Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
I have been trying to do a little debugging. I am using RT version 4.0.0 and it appears the ExternalAuth I am using is version 0.08, is that versioning a match?

Secondly, I went to ExternalAuth.pm and added a debug statement and it appears as though I am not getting any value passed for $given_user or $given_pass to my external authentication explaining why it appears that I am not even calling my actual ldap active directory and attempting external auth, I continue to receive:

Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:66)
[Tue Aug 30 14:08:37 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:94)
[Tue Aug 30 14:08:37 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

as my only debug messages out of external authentication, it appears to not be getting any given_user to work with.

Thanks
Brian

- Original Message -
From: Brian Murphy blmur...@eiu.edu
To: rt-users@lists.bestpractical.com
Sent: Monday, August 29, 2011 11:32:47 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

Still struggling with trying to get RT externally authenticating with my 2008 Active Directory. I have been able to accomplish an ldapsearch with the following options successfully:

ldapsearch -x -b "dc=eiuad,dc=eiu,dc=edu" -D "CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu" -h eiuad.eiu.edu -p 389 -W "sAMAccountName=blmurphy"

I would like to use the blmurphy as my RT account name. When I execute the above ldapsearch and input the prompted for password I get back my account information from the Active Directory. I have the following set in my RT_SiteConfig.pm but continue to get the externalauth nouser response.

Brian

Set($ExternalSettings, {
    # EIUAD Active Directory
    'EIUAD' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        # The server hosting the service
        'server' => 'eiuad.eiu.edu',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user' => 'CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
        # The password RT should use to connect to the LDAP server
        'pass' => 'x',
        #
        # The LDAP search base
        'base' => 'dc=eiuad,dc=eiu,dc=edu',
        #
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        #
        # The filter to use to match RT-Users
        'filter' => '(sAMAccountName=*)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter' => '(objectclass=Foo)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide
Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
I am making progress in that I am at least now getting some indication that the code is trying to authenticate my user in my active directory. I now receive the following after I upgraded my RT::Auth::External to 0.09.

[debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 14:32:12 2011] [debug]: Calling UserExists with $username (blmurphy) and $service (EIUAD) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Tue Aug 30 14:32:12 2011] [debug]: UserExists params: username: blmurphy , service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Tue Aug 30 14:32:12 2011] [debug]: LDAP Search === Base: ou=its employees,ou=employee accounts,ou=eiu users,dc=eiuad,dc=eiu.dc=edu == Filter: ((objectClass=person)(sAMAccountName=blmurphy)) == Attrs: sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Tue Aug 30 14:32:12 2011] [debug]: User Check Failed :: ( EIUAD ) blmurphy User not found (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:318)

Anyone have any other pointers for trying to debug this thing?

Thanks.
Brian

- Original Message -
From: Brian Murphy blmur...@eiu.edu
To: rt-users@lists.bestpractical.com
Sent: Tuesday, August 30, 2011 9:13:51 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I have been trying to do a little debugging. I am using RT version 4.0.0 and it appears the ExternalAuth I am using is version 0.08, is that versioning a match?
Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
A bit confused about that whole filter thing. If I specify objectClass=person and the sAMAccountName on the same filter it does not work with ldapsearch. If I use either one by itself, I get back my user record from AD.

Brian

- Original Message -
From: Kevin Falcone falc...@bestpractical.com
To: rt-users@lists.bestpractical.com
Sent: Tuesday, August 30, 2011 9:41:57 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

On Tue, Aug 30, 2011 at 09:35:39AM -0500, Brian Murphy wrote:
> I am making progress in that I am at least now getting some indication that the code is trying to authenticate my user in my active directory. I now receive the following after I upgraded my RT::Auth::External to 0.09.

Yes, you must use the newest version (0.09) for it to work with RT4

> [Tue Aug 30 14:32:12 2011] [debug]: LDAP Search === Base: ou=its employees,ou=employee accounts,ou=eiu users,dc=eiuad,dc=eiu.dc=edu == Filter: ((objectClass=person)(sAMAccountName=blmurphy)) == Attrs: sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)

Is that the right OU and Filter? Does that OU and Filter work from ldapsearch?

-kevin

RT Training Sessions (http://bestpractical.com/services/training.html)
* Chicago, IL, USA - September 26 27, 2011
* San Francisco, CA, USA - October 18 19, 2011
* Washington DC, USA - October 31 November 1, 2011
* Melbourne VIC, Australia - November 28 29, 2011
* Barcelona, Spain - November 28 29, 2011
Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
I can do the following with ldapsearch, notice the filter:

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base dc=eiuad,dc=eiu,dc=edu with scope subtree
# filter: ((sAMAccountName=blmurphy))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

- Original Message -
From: Brian Murphy blmur...@eiu.edu
To: rt-users@lists.bestpractical.com
[rt-users] Fwd: rt4 and External Auth to AD 2008 non-ssl
Well, sh**! Sometimes the simplest are the most difficult. I was way too close to the forest to see the trees on that one. Having a . instead of the , in my base string was causing me to not be able to find the entry. I have my filter set to () and am using the sAMAccountName and finding the user account, but now it refuses my password. Here is what I get in the log. Any ideas? I know my password and am using it for other accounts.

[Tue Aug 30 15:48:14 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 15:48:14 2011] [debug]: Calling UserExists with $username (blmurphy) and $service (EIUAD) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Tue Aug 30 15:48:14 2011] [debug]: UserExists params: username: blmurphy , service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu,dc=edu == Filter: ((sAMAccountName=blmurphy)) == Attrs: sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Tue Aug 30 15:48:14 2011] [debug]: Password validation required for service - Executing... (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Tue Aug 30 15:48:14 2011] [debug]: Trying external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu,dc=edu == Filter: ((sAMAccountName=blmurphy)) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Tue Aug 30 15:48:14 2011] [debug]: Found LDAP DN: CN=Murphy\, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu,dc=edu == Filter: (member=CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Tue Aug 30 15:48:14 2011] [info]: EIUAD AUTH FAILED: blmurphy (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Tue Aug 30 15:48:14 2011] [debug]: Password Validation Check Result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Tue Aug 30 15:48:14 2011] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Tue Aug 30 15:48:14 2011] [error]: FAILED LOGIN for blmurphy from 139.67.17.30 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:639)
[Tue Aug 30 15:48:17 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 15:48:17 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Tue Aug 30 15:48:17 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)

- Original Message -
From: David Chandek-Stark david.chandek.st...@duke.edu
To: Brian Murphy blmur...@eiu.edu, rt-users@lists.bestpractical.com
Sent: Tuesday, August 30, 2011 10:41:54 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I'm guessing your base should have a comma b/w eiu and dc -- I.e., dc=eiuad,dc=eiu,dc=edu.

--D

On 8/30/11 11:34 AM, Brian Murphy blmur...@eiu.edu wrote:
> [Tue Aug 30 15:29:48 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu.dc=edu == Filter: ((sAMAccountName=blmurphy)) == Attrs: sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
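Added example (not part of the thread and not code from RT::Authen::ExternalAuth): an offline Python check of the two settings this thread keeps coming back to, the search base and the filter, run on strings copied from the log lines as they are printed on this page. The function names are this example's own; the parser covers only the and/or/not and simple-item forms of RFC 4515, and `escape_filter_value` shows how a DN containing `\,` is written when it is the value of a `member=` test.

```python
import re

ATTR = r"[A-Za-z][A-Za-z0-9;.-]*"

# Strings copied from the debug log lines quoted in the thread.
BASE_WITH_DOT = ("ou=its employees,ou=employee accounts,ou=eiu users,"
                 "dc=eiuad,dc=eiu.dc=edu")
BASE_FIXED = "dc=eiuad,dc=eiu,dc=edu"
FILTER_AS_PRINTED = "((objectClass=person)(sAMAccountName=blmurphy))"
USER_DN = (r"CN=Murphy\, Brian,OU=ITS Employees,OU=Employee Accounts,"
           "OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu")


def split_rdns(dn):
    """Split a DN on commas, keeping backslash-escaped characters intact."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        step = 2 if dn[i] == "\\" and i + 1 < len(dn) else 1
        if step == 1 and dn[i] == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i:i + step]
        i += step
    return parts + [cur]


def lint_base_dn(dn):
    """Return a list of human-readable problems found in a base DN."""
    problems = []
    for rdn in split_rdns(dn):
        attr, eq, value = rdn.strip().partition("=")
        if not (eq and value and re.fullmatch(ATTR, attr.strip())):
            problems.append("not of the form attr=value: %r" % rdn)
        elif re.search(r"(?<!\\)=", value):
            # A bare '=' in a value is legal, but in a base DN it nearly
            # always means a separator was mistyped (here '.' for ',').
            problems.append("two '=' in one component: %r" % rdn)
    return problems


def _parse(text, pos):
    """Parse one filter starting at text[pos]; return the index just past it."""
    if text[pos:pos + 1] != "(":
        raise ValueError("offset %d: expected '('" % pos)
    pos += 1
    head = text[pos:pos + 1]
    if head in ("&", "|"):
        pos += 1
        if text[pos:pos + 1] != "(":
            raise ValueError("offset %d: '%s' needs at least one filter" % (pos, head))
        while text[pos:pos + 1] == "(":
            pos = _parse(text, pos)
    elif head == "!":
        pos = _parse(text, pos + 1)
    elif head == "(":
        raise ValueError("offset %d: nested '(' with no &, | or ! before it" % pos)
    else:
        end = pos
        while end < len(text) and text[end] not in "()":
            end += 1
        if not re.fullmatch(ATTR + r"(=|~=|>=|<=).*", text[pos:end], re.S):
            raise ValueError("offset %d: expected attr=value" % pos)
        pos = end
    if text[pos:pos + 1] != ")":
        raise ValueError("offset %d: expected ')'" % pos)
    return pos + 1


def lint_filter(text):
    """Return None if `text` is one well-formed filter, else the first error."""
    try:
        end = _parse(text, 0)
    except ValueError as exc:
        return str(exc)
    return None if end == len(text) else "offset %d: text after filter" % end


def escape_filter_value(value):
    """Escape a raw string for use as an RFC 4515 assertion value."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def member_filter(group_attr, user_dn):
    """Build the group-membership test for a user DN."""
    return "(%s=%s)" % (group_attr, escape_filter_value(user_dn))


if __name__ == "__main__":
    for base in (BASE_WITH_DOT, BASE_FIXED):
        print(base, "->", lint_base_dn(base) or "ok")
    for flt in (FILTER_AS_PRINTED,
                "(&(objectClass=person)(sAMAccountName=blmurphy))"):
        print(flt, "->", lint_filter(flt) or "ok")
    print(member_filter("member", USER_DN))
```
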
Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
!!
        #
        # The filter to use to match RT-Users
        'filter' => '(objectClass=*)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter' => '(objectclass=Foo)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
        # What is the attribute for the group object that determines membership?
        'group_attr' => 'member',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name' => 'sAMAccountName' }
    }
} );

- Original Message -
From: Brian Murphy blmur...@eiu.edu
To: rt-users@lists.bestpractical.com
Sent: Tuesday, August 30, 2011 10:59:08 AM
Subject: Fwd: [rt-users] rt4 and External Auth to AD 2008 non-ssl

Well, sh**! Sometimes the simplest are the most difficult. I was way too close to the forest to see the trees on that one. Having a . instead of the , in my base string was causing me to not be able to find the entry. I have my filter set to () and am using the sAMAccountName and finding the user account, but now it refuses my password. Here is what I get in the log. Any ideas? I know my password and am using it for other accounts.
Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
.
        'attr_match_list' => [ 'Name' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name' => 'sAMAccountName' }
    }
}

- Original Message -
From: Brian Murphy blmur...@eiu.edu
To: rt-users@lists.bestpractical.com
Sent: Thursday, August 25, 2011 11:59:50 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I only get the login failed message back from web.pm. The account I am using is already in RT and being used so is this a problem? I was assuming the id would exist and just the auth would be done externally.

Brian

- Original Message -
From: Kevin Falcone falc...@bestpractical.com
To: rt-users@lists.bestpractical.com
Sent: Thursday, August 25, 2011 9:46:01 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

On Wed, Aug 24, 2011 at 04:42:04PM -0500, Brian Murphy wrote:
> Thanks for the tip on the logging kevin. Seeing the following, don't know exactly what to make of it.
>
> [Wed Aug 24 21:38:37 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Wed Aug 24 21:38:37 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
> [Wed Aug 24 21:38:37 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

Those are the messages you get when the login page pops up. What do you get after typing your username and password in?

-kevin

- Original Message -
From: Kevin Falcone falc...@bestpractical.com
To: rt-users@lists.bestpractical.com
Sent: Wednesday, August 24, 2011 4:18:08 PM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

On Wed, Aug 24, 2011 at 01:09:15PM -0500, Brian Murphy wrote:
> I am trying desperately to get this going and am not seeing that my externalauth is even being called. I am attaching my RT_SiteConfig.pm for review.
Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
I only get the login failed message back from web.pm. The account I am using is already in RT and being used so is this a problem? I was assuming the id would exist and just the auth would be done externally.

Brian

- Original Message -
From: Kevin Falcone falc...@bestpractical.com
To: rt-users@lists.bestpractical.com
Sent: Thursday, August 25, 2011 9:46:01 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

On Wed, Aug 24, 2011 at 04:42:04PM -0500, Brian Murphy wrote:
> Thanks for the tip on the logging kevin. Seeing the following, don't know exactly what to make of it.
>
> [Wed Aug 24 21:38:37 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Wed Aug 24 21:38:37 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
> [Wed Aug 24 21:38:37 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

Those are the messages you get when the login page pops up. What do you get after typing your username and password in?

-kevin

- Original Message -
From: Kevin Falcone falc...@bestpractical.com
To: rt-users@lists.bestpractical.com
Sent: Wednesday, August 24, 2011 4:18:08 PM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

On Wed, Aug 24, 2011 at 01:09:15PM -0500, Brian Murphy wrote:
> I am trying desperately to get this going and am not seeing that my externalauth is even being called. I am attaching my RT_SiteConfig.pm for review. I am a newbie and don't know much about anything RT as yet. I see very little in my /var/log/messages other than LOGIN failed for x from web.pm, so I don't really think my externalauth is really in play as of yet. Any assistance in getting this going would be greatly appreciated.
You don't appear to have turned your logging level up, most useful logs are at the debug level. LogToScreen is probably the easiest, because they'll end up in your apache error log.

-kevin
[rt-users] rt4 and External Auth to AD 2008 non-ssl
I am trying desperately to get this going and am not seeing that my externalauth is even being called. I am attaching my RT_SiteConfig.pm for review. I am a newbie and don't know much about anything RT as yet. I see very little in my /var/log/messages other than LOGIN failed for x from web.pm, so I don't really think my externalauth is really in play as of yet. Any assistance in getting this going would be greatly appreciated.

Thanks.

Brian Murphy
Eastern Illinois University

# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
# perl -c /path/to/your/etc/RT_SiteConfig.pm
#
# You must restart your webserver after making changes to this file.

# You must install Plugins on your own, this is only an example
# of the correct syntax to use when activating them.
# There should only be one @Plugins declaration in your config file.
#Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail RT::Extension::ActivityReports)));
#Set(@Plugins,(qw(RT::Extension::ActivityReports)));
Set(@Plugins,(qw(RT::Extension::ActivityReports RT::Authen::ExternalAuth)));

Set( $CorrespondAddress, '' );
Set( $rtname, 'EIU ITS Campus Technology' );
Set( $DatabaseRequireSSL, '' );
Set( $WebPort, '8080' );
Set( $DatabaseType, 'mysql' );
Set( $SendmailPath, '/usr/sbin/sendmail' );
Set( $WebDomain, 'localhost' );
Set( $CommentAddress, '' );
Set($Timezone, 'US/Central');
Set($UnsafeEmailCommands, 1);
Set($ParseNewMessageForTicketCcs, 1);
Set($NotifyActor, 1);
Set( $OwnerEmail, '' );
Set( $DatabaseUser, 'rt_user' );
Set( $DatabasePort, '' );
Set( $DatabasePassword, 'RT_pass1-' );
Set( $DatabaseAdmin, 'root' );
Set( $DatabaseAdminPassword, 'Mtfbwu+1' );
Set( $DatabaseHost, 'localhost' );
Set( $DatabaseName, 'rt4' );
Set( $Organization, 'ITS' );
1;

# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority, [ 'EIUAD' ] );

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
#
# Once user info is found, no more services are checked.
#
# You CANNOT use a SSO cookie for authentication.
Set($ExternalInfoPriority, [ 'EIUAD' ] );

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means use Net::SSLeay;
Set($ExternalServiceUsesSSLorTLS,0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers,0);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
# Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
#
Set($ExternalSettings, {
    # EIUAD Active Directory
    'EIUAD' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        # The server hosting the service
        'server' => 'x.xxx.edu',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user' => 'rtauth',
        # The password RT should use to connect to the LDAP server
        'pass' => 'xxx
Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
Thanks for the tip on the logging kevin. Seeing the following, don't know exactly what to make of it.

[Wed Aug 24 21:38:37 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed Aug 24 21:38:37 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Wed Aug 24 21:38:37 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

Brian

- Original Message -
From: Kevin Falcone falc...@bestpractical.com
To: rt-users@lists.bestpractical.com
Sent: Wednesday, August 24, 2011 4:18:08 PM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

On Wed, Aug 24, 2011 at 01:09:15PM -0500, Brian Murphy wrote:
> I am trying desperately to get this going and am not seeing that my externalauth is even being called. I am attaching my RT_SiteConfig.pm for review. I am a newbie and don't know much about anything RT as yet. I see very little in my /var/log/messages other than LOGIN failed for x from web.pm, so I don't really think my externalauth is really in play as of yet. Any assistance in getting this going would be greatly appreciated.

You don't appear to have turned your logging level up, most useful logs are at the debug level. LogToScreen is probably the easiest, because they'll end up in your apache error log.

-kevin

# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble.
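To tell an RT-side problem from a directory-side one, the bind, search and re-bind sequence that an LDAP login performs can be replayed outside RT. The script below is an added example, not part of any message in this thread and not the plugin's own code; the server, base DN, bind DN and sAMAccountName attribute come from the thread, while the RT_LDAP_* environment variable names and the optional CA file are assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the thread): service bind, user search, user bind.
# Passwords are read from the environment so they stay off the command line.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $server  = 'eiuad.eiu.edu';
my $base    = 'dc=eiuad,dc=eiu,dc=edu';
my $bind_dn = 'CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu';
my $cafile  = $ENV{RT_LDAP_CAFILE};    # assumption: optional CA bundle for StartTLS
my $login   = shift @ARGV or die "usage: $0 <sAMAccountName>\n";
my $bind_pw = $ENV{RT_LDAP_BIND_PW} // die "set RT_LDAP_BIND_PW\n";
my $user_pw = $ENV{RT_LDAP_TEST_PW} // die "set RT_LDAP_TEST_PW\n";
die "empty user password: a simple bind would be unauthenticated\n" unless length $user_pw;

sub connect_ldap {
    my $ldap = Net::LDAP->new($server, port => 389, timeout => 10)
        or die "connect to $server failed: $@\n";
    if ($cafile) {
        my $tls = $ldap->start_tls(verify => 'require', cafile => $cafile);
        die "StartTLS failed: " . $tls->error . "\n" if $tls->code;
    } else {
        warn "no RT_LDAP_CAFILE: bind passwords cross the network in clear text\n";
    }
    return $ldap;
}

# Step 1: bind as the service account RT is configured with.
my $ldap = connect_ldap();
my $mesg = $ldap->bind($bind_dn, password => $bind_pw);
die "service bind failed: " . $mesg->error . "\n" if $mesg->code;

# Step 2: the login name must resolve to exactly one directory entry.
my $filter = '(sAMAccountName=' . escape_filter_value($login) . ')';
$mesg = $ldap->search(base => $base, filter => $filter, attrs => ['sAMAccountName']);
die "search failed: " . $mesg->error . "\n" if $mesg->code;
die "expected 1 entry for $filter, got " . $mesg->count . "\n" unless $mesg->count == 1;
my $user_dn = $mesg->entry(0)->dn;
$ldap->unbind;

# Step 3: bind as the entry that was found, using the user's own password.
my $user_ldap = connect_ldap();
$mesg = $user_ldap->bind($user_dn, password => $user_pw);
print $mesg->code ? "FAIL: " . $mesg->error . "\n" : "OK: $user_dn authenticated\n";
$user_ldap->unbind;
```

If all three steps succeed here while RT still logs "No User", the directory is answering correctly and the fault lies in how the login form values reach the plugin.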