12 2011] [debug]: Calling UserExists with $username 
(blmurphy) and $service (EIUAD) 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Tue Aug 30 14:32:12 2011] [debug]: UserExists params:
username: blmurphy , service: EIUAD 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Tue Aug 30 14:32:12 2011] [debug]: LDAP Search ===  Base: ou=its 
employees,ou=employee accounts,ou=eiu users,dc=eiuad,dc=eiu.dc=edu == Filter: 
((objectClass=person)(sAMAccountName=blmurphy)) == Attrs: sAMAccountName 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Tue Aug 30 14:32:12 2011] [debug]: User Check Failed :: ( EIUAD ) blmurphy 
User not found 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:318)

Anyone have any other pointers for trying to debug this thing?

Thanks.

Brian 
- Original Message -
From: Brian Murphy blmur...@eiu.edu
To: rt-users@lists.bestpractical.com
Sent: Tuesday, August 30, 2011 9:13:51 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I have been trying to do a little debugging.

I am using RT version 4.0.0 and it appears the ExternalAuth I am using is 
version 0.08, is that versioning a match?  

Secondly, I went to ExternalAuth.pm and added a debug statement and it appears 
as though I am not getting any value passed for $given_user or $given_pass to 
my external authentication explaining why it appears that I am not even calling 
my actual ldap active directory and attempting external auth, I continue to 
receive:

 Attempting to use external auth service: EIUAD 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:66)
[Tue Aug 30 14:08:37 2011] [debug]: SSO Failed and no user to test with. 
Nexting 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:94)
[Tue Aug 30 14:08:37 2011] [debug]: Autohandler called ExternalAuth. Response: 
(0, No User) 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

as my only debug messages out of external authentication, it appears to not be 
getting any given_user to work with.

Thanks 

Brian 
- Original Message -
From: Brian Murphy blmur...@eiu.edu
To: rt-users@lists.bestpractical.com
Sent: Monday, August 29, 2011 11:32:47 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

Still struggling with trying to get RT externally authenticating with my 2008 
Active Directory.

I have been able to accomplish an ldapsearch with the following options 
successfully:

ldapsearch -x -b dc=eiuad,dc=eiu,dc=edu -D "CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu" -h eiuad.eiu.edu -p 389 -W sAMAccountName=blmurphy

I would like to use the blmurphy as my RT account name.  When I execute the 
above ldapsearch and input the prompted for password I get back my account 
information from the Active Directory. I have the following set in my 
RT_SiteConfig.pm but continue to get the externalauth nouser response.

Brian 

Set($ExternalSettings,  {
    # EIUAD Active Directory
    'EIUAD'   =>  {   ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'      =>  'ldap',
        # The server hosting the service
        'server'    =>  'eiuad.eiu.edu',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user'      =>  'CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
        # The password RT should use to connect to the LDAP server
        'pass'      =>  'x',
        #
        # The LDAP

Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

2011-08-30 Thread Brian Murphy
A bit confused about that whole filter thing.

If I specify objectClass=person and the sAMAccountName on the same filter it 
does not work with ldapsearch.  If I use either one by itself, I get back my 
user record from AD.

Brian 
- Original Message -
From: Kevin Falcone falc...@bestpractical.com
To: rt-users@lists.bestpractical.com
Sent: Tuesday, August 30, 2011 9:41:57 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

On Tue, Aug 30, 2011 at 09:35:39AM -0500, Brian Murphy wrote:
 I am making progress in that I am at least now getting some indication that 
 the code is trying to authenticate my user in my active directory.
 I now receive the following after I upgraded my RT::Auth::External to 0.09.

Yes, you must use the newest version (0.09) for it to work with RT4

 [Tue Aug 30 14:32:12 2011] [debug]: LDAP Search ===  Base: ou=its 
 employees,ou=employee accounts,ou=eiu users,dc=eiuad,dc=eiu.dc=edu == Filter: 
 ((objectClass=person)(sAMAccountName=blmurphy)) == Attrs: sAMAccountName 
 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)

Is that the right OU and Filter?  Does that OU and Filter work from
ldapsearch?

-kevin


RT Training Sessions (http://bestpractical.com/services/training.html)
*  Chicago, IL, USA - September 26 & 27, 2011
*  San Francisco, CA, USA - October 18 & 19, 2011
*  Washington DC, USA - October 31 & November 1, 2011
*  Melbourne VIC, Australia - November 28 & 29, 2011
*  Barcelona, Spain - November 28 & 29, 2011


Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

2011-08-30 Thread Brian Murphy
I can do the following with ldapsearch notice the filter:

Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base dc=eiuad,dc=eiu,dc=edu with scope subtree
# filter: ((sAMAccountName=blmurphy))
# requesting: ALL
#

# Murphy\2C Brian, ITS Employees, Employee Accounts, EIU USERS, eiuad.eiu.edu
dn: CN=Murphy\, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=ei
 uad,DC=eiu,DC=edu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Murphy, Brian
sn: Murphy
title: Associate Director
description: Information Technology Services
physicalDeliveryOfficeName: Technical Support  Operations
telephoneNumber: 581-7618
givenName: Brian
distinguishedName: CN=Murphy\, Brian,OU=ITS Employees,OU=Employee Accounts,OU=
 EIU USERS,DC=eiuad,DC=eiu,DC=edu
instanceType: 4
whenCreated: 20011219230613.0Z
whenChanged: 20110829133938.0Z
displayName: Murphy, Brian
uSNCreated: 43124
info: Associate Director - higher limits allowed
memberOf: CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=Outlook SSL Change,OU=GPO Scripting Groups,OU=Groups,DC=eiuad,DC=
 eiu,DC=edu
memberOf: CN=Hyperic Administrators,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=Global Psynch Helpdesk Staff,OU=ITS Groups,OU=Business Affairs Re
 source Sharing Groups,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=Xythos Users,OU=Groups,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=ITS group for Xythos sharing,OU=ITS Groups,OU=Business Affairs Re
 source Sharing Groups,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=BannerINBJavaUpdater,OU=Groups,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=ITS PLs Prgmrs,OU=ITS Groups,OU=Business Affairs Resource Sharing
  Groups,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=ITSDEPT,OU=ITS Groups,OU=Business Affairs Resource Sharing Groups
 ,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=Tech Support,OU=ITS Groups,OU=Business Affairs Resource Sharing G
 roups,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=Systems  Tech Supt,OU=ITS Groups,OU=Business Affairs Resource Sh
 aring Groups,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=Server Ops,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=ONORDER,OU=ITS Groups,OU=Business Affairs Resource Sharing Groups
 ,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=ILOM Admins,OU=Infrastructure Management,OU=Groups,DC=eiuad,DC=ei
 u,DC=edu
memberOf: CN=Brian Murphys Group,OU=ITS Groups,OU=Business Affairs Resource Sh
 aring Groups,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=Others,OU=EISE Project,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC
 =eiu,DC=edu
memberOf: CN=Degree Audit Process Team,OU=EISE Project,OU=EIU RESOURCE SHARING
  GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=EIU Faculty and Staff for Citrix Access,OU=Citrix,DC=eiuad,DC=eiu
 ,DC=edu
memberOf: CN=DISASTER,OU=ITS Groups,OU=Business Affairs Resource Sharing Group
 s,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=SECURITY,OU=Lumpkin Hall Computer Labs,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=Backup Operators,CN=Builtin,DC=eiuad,DC=eiu,DC=edu
uSNChanged: 12145001
department: Information Technology Services
company: Eastern Illinois University
streetAddress:: U3R1ZGVudCBTZXJ2aWNlcyBCdWlsZGluZw0KQjk=
directReports: CN=Bensley\, Brett,OU=ITS Employees,OU=Employee Accounts,OU=EIU
  USERS,DC=eiuad,DC=eiu,DC=edu
directReports: CN=Clayton\, Allen,OU=ITS Employees,OU=Employee Accounts,OU=EIU
  USERS,DC=eiuad,DC=eiu,DC=edu
directReports: CN=Wilson\, Julie,OU=Net Admin OU,OU=Sensitive,DC=eiuad,DC=eiu,
 DC=edu
name: Murphy, Brian
objectGUID:: RlmmJv+FGEWZvik8YlZYmw==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129495066522016517
lastLogoff: 0
lastLogon: 129591191145074682
logonHours:: 
pwdLastSet: 129470205541973909
primaryGroupID: 513
objectSid:: AQUAAAUVkDCgJUtYtjLperlb6gMAAA==
adminCount: 1
accountExpires: 0
logonCount: 122
sAMAccountName: blmurphy
sAMAccountType: 805306368
userPrincipalName: blmur...@eiuad.eiu.edu
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=eiuad,DC=eiu,DC=edu
dSCorePropagationData: 20110809183717.0Z
dSCorePropagationData: 20110803191151.0Z
dSCorePropagationData: 20110628195950.0Z
dSCorePropagationData: 20110525205317.0Z
dSCorePropagationData: 16010714223651.0Z
lastLogonTimestamp: 129590987787492303
mail: blmur...@eiu.edu

# search reference
ref: ldap://DomainDnsZones.eiuad.eiu.edu/DC=DomainDnsZones,DC=eiuad,DC=eiu,DC=
 edu

# search reference
ref: ldap://ForestDnsZones.eiuad.eiu.edu/DC=ForestDnsZones,DC=eiuad,DC=eiu,DC=
 edu

# search reference
ref: ldap://eiuad.eiu.edu/CN=Configuration,DC=eiuad,DC=eiu,DC=edu

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

- Original Message -
From: Brian Murphy blmur...@eiu.edu
To: rt-users@lists.bestpractical.com

[rt-users] Fwd: rt4 and External Auth to AD 2008 non-ssl

2011-08-30 Thread Brian Murphy

Well, sh**!  Sometimes the simplest are the most difficult.  I was way too 
close to the forest to see the trees on that one.  Having a . instead of the , 
in my base string was causing me to not be able to find the entry.  I have my 
filter set to () and am using the sAMAccountName and finding the user account, 
but now it refuses my password.  Here is what I get in the log.  Any ideas?  I 
know my password and am using it for other accounts.

[Tue Aug 30 15:48:14 2011] [debug]: Attempting to use external auth service: 
EIUAD 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 15:48:14 2011] [debug]: Calling UserExists with $username 
(blmurphy) and $service (EIUAD) 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Tue Aug 30 15:48:14 2011] [debug]: UserExists params:
username: blmurphy , service: EIUAD 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search ===  Base: 
dc=eiuad,dc=eiu,dc=edu == Filter: ((sAMAccountName=blmurphy)) == Attrs: 
sAMAccountName 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Tue Aug 30 15:48:14 2011] [debug]: Password validation required for service - 
Executing... 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Tue Aug 30 15:48:14 2011] [debug]: Trying external auth service: EIUAD 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search ===  Base: 
dc=eiuad,dc=eiu,dc=edu == Filter: ((sAMAccountName=blmurphy)) == Attrs: dn 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Tue Aug 30 15:48:14 2011] [debug]: Found LDAP DN: CN=Murphy\, Brian,OU=ITS 
Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search ===  Base: 
dc=eiuad,dc=eiu,dc=edu == Filter: (member=CN=Murphy, Brian,OU=ITS 
Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu) == Attrs: 
dn 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Tue Aug 30 15:48:14 2011] [info]: EIUAD AUTH FAILED: blmurphy 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP password validation result: 0 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Tue Aug 30 15:48:14 2011] [debug]: Password Validation Check Result:  0 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Tue Aug 30 15:48:14 2011] [debug]: Autohandler called ExternalAuth. Response: 
(0, Password Invalid) 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Tue Aug 30 15:48:14 2011] [error]: FAILED LOGIN for blmurphy from 139.67.17.30 
(/opt/rt4/sbin/../lib/RT/Interface/Web.pm:639)
[Tue Aug 30 15:48:17 2011] [debug]: Attempting to use external auth service: 
EIUAD 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 15:48:17 2011] [debug]: SSO Failed and no user to test with. 
Nexting 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Tue Aug 30 15:48:17 2011] [debug]: Autohandler called ExternalAuth. Response: 
(0, No User) 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)

- Original Message -
From: David Chandek-Stark david.chandek.st...@duke.edu
To: Brian Murphy blmur...@eiu.edu, rt-users@lists.bestpractical.com
Sent: Tuesday, August 30, 2011 10:41:54 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I'm guessing your base should have a comma b/w eiu and dc -- I.e.,
dc=eiuad,dc=eiu,dc=edu.

--D

On 8/30/11 11:34 AM, Brian Murphy blmur...@eiu.edu wrote:
[Tue Aug 30 15:29:48 2011] [debug]: LDAP Search ===  Base:
dc=eiuad,dc=eiu.dc=edu == Filter: ((sAMAccountName=blmurphy)) == Attrs:
sAMAccountName 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/
LDAP.pm:304)
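
The two things this thread turned on, a `.` typed for a `,` in the search base and the filters RT actually logged, can be checked mechanically from the debug output. The following is an added example in Python, not part of any message in the thread and not RT or RT-Authen-ExternalAuth code; the function names, the sample entry (`jdoe`, `CN=Doe\, Jane`) and the shortened file paths are constructed for illustration, and only the log line layout and the `dc=eiuad,dc=eiu,dc=edu` base come from the thread.

```python
import re

# Constructed sample: RT debug lines in the layout quoted in this thread,
# re-joined onto single lines, with a made-up user and shortened paths.
SAMPLE_LOG = r"""
[Tue Aug 30 15:29:48 2011] [debug]: LDAP Search ===  Base: dc=eiuad,dc=eiu.dc=edu == Filter: (sAMAccountName=jdoe) == Attrs: sAMAccountName (LDAP.pm:304)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search ===  Base: dc=eiuad,dc=eiu,dc=edu == Filter: (sAMAccountName=jdoe) == Attrs: dn (LDAP.pm:43)
[Tue Aug 30 15:48:14 2011] [debug]: Found LDAP DN: CN=Doe\, Jane,OU=Staff,DC=eiuad,DC=eiu,DC=edu (LDAP.pm:75)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search ===  Base: dc=eiuad,dc=eiu,dc=edu == Filter: (member=CN=Doe, Jane,OU=Staff,DC=eiuad,DC=eiu,DC=edu) == Attrs: dn (LDAP.pm:100)
"""
# DN of an entry known to exist, e.g. copied from a working ldapsearch (constructed).
KNOWN_DN = r"CN=Doe\, Jane,OU=Staff,DC=eiuad,DC=eiu,DC=edu"

SEARCH_RE = re.compile(
    r"LDAP Search ===\s*Base: (?P<base>.+?) == Filter: (?P<filter>.+?) == Attrs: (?P<attrs>\S+)")
FOUND_RE = re.compile(r"Found LDAP DN: (?P<dn>.+) \([^()]*\)\s*$")
SIMPLE_RE = re.compile(r"^\((?P<attr>[\w-]+)=(?P<value>.*)\)$")


def split_dn(dn):
    """Split a DN into RDN strings on commas that are not backslash-escaped."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur.strip())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur.strip())
    return parts


def lint_base(dn):
    """Flag RDNs that parse but look like typos, such as 'dc=eiu.dc=edu'.
    A multi-valued RDN ('cn=a+sn=b') is also flagged; that is rare in a base."""
    problems = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not (sep and attr and value):
            problems.append(f"malformed RDN {rdn!r}")
        elif "=" in value:
            problems.append(f"RDN {rdn!r} has '=' inside its value; missing comma?")
    return problems


def is_under(dn, base):
    """True if dn lies at or below base (case-insensitive RDN suffix match)."""
    d = [r.lower() for r in split_dn(dn)]
    b = [r.lower() for r in split_dn(base)]
    return len(b) <= len(d) and d[len(d) - len(b):] == b


def escape_filter_value(value):
    """Escape a string for use as an RFC 4515 filter assertion value."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value):
    """Decode RFC 4515 \\XX hex escapes."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m[1], 16)), value)


def audit(log_text, known_dn=None):
    """Return (line_no, field, message) findings for each logged LDAP search."""
    findings, found_dn = [], None
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        m = FOUND_RE.search(line)
        if m:
            found_dn = m["dn"]
            continue
        m = SEARCH_RE.search(line)
        if not m:
            continue
        for problem in lint_base(m["base"]):
            findings.append((n, "base", problem))
        if known_dn and not is_under(known_dn, m["base"]):
            findings.append((n, "base", "known entry is outside this search base"))
        f = SIMPLE_RE.match(m["filter"])
        if f and found_dn:
            decoded = unescape_filter_value(f["value"])
            same_modulo_escapes = decoded.replace("\\", "") == found_dn.replace("\\", "")
            if decoded != found_dn and same_modulo_escapes:
                findings.append((n, "filter",
                                 "logged DN differs from the found DN in escaping; RFC 4515 "
                                 f"form is {escape_filter_value(found_dn)!r}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, KNOWN_DN):
        print(finding)
```

A `filter` finding only says the logged string is not the escaped form of the DN found one step earlier; whether the request on the wire carried the same value has to be confirmed separately.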




Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

2011-08-30 Thread Brian Murphy
!!
        #
        # The filter to use to match RT-Users
        'filter'            =>  '(objectClass=*)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter'          =>  '(objectclass=Foo)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        'tls'               =>  0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version'       =>  3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args'     => [    version =>  3   ],
        # Does authentication depend on group membership? What group name?
        'group'             =>  'CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
        # What is the attribute for the group object that determines membership?
        'group_attr'        =>  'member',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list'   => [    'Name'
                               ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map'          =>  {   'Name' => 'sAMAccountName'
                                }
    }
}
);

- Original Message -
From: Brian Murphy blmur...@eiu.edu
To: rt-users@lists.bestpractical.com
Sent: Tuesday, August 30, 2011 10:59:08 AM
Subject: Fwd: [rt-users] rt4 and External Auth to AD 2008 non-ssl


Well, sh**!  Sometimes the simplest are the most difficult.  I was way too 
close to the forest to see the trees on that one.  Having a . instead of the , 
in my base string was causing me to not be able to find the entry.  I have my 
filter set to () and am using the sAMAccountName and finding the user account, 
but now it refuses my password.  Here is what I get in the log.  Any ideas?  I 
know my password and am using it for other accounts.

[Tue Aug 30 15:48:14 2011] [debug]: Attempting to use external auth service: 
EIUAD 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 15:48:14 2011] [debug]: Calling UserExists with $username 
(blmurphy) and $service (EIUAD) 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Tue Aug 30 15:48:14 2011] [debug]: UserExists params:
username: blmurphy , service: EIUAD 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search ===  Base: 
dc=eiuad,dc=eiu,dc=edu == Filter: ((sAMAccountName=blmurphy)) == Attrs: 
sAMAccountName 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Tue Aug 30 15:48:14 2011] [debug]: Password validation required for service - 
Executing... 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Tue Aug 30 15:48:14 2011] [debug]: Trying external auth service: EIUAD 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search ===  Base: 
dc=eiuad,dc=eiu,dc=edu == Filter: ((sAMAccountName=blmurphy)) == Attrs: dn 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Tue Aug 30 15:48:14 2011] [debug]: Found LDAP DN: CN=Murphy\, Brian,OU

Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

2011-08-29 Thread Brian Murphy
.
        'attr_match_list'   => [    'Name'
                               ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map'          =>  {   'Name' => 'sAMAccountName'
                                }
    }

- Original Message -
From: Brian Murphy blmur...@eiu.edu
To: rt-users@lists.bestpractical.com
Sent: Thursday, August 25, 2011 11:59:50 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I only get the login failed message back from web.pm.

The account I am using is already in RT and being used so is this a problem?  I 
was assuming the id would exist and just the auth would be done externally.

Brian 
- Original Message -
From: Kevin Falcone falc...@bestpractical.com
To: rt-users@lists.bestpractical.com
Sent: Thursday, August 25, 2011 9:46:01 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

On Wed, Aug 24, 2011 at 04:42:04PM -0500, Brian Murphy wrote:
 Thanks for the tip on the logging kevin.
 
 Seeing the following, don't know exactly what to make of it.
 
 [Wed Aug 24 21:38:37 2011] [debug]: Attempting to use external auth service: 
 EIUAD 
 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
 [Wed Aug 24 21:38:37 2011] [debug]: SSO Failed and no user to test with. 
 Nexting 
 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
 [Wed Aug 24 21:38:37 2011] [debug]: Autohandler called ExternalAuth. 
 Response: (0, No User) 
 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

Those are the messages you get when the login page pops up.
What do you get after typing your username and password in?

-kevin


 - Original Message -
 From: Kevin Falcone falc...@bestpractical.com
 To: rt-users@lists.bestpractical.com
 Sent: Wednesday, August 24, 2011 4:18:08 PM
 Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
 
 On Wed, Aug 24, 2011 at 01:09:15PM -0500, Brian Murphy wrote:
  I am trying desperately to get this going and am not seeing that my
  externalauth is even being called. I am attaching my RT_SiteConfig.pm
  for review. I am a newbie and don't know much about anything RT as
  yet. I see very little in my /var/log/messages other than LOGIN failed
  for x from web.pm, so I don't really think my externalauth is
  really in play as of yet. Any assistance in getting this going would
  be greatly appreciated.
 
 You don't appear to have turned your logging level up, most useful
 logs are at the debug level.  LogToScreen is probably the easiest,
 because they'll end up in your apache error log.
 
 -kevin
  
  # Any configuration directives you include  here will override 
  # RT's default configuration file, RT_Config.pm
  #
  # To include a directive here, just copy the equivalent statement
  # from RT_Config.pm and change the value. We've included a single
  # sample value below.
  #
  # This file is actually a perl module, so you can include valid
  # perl code, as well.
  #
  # The converse is also true, if this file isn't valid perl, you're
  # going to run into trouble. To check your SiteConfig file, use
  # this command:
  #
  #   perl -c /path/to/your/etc/RT_SiteConfig.pm
  #
  # You must restart your webserver after making changes to this file.
  
  
  # You must install Plugins on your own, this is only an example
  # of the correct syntax to use when activating them.
  # There should only be one @Plugins declaration in your config file.
  #Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail RT::Extension::ActivityReports)));
  #Set(@Plugins,(qw(RT::Extension::ActivityReports)));
  Set(@Plugins,(qw(RT::Extension::ActivityReports RT::Authen::ExternalAuth)));
  
  Set( $CorrespondAddress, '' );
  Set( $rtname, 'EIU ITS Campus Technology' );
  Set( $DatabaseRequireSSL, '' );
  Set( $WebPort, '8080' );
  
  Set( $DatabaseType, 'mysql' );
  
  Set( $SendmailPath, '/usr/sbin/sendmail' );
  Set( $WebDomain, 'localhost' );
  
  Set( $CommentAddress, '' );
  Set($Timezone, 'US/Central');
  Set($UnsafeEmailCommands, 1);
  Set($ParseNewMessageForTicketCcs, 1);
  Set($NotifyActor, 1);
  
  Set( $OwnerEmail, '' );
  Set( $DatabaseUser, 'rt_user' );
  Set( $DatabasePort, '' );
  Set( $DatabasePassword, 'RT_pass1-' );
  Set( $DatabaseAdmin, 'root' );
  Set( $DatabaseAdminPassword, 'Mtfbwu+1' );
  Set( $DatabaseHost, 'localhost' );
  Set( $DatabaseName, 'rt4' );
  Set( $Organization, 'ITS' );
  1;
  # The order in which the services defined in ExternalSettings
  # should be used to authenticate users. User is authenticated
  # if successfully confirmed by any service - no more

Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

2011-08-25 Thread Brian Murphy
I only get the login failed message back from web.pm.

The account I am using is already in RT and being used so is this a problem?  I 
was assuming the id would exist and just the auth would be done externally.

Brian 
- Original Message -
From: Kevin Falcone falc...@bestpractical.com
To: rt-users@lists.bestpractical.com
Sent: Thursday, August 25, 2011 9:46:01 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

On Wed, Aug 24, 2011 at 04:42:04PM -0500, Brian Murphy wrote:
 Thanks for the tip on the logging kevin.
 
 Seeing the following, don't know exactly what to make of it.
 
 [Wed Aug 24 21:38:37 2011] [debug]: Attempting to use external auth service: 
 EIUAD 
 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
 [Wed Aug 24 21:38:37 2011] [debug]: SSO Failed and no user to test with. 
 Nexting 
 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
 [Wed Aug 24 21:38:37 2011] [debug]: Autohandler called ExternalAuth. 
 Response: (0, No User) 
 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

Those are the messages you get when the login page pops up.
What do you get after typing your username and password in?

-kevin


 - Original Message -
 From: Kevin Falcone falc...@bestpractical.com
 To: rt-users@lists.bestpractical.com
 Sent: Wednesday, August 24, 2011 4:18:08 PM
 Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
 
 On Wed, Aug 24, 2011 at 01:09:15PM -0500, Brian Murphy wrote:
  I am trying desperately to get this going and am not seeing that my
  externalauth is even being called. I am attaching my RT_SiteConfig.pm
  for review. I am a newbie and don't know much about anything RT as
  yet. I see very little in my /var/log/messages other than LOGIN failed
  for x from web.pm, so I don't really think my externalauth is
  really in play as of yet. Any assistance in getting this going would
  be greatly appreciated.
 
 You don't appear to have turned your logging level up, most useful
 logs are at the debug level.  LogToScreen is probably the easiest,
 because they'll end up in your apache error log.
 
 -kevin
  
  # Any configuration directives you include  here will override 
  # RT's default configuration file, RT_Config.pm
  #
  # To include a directive here, just copy the equivalent statement
  # from RT_Config.pm and change the value. We've included a single
  # sample value below.
  #
  # This file is actually a perl module, so you can include valid
  # perl code, as well.
  #
  # The converse is also true, if this file isn't valid perl, you're
  # going to run into trouble. To check your SiteConfig file, use
  # this command:
  #
  #   perl -c /path/to/your/etc/RT_SiteConfig.pm
  #
  # You must restart your webserver after making changes to this file.
  
  
  # You must install Plugins on your own, this is only an example
  # of the correct syntax to use when activating them.
  # There should only be one @Plugins declaration in your config file.
  #Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail RT::Extension::ActivityReports)));
  #Set(@Plugins,(qw(RT::Extension::ActivityReports)));
  Set(@Plugins,(qw(RT::Extension::ActivityReports RT::Authen::ExternalAuth)));
  
  Set( $CorrespondAddress, '' );
  Set( $rtname, 'EIU ITS Campus Technology' );
  Set( $DatabaseRequireSSL, '' );
  Set( $WebPort, '8080' );
  
  Set( $DatabaseType, 'mysql' );
  
  Set( $SendmailPath, '/usr/sbin/sendmail' );
  Set( $WebDomain, 'localhost' );
  
  Set( $CommentAddress, '' );
  Set($Timezone, 'US/Central');
  Set($UnsafeEmailCommands, 1);
  Set($ParseNewMessageForTicketCcs, 1);
  Set($NotifyActor, 1);
  
  Set( $OwnerEmail, '' );
  Set( $DatabaseUser, 'rt_user' );
  Set( $DatabasePort, '' );
  Set( $DatabasePassword, 'RT_pass1-' );
  Set( $DatabaseAdmin, 'root' );
  Set( $DatabaseAdminPassword, 'Mtfbwu+1' );
  Set( $DatabaseHost, 'localhost' );
  Set( $DatabaseName, 'rt4' );
  Set( $Organization, 'ITS' );
  1;
  # The order in which the services defined in ExternalSettings
  # should be used to authenticate users. User is authenticated
  # if successfully confirmed by any service - no more services
  # are checked.
  Set($ExternalAuthPriority,  [   'EIUAD'
  ]
  );
  
  # The order in which the services defined in ExternalSettings
  # should be used to get information about users. This includes
  # RealName, Tel numbers etc, but also whether or not the user
  # should be considered disabled. 
  #
  # Once user info is found, no more services are checked.
  #
  # You CANNOT use a SSO cookie for authentication.
  Set($ExternalInfoPriority,  [   'EIUAD'
  ]
  );
  
  # If this is set to true, then the relevant packages will
  # be loaded to use SSL/TLS connections. At the moment,
  # this just means use Net::SSLeay;
  Set($ExternalServiceUsesSSLorTLS,0);
  
  # If this is set to 1

[rt-users] rt4 and External Auth to AD 2008 non-ssl

2011-08-24 Thread Brian Murphy
I am trying desperately to get this going and am not seeing that my externalauth 
is even being called.  I am attaching my RT_SiteConfig.pm for review.  I am a 
newbie and don't know much about anything RT as yet.  I see very little in my 
/var/log/messages other tham LOGIN failed for x from web.pm, so I don't 
really think my externalauth is really in play as of yet.  Any assistance in 
getting this going would be greatly appreciated.

Thanks.

Brian Murphy
Eastern Illinois University

# Any configuration directives you include  here will override 
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
#   perl -c /path/to/your/etc/RT_SiteConfig.pm
#
# You must restart your webserver after making changes to this file.


# You must install Plugins on your own, this is only an example
# of the correct syntax to use when activating them.
# There should only be one @Plugins declaration in your config file.
#Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail RT::Extension::ActivityReports)));
#Set(@Plugins,(qw(RT::Extension::ActivityReports)));
Set(@Plugins,(qw(RT::Extension::ActivityReports RT::Authen::ExternalAuth)));

Set( $CorrespondAddress, '' );
Set( $rtname, 'EIU ITS Campus Technology' );
Set( $DatabaseRequireSSL, '' );
Set( $WebPort, '8080' );

Set( $DatabaseType, 'mysql' );

Set( $SendmailPath, '/usr/sbin/sendmail' );
Set( $WebDomain, 'localhost' );

Set( $CommentAddress, '' );
Set($Timezone, 'US/Central');
Set($UnsafeEmailCommands, 1);
Set($ParseNewMessageForTicketCcs, 1);
Set($NotifyActor, 1);

Set( $OwnerEmail, '' );
Set( $DatabaseUser, 'rt_user' );
Set( $DatabasePort, '' );
Set( $DatabasePassword, 'RT_pass1-' );
Set( $DatabaseAdmin, 'root' );
Set( $DatabaseAdminPassword, 'Mtfbwu+1' );
Set( $DatabaseHost, 'localhost' );
Set( $DatabaseName, 'rt4' );
Set( $Organization, 'ITS' );
1;
# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority,  [   'EIUAD'
]
);

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled. 
#
# Once user info is found, no more services are checked.
#
# You CANNOT use a SSO cookie for authentication.
Set($ExternalInfoPriority,  [   'EIUAD'
]
);

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means use Net::SSLeay;
Set($ExternalServiceUsesSSLorTLS,0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers,0);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g. 
#   Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
#
Set($ExternalSettings,  {
    # EIUAD Active Directory
    'EIUAD'   =>  {   ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'    =>  'ldap',
        # The server hosting the service
        'server'  =>  'x.xxx.edu',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user'    =>  'rtauth',
        # The password RT should use to connect to the LDAP server
        'pass'    =>  'xxx

Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

2011-08-24 Thread Brian Murphy
Thanks for the tip on the logging, Kevin.

Seeing the following, don't know exactly what to make of it.

[Wed Aug 24 21:38:37 2011] [debug]: Attempting to use external auth service: 
EIUAD 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed Aug 24 21:38:37 2011] [debug]: SSO Failed and no user to test with. 
Nexting 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Wed Aug 24 21:38:37 2011] [debug]: Autohandler called ExternalAuth. Response: 
(0, No User) 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)


Brian
- Original Message -
From: Kevin Falcone falc...@bestpractical.com
To: rt-users@lists.bestpractical.com
Sent: Wednesday, August 24, 2011 4:18:08 PM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

On Wed, Aug 24, 2011 at 01:09:15PM -0500, Brian Murphy wrote:
 I am trying desperately to get this going and am not seeing that my
 externalauth is even being called. I am attaching my RT_SiteConfig.pm
 for review. I am a newbie and don't know much about anything RT as
 yet. I see very little in my /var/log/messages other than LOGIN failed
 for x from web.pm, so I don't really think my externalauth is
 really in play as of yet. Any assistance in getting this going would
 be greatly appreciated.

You don't appear to have turned your logging level up, most useful
logs are at the debug level.  LogToScreen is probably the easiest,
because they'll end up in your apache error log.

-kevin
 
 # Any configuration directives you include  here will override 
 # RT's default configuration file, RT_Config.pm
 #
 # To include a directive here, just copy the equivalent statement
 # from RT_Config.pm and change the value. We've included a single
 # sample value below.
 #
 # This file is actually a perl module, so you can include valid
 # perl code, as well.
 #
 # The converse is also true, if this file isn't valid perl, you're
 # going to run into trouble. To check your SiteConfig file, use
 # this command:
 #
 #   perl -c /path/to/your/etc/RT_SiteConfig.pm
 #
 # You must restart your webserver after making changes to this file.
 
 
 # You must install Plugins on your own, this is only an example
 # of the correct syntax to use when activating them.
 # There should only be one @Plugins declaration in your config file.
 #Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail RT::Extension::ActivityReports)));
 #Set(@Plugins,(qw(RT::Extension::ActivityReports)));
 Set(@Plugins,(qw(RT::Extension::ActivityReports RT::Authen::ExternalAuth)));
 
 Set( $CorrespondAddress, '' );
 Set( $rtname, 'EIU ITS Campus Technology' );
 Set( $DatabaseRequireSSL, '' );
 Set( $WebPort, '8080' );
 
 Set( $DatabaseType, 'mysql' );
 
 Set( $SendmailPath, '/usr/sbin/sendmail' );
 Set( $WebDomain, 'localhost' );
 
 Set( $CommentAddress, '' );
 Set($Timezone, 'US/Central');
 Set($UnsafeEmailCommands, 1);
 Set($ParseNewMessageForTicketCcs, 1);
 Set($NotifyActor, 1);
 
 Set( $OwnerEmail, '' );
 Set( $DatabaseUser, 'rt_user' );
 Set( $DatabasePort, '' );
 Set( $DatabasePassword, 'RT_pass1-' );
 Set( $DatabaseAdmin, 'root' );
 Set( $DatabaseAdminPassword, 'Mtfbwu+1' );
 Set( $DatabaseHost, 'localhost' );
 Set( $DatabaseName, 'rt4' );
 Set( $Organization, 'ITS' );
 1;
 # The order in which the services defined in ExternalSettings
 # should be used to authenticate users. User is authenticated
 # if successfully confirmed by any service - no more services
 # are checked.
 Set($ExternalAuthPriority,  [   'EIUAD'
 ]
 );
 
 # The order in which the services defined in ExternalSettings
 # should be used to get information about users. This includes
 # RealName, Tel numbers etc, but also whether or not the user
 # should be considered disabled. 
 #
 # Once user info is found, no more services are checked.
 #
 # You CANNOT use a SSO cookie for authentication.
 Set($ExternalInfoPriority,  [   'EIUAD'
 ]
 );
 
 # If this is set to true, then the relevant packages will
 # be loaded to use SSL/TLS connections. At the moment,
 # this just means use Net::SSLeay;
 Set($ExternalServiceUsesSSLorTLS,0);
 
 # If this is set to 1, then users should be autocreated by RT
 # as internal users if they fail to authenticate from an
 # external service.
 Set($AutoCreateNonExternalUsers,0);
 
 # These are the full settings for each external service as a HashOfHashes
 # Note that you may have as many external services as you wish. They will
 # be checked in the order specified in the Priority directives above.
 # e.g. 
 #   Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
 #
 Set($ExternalSettings,  {   
 # EIUAD Active Directory
 'EIUAD'   =>  {   ## GENERIC SECTION
 # The type of service (db
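
Added example, not part of the original thread or of RT: a small Python triage script for the three ExternalAuth debug entries quoted in the reply above. It re-joins entries that e-mail line wrapping split, separates the source file and line number, and reports which service was tried and how the attempt ended. The sample text is constructed from those quoted entries, and the function names are hypothetical.

```python
import re

# Constructed sample: the three debug entries quoted in the thread, wrapped
# across lines the way e-mail clients wrap long lines.
SAMPLE_LOG = """\
[Wed Aug 24 21:38:37 2011] [debug]: Attempting to use external auth service:
EIUAD
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed Aug 24 21:38:37 2011] [debug]: SSO Failed and no user to test with.
Nexting
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Wed Aug 24 21:38:37 2011] [debug]: Autohandler called ExternalAuth. Response:
(0, No User)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
"""

START = re.compile(r"^\[\w{3} \w{3} +\d+ [\d:]+ \d{4}\] \[\w+\]: ")
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]: "
                   r"(?P<msg>.*?)\s*\((?P<src>/[^()\s]+):(?P<line>\d+)\)$")

def parse_entries(text):
    """Re-join wrapped lines, then split each entry into its fields."""
    joined = []
    for raw in text.splitlines():
        piece = raw.strip()
        if not piece:
            continue
        if START.match(piece) or not joined:
            joined.append(piece)
        else:
            joined[-1] += " " + piece      # continuation of the previous entry
    return [m.groupdict() for m in map(ENTRY.match, joined) if m]

def diagnose(entries):
    """Report, per attempt, the service tried and how the plugin answered."""
    findings, service = [], None
    for e in entries:
        tried = re.search(r"external auth service: (\S+)", e["msg"])
        reply = re.search(r"Response: \((\d+), ([^)]*)\)", e["msg"])
        if tried:
            service = tried.group(1)
        elif "no user to test with" in e["msg"]:
            # Reading of the message text: the plugin had no username to check.
            findings.append((service, "no username reached the plugin", int(e["line"])))
        elif reply:
            findings.append((service, f"result {reply.group(1)}: {reply.group(2)}", int(e["line"])))
    return findings

if __name__ == "__main__":
    for finding in diagnose(parse_entries(SAMPLE_LOG)):
        print(finding)
```
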