AD integration for external auth

I’m coming back to RT after a few years. I am trying to set up external
auth against our AD server.

I have a working implementation for mediawiki, so I know that it’s
possible on our system. As far as possible I’ve duplicated the options
from mediawiki/php to rt/perl, but I am still missing something
important as all login attempts get rejected with a NoUser.

The only thing that I find different (and I’m searching my memory from a
few years ago when I set up mediawiki) there is a line where the user
name is pre-pended with the domain for AD:

$wgLDAPSearchStrings = array( 'HPM' => "HPM\\USER-NAME" );

And I can’t find anything like that in the RT config.

Does anyone have a working AD external auth they can share?

Thanks.

Here’s the logfile snippet:

[4835] [Tue Jul 7 15:17:14 2015] [debug]: Attempting to use external
auth service: My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:424)
[4835] [Tue Jul 7 15:17:14 2015] [debug]: Calling UserExists with
$username (yans) and $service (My_LDAP)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:465)
[4835] [Tue Jul 7 15:17:14 2015] [debug]: UserExists params:
username: yans , service: My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)
[4835] [Tue Jul 7 15:17:14 2015] [debug]: LDAP Search === Base:
ou=Staff,dc=hpm,dc=net == Filter:
(&(objectClass=inetOrgPerson)(sAMAccountName=yans)) == Attrs:
cn,co,telephoneNumber,l,postalCode,streetAddress,st,sAMAccountName,mail
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
[4835] [Tue Jul 7 15:17:14 2015] [debug]: User Check Failed :: (
My_LDAP ) yans User not found
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:483)
[4835] [Tue Jul 7 15:17:14 2015] [debug]: Autohandler called
ExternalAuth. Response: (0, No User)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[4835] [Tue Jul 7 15:17:14 2015] [error]: FAILED LOGIN for yans from
10.10.30.51 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:810)

And here’s the setup in RTSiteConfig.pm:

Plugin('RT::Authen::ExternalAuth');
Set($ExternalAuthPriority,  [ 'My_LDAP' ]);
Set($ExternalInfoPriority,  [ 'My_LDAP' ]);
Set($ExternalSettings, {
    'My_LDAP'       =>  {
        'type'             =>  'ldap',
        'server'           =>  'file_print.hpm.net',
        # By not passing 'user' and 'pass' we are using an anonymous
        # bind, which some servers do not allow
        'base'             =>  'dc=hpm,dc=net',
        'filter'           =>  '(objectClass=inetOrgPerson)',
        # Users are allowed to log in via email address or account
        # name
        'attr_match_list'  => [
            'Name',
#           'EmailAddress',
        ],
        # Import the following properties of the user from LDAP upon
        # login
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
            'WorkPhone'    => 'telephoneNumber',
            'Address1'     => 'streetAddress',
            'City'         => 'l',
            'State'        => 'st',
            'Zip'          => 'postalCode',
            'Country'      => 'co',
        },
    },
} );

This may help:

http://trevthorpe.blogspot.com/2015/01/request-tracker-424-ldap-authentication.html
(Misc Stuff: Request Tracker 4.2.4 - 4.2.9 - LDAP Authentication and Synchronization)

On Tue, Jul 7, 2015 at 11:24 AM, Yan Seiner yan@seiner.com wrote:

What format do you use for the username?

When I try hpm\yans which should, in theory, work, I get:

[5367] [Tue Jul 7 17:07:28 2015] [debug]: LDAP Search === Base:
dc=hpm,dc=net == Filter: (&(objectClass=*)(sAMAccountName=hpm\5cyans))
== Attrs: sAMAccountName,mail
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)

Notice the mangled sAMAccountName=hpm\5cyans . If this is what it is
searching for, then we have a problem. :slight_smile:

–Yan

On 7/7/2015 11:57 AM, Trev wrote:

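The `\5c` in the filter Yan quotes is not corruption on RT's side: RFC 4515 requires a literal backslash inside a filter assertion value to be written as `\5c`, so `(sAMAccountName=hpm\5cyans)` asks the directory for an account whose sAMAccountName is literally `hpm\yans`, a value no AD account can have (the backslash is not allowed in that attribute). The Python below is an added example, not code from this thread or from RT: it implements the RFC 4515 escaping, rebuilds the logged filter from its parts, and adds a `split_login` helper (an assumption of this example, not an RT setting) that separates a `DOMAIN\` prefix or `@domain` suffix from the account name before the lookup is built.

```python
import re

# RFC 4515 reserves these characters inside a filter assertion value; each is
# written as a backslash followed by the two hex digits of its byte value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(base_filter: str, attr: str, value: str) -> str:
    """AND a configured base filter with a lookup on one attribute, in the shape
    the RT log lines show: (&(objectClass=*)(sAMAccountName=...))."""
    return f"(&{base_filter}({attr}={escape_filter_value(value)}))"


_DOWN_LEVEL = re.compile(r"^([^\\@/]+)\\([^\\@/]+)$")   # DOMAIN\account
_UPN = re.compile(r"^([^\\@/]+)@([^\\@/]+)$")           # account@dns.domain


def split_login(login: str):
    """Split what the user typed into (domain, account).

    Handles the bare account name, the down-level form DOMAIN\\account that
    was tried in the thread, and the UPN form account@domain. The domain is
    None when none was given.
    """
    m = _DOWN_LEVEL.match(login)
    if m:
        return m.group(1), m.group(2)
    m = _UPN.match(login)
    if m:
        return m.group(2), m.group(1)
    return None, login


def account_filter(base_filter: str, attr: str, login: str) -> str:
    """Filter on the account part only: sAMAccountName holds the bare name, so
    any domain prefix or suffix must be stripped before escaping into the filter."""
    _domain, account = split_login(login)
    return build_user_filter(base_filter, attr, account)


if __name__ == "__main__":
    # The filter RT logged for the login "hpm\yans": the backslash is escaped,
    # so the directory is asked for an account literally named hpm\yans.
    print(build_user_filter("(objectClass=*)", "sAMAccountName", "hpm\\yans"))
    # Stripping the domain first yields a filter that can match the account.
    print(account_filter("(objectClass=inetOrgPerson)", "sAMAccountName", "HPM\\yans"))
```

The first print reproduces the `hpm\5cyans` value from the log line above exactly; the second shows the same login reduced to `(sAMAccountName=yans)`, the form the directory can actually match. Whether a given login attempt then succeeds still depends on the bind that precedes the search, which is the other half of this thread.
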
If you mean during the login via RT Gui – username is sAMAccountName.
There shouldn’t be any need to prefix with the domain as the domain is
already being queried.

On Tue, Jul 7, 2015 at 1:24 PM, Yan Seiner yan@seiner.com wrote:

Use → Plugin( "RT::Extension::LDAPImport" );

Note the configuration I linked to you prior.

I had some issues with limited functionality using
Plugin('RT::Authen::ExternalAuth')… it’s been a while actually, I may
not even have had that extension working.

On Tue, Jul 7, 2015 at 1:28 PM, Trev trevor@onepost.net wrote:

Sorry about that, review the blog entry I sent you prior. I do see I did
add that plugin, again, it’s been a while since I wrestled with LDAP
authentication. So, I threw my working config with notes, into that blog.

On Tue, Jul 7, 2015 at 1:30 PM, Trev trevor@onepost.net wrote:

I’m kicking this back to the list only. I’ve been going round and round
with this and I have some more information, but still not a solution.

ldapsearch works:

ldapsearch -H ldap://file_print.hpm.net -b "dc=hpm,dc=net" -s sub
"(sAMAccountName=yans)" -D 'HPM\yans' -x -W uid

But notice that I need to use either ‘HPM\yans’ for the user or the
older ‘yans@hpm.net’ for the system to allow me to bind to the ldap
server. The way we’re set up, any user can bind to the server with
valid credentials, but anonymous binds are not allowed.

But the way ExternalAuth is set up, I have to provide the ldap userid
and password, which in our system would be a real user.

         'user'                      =>  'rt_ldap_username',
         'pass'                      =>  'rt_ldap_password',

Is there any way to get ExternalAuth to use the credentials entered in
the login to bind to the ldap server?

(As near as I can figure, the LDAPImport extension imports the userids
from ldap, which is not what I need. I need to authenticate against AD
in realtime.)

–Yan

On 7/7/2015 1:32 PM, Trev wrote:

Generally speaking, it is typical to create an ‘LDAP User’ for binding, and
reading purposes within AD itself.

LDAPImport does authenticate against the users in AD. And builds the user
records within RT as I have mapped in my example.

Cronjob to do the import, maybe every 15 minutes. Makes it much easier to
use AD groups within RT as well.

Very dynamic…

On Tue, Jul 7, 2015 at 4:50 PM, Yan Seiner yan@seiner.com wrote:

I’m kicking this back to the list only. I’ve been going round and round
with this and I have some more information, but still not a solution.

ldapsearch works:

ldapsearch -H ldap://file_print.hpm.net -b “dc=hpm,dc=net” -s sub
“(sAMAccountName=yans)” -D ‘HPM\yans’ -x -W uid

But notice that I need to use either ‘HPM\yans’ for the user or the older ’
yans@hpm.net’ for the system to allow me to bind to the ldap server. The
way we’re set up, any user can bind to the server with valid credentials,
but anonymous binds are not allowed.

But the way ExternalAuth is set up, I have to provide the ldap userid and
password, which in our system would be a real user.

        'user'                      =>  'rt_ldap_username',
        'pass'                      =>  'rt_ldap_password',

Is there any way to get ExternalAuth to use the credentials entered in the
login to bind to the ldap server?

(As near as I can figure, the LDAPImport extension imports the userids
from ldap, which is not what I need. I need to authenticate against AD in
realtime.)

–Yan

On 7/7/2015 1:32 PM, Trev wrote:

Sorry about that, review the blog entry I sent you prior. I do see I did
add that plugin, again, it’s been a while since I wrestled with LDAP
authentication. So, I threw my working config with notes, into that blog.

On Tue, Jul 7, 2015 at 1:30 PM, Trev trevor@onepost.net wrote:

Use → Plugin( “RT::Extension::LDAPImport” );
Note the configuration I linked to you prior.
I had some issues with limited functionality using Plugin(‘RT::Authen::ExternalAuth’)… it’s been a while actually, I may not even have had that extension working.

On Tue, Jul 7, 2015 at 1:28 PM, Trev trevor@onepost.net wrote:

If you mean during the login via RT Gui – username is, sAMAccountName.
There shouldn’t be any need to prefix with the domain as the domain is
already being queried.

On Tue, Jul 7, 2015 at 1:24 PM, Yan Seiner yan@seiner.com wrote:

What format do you use for the username?

When I try hpm\yans which should, in theory, work, I get:

[5367] [Tue Jul 7 17:07:28 2015] [debug]: LDAP Search === Base:
dc=hpm,dc=net == Filter: (&(objectClass=*)(sAMAccountName=hpm\5cyans)) ==
Attrs: sAMAccountName,mail
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)

Notice the mangled sAMAccountName=hpm\5cyans . If this is what it is
searching for, then we have a problem. :)

–Yan

On 7/7/2015 11:57 AM, Trev wrote:

This may help:

Misc Stuff: Request Tracker 4.2.4 - 4.2.9 - LDAP Authentication and Synchronization

On Tue, Jul 7, 2015 at 11:24 AM, Yan Seiner yan@seiner.com wrote:

I’m coming back to RT after a few years. I am trying to set up
external auth against our AD server.

I have a working implementation for mediawiki, so I know that it’s
possible on our system. As far as possible I’ve duplicated the options
from mediawiki/php to rt/perl, but I am still missing something important
as all login attempts get rejected with a NoUser.

The only thing that I find different (and I’m searching my memory from
a few years ago when I set up mediawiki) there is a line where the user
name is pre-pended with the domain for AD:

$wgLDAPSearchStrings = array( ‘HPM’ => “HPM\USER-NAME” );

And I can’t find anything like that in the RT config.

Does anyone have a working AD external auth they can share?

Thanks.

Here’s the logfile snippet:

[4835] [Tue Jul 7 15:17:14 2015] [debug]: Attempting to use external
auth service: My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:424)
[4835] [Tue Jul 7 15:17:14 2015] [debug]: Calling UserExists with
$username (yans) and $service (My_LDAP)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:465)
[4835] [Tue Jul 7 15:17:14 2015] [debug]: UserExists params:
username: yans , service: My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)
[4835] [Tue Jul 7 15:17:14 2015] [debug]: LDAP Search === Base:
ou=Staff,dc=hpm,dc=net == Filter:
(&(objectClass=inetOrgPerson)(sAMAccountName=yans)) == Attrs:
cn,co,telephoneNumber,l,postalCode,streetAddress,st,sAMAccountName,mail
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
[4835] [Tue Jul 7 15:17:14 2015] [debug]: User Check Failed :: (
My_LDAP ) yans User not found
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:483)
[4835] [Tue Jul 7 15:17:14 2015] [debug]: Autohandler called
ExternalAuth. Response: (0, No User)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[4835] [Tue Jul 7 15:17:14 2015] [error]: FAILED LOGIN for yans from
10.10.30.51 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:810)

And here’s the setup in RTSiteConfig.pm:

    Plugin('RT::Authen::ExternalAuth');
    Set($ExternalAuthPriority, [ 'My_LDAP' ]);
    Set($ExternalInfoPriority, [ 'My_LDAP' ]);
    Set($ExternalSettings, {
        'My_LDAP' => {
            'type'   => 'ldap',
            'server' => 'file_print.hpm.net',
            # By not passing 'user' and 'pass' we are using an anonymous
            # bind, which some servers do not allow
            'base'   => 'dc=hpm,dc=net',
            'filter' => '(objectClass=inetOrgPerson)',
            # Users are allowed to log in via email address or account
            # name
            'attr_match_list' => [
                'Name',
                'EmailAddress',
            ],
            # Import the following properties of the user from LDAP upon
            # login
            'attr_map' => {
                'Name'         => 'sAMAccountName',
                'EmailAddress' => 'mail',
                'RealName'     => 'cn',
                'WorkPhone'    => 'telephoneNumber',
                'Address1'     => 'streetAddress',
                'City'         => 'l',
                'State'        => 'st',
                'Zip'          => 'postalCode',
                'Country'      => 'co',
            },
        },
    });

I’m kicking this back to the list only. I’ve been going round and round
with this and I have some more information, but still not a solution.

ldapsearch works:

Excellent and vital first crawl.

Next to stand up and walk:
Can you interrogate your LDAP with Net::LDAP?
URL:https://metacpan.org/pod/distribution/perl-ldap/lib/Net/LDAP.pod

ISTR having to pass some options when I last ran with RT’s LDAP/AD
integration.

Happy hacking,
John
groenveld@acm.org
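An added example, not code from the thread or from RT, of the check John suggests above: a stand-alone Net::LDAP script that does what RT::Authen::ExternalAuth::LDAP does at login, a search bound as a service account followed by a bind as the DN it found, so the LDAP side can be debugged outside RT until it returns success. It also shows why a login typed as HPM\yans turns into sAMAccountName=hpm\5cyans in the logged filter: the backslash is escaped per RFC 4515 filter syntax, so the domain prefix (or @domain suffix) has to be stripped before the filter is built, and the value is escaped so that a login name containing ( ) * or \ cannot alter the filter. The server and base come from the thread; the service-account placeholders, the objectClass=user filter (AD user accounts normally carry objectClass user rather than inetOrgPerson, which is worth confirming with ldapsearch), and the helper names are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example (not RT's code): reproduce ExternalAuth's search-then-bind
# sequence against AD with Net::LDAP so it can be debugged outside RT.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value ldap_error_text);

# Assumed values for this example; adjust to your environment.
my $server    = 'ldap://file_print.hpm.net';
my $base      = 'dc=hpm,dc=net';
my $bind_user = 'HPM\\rt_ldap_username';   # service account, DOMAIN\user form
my $bind_pass = 'rt_ldap_password';

# Reduce whatever was typed at the login form to a bare sAMAccountName.
# ExternalAuth searches with the literal login name, so "HPM\yans" becomes
# the filter value "hpm\5cyans" (backslash escaped per RFC 4515) and
# matches nothing. Strip "DOMAIN\" or "@domain" before building the filter.
sub bare_account_name {
    my ($login) = @_;
    $login =~ s/^[^\\]+\\//;    # DOMAIN\user -> user
    $login =~ s/\@.*$//;        # user@domain -> user
    return $login;
}

# Build the same kind of filter ExternalAuth logs, with the value escaped
# so a login name containing * ( ) \ or NUL cannot change the filter.
sub user_filter {
    my ($account) = @_;
    return sprintf '(&(objectClass=user)(sAMAccountName=%s))',
        escape_filter_value($account);
}

sub check_login {
    my ($login, $password) = @_;
    my $account = bare_account_name($login);

    my $ldap = Net::LDAP->new($server) or die "connect: $@";

    # Step 1: bind with the service account (AD refuses anonymous search).
    my $msg = $ldap->bind($bind_user, password => $bind_pass);
    die 'service bind failed: ' . ldap_error_text($msg) if $msg->code;

    # Step 2: find the user's DN.
    $msg = $ldap->search(
        base   => $base,
        scope  => 'sub',
        filter => user_filter($account),
        attrs  => [ 'sAMAccountName', 'mail', 'userPrincipalName' ],
    );
    die 'search failed: ' . ldap_error_text($msg) if $msg->code;
    if ($msg->count == 0) {
        print "no entry for $account under $base (RT would report NoUser)\n";
        $ldap->unbind;
        return 0;
    }
    my $dn = $msg->entry(0)->dn;
    print "found DN: $dn\n";

    # Step 3: bind as that DN with the password from the login form.
    # A successful bind here is what ExternalAuth treats as authenticated.
    # Never bind with an empty password: AD answers an empty-password bind
    # as an unauthenticated bind, which succeeds without proving anything.
    if (!defined $password || $password eq '') {
        print "empty password refused\n";
        $ldap->unbind;
        return 0;
    }
    my $auth = $ldap->bind($dn, password => $password);
    $ldap->unbind;
    if ($auth->code) {
        print 'user bind failed: ' . ldap_error_text($auth) . "\n";
        return 0;
    }
    return 1;
}

my ($login, $password) = @ARGV;
die "usage: $0 LOGIN PASSWORD\n" unless defined $password;
exit(check_login($login, $password) ? 0 : 1);
```

Run it as `perl ldapcheck.pl yans 'password'` and again as `perl ldapcheck.pl 'HPM\yans' 'password'`; both should print the same DN and exit 0. If step 2 finds nothing, compare the printed filter and base with the entry ldapsearch returns (objectClass values and the OU the account lives in) before touching the password side. Once this script succeeds, the 'server', 'base', 'filter', 'user' and 'pass' values it used are the ones to carry into $ExternalSettings.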

But the way ExternalAuth is set up, I have to provide the ldap userid
and password, which in our system would be a real user.

         'user'                      =>  'rt_ldap_username',
         'pass'                      =>  'rt_ldap_password',

Is there any way to get ExternalAuth to use the credentials entered in
the login to bind to the ldap server?

At user login ExternalAuth first finds the user with the credentials you
mention above, and then attempts to bind with the login provided
credentials. A successful bind is how it knows that the user is
authenticated. From the code:

    my $ldap_entry = $ldap_msg->first_entry;
    my $ldap_dn    = $ldap_entry->dn;

    # THIS bind determines success or failure on the password.
    $ldap_msg = $ldap->bind($ldap_dn, password => $password);

But notice that I need to use either ‘HPM\yans’ for the user or the
older ‘yans@hpm.net’ for the system to allow me to bind to the ldap
server. The way we’re set up, any user can bind to the server with
valid credentials, but anonymous binds are not allowed.

For the former, you’d have to modify the extension to prefix the
username it attempts to bind with. The subroutine is
RT::Authen::ExternalAuth::LDAP::GetAuth. You could make a command line
script to call this and debug it until you get it to return 1. Like
jdg117 mentioned, you have to get Net::LDAP connecting to your LDAP and
then figure out how to configure or modify the extension to get it to
connect in the same way.

For the latter I think you can update the configuration to store the
email address as the name so that it’s used when the bind is attempted.
You’d have to use the email address to log in to RT.

Perhaps make attr_match_list just ‘EmailAddress’ and then have in the
attr_map:

             'Name' => 'mail', # instead of sAMAccountName
             'EmailAddress' => 'mail',