Re: [rt-users] RT 4.4.1 on Debian with RT::Authen::ExternalAuth?

2016-10-19 Thread Martin Wheldon

Hi Malcolm,

The output from rt-ldapimport is normal if no changes are required, as
I've just tried it here in my lab and it is working.

Incidentally, LDAPImport doesn't currently support TLS. I've written a patch which
you are welcome to have if you would like it. I'm afraid I haven't submitted it to BP
yet, but intend to when I get some time.

Best Regards

Martin

On 2016-10-19 14:21, Malcolm Galland wrote:

Ah, yes.  It looks like I had commented it out during testing, and
that's what was causing the PeerHost error.  Below is the section of
SiteConfig dedicated to LDAPImport:

Set($LDAPHost, 'ggdc1.domain.int');
Set($LDAPUser, 'LDAP_ACCOUNT');
Set($LDAPPassword, 'LDAP_ACCOUNT_PASS');
Set($LDAPBase, 'dc=domain,dc=int');
Set($LDAPFilter, '(&(cn = users))');
Set($LDAPMapping, {
    Name         => 'uid',    # required
    EmailAddress => 'mail',
    RealName     => 'cn',
    WorkPhone    => 'telephoneNumber',
    Organization => 'departmentName',
});

# If you want to sync Groups from LDAP into RT

Set($LDAPGroupBase, 'dc=domain,dc=int');
Set($LDAPGroupFilter, '(&(cn = Groups))');
Set($LDAPGroupMapping, {
    Name              => 'cn',
    Member_Attr       => 'member',
    Member_Attr_Value => 'dn',
});

Interesting follow up question though, when I run rt-ldapimport I don't
get any errors, but the output doesn't exactly instill a feeling of
success either:

/opt/rt4/sbin/rt-ldapimport --debug
Running test import, no data will be changed
Rerun command with --import to perform the import
Rerun command with --debug for more information
Testing group import
Finished test


On Wed, 2016-10-19 at 14:09 +, Martin Wheldon wrote:

Hi Malcolm,

You are missing the LDAP import configuration, which is separate from
the External auth config.
The following will help:

   https://docs.bestpractical.com/rt/4.4.1/RT/LDAPImport.html

Best Regards

Martin


-
RT 4.4 and RTIR training sessions, and a new workshop day! 
https://bestpractical.com/training
* Boston - October 24-26
* Los Angeles - Q1 2017
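The import config quoted above keys the RT user Name on `uid` while the ExternalAuth config further down keys it on `sAMAccountName`, and the group mapping uses `Member_Attr_Value => 'dn'`. The following is an added example, not RT's LDAPImport code and not code from this thread: it walks constructed directory entries (all of them made up here) through those `$LDAPMapping` and `$LDAPGroupMapping` values so the effect of each key can be seen before running `rt-ldapimport --import`. That an entry with no value for the attribute behind `Name` is skipped, and that DNs are compared case-insensitively, are assumptions of this example.

```python
# Added example, not RT's LDAPImport code.  Simulates what the thread's
# $LDAPMapping / $LDAPGroupMapping values do with directory entries.
# Assumptions: an entry lacking the attribute that feeds Name is skipped
# (RT cannot create a user without a Name), and DNs match case-insensitively.

USER_MAPPING = {
    'Name': 'uid',                # required
    'EmailAddress': 'mail',
    'RealName': 'cn',
    'WorkPhone': 'telephoneNumber',
    'Organization': 'departmentName',
}
GROUP_MAPPING = {'Name': 'cn', 'Member_Attr': 'member', 'Member_Attr_Value': 'dn'}

ALICE_DN = 'CN=Alice Example,OU=Production,DC=domain,DC=int'
BOB_DN = 'CN=Bob Example,OU=Production,DC=domain,DC=int'
SVC_DN = 'CN=Svc Account,OU=Service,DC=domain,DC=int'

# Constructed sample entries (not from the thread).  Bob has a sAMAccountName
# but no uid, which is the attribute the user mapping above keys Name on.
USER_ENTRIES = [
    {'dn': ALICE_DN, 'uid': 'alice', 'sAMAccountName': 'alice',
     'mail': 'alice@domain.int', 'cn': 'Alice Example',
     'telephoneNumber': '100', 'departmentName': 'Ops'},
    {'dn': BOB_DN, 'sAMAccountName': 'bob',
     'mail': 'bob@domain.int', 'cn': 'Bob Example'},
]
GROUP_ENTRIES = [
    {'dn': 'CN=rt-admins,OU=Groups,DC=domain,DC=int', 'cn': 'rt-admins',
     'member': [ALICE_DN, BOB_DN, SVC_DN]},
    {'dn': 'CN=empty,OU=Groups,DC=domain,DC=int', 'cn': 'empty'},
]


def map_users(entries, mapping):
    """Apply $LDAPMapping.  Returns ({lowercased dn: RT user fields}, [skipped dns])."""
    users, skipped = {}, []
    for e in entries:
        fields = {rt: e[attr] for rt, attr in mapping.items() if attr in e}
        if not fields.get('Name'):
            skipped.append(e['dn'])       # nothing to create the RT user from
            continue
        users[e['dn'].lower()] = fields
    return users, skipped


def map_groups(group_entries, mapping, user_entries, users_by_dn):
    """Apply $LDAPGroupMapping.  Each value of Member_Attr is resolved to an
    imported user: with Member_Attr_Value => 'dn' the value is the member's DN;
    any other setting names the user attribute the value must equal.
    Returns ({group Name: [member Names]}, {group Name: [unresolved values]})."""
    how = mapping['Member_Attr_Value']
    if how == 'dn':
        index = users_by_dn
    else:
        index = {e[how].lower(): users_by_dn[e['dn'].lower()]
                 for e in user_entries
                 if how in e and e['dn'].lower() in users_by_dn}
    groups, unresolved = {}, {}
    for g in group_entries:
        name = g[mapping['Name']]
        members, missing = [], []
        for value in g.get(mapping['Member_Attr'], []):
            user = index.get(value.lower())
            (members if user else missing).append(user['Name'] if user else value)
        groups[name] = sorted(members)
        unresolved[name] = missing
    return groups, unresolved


def dry_run(user_entries, user_mapping, group_entries, group_mapping):
    """Report what an import with these mappings would create, without importing."""
    users, skipped = map_users(user_entries, user_mapping)
    groups, unresolved = map_groups(group_entries, group_mapping, user_entries, users)
    return {'users': sorted(u['Name'] for u in users.values()),
            'skipped_users': skipped, 'groups': groups, 'unresolved': unresolved}


if __name__ == '__main__':
    for name, mapping in (('Name => uid', USER_MAPPING),
                          ('Name => sAMAccountName', dict(USER_MAPPING, Name='sAMAccountName'))):
        print(name, dry_run(USER_ENTRIES, mapping, GROUP_ENTRIES, GROUP_MAPPING))
```

Run it and compare the two reports: with `Name => 'uid'` Bob is skipped and therefore also falls out of `rt-admins` as an unresolved DN; keying Name on the attribute the accounts actually carry brings him back in both places. A group member DN that was never imported as a user (the service account here) stays unresolved under either mapping, which is what to look for when the dry run creates fewer memberships than expected.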

Re: [rt-users] RT 4.4.1 on Debian with RT::Authen::ExternalAuth?

2016-10-19 Thread Martin Wheldon

Hi Malcolm,

Are you able to get any results from the LDAP server when you try the same search
using ldapsearch from the command line on the Debian box?

Something like:
  ldapsearch -x -D LDAP_ACCOUNT -W -ZZ -H ldap://ggdc1.domain.int/ \
    -b ou=Production,dc=domain,dc=int "(objectClass=inetOrgPerson)"


I'm guessing your LDAP server is MS AD so you will probably need to configure TLS.

The following items come from my configuration.


Set( $ExternalAuthPriority, ["My_LDAP"] );
Set( $ExternalInfoPriority, ["My_LDAP"] );
Set($ExternalAuth, 1);
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
Set($AutoCreateNonExternalUsers, 1);

# Use TLS
Set($ExternalServiceUsesSSLorTLS, 1);

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ggdc1.domain.int',

        # Configure TLS settings
        'tls' => {
            'verify' => 'require',
            'cafile' => '/etc/ssl/certs/CACert.pem',  # Path to CA file
        },

        'user'   => 'LDAP_ACCOUNT',
        'pass'   => 'LDAP_ACCOUNT_PASS',
        'base'   => 'ou=Production,dc=domain,dc=int',
        'filter' => '(objectClass=inetOrgPerson)',
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
            'WorkPhone'    => 'telephoneNumber',
            'Address1'     => 'streetAddress',
            'City'         => 'l',
            'State'        => 'st',
            'Zip'          => 'postalCode',
            'Country'      => 'co',
        },
    },
} );


Best Regards

Martin

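Two of the configurations in this thread hand RT a filter string: the ExternalAuth `filter` above, which RT combines with the login name on every authentication attempt, and the `$LDAPFilter` / `$LDAPGroupFilter` values in the LDAPImport config further up. The following is an added example, not RT code and not code from anyone in the thread. It builds the per-login search filter the way that combination is assumed to work here (site filter ANDed with an OR over the `attr_match_list` attributes; check RT's own source for the exact shape), escapes the login per RFC 4515 so a crafted name cannot widen the search, and runs a small grammar check that rejects forms such as `(cn = users)`, since RFC 4515 permits no whitespace between the attribute and `=`. The login names are constructed.

```python
import re

# Added example, not RT code.  How RT::Authen::ExternalAuth joins the configured
# 'filter' with the 'attr_match_list' lookups is ASSUMED here to be
# "(&(site filter)(|(attr1=login)(attr2=login)))".

# RFC 4515 grammar fragments.  Attribute descriptions in keystring form only
# (numeric OIDs and ':=' extensible matches are not handled).
_ATTR = re.compile(r'[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*')
_VALUE_EQ = re.compile(r'(?:[^()\\\x00]|\\[0-9a-fA-F]{2})*')      # '=' may carry '*'
_VALUE_OTHER = re.compile(r'(?:[^*()\\\x00]|\\[0-9a-fA-F]{2})*')  # ~=, >=, <= may not


class FilterError(ValueError):
    """Raised when a filter does not follow the RFC 4515 grammar."""


def ldap_escape(value):
    """Escape a value placed inside a filter assertion (RFC 4515 section 3).
    Without this, a login such as '*)(cn=*' rewrites the filter."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)


def auth_filter(site_filter, attr_match_list, attr_map, login):
    """Search filter for one login attempt: the site filter ANDed with an OR
    over every attribute listed in attr_match_list, each compared with the
    escaped login name."""
    clauses = ['(%s=%s)' % (attr_map[field], ldap_escape(login))
               for field in attr_match_list]
    alternatives = clauses[0] if len(clauses) == 1 else '(|%s)' % ''.join(clauses)
    return '(&%s%s)' % (site_filter, alternatives)


def _parse(s, i):
    """Parse one '(...)' filter starting at offset i; return the offset after it."""
    if i >= len(s) or s[i] != '(':
        raise FilterError('expected "(" at offset %d' % i)
    i += 1
    if i < len(s) and s[i] in '&|':            # and / or: one or more sub-filters
        i += 1
        n = 0
        while i < len(s) and s[i] == '(':
            i = _parse(s, i)
            n += 1
        if n == 0:
            raise FilterError('empty and/or at offset %d' % i)
    elif i < len(s) and s[i] == '!':           # not: exactly one sub-filter
        i = _parse(s, i + 1)
    else:                                      # attr op value
        m = _ATTR.match(s, i)
        if not m:
            raise FilterError('bad attribute description at offset %d' % i)
        i = m.end()
        for op in ('~=', '>=', '<=', '='):
            if s.startswith(op, i):
                i += len(op)
                break
        else:
            raise FilterError('expected =, ~=, >= or <= at offset %d' % i)
        i = (_VALUE_EQ if op == '=' else _VALUE_OTHER).match(s, i).end()
    if i >= len(s) or s[i] != ')':
        raise FilterError('expected ")" at offset %d' % i)
    return i + 1


def filter_problem(text):
    """Return None if text is a well-formed RFC 4515 filter, else the error."""
    try:
        end = _parse(text, 0)
    except FilterError as e:
        return str(e)
    if end != len(text):
        return 'trailing data at offset %d' % end
    return None


# Values from the thread's RT_SiteConfig.pm.
SITE_FILTER = '(objectClass=inetOrgPerson)'
ATTR_MATCH_LIST = ['Name', 'EmailAddress']
ATTR_MAP = {'Name': 'sAMAccountName', 'EmailAddress': 'mail'}

if __name__ == '__main__':
    print(auth_filter(SITE_FILTER, ATTR_MATCH_LIST, ATTR_MAP, 'jdoe'))
    print(auth_filter(SITE_FILTER, ATTR_MATCH_LIST, ATTR_MAP, '*)(sAMAccountName=*'))
    for f in (SITE_FILTER, '(&(cn = users))', '(&(cn = Groups))', '(objectClass=group)'):
        print('%-30s %s' % (f, filter_problem(f) or 'ok'))
```

Paste any filter from RT_SiteConfig.pm into `filter_problem` before debugging the directory side; the offset in the error points at the character the grammar stopped on. The escaped login in the second printed filter still has the same number of clauses as a normal login, which is the property that matters: metacharacters in the name become `\2a`, `\28`, `\29` data bytes instead of structure.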

Re: [rt-users] RT 4.4.1 on Debian with RT::Authen::ExternalAuth?

2016-10-19 Thread Martin Wheldon

Hi Malcolm,

You are missing the LDAP import configuration, which is separate from 
the External auth config.

The following will help:

  https://docs.bestpractical.com/rt/4.4.1/RT/LDAPImport.html

Best Regards

Martin


[rt-users] RT 4.4.1 on Debian with RT::Authen::ExternalAuth?

2016-10-19 Thread Malcolm Galland
I've set up RT, and am testing it with rt-server.  Everything seems to
be going smoothly except LDAP with RT::Authen::ExternalAuth.  I read
the docs and have implemented the suggested changes in
/opt/rt4/etc/RT_SiteConfig.pm like so:

Set( $ExternalAuthPriority, ["My_LDAP"] );
Set( $ExternalInfoPriority, ["My_LDAP"] );
Set($ExternalAuth, 1);
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
Set($AutoCreateNonExternalUsers, 1);
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ggdc1.domain.int',
        'user'   => 'LDAP_ACCOUNT',
        'pass'   => 'LDAP_ACCOUNT_PASS',
        'base'   => 'ou=Production,dc=domain,dc=int',
        'filter' => '(objectClass=inetOrgPerson)',
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
            'WorkPhone'    => 'telephoneNumber',
            'Address1'     => 'streetAddress',
            'City'         => 'l',
            'State'        => 'st',
            'Zip'          => 'postalCode',
            'Country'      => 'co',
        },
    },
} );

The issue is when I try to login the users aren't allowed access, and I
get the following error from rt-server:

[error]: FAILED LOGIN for username_redacted from IP_REDACTED
(/opt/rt4/sbin/../lib/RT/Interface/Web.pm:826)

Just for kicks, if I run /opt/rt4/sbin/rt-ldapimport --debug
I get: 
 [critical]: Expected 'PeerHost' at
/usr/local/share/perl/5.20.2/Net/LDAP.pm line 164.
(/opt/rt4/sbin/../lib/RT.pm:390)

Any ideas?  I read every document I could find, but it's hard to know
which non-official ones you can trust since RT has been around so long
and ExternalAuth was just added to the core.  Also, the official docs
are a bit terse.