Active Directory and RT

davidneudorfer · May 24, 2013, 9:33pm

I’m having the hardest time binding RT to Active Directory. We’ve overcome
some initial hurdles but we’re stuck at this last part. I was hoping someone
could help me diagnose this error. The initial user binds fine and my user
is found but then it fails when it tries to authenticate. Thanks for the
help.

[Fri May 24 21:31:20 2013] [debug]: Attempting to use external auth service:
My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:186)
[Fri May 24 21:31:20 2013] [debug]: Calling UserExists with $username
(david.neudorfer) and $service (My_LDAP)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:227)
[Fri May 24 21:31:20 2013] [debug]: UserExists params:
username: david.neudorfer , service: My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)
[Fri May 24 21:31:20 2013] [debug]: LDAP Search === Base:
ou=lb,DC=office,DC=lbox,DC=com == Filter:
(&(objectClass=*)(sAMAccountName=david.neudorfer)) == Attrs:
l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
[Fri May 24 21:31:20 2013] [debug]: Password validation required for service

Executing…
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:277)
[Fri May 24 21:31:20 2013] [debug]: Trying external auth service: My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:153)
[Fri May 24 21:31:20 2013] [debug]: LDAP Search === Base:
ou=lb,DC=office,DC=lbox,DC=com == Filter:
(&(sAMAccountName=david.neudorfer)(objectClass=*)) == Attrs: dn
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:186)
[Fri May 24 21:31:20 2013] [debug]: Found LDAP DN: CN=David
Neudorfer,OU=lb,DC=office,DC=lbox,DC=com
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:220)
[Fri May 24 21:31:20 2013] [debug]: LDAP Search === Base:
ou=lb,DC=office,DC=lbox,DC=com == Scope: base == Filter: (member=CN=David
Neudorfer,OU=lb,DC=office,DC=lbox,DC=com) == Attrs: dn
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:256)
[Fri May 24 21:31:20 2013] [debug]: LDAP group membership check returned 0
results
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:285)
[Fri May 24 21:31:20 2013] [info]: My_LDAP AUTH FAILED: david.neudorfer
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:289)
[Fri May 24 21:31:20 2013] [debug]: LDAP password validation result: 0
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:456)
[Fri May 24 21:31:20 2013] [debug]: Password Validation Check Result: 0
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:281)
[Fri May 24 21:31:20 2013] [debug]: Autohandler called ExternalAuth.
Response: (0, Password Invalid)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:16)
[Fri May 24 21:31:20 2013] [error]: FAILED LOGIN for david.neudorfer from
10.0.4.59 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:753)

View this message in context: http://requesttracker.8502.n7.nabble.com/Active-Directory-and-RT-tp54021.html

Glenn_E_Sieb · May 24, 2013, 9:38pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1On 5/24/13 5:33 PM, davidneudorfer wrote:

I’m having the hardest time binding RT to Active Directory. We’ve
overcome some initial hurdles but we’re stuck at this last part. I
was hoping someone could help me diagnose this error. The initial
user binds fine and my user is found but then it fails when it
tries to authenticate. Thanks for the help.

Can we see the relevant portion of RT_SiteConfig.pm?

Best,

–Glenn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlGf3b0ACgkQf5MxTDXTimE6RgCfdEeya5ivPtorM3d8Jjx6OOQU
eKMAnA9vRq5fFoKaPXAKmtdemQFVpySR
=89fj
-----END PGP SIGNATURE-----

davidneudorfer · May 24, 2013, 9:40pm

Here it is. Thanks Glenn.

Set($ExternalSettings, {
‘My_LDAP’ => {
‘type’ => ‘ldap’,
‘server’ => ‘ad.office.lbox.com’,
‘user’ =>
‘cn=thisisauser,cn=Users,DC=office,DC=lbox,DC=com’,
‘pass’ => ‘redacted’,
‘base’ => ‘DC=office,DC=lbox,DC=com’,
‘filter’ => ‘(objectClass=*)’,
‘d_filter’ => ‘(objectClass=FooBar)’,
‘group’ =>
‘ou=Lunchbox,DC=office,DC=lbox,DC=com’,
‘group_attr’ => ‘member’,
‘tls’ => 0,
‘ssl_version’ => 3,
‘net_ldap_args’ => [ port => 389, version => 3,
debug => 0 ],
‘attr_match_list’ => [
‘Name’,
‘EmailAddress’,
‘RealName’,
],
‘attr_map’ => {
‘Name’ => ‘sAMAccountName’,
‘EmailAddress’ => ‘mail’,
‘Organization’ => ‘physicalDeliveryOfficeName’,
‘RealName’ => ‘cn’,
‘ExternalAuthId’ => ‘sAMAccountName’,
‘Gecos’ => ‘sAMAccountName’,
‘WorkPhone’ => ‘telephoneNumber’,
‘Address1’ => ‘streetAddress’,
‘City’ => ‘l’,
‘State’ => ‘st’,
‘Zip’ => ‘postalCode’,
‘Country’ => ‘co’
},
}}
);

