Re: [rt-users] Problems with external auth and double prompting for authentication
Jim,

Found it. There was a random apache process running that was causing
the error. Somehow it must have been started by hand. Resulted in odd
behaviour as sometimes it would work and sometimes not.

Thanks for your help!

Kind regards

Bart

Jim Brandt writes:

> Browser authentication is typically triggered by an Apache
> configuration, so if your goal is to have just RT authentication, you
> might compare your Apache configuration with the example in the docs:
>
> https://docs.bestpractical.com/rt/4.4.0/web_deployment.html

Bart

--
Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005

-
RT 4.4 and RTIR Training Sessions https://bestpractical.com/training
* Washington DC - May 23 & 24, 2016
Re: [rt-users] Problems with external auth and double prompting for authentication
Hi Jim,

Thanks for the quick reply.

I should have included my apache virtualhost config. Here it is for
reference. I did have ldap auth working at one point but it is totally
commented out in the config.

Apache is apache2 2.4.18-2ubuntu3 amd64 debian Xenial LTS

#
# Vhost template in module puppetlabs-apache
# Managed by Puppet
#

ServerName helpdesk.in.urnet.com.au

## Vhost docroot
DocumentRoot "/opt/rt4/share/html"

## Alias declarations for resources outside the DocumentRoot
AliasMatch /NoAuth/images/ "/opt/rt4/share/html/NoAuth/images/"

## Directories, there should at least be a declaration for /opt/rt4/share/html
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Require all granted

## Logging
ErrorLog "/var/log/apache2/helpdesk.in.urnet.com.au_error.log"
ServerSignature Off
CustomLog "/var/log/apache2/helpdesk.in.urnet.com.au_access.log" combined

## Custom fragment
AddDefaultCharset UTF-8
ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/
DocumentRoot "/opt/rt4/share/html"
# bart: disabled for now until we move towards SSO
# AuthType Basic
# AuthName "Ursys LDAP"
# AuthBasicProvider ldap
# AuthLDAPURL ldap://ldap.:389/cn=accounts,?uid?sub
# AuthLDAPBindDN uid=system,cn=sysaccounts,xxx
# AuthLDAPBindPassword x
# Require ldap-group cn=noc,cn=groups,xx
Require all granted
Options +ExecCGI
AddHandler fcgid-script fcgi

Is there anything wrong with that? It pretty much mirrors the config
described in the documentation.

If there is a better way of doing things other than mod_fastcgi I'm open
to trying that.

Kind regards

Bart

Jim Brandt writes:

> Browser authentication is typically triggered by an Apache
> configuration, so if your goal is to have just RT authentication, you
> might compare your Apache configuration with the example in the docs:
>
> https://docs.bestpractical.com/rt/4.4.0/web_deployment.html
Re: [rt-users] Problems with external auth and double prompting for authentication
Browser authentication is typically triggered by an Apache
configuration, so if your goal is to have just RT authentication, you
might compare your Apache configuration with the example in the docs:

https://docs.bestpractical.com/rt/4.4.0/web_deployment.html
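
The comparison Jim suggests can be partly automated. The following Python script is an added example, not code from this thread or from RT: it lists every uncommented directive that makes Apache itself request credentials. The `<Location />` wrapper and the `example.org` names in the sample are assumptions, since the vhost posted in the thread does not show its section tags.

```python
import re

# Directives that make Apache itself ask for credentials (HTTP auth).
AUTH_NAME = re.compile(r"^Auth[A-Za-z]+$", re.IGNORECASE)
USER_REQUIRE = re.compile(r"^(valid-user|user|group|ldap-\S+)$", re.IGNORECASE)


def active_auth_directives(conf_text):
    """Return (line_no, enclosing_section, directive) for each uncommented
    directive that enables web-server authentication."""
    findings, stack = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank or commented out: inactive
        if line.startswith("</"):          # closing tag, e.g. </Location>
            if stack:
                stack.pop()
            continue
        if line.startswith("<"):           # opening tag, e.g. <Location />
            stack.append(line.strip("<>"))
            continue
        words = line.split()
        name, args = words[0], words[1:]
        needs_user = (name.lower() == "require" and bool(args)
                      and USER_REQUIRE.match(args[0]) is not None)
        if AUTH_NAME.match(name) or needs_user:
            findings.append((no, stack[-1] if stack else "(top level)", line))
    return findings


# Constructed sample modelled on the custom fragment posted in the thread.
# The <Location /> wrapper and the example.org DN are assumptions.
DISABLED = """\
<Location />
  # AuthType Basic
  # AuthName "Ursys LDAP"
  # AuthBasicProvider ldap
  # Require ldap-group cn=noc,cn=groups,dc=example,dc=org
  Require all granted
  Options +ExecCGI
  AddHandler fcgid-script fcgi
</Location>
"""
# Same fragment with the block active: Apache prompts before RT is reached.
ENABLED = DISABLED.replace("# Auth", "Auth").replace("# Require", "Require")

if __name__ == "__main__":
    for no, section, directive in active_auth_directives(ENABLED):
        print(f"line {no} in <{section}>: {directive}")
```

A clean result only describes the files on disk; it says nothing about an Apache process started by hand with a different or older configuration, which is what this thread turned out to be.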
[rt-users] Problems with external auth and double prompting for authentication
Hi everyone,

I have been trying to get external authentication with ldapauth and
ldapimport working on a brand new rt 4.4 from the latest pull of
4.4-trunk.

I have the ldap authentication and rt-ldapimport working correctly
against our ldap server.

The one issue I can not appear to resolve is that I am prompted first
by the browser's authentication prompt and then by the RT login screen.
So you need to enter your authentication credentials twice.

I am hoping to just have the RT login screen, no browser authentication
prompt.

I'm sure it's something simple but I'm pulling my hair out :).

If someone could take a look at my config and tell me where the error is
I'd be eternally grateful:

Here is the section of my rt config.

The first few options are commented out as they are part of previous
attempts to make it work as expected.

#* Authentication
# configure external authentication

#Set($WebRemoteUserAuth, 1);
# check authentication on each request rather than just once
#Set($WebRemoteUserContinuous, 1);

# fall back to rt login if external auth fails.
#Set($WebFallbackToRTLogin, 1);

Set ($ExternalAuth, 1);
Set( $ExternalAuthPriority, ['URSYS_LDAP'] );
Set( $ExternalInfoPriority, ['URSYS_LDAP'] );

# Make users created from LDAP Privileged
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );

# Users should still be autocreated by RT as internal users if they
# fail to exist in an external service; this is so requestors (who
# are not in LDAP) can still be created when they email in.
Set($AutoCreateNonExternalUsers, 1);

# LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
# further details and examples
Set($ExternalSettings, {
    'URSYS_LDAP' => {
        'type' => 'ldap',
        'server' => 'ldap.x',
        'base' => 'cn=users,cn=accounts,dc=xx',
        'user' => 'uid=system,cn=sysaccounts,x',
        'pass' => 'xx',
        'filter' => '(&(memberOf=cn=helpdesk-*))',
        'attr_match_list' => [
            'Name',
        ],
        'attr_map' => {
            'Name' => 'uid',
            'EmailAddress' => 'mail',
        },
    },
} );

# * rt-ldapimport configuration
# enable plugin
Plugin( qw(RT::LDAPImport));

Set($LDAPBase,'cn=users,cn=accounts,x');
Set($LDAPHost,'ldap.x');
Set($LDAPUser,'uid=system,cn=sysaccounts,xx');
Set($LDAPPassword,'');
Set($LDAPFilter, '(&(memberOf=cn=helpdesk-*))');
Set($LDAPMapping, {Name => 'uid', # required
                   EmailAddress => 'mail',
                   RealName => 'cn',
                   WorkPhone=> 'telephoneNumber',
                   Organization => 'departmentName'});
# create users as privileged
Set($LDAPCreatePrivileged, 1);

# sync Groups from LDAP into RT
Set($LDAPGroupBase, 'cn=accounts,x');
Set($LDAPGroupFilter, '(&(objectClass=groupofnames)(cn=helpdesk-*))');
Set($LDAPGroupMapping, {Name => 'cn',
                        Description => 'description',
                        Member_Attr=> 'member',
                        Member_Attr_Value => 'dn',
                        });

As above all the ldap stuff appears to work apart from the double
request for authentication.

Kind regards

Bart

--
Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005