View this message in context: http://requesttracker.8502.n7.nabble.com/Active-Directory-and-RT-tp54021p54023.html

Glenn_E_Sieb · May 24, 2013, 9:51pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Try changing some of these settings…

Set($ExternalSettings, {
‘My_LDAP’ => {
‘type’ => ‘ldap’,
‘server’ => ‘ad.office.lbox.com’,
‘port’ => ‘389’,
‘user’ =>
‘cn=thisisauser,cn=Users,DC=office,DC=lbox,DC=com’,
‘pass’ => ‘redacted’,
‘base’ => ‘DC=office,DC=lbox,DC=com’,
‘filter’ => ‘(objectClass=*)’,
‘d_filter’ =>
‘(userAccountControl:1.2.840.113556.1.4.803:=2)’,
‘group’ =>
‘ou=Lunchbox,DC=office,DC=lbox,DC=com’,

‘group_attr’ => ‘member’,

    'tls'                       =>  0,
    'ssl_version'               =>  3,
    'net_ldap_args'             => [    version =>  3  ],

(the rest as you had them…)

Summary–put port in your my_LDAP section, change d_filter, keep
net_ldap_args simple, and then I would remove group_attr for now. Once
you’ve determined the connection is working, then get fancy.

Best,

–Glenn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlGf4NYACgkQf5MxTDXTimGdfQCgtQ60HrwPEDishu3Lb/398mfc
RocAn0dbflykdBZOeqmdLZcZ40U17vuj
=pFSK
-----END PGP SIGNATURE-----

Thomas_Sibley · May 24, 2013, 9:57pm

    'attr_match_list' => [
        'Name',
        'EmailAddress',
        'RealName',
    ],

First things first, remove RealName from the config above. It should be
removed from the example configs as it’s a misleading example.
“attr_match_list” are properties that in combination uniquely identify a
user; by including RealName, you’re telling RT that a user’s real name
may never change (such as not being provided, or differing slightly).

https://metacpan.org/source/TSIBLEY/RT-Authen-ExternalAuth-0.15/etc/RT_SiteConfig.pm#L128

Glenn’s suggestions are also good.

Second, note these lines:

[Fri May 24 21:31:20 2013] [debug]: LDAP Search === Base:
ou=lb,DC=office,DC=lbox,DC=com == Scope: base == Filter: (member=CN=David
Neudorfer,OU=lb,DC=office,DC=lbox,DC=com) == Attrs: dn
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:256)
[Fri May 24 21:31:20 2013] [debug]: LDAP group membership check returned 0
results
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:285)
[Fri May 24 21:31:20 2013] [info]: My_LDAP AUTH FAILED: david.neudorfer

This is why auth fails: RT didn’t find the logging in user as a member
of the group you specified that users must be a member of.

I suspect you’re running into the issue that the group check is done as
the logging in user rather than the service user (cn=thisisauser in your
sample). The group check happens after the rebind to check the provided
password. There’s an open bug about this because it should be made
configurable: Human Verification

davidneudorfer · May 24, 2013, 9:59pm

If I comment out group_attr then I get:

Use of uninitialized value $group_attr in concatenation (.) or string

This is my new config:

Set($ExternalSettings, {
‘My_LDAP’ => {
‘type’ => ‘ldap’,
‘server’ => ‘ad.office.lbox.com’,
‘port’ => ‘389’,
‘user’ =>
‘CN=thisisauser,CN=Users,DC=office,DC=lbox,DC=com’,
‘pass’ => ‘redacted’,
‘base’ => ‘DC=office,DC=lbox,DC=com’,
‘filter’ => ‘(objectClass=*)’,
‘d_filter’ =>
‘(userAccountControl:1.2.840.113556.1.4.803:=2)’,
‘group’ => ‘CN=Users,DC=office,DC=lbox,DC=com’,
‘group_attr’ => ‘member’,
‘tls’ => 0,
‘ssl_version’ => 3,
‘net_ldap_args’ => [ version => 3 ],
‘attr_match_list’ => [
‘Name’,
‘EmailAddress’,
‘RealName’,
],
‘attr_map’ => {
‘Name’ => ‘sAMAccountName’,
‘EmailAddress’ => ‘mail’,
‘Organization’ => ‘physicalDeliveryOfficeName’,
‘RealName’ => ‘cn’,
‘ExternalAuthId’ => ‘sAMAccountName’,
‘Gecos’ => ‘sAMAccountName’,
‘WorkPhone’ => ‘telephoneNumber’,
‘Address1’ => ‘streetAddress’,
‘City’ => ‘l’,
‘State’ => ‘st’,
‘Zip’ => ‘postalCode’,
‘Country’ => ‘co’
},
}}
);

And the resulting error:

[Fri May 24 21:59:38 2013] [debug]: Attempting to use external auth service:
My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:186)
[Fri May 24 21:59:38 2013] [debug]: Calling UserExists with $username
(david.neudorfer) and $service (My_LDAP)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:227)
[Fri May 24 21:59:38 2013] [debug]: UserExists params:
username: david.neudorfer , service: My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)
[Fri May 24 21:59:38 2013] [debug]: LDAP Search === Base:
DC=office,DC=lbox,DC=com == Filter:
(&(objectClass=*)(sAMAccountName=david.neudorfer)) == Attrs:
l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
[Fri May 24 21:59:38 2013] [debug]: Password validation required for service

Executing…
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:277)
[Fri May 24 21:59:38 2013] [debug]: Trying external auth service: My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:153)
[Fri May 24 21:59:38 2013] [debug]: LDAP Search === Base:
DC=office,DC=lbox,DC=com == Filter:
(&(sAMAccountName=david.neudorfer)(objectClass=*)) == Attrs: dn
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:186)
[Fri May 24 21:59:38 2013] [debug]: Found LDAP DN: CN=David
Neudorfer,OU=Lunchbox,DC=office,DC=lbox,DC=com
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:220)
[Fri May 24 21:59:38 2013] [debug]: LDAP Search === Base:
CN=Users,DC=office,DC=lbox,DC=com == Scope: base == Filter: (member=CN=David
Neudorfer,OU=Lunchbox,DC=office,DC=lbox,DC=com) == Attrs: dn
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:256)
[Fri May 24 21:59:38 2013] [debug]: LDAP group membership check returned 0
results
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:285)
[Fri May 24 21:59:38 2013] [info]: My_LDAP AUTH FAILED: david.neudorfer
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:289)
[Fri May 24 21:59:38 2013] [debug]: LDAP password validation result: 0
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:456)
[Fri May 24 21:59:38 2013] [debug]: Password Validation Check Result: 0
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:281)
[Fri May 24 21:59:38 2013] [debug]: Autohandler called ExternalAuth.
Response: (0, Password Invalid)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:16)
[Fri May 24 21:59:38 2013] [error]: FAILED LOGIN for david.neudorfer from
10.0.4.59 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:753)

View this message in context: http://requesttracker.8502.n7.nabble.com/Active-Directory-and-RT-tp54021p54027.html

davidneudorfer · May 24, 2013, 10:01pm

What do you make of the lines:

[debug]: LDAP Search === Base: CN=Users,DC=office,DC=lbox,DC=com == Scope:
base == Filter: (member=CN=David
Neudorfer,OU=Lunchbox,DC=office,DC=lbox,DC=com) == Attrs: dn
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:256)

[debug]: LDAP group membership check returned 0 results
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:285)

View this message in context: http://requesttracker.8502.n7.nabble.com/Active-Directory-and-RT-tp54021p54028.html

Glenn_E_Sieb · May 24, 2013, 10:08pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1On 5/24/13 5:59 PM, davidneudorfer wrote:

If I comment out group_attr then I get:

I have no group_attr at all in my config…

Here is my anonymized config:

Set( $ExternalSettings, {‘My_LDAP’ => { ## GENERIC SECTION
‘type’ => ‘ldap’,
‘server’ => ‘MYAD’,
‘port’ => ‘389’,
‘user’ => ‘USERNAME’,
‘pass’ => ‘PASSWORD’,
‘base’ => ‘dc=MYAD,dc=LOCAL’,
‘filter’ => ‘(objectClass=*)’,
‘d_filter’ =>
‘(userAccountControl:1.2.840.113556.1.4.803:=2)’,
‘net_ldap_args’ => [ version => 3 ],
‘attr_match_list’ => [ ‘Name’, ‘EmailAddress’ ],
‘attr_map’ => {
‘Name’ => ‘sAMAccountName’,
‘EmailAddress’ => ‘mail’,
‘RealName’ => ‘cn’,
‘ExternalAuthId’ => ‘sAMAccountName’,
‘Gecos’ => ‘sAMAccountName’,
‘WorkPhone’ => ‘telephoneNumber’,
}
},
});

Best,

–G.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlGf5MAACgkQf5MxTDXTimG+3wCfae8Eh0DMSqhjLaLAJMmbhAX1
F/gAniGNNIpmbvDBWkw++TzStwaqz2Ge
=o7X6
-----END PGP SIGNATURE-----

davidneudorfer · May 24, 2013, 10:14pm

That did it! Thank you Glenn.

View this message in context: http://requesttracker.8502.n7.nabble.com/Active-Directory-and-RT-tp54021p54031.html

Joachim_Thuau3 · May 24, 2013, 10:17pm

For the sake of the archive, was it changing “member” to “memberOf” in the
group_attr section of your config that fixed it?

(realizing that I replied to David off list earlier)

Thanks,
Jok
| Joachim Thuau | IT Systems Engineer - Linux / SpaceX |On 5/24/13 3:14 PM, “davidneudorfer” david.neudorfer@lbox.com wrote:

That did it! Thank you Glenn.

–
View this message in context:
http://requesttracker.8502.n7.nabble.com/Active-Directory-and-RT-tp54021p5
4031.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.

–
RT Training in Seattle, June 19-20: http://bestpractical.com/training

davidneudorfer · May 24, 2013, 10:35pm

Removing group and group_attr was what did it for me. Hopefully this helps
someone else in the future.

Set($ExternalSettings, {
‘My_LDAP’ => {
‘type’ => ‘ldap’,
‘server’ => ‘ad.office.lbox.com’,
‘port’ => ‘389’,
‘user’ =>
‘CN=thisisauser,CN=Users,DC=office,DC=lbox,DC=com’,
‘pass’ => ‘redacted’,
‘base’ => ‘DC=office,DC=lbox,DC=com’,
‘filter’ => ‘(objectClass=*)’,
‘d_filter’ =>
‘(userAccountControl:1.2.840.113556.1.4.803:=2)’,
‘tls’ => 0,
‘ssl_version’ => 3,
‘net_ldap_args’ => [ version => 3, ],
‘attr_match_list’ => [
‘Name’,
‘EmailAddress’,
‘RealName’,
],
‘attr_map’ => {
‘Name’ => ‘sAMAccountName’,
‘EmailAddress’ => ‘mail’,
‘Organization’ => ‘physicalDeliveryOfficeName’,
‘RealName’ => ‘cn’,
‘ExternalAuthId’ => ‘sAMAccountName’,
‘Gecos’ => ‘sAMAccountName’,
‘WorkPhone’ => ‘telephoneNumber’,
‘Address1’ => ‘streetAddress’,
‘City’ => ‘l’,
‘State’ => ‘st’,
‘Zip’ => ‘postalCode’,
‘Country’ => ‘co’
},
}}
);

View this message in context: http://requesttracker.8502.n7.nabble.com/Active-Directory-and-RT-tp54021p54033.html

Thomas_Sibley · May 24, 2013, 10:50pm

Removing group and group_attr was what did it for me. Hopefully this helps
someone else in the future.

It looks like you missed my reply, where I explained what was going
wrong with your group and group_attr, along with a few other things.

http://lists.bestpractical.com/pipermail/rt-users/2013-May/080377.html

davidneudorfer · May 24, 2013, 10:59pm

Completely did but thank you and at your suggestion I’ve removed RealName as well. Thank you Thomas.

View this message in context: http://requesttracker.8502.n7.nabble.com/Active-Directory-and-RT-tp54021p54035.